Article 47 GDPR
Binding corporate rules

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism provided for in Article 63, provided that:

(a) they are legally binding, apply to every member of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees, and are enforced by each of those members;

(b) they expressly grant data subjects enforceable rights in relation to the processing of their personal data; and

(c) they comply with the requirements set out in paragraph 2.

2. At a minimum, the binding corporate rules referred to in paragraph 1 shall specify:
(a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity, and of each of its members;
(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the types of data subjects affected and the name of the third country or third countries concerned;
(c) their legally binding nature, internal and external;
(d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, the processing of special categories of personal data, data security measures, and the requirements for onward transfers to bodies not bound by the binding corporate rules;
(e) the rights of data subjects in relation to processing and the means of exercising those rights, including the right not to be subject to decisions based solely on automated processing—including profiling—in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and the competent courts of the Member States in accordance with Article 79, and the right to a judicial remedy and, where applicable, compensation for a breach of binding corporate rules;
(f) the acceptance by the controller or processor established in the territory of a Member State of liability for any breach of the binding corporate rules by any member concerned that is not established in the Union; the controller or processor shall be exempted from that liability, in whole or in part, only if it proves that that member is not responsible for the event which led to the damage;
(g) the manner in which data subjects are provided—in addition to the information referred to in Articles 13 and 14—with information on binding corporate rules, in particular the provisions referred to in subparagraphs (d), (e), and (f) of this paragraph;
(h) the duties of the data protection officer appointed in accordance with Article 37 or of any other person or entity responsible for monitoring compliance with binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as for monitoring training and handling complaints;
(i) complaint procedures;
(j) mechanisms in place within the group of undertakings, or group of enterprises engaged in a joint economic activity, to ensure verification of compliance with binding corporate rules. Such mechanisms include data protection audits and methods for ensuring corrective actions to protect the rights of data subjects. The results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of the group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available to the competent supervisory authority upon request;
(k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
(l) a cooperation mechanism with the supervisory authority ensuring compliance with the principles by all members of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of the verification of the measures referred to in point (j);
(m) the mechanism for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity, is subject in a third country and which may have a material adverse effect on the guarantees provided for in the binding corporate rules; and
(n) appropriate data protection training for staff with permanent or regular access to personal data.
3. The Commission may specify the format and procedures for the exchange of information between controllers, processors, and supervisory authorities regarding binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

*Title of Article 47 as amended by the correction of 23 May 2018 (OJ L 127, p. 2), which shall enter into force on 23 May 2018.
