Binding Corporate Rules or "BCRs" were developed by the European Union Article 29 Working Party to allow multinational corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law. The BCRs were developed as an alternative to the U.S. Department of Commerce EU Safe Harbor Safe Harbor (which is for US organizations only) and the EU Model Contract Clauses.
BCRs are required to be approved by the data protection authority in each EU Member State (such as the Information Commissioner's Office in the United Kingdom, CNIL in France, AEPD in Spain,....) in which the organization will rely on the BCRs. The EU has developed a mutual recognition process under which BCRs approved by one member state's data protection authority (known as the "lead" authority) and two other "co-lead" authorities may be approved by the other relevant member states who may make comments and ask for amendments. Other members states, not part of mutual recognition process, will be also involved by the lead authority and will apply their own independent review process within a limited timeframe. The overall process for BCR acceptance takes usually between 6 and 9 months. This time frame doesn't include the required Data Protection setup which should be already implemented within the company in order to comply with the current directive and its local implementation.
BCRs typically form a stringent, intra-corporate global privacy policies, set of practices, processes and guidelines that satisfies EU standards and may be available as an alternative means of authorizing transfers of personal data (e.g., customer databases, HR information, etc.) outside of Europe.
BCRs should be seen as a framework having different elements (Internal legal agreement, Policies, training, audit, etc.) providing compliance with EU data protection regulations and effective privacy and data protection.
It has to be noticed that, while originally designed for providing legal ground to international transfers, BCR became de facto a Corporation demonstration of its capacity to comply "at large" with Personal data processing requirements. A corporation having a BCR applies this framework independently of international transfers and should be seen as part of the "Corporate Governance" or "Data Governance"