SaaS Agreements – Data Protection – Binding Corporate Rules

The German data protection commissioner has recently approved the Binding Corporate Rules (BCRs) of Deutsche Post DHL. This permits the company to transmit personal data internationally in accordance with its privacy policy without having to seek consent from data subjects on an individual basis.

What are Binding Corporate Rules?

BCRs are a set of rules adopted within a particular company or corporate group that provide legally binding protections for data processing within the company or group to cover global data transfers.

Advantages of Binding Corporate Rules

Under the Data Protection Act, personal data cannot be transferred to countries outside of the EEA unless the receiving country has adequate protection. To date, only Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan have been deemed “adequate”, and US companies are accepted as having equivalent protections if registered under the Safe Harbor regime.

For large businesses with complex corporate structures and numerous cross-border data transfers outside of the EU, BCRs can be a real alternative.

Disadvantages of Binding Corporate Rules

Currently, only a small number of global companies have implemented BCRs, as the rules have to be accepted by each individual EU country’s data protection commissioner. There is also a considerable cost involved, and the whole procedure is time-consuming and can last a number of years.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
