Latest Updates to EU Processor Binding Corporate Rules (BCR-Ps) – What Your Organisation Needs to Know

Contacts

Ruth Boardman

Partner
UK

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.

Elizabeth Upton

Legal Director
UK

I'm a legal director in our London Privacy and Data Protection Practice working with clients in many of our key sectors.

On 15 January 2026, the European Data Protection Board (EDPB) published draft Recommendations to update Processor Binding Corporate Rules (BCR-Ps). The consultation remains open until 2 March 2026.

These Recommendations will affect all organisations with existing EU Processor BCRs, as well as those applying for or considering applying, and will require amendments to BCRs. They build on the supervisory authorities’ experience since the GDPR’s entry into force and align with the updated Recommendations on Controller BCRs adopted in June 2023. A key change concerns requirements arising from Schrems II, including transfer impact assessments and procedures for public authority access requests.

The Recommendations state that BCR-Ps apply to transfers by and to entities within the same Group that are processors or sub-processors, but are not suitable for a direct transfer from an external controller to a processor member of the BCR Group outside the EU. This means that, in this situation, businesses will need to use a different transfer tool, most likely standard contractual clauses. It has previously been unclear whether BCR-Ps can address this situation. The proposed clarification subjects businesses to additional administrative effort without any benefit in terms of improved protection for personal data in practice. It is disappointing that the EDPB has taken this approach. By contrast, the ICO allows use of BCR-Ps in this way, in its interpretation of UK BCRs and the UK BCR Addendum. We encourage everyone interested in this area to give feedback on this point to the EDPB.

These Recommendations are intended to replace and repeal the former Article 29 Working Party documents WP 257 rev.01 and WP 265. They can be found here: Recommendations 1/2026 on the Application for Approval and on the elements and principles to be found in Processor Binding Corporate Rules (Art. 47 GDPR) | European Data Protection Board.

In order to help affected organisations quickly assess the scope of the changes to the Requirements table, we have produced the following:

  1. a simple track changes version of the Requirements showing all the changes between the new Requirements and those originally set out in WP 257 rev.01 (marked as version 1); and

Click here to access Version 1

  2. an "edited" track changes version of the Requirements where minor changes and/or sections which have just been moved around the document are not highlighted, leaving track changes which are more significant in nature and/or which are likely to require organisations to carefully check their existing or draft EU Processor BCRs to see if further amendments are needed (marked as version 2).

Click here to access Version 2

The main changes to note are:

Requirement / Overview

Local Laws and Government Access Requests (8.1, 8.2)

These sections incorporate Schrems II obligations, including clearer expectations for transfer impact assessments and obligations on importers regarding public authority access requests. 

Transfer Risk Assessments

BCR members must only use the BCR-Ps as a tool for transfers where they have assessed, in agreement with the controller, that the laws and practices in the third country applicable to the processing of data by the BCR member-importer do not prevent it from fulfilling its obligations under the BCR-P.

The BCR members must take account of elements similar to those set out in Clause 14 of the EU SCCs in their assessment and can consider "the laws and practices of the third country of destination relevant in light of the circumstances of the transfer". Reference is made to the EDPB Recommendations 01/2020 on measures that supplement transfer tools.

The Liable BCR Member/relevant Privacy Officer or function should be involved in any transfer risk assessment and informed of any additional safeguards which are put in place. The assessment and any supplementary measures should be documented and be available on request to the competent supervisory authority. The controller has the responsibility to verify the assessment.

If supplementary measures will not assist, the exporter must suspend the relevant transfers or similar transfers until compliance is ensured or the transfer is ended. The exporter must agree with the controller to end the transfer if compliance is not restored within one month of suspension. Any data which has already been transferred prior to the suspension must, at the choice of the controller, be returned or destroyed.

Members must also monitor legal developments in the third countries and notify controllers of changes. 

Government Access Requests

Government access protections reflect EU SCC Clause 15, requiring that access by any public authority cannot be massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary and proportionate in a democratic society.

Internally Binding Nature of BCRs (1.2)

Organisations relying on a Unilateral Declaration to make BCR-Ps internally binding must meet strengthened requirements to ensure enforceability.

Externally Binding Nature of BCRs (1.3.1, 1.4, 1.5, 1.7)

Additional detail is required on third‑party beneficiary rights (1.3.1). 

Where organisations do not adopt a centralised responsibility and liability regime, they must demonstrate that data subjects are transparently informed, assisted in exercising their rights and not disadvantaged or unduly inhibited by the use of such an alternative mechanism. The requirements do not include any express reference to the fact that the Liable BCR member must be a legal entity with a separate legal personality (as is the case under UK BCRs) (1.4).

Annual confirmation of sufficient assets of the Liable BCR Member is required (1.5), and more information must be included in the public-facing BCRs (1.7).

Scope of BCRs (2.1, 2.2)

Transfer descriptions must be “exhaustive”, though not overly granular, but more detailed descriptions of transfers may need to be included in processing and sub-processing agreements. The scope of the BCRs should not be limited to "EEA Citizens" or "EEA residents" (2.1).

At a minimum, BCRs must cover all personal data processed within the scope of the GDPR and transferred by processors to BCR members outside the EEA (including any onward transfers). However, groups can use the BCR-P as their global data protection policy governing processing by all entities (either exporters or importers) acting as processors or sub-processors, whatever their location (inside or outside the EEA). Address and registration details for BCR members should be provided (2.2).

Effectiveness (3.1, 3.2, 3.3)

More detailed expectations apply to training requirements (e.g. intervals specified, requirement to address procedures for managing requests for access to personal data by public authorities) (3.1), complaints and data subject contact points (3.2), and audits. DPOs should not audit where conflicts exist, and BCRs cannot restrict sharing audit results with supervisory authorities. Audits can also be carried out by the data controller and the data exporter (3.3).

Data Protection Safeguards and Data Subject Rights (5, 6)

These sections have been completely rewritten to reference “exporters” and “importers,” rather than “processors” and “sub-processors”, aligning with EU SCC Model 3 structures. Organisations should review these obligations carefully to ensure consistency with the revised framework.

Tools for Compliance (7)

Clarification is provided that BCR members must assist controllers with data protection impact assessments. The obligation for the BCR members to assist the controller with the data protection by design and default principle appears to have been deleted.

Termination (9)

New provisions clarify obligations when a data importer ceases to be bound by the BCR-P, including where, at the choice of the controller, the data importer keeps the data.

Non‑Compliance (10)

New provisions outline steps required when BCR obligations are breached.

Mechanisms for Reporting and Recording Changes (11)

Changes that would “possibly be detrimental to the level of protection offered by the BCR-P or significantly affect them (e.g. changes to binding character, change of Liable BCR Member)” must be notified in advance to supervisory authorities together with a brief explanation for the change. The supervisory authorities will then consider if a new approval is required.

Other changes must be reported annually, including changes made to align with these Recommendations and an updated confirmation of sufficient assets.

Definitions (12)

BCRs must include a definitions section. Where GDPR terms are used, definitions should match GDPR wording, and references to GDPR provisions should be avoided unless fully quoted.

The Application Form remains in two Parts:

  • Part 1 (Applicant Information): This section is largely unchanged but now requires acknowledgment that (i) each BCR member meets all GDPR and BCR-P obligations for each transfer; (ii) it is the responsibility of the exporter (with the help of the importer, if required) to carry out transfer risk assessments and consider whether supplementary measures are needed; and (iii) if the exporter cannot implement supplementary measures necessary to ensure an essentially equivalent level of protection as provided in the EU, the personal data cannot be lawfully transferred.
  • Part 2 (Background Paper): This has been shortened. Detailed explanations on complaints, third‑party rights, cooperation, data flows, accountability, and change management now sit in Annex 2 (Elements and Principles Table), whilst a copy of the BCRs will sit in Annex 1.

If you have questions about your EU BCRs, please reach out to Ruth Boardman or Elizabeth Upton to discuss. 
