Binding Corporate Rules (BCRs) — DPC as Lead and Art. 47 GDPR requirements
Binding Corporate Rules (BCRs) offer multinational groups a lawful transfer path for personal data from Ireland (EEA) to non-EEA affiliates under Chapter V of the GDPR.
Article 47 GDPR – BCR substance Article 47 GDPR mandates that the competent supervisory authority approve BCRs following the coherence mechanism in Article 63. BCRs must be:
- legally binding and enforced across all group members, including employees;
- expressly confer enforceable rights on data subjects;
- include each of the elements listed in Article 47(2), such as group structure and contact details; categories and purposes of transfers; enforceability; protection of data subjects’ rights; onward transfers; and liability and redress mechanisms.
Source: Article 47 GDPR
DPC’s role as Lead Authority As Ireland hosts many multinational headquarters, the Data Protection Commission (DPC) regularly serves as Lead Supervisory Authority (LSA) for BCR applications. The DPC evaluates the submission, consults other supervisory authorities via the Article 64 / Article 63 EDPB cooperation process, and issues a national approval decision once GDPR criteria are satisfied.
In 2023, the DPC acted as LSA for 26 approved Controller and Processor BCRs across 18 groups. Of those, four BCRs (Controller and Processor for Autodesk Ireland Operation Unlimited and Informatica Ireland EMEA UC) received approval within that year. The DPC continues to supervise annual BCR updates.
Source: DPC Annual Report 2023, p. 73
Real‑world example – Shopify According to the DPC’s 2025 Annual Report, Shopify International Limited applied for separate Controller and Processor BCRs with the DPC as lead. The DPC assessed the application, invited other EU authorities to object, received none, and proceeded. Following iterative feedback, it recommended amendments aligned with EDPB WP 263 rev 1 and WP 257 recommendations. The EDPB issued positive Article 64 opinions (17/2025 and 18/2025) in September 2025. The DPC issued final national approval in October 2025.
Source: DPC Annual Report 2025, pp. 98–99
Practical implications for practitioners For multinationals headquartered in or running EEA operations via Ireland, choosing the DPC as LSA for BCRs makes operational sense. The process demands careful documentation of internal structures, data flows, enforcement measures, redress, audits, training, and liability. Regular engagement during the iterative review and cooperation procedure expedites approval, but plan multi-month lead times. Shopify and other major corporates have successfully navigated this process most recently in 2025.
Source: Article 47 GDPR Source: DPC Annual Report 2023, p. 73 Source: DPC Annual Report 2025, pp. 98–99