Legally binding internal corporate privacy rules for transferring personal information within a corporate group.  BCRs are typically used by corporations that operate in multiple jurisdictions, and can be used as an alternative to model contract clauses.  BCRs must be approved by the EU data protection authorities of the member states in which the corporation operates. The EU GDPR defines it as “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.