The opportunity for international organisations established in the EU to transfer personal data outside of the EU within their group of undertakings or enterprises. The legal demands for the usage of Binding corporate rules (BCR) is stated in Art. 47 GDPR. For example, all the data protection authorities in the member states where the BCR is going to be used need to approve the usage for it to be legal.
Binding corporate rules are defined in Art. 4 (20) GDPR as: “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.”