§ GDPR · Article 47

GDPR Article 47: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 47 · All obligations · GDPR
At a glance
Article 47 of the GDPR imposes 17 obligations on controller, supervisory authority.
§ Obligations

All obligations under Article 47

Obligation 1
The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided they meet specific criteria. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
supervisory authority
Action required
approve
Deadline
Penalty
Obligation 2
Binding corporate rules must be legally binding and apply to and be enforced by every member concerned of the group of undertakings or enterprises engaged in a joint economic activity, including their employees. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
enforce
Deadline
Penalty
Obligation 3
Binding corporate rules must expressly confer enforceable rights on data subjects with regard to the processing of their personal data. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
confer
Deadline
Penalty
Obligation 4
Binding corporate rules must specify the structure and contact details of the group of undertakings or enterprises and of each of its members. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
specify
Deadline
Penalty
Obligation 5
Binding corporate rules must specify the data transfers or set of transfers, including categories of personal data, type of processing, purposes, data subjects affected, and identification of third countries. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
specify
Deadline
Penalty
Obligation 6
Binding corporate rules must specify their legally binding nature, both internally and externally. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
specify
Deadline
Penalty
Obligation 7
Binding corporate rules must specify the application of general data protection principles, including purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis, special categories, security measures, and onward transfer requirements. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
specify
Deadline
Penalty
Obligation 8
Binding corporate rules must specify the rights of data subjects regarding processing and the means to exercise those rights, including rights against automated decision-making, lodging complaints, and obtaining redress or compensation. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
specify
Deadline
Penalty
Obligation 9
The controller or processor established in the Union must accept liability for any breaches of the binding corporate rules by any member concerned not established in the Union, unless it proves that member is not responsible for the event giving rise to the damage. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
accept
Deadline
Penalty
Exemptions
if it proves that that member is not responsible for the event giving rise to the damage
Obligation 10
Binding corporate rules must specify how information on the rules, particularly provisions on principles, rights, and liability, is provided to data subjects in addition to Articles 13 and 14. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
provide
Deadline
Penalty
Obligation 11
Binding corporate rules must specify the tasks of any data protection officer or other person/entity in charge of monitoring compliance, training, and complaint-handling within the group. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
specify
Deadline
Penalty
Obligation 12
Binding corporate rules must specify the complaint procedures. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
specify
Deadline
Penalty
Obligation 13
Binding corporate rules must specify mechanisms for ensuring verification of compliance, including data protection audits and methods for corrective actions, with results communicated to the monitoring entity and board and available to the supervisory authority. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
verify
Deadline
Penalty
Obligation 14
Binding corporate rules must specify mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
report
Deadline
Penalty
Obligation 15
Binding corporate rules must specify the cooperation mechanism with the supervisory authority to ensure compliance, including making available the results of verifications of measures. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
cooperate
Deadline
Penalty
Obligation 16
Binding corporate rules must specify mechanisms for reporting to the competent supervisory authority any legal requirements in a third country likely to have a substantial adverse effect on the guarantees provided by the rules. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
report
Deadline
Penalty
Obligation 17
Binding corporate rules must specify the appropriate data protection training to personnel having permanent or regular access to personal data. Regulation (EU) 2016/679, Article 47, Article 47
Obligated entity
controller
Action required
train
Deadline
Penalty
§ Frequently asked

Questions about Article 47

Who must comply with Article 47 of the GDPR? +
controller, supervisory authority.
What does Article 47 of the GDPR require? +
approve enforce confer
Need a cross-border briefing on GDPR Article 47?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles