§ GDPR · Article 47
GDPR Article 47: Obligations, Deadlines & Penalties
At a glance
Article 47 of the GDPR imposes 17 obligations on controller, supervisory authority.
§ Obligations
All obligations under Article 47
Obligation 1
The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided they meet specific criteria.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
supervisory authority
- Action required
-
approve
- Deadline
-
—
- Penalty
-
—
Obligation 2
Binding corporate rules must be legally binding and apply to and be enforced by every member concerned of the group of undertakings or enterprises engaged in a joint economic activity, including their employees.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
enforce
- Deadline
-
—
- Penalty
-
—
Obligation 3
Binding corporate rules must expressly confer enforceable rights on data subjects with regard to the processing of their personal data.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
confer
- Deadline
-
—
- Penalty
-
—
Obligation 4
Binding corporate rules must specify the structure and contact details of the group of undertakings or enterprises and of each of its members.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
specify
- Deadline
-
—
- Penalty
-
—
Obligation 5
Binding corporate rules must specify the data transfers or set of transfers, including categories of personal data, type of processing, purposes, data subjects affected, and identification of third countries.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
specify
- Deadline
-
—
- Penalty
-
—
Obligation 6
Binding corporate rules must specify their legally binding nature, both internally and externally.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
specify
- Deadline
-
—
- Penalty
-
—
Obligation 7
Binding corporate rules must specify the application of general data protection principles, including purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis, special categories, security measures, and onward transfer requirements.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
specify
- Deadline
-
—
- Penalty
-
—
Obligation 8
Binding corporate rules must specify the rights of data subjects regarding processing and the means to exercise those rights, including rights against automated decision-making, lodging complaints, and obtaining redress or compensation.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
specify
- Deadline
-
—
- Penalty
-
—
Obligation 9
The controller or processor established in the Union must accept liability for any breaches of the binding corporate rules by any member concerned not established in the Union, unless it proves that member is not responsible for the event giving rise to the damage.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
accept
- Deadline
-
—
- Penalty
-
—
- Exemptions
- if it proves that that member is not responsible for the event giving rise to the damage
Obligation 10
Binding corporate rules must specify how information on the rules, particularly provisions on principles, rights, and liability, is provided to data subjects in addition to Articles 13 and 14.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
provide
- Deadline
-
—
- Penalty
-
—
Obligation 11
Binding corporate rules must specify the tasks of any data protection officer or other person/entity in charge of monitoring compliance, training, and complaint-handling within the group.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
specify
- Deadline
-
—
- Penalty
-
—
Obligation 12
Binding corporate rules must specify the complaint procedures.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
specify
- Deadline
-
—
- Penalty
-
—
Obligation 13
Binding corporate rules must specify mechanisms for ensuring verification of compliance, including data protection audits and methods for corrective actions, with results communicated to the monitoring entity and board and available to the supervisory authority.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
verify
- Deadline
-
—
- Penalty
-
—
Obligation 14
Binding corporate rules must specify mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
report
- Deadline
-
—
- Penalty
-
—
Obligation 15
Binding corporate rules must specify the cooperation mechanism with the supervisory authority to ensure compliance, including making available the results of verifications of measures.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
cooperate
- Deadline
-
—
- Penalty
-
—
Obligation 16
Binding corporate rules must specify mechanisms for reporting to the competent supervisory authority any legal requirements in a third country likely to have a substantial adverse effect on the guarantees provided by the rules.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
report
- Deadline
-
—
- Penalty
-
—
Obligation 17
Binding corporate rules must specify the appropriate data protection training to personnel having permanent or regular access to personal data.
Regulation (EU) 2016/679, Article 47, Article 47
- Obligated entity
-
controller
- Action required
-
train
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 47
Who must comply with Article 47 of the GDPR?
+
controller, supervisory authority.
What does Article 47 of the GDPR require?
+
approve enforce confer