The transfer of personal data abroad depends on obtaining the explicit consent of the relevant person in accordance with Article 9 of the Personal Data Protection Law No. 6698 (“Law”). However, as an exception in paragraph 2 of the same provision, in the absence of adequate protection in the foreign country to which the personal data will be transferred, personal data can be transferred abroad without the explicit consent of the person concerned, provided that the data controllers in Turkey and in the foreign country concerned guarantee adequate protection in writing and the Personal Data Protection Board (“Board”) grants permission.
In this context, the Board determined “Commitments” as one of the methods by which the related parties may undertake adequate protection in writing. In addition, with the Announcement published by the Personal Data Protection Authority (“Authority”) on 10.04.2020, “Binding Corporate Rules” were determined as a further method to be used in international data transfers between multinational group companies.
2. Definition of Binding Corporate Rules (BCR)
Binding Corporate Rules are data protection rules used for the transfer of personal data abroad by multinational group companies operating in countries where there is no adequate protection, and that guarantee adequate protection in writing as per the relevant Announcement of the Authority. Companies within this scope are required to apply to the Authority for Binding Corporate Rules by filling out the relevant form and following the necessary instructions.
3. Procedures and Principles Regarding the Application
3.1. Authority to Make an Application
If the Group Company has headquarters located in Turkey, the headquarters is authorized to make the application. If there is no headquarters located in Turkey, one of the Group Members located in Turkey must be authorized for the protection of personal data.
3.2. Documents to be Submitted in the Application
– Application Form
– Binding Corporate Rules
– Other information and documentation that is related to the application
The applicant prepares the application documents and submits them to the Authority at the application stage. If necessary, the Authority may request additional information and documents.
3.3. Application Method
Applications are submitted to the Authority by hand or by mail.
3.4. Conclusion of Application
Applications are concluded by the Authority within one (1) year from the official application date. If necessary, this period can be extended by six (6) months. If the application is approved by the Authority, the applicant is notified by the Authority and the approval is announced if necessary.
4. Fundamental Elements in Binding Corporate Rules
In order to ensure binding effect, a legal contract or other legal transaction valid under Turkish law should be drawn up between the data controller and the data processors to be included in the Binding Corporate Rules, and it should be ensured that this is signed by all data processors. Obligations imposed by the Binding Corporate Rules on data controllers also apply to the entities within the group companies to which data is transferred as data processors, in a way that does not contradict the service contract.
4.1. Binding Nature
4.1.1. Obligation to comply with Binding Corporate Rules:
Binding Corporate Rules should be legally binding and should impose a clear obligation to comply with the Binding Corporate Rules on all group members, including their employees.
4.1.2. Explanation on how the rules legally bind Binding Corporate Rules members and employees within the group:
Group companies must explain the binding nature of the rules in the application form:
– The binding nature of the BCR must be ensured by one or more legally valid and provable methods for each member of the group.
– One or more methods such as employment agreements, collective employment agreements, confidentiality agreements, ethical rules, company policies, workplace internal regulations, etc. can be used in order to ensure binding effect on employees.
4.1.3. Rights of the person concerned and legal claims (including the possibility of filing a complaint before the KVKK and Courts):
The BCR should include at least the right to request the application of the following:
– General principles (Art. 4)
– Clarification (informing) of the relevant person (Art. 10)
– Right to request the deletion and destruction of personal data (Art. 7)
– Right to object to the occurrence of a result against the person himself by analysis of the processed data exclusively through automated systems (Art. 11/1/g)
– Whether there is national legislation that prevents compliance with the Binding Corporate Rules in the country to which the data is transferred and, if there is, a clear statement of it
– The right to apply to the data controller (Art. 13)
– The obligation to coordinate with the Authority, specifying all legal obligations to which a member is subject in a foreign country and that may have significant negative effects on the guarantees provided to the person concerned in the BCR
– Authorization determination provisions (Art. 14)
Relevant persons should be given the opportunity to use all kinds of legal remedies, including the right to request compensation for damage under clause (ğ) of Article 11 of the Law.
4.1.4. Acceptance of the obligation to compensate and remedy violations arising from BCR by the headquarters in Turkey / the member resident in Turkey authorized for the protection of personal data / the data controller processing data on behalf of the group companies:
If a member outside Turkey violates the BCR, jurisdiction in this regard lies with the courts and authorities of Turkey. The person concerned has the right to assert claims and demand compensation against the BCR member that has accepted responsibility, as if such violation had taken place in Turkey. In case that the responsibility cannot be undertaken by a particular entity in terms of a group of companies with a corporate structure, all the violations by a BCR member outside Turkey that receives data from a BCR member established in Turkey.
4.1.5. The presence of sufficient assets of the company:
The application form must contain a commitment that all BCR members which accept responsibility for the actions of other members outside Turkey have sufficient assets to compensate the losses caused by a BCR breach.
4.1.6. Burden of proof not being on individual but on the company:
The BCR should clearly provide that, where the person concerned claims that damages were caused by a member located abroad, the BCR member that has accepted responsibility bears the burden of proof.
4.1.7. Ensuring easy access and transparency to the BCR for relevant persons:
Binding Corporate Rules should include the right of each person concerned to easily access these rules.
4.2. Effective Application
4.2.1. Existence of appropriate training and awareness programmes:
BCR should include a training program suitable for personnel who have continuous or regular access to personal data, are involved in data collection, or are working in the development of tools used to process personal data. The training program should be clearly stated in the application.
4.2.2. Availability of the complaint mechanism:
Requests of the relevant persons submitted through the complaint mechanism are concluded within thirty days at the latest, depending on the nature of the request. The application form should explain how the relevant persons will be informed about the stages of the complaint procedure.
4.2.3. Existence of a compliance audit:
The BCR should include explanations on subjects such as the regular audits carried out to ensure compliance with the promised rules and who will conduct these audits. In addition, the BCR should specify how the relevant units and employees of the Group members are notified of the audit results. The BCR should provide that the Authority may access the audit results upon request and may audit any BCR member when necessary. The application form should contain explanations regarding the compliance audit system.
4.2.4. Presence of Personnel in Charge of the Implementation of BCR:
There must be an appropriate personnel structure assigned to ensure compliance and its follow-up for the whole Group. Issues such as the formation of this personnel structure and its duties and responsibilities should be explained in the BCR. These staff inform and advise senior management, deal with the reviews of the competent supervisory authority, monitor compliance and report annually at group level.
4.3. Coordination with the Authority
Binding Corporate Rules should include a clear obligation that all members are audited by the Authority if necessary, and that they agree to comply with the recommendations of the Authority on any issue related to these rules.
4.4. Processing and Transfer of Personal Data
4.4.1. Explanation about the content of BCR:
BCR should include a general description of the scope of the Rules and the transfers in order to ensure that the operations carried out in third countries are evaluated by the Authority. BCR must include the nature of the personal data subject to the transfer, the purposes and periods of the transfer, the data’s subject group or groups, the method of data transfer, the legal reason/ reasons for the data transfer, the distribution of the data to be transferred within the group and subsequent transfers.
4.4.2. Explanation about the scope of BCR in terms of location:
The structure and contact information of the group, including each of the group members, should be clearly stated in the BCR.
4.4.3. Structures affiliated with the BCR:
A defined contact person of the group has the obligation to keep a fully updated list of companies / assets affiliated with BCR and to inform the Authority and relevant persons in case of changes in the list.
4.5. Reporting and Record Change Mechanisms
The BCR can be changed / updated, but there must be an obligation to notify all BCR members and the Authority of the changes without delay. However, there is no need to report the changes again provided that the following conditions are met:
– A specific person or team / unit keeps a complete and up-to-date list of BCR members and records of updates to the rules, and provides necessary information to the relevant persons and to the Authority upon request.
– No personal data is transferred to a new Group member until it is fully bound by and compliant with the BCR.
– Any changes in BCR or BCR members are reported to the Authority once a year, with a brief explanation of the reasons justifying the update.
– Changes that significantly affect the protection level offered by BCR or BCR itself (such as changes affecting the binding quality) are immediately notified to the Authority.
4.6. Data Security
4.6.1. Explanation of data protection principles covering transfer from Turkey or subsequent transfers:
BCR should clearly include the following points to be monitored by the company:
– Compliance with the law and the rules of honesty (Law Art. 4/2/a)
– Being accurate and, where necessary, up to date (Law Art. 4/2/b)
– Processing for specific, explicit and legitimate purposes (Law Art. 4/2/c)
– Being relevant, limited and proportionate to the purpose for which they are processed (Law Art. 4/2/ç)
– Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed (Law Art. 4/2/d)
– Processing of special category personal data
– Security (administrative and technical measures will be taken)
– Transfers to data processors and controllers outside the group and subsequent transfers.
In addition, these technical and administrative measures must include the obligation to notify, without delay, the relevant persons whose rights and freedoms could be affected by the breach, the relevant data security unit, and the company’s headquarters in Turkey or the BCR member authorized for the protection of personal data in Turkey. All personal data breaches should be documented and the relevant documents should be submitted to the Authority if requested.
4.6.2. Transparency in cases where national legislation prevents the group from complying with BCR:
If the legislation that a BCR member is obliged to abide by contains provisions that prevent the member from fulfilling its duties arising from the BCR or that affect the execution of the rules in the BCR, the Group’s headquarters in Turkey or the Group member authorized for the protection of personal data in Turkey must be notified immediately.
In addition, the Authority should be notified if the legal requirements to which a BCR member is subject in a third country have a significant negative effect on the guarantees provided by the BCR. This includes requests for disclosure of personal data by a public authority, a body authorized by law or an institution responsible for national security. In such a case, the Authority must be clearly informed about the request. For situations such as suspension and / or prohibition of notification, the BCR should contain a provision that the BCR member will make and demonstrate its best efforts to obtain a waiver of this prohibition as soon as possible and to provide as much information as possible. If, in the above cases, the BCR member whose information is requested is not in a position to inform the Authority despite all its efforts, it must undertake to provide a general notification to the Authority annually about the requests received. In any case, the BCR must state that the transfer of personal data by a BCR member to any public authority cannot be done in a broad, disproportionate and indiscriminate manner beyond what is necessary in a democratic society.
4.6.3. Explanation of the relationship between national legislation and BCR:
Although not mandatory, it will be useful to identify the relationship between BCR and the relevant national legislation.
4.7. Accountability and Other Tools
Each data controller is obliged and responsible to comply with the BCR. In order to ensure compliance, BCR members are required to keep a written record of data processing activities in all categories, including in electronic form, and to submit it to the Authority upon request. A risk analysis should be conducted to increase compliance and, when necessary, for data processing activities that are likely to pose high risks to the rights and freedoms of natural persons. If the risk analysis reveals that the data processing will pose a high risk and the data controller has not taken the necessary measures to mitigate it, the Authority should be consulted before the data processing activity begins.
4.8. Helpful Information and Documents
Although it is not mandatory to provide information on the following issues, it will be useful for the evaluation of the application: an indication, by reference to the relevant parts, of the international conventions containing provisions on the protection of personal data to which the countries of destination are parties; and, for the country to which the personal data will be transferred, the national legislation on the protection of personal data, the existence of a competent personal data protection authority and, if any, the relevant legislation and its implementation.
5. Binding corporate rules procedure in terms of GDPR
The supervisory authority is the main body in national law that ensures compliance with EU data protection legislation; its powers and organizational structure are set out in the GDPR. In order to fulfil these duties, the supervisory authority must have the task of approving binding corporate rules, together with the powers specified in Article 58 of the GDPR. Under EU law, the transfer of personal data to a third country or an international organization is permitted only if the data controller or data processor provides appropriate safeguards and enforceable data subject rights, and only if data subjects have access to effective legal remedies. The list of acceptable ‘appropriate protection’ in EU data protection law is exhaustive. Binding corporate rules are one of the means of establishing such appropriate protection.
5.1. Transfers subject to binding corporate rules
EU law also allows personal data transfers based on binding corporate rules for international transfers within a group of undertakings or a group of enterprises engaged in a joint economic activity. Before binding corporate rules are relied upon as a means of transferring personal data, the competent supervisory authority must approve them under the consistency mechanism. To be approved, binding corporate rules must be legally binding, contain the basic data protection principles and apply to all members of the group concerned.
They should clearly set out the enforceable rights of data subjects and include all basic data protection principles, and they must comply with certain formal requirements such as stating the structure of the enterprise, describing the transfers and stating how the data protection principles will be applied. This includes providing such information to data subjects. Binding corporate rules should state, among other things, the rights of data subjects and the provisions applicable to violations of the rules.
When binding corporate rules are approved, the consistency mechanism applies to cooperation between supervisory authorities. Within the framework of the consistency mechanism, the competent supervisory authority reviews the proposed binding corporate rules, draws up a draft decision and sends it to the EDPB. The EDPB issues an opinion on the matter, and the competent supervisory authority may then formally approve the binding corporate rules, “taking utmost account of the opinion of the Board”.
Finally, under Council of Europe law, ad hoc or standardised safeguards embedded in legally binding instruments include binding corporate rules.
6. The binding corporate rules procedure in terms of the letter of undertaking
In accordance with the relevant article of the Personal Data Protection Law, where adequate protection is absent in the foreign country, personal data can be transferred abroad without the explicit consent of the person concerned, provided that the data controllers in Turkey and in the foreign country concerned undertake in writing to provide adequate protection and the Board grants permission. Although these commitments generally facilitate bilateral data transfers between companies, they are insufficient in practice for data transfers between multinational companies. Binding Corporate Rules are data protection policies used for the transfer of personal data abroad by multinational group companies operating in countries where there is no adequate protection, and that ensure adequate protection in writing.
Companies within this scope must apply to the Personal Data Protection Authority (the Authority) for Binding Corporate Rules by filling in the Binding Corporate Rules application form and following the necessary instructions. Finally, in accordance with the relevant article of the Law, where adequate protection is absent in the country to which the personal data will be transferred, the written commitments prepared by the data controllers in Turkey and in the relevant foreign country to provide adequate protection are subject to the permission of the Board.