Binding corporate rules on procedures and methods to be pursued in cross-border personal data transfers within groups of undertakings (the "Binding Corporate Rules") within the scope of Personal Data Protection Law No. 6698 (the ''Law'') and relevant legislation in Turkey was published on 10 April 2020 by the Turkish Personal Data Protection Authority (the ''Authority'').
In this respect, considering the commercial operation and data processing procedures regarding the transfer of personal data abroad, a new mechanism has been introduced by the Authority to take into account the needs arising from transfers among intra-group undertakings.
BINDING CORPORATE RULES MECHANISM IN CROSS-BORDER PERSONAL DATA TRANSFER WITHIN GROUPS OF UNDERTAKINGS
Article 9 of the Law provides that in case there is no adequate protection in the foreign country where personal data will be transferred, personal data can be transferred without the explicit consent of the data subject provided that data controllers in Turkey and in the relevant foreign country undertake for adequate protection in a written form and obtain an authorisation from the Turkish Personal Data Protection Board (the ''Board'').
For personal data transfers from data controllers in Turkey to data controllers/processors in countries where there is no adequate protection, the use of "written engagements" had been previously introduced as one of the methods allowing the relevant parties to undertake adequate protection in a written form whose minimum mandatory content had been announced by the Board.
However, since these written engagements are inadequate in practice for data transfers within multinational groups of undertakings, a new mechanism (generally aligned with the GDPR) has been introduced in the announcement of the Authority dated 10 April 2020, which aims at facilitating international data transfers within multinational groups of undertakings operating in countries where there is no adequate protection, subject to the prior approval of the Board.
Multinational groups of undertakings operating in countries where there is no adequate protection are required to fill in the Binding Corporate Rules application form (the "Application Form") published on the Authority’s website, and to apply for the Binding Corporate Rules mechanism in order to transfer data abroad without need to obtain the explicit consent of the data subjects.
For groups whose headquarters are located in Turkey, such headquarters shall have the authority to file the application. Groups that do not have headquarters located in Turkey must apply through one of their Turkish group members, which will be acting as "authorized group member" for the protection of personal data, subject to appropriate empowerment by the headquarters.
The applicant shall prepare the following documents and submit them to the Authority either in person or by post:
- Application Form;
- Binding Corporate Rules document;
- Any other information and documents related to the application.
If necessary, the Authority may request other information and documents from the applicant and the applications shall be assessed by the Authority within 1 year from the official date of the application. The said period may be extended by the Authority for 6 months, if deemed necessary.
If the application is approved by the Board, this will be notified to the relevant person by the Authority and may be announced if deemed necessary.
The following main information shall be included in the Application Form to be submitted to the Authority by the data controller:
- General information on the applicant's group of undertakings and the data controller performing the application procedure;
- Names of the countries to which the data will be transferred from Turkey, and all group members to be covered by the Binding Corporate Rules with contact details;
- Explanations and declarations to ensure the legally binding effect of the Binding Corporate Rules on group companies, employees, data processors and data subjects;
- Explanations on training sessions and awareness studies for employees, intra-group complaint mechanisms, compliance control and the personnel responsible for implementing the Binding Corporate Rules in order to ensure effective implementation;
- Information for coordination and cooperation with the Authority;
- Detailed information on personal data processing within the group (categories of personal data and purposes, durations, method, etc.);
- Information on reporting and record change mechanisms;
- Information on ensuring data security;
- Explanations on accountability;
- Additional information and documents (international conventions and the legislation and application of the country where the data is transferred).
Binding Corporate Rules Document
The Binding Corporate Rules document for data controllers shall be applicable for personal data transfers from the data controller residing in Turkey to any non-Turkish undertakings belonging to its group acting either as data controller or data processor. The obligations set out in this document shall also apply to any transfer of data originating from Turkey performed by any data controller or data processor belonging to the same group of undertakings.
Furthermore, in order to ensure enforceability, an agreement or other legal process valid in accordance with Turkish Law must be executed between the data controller and data processor.
Although there is no published draft of the Binding Corporate Rules document, the Authority has published guidance on the main content expected in such document.
The Binding Corporate Rules mechanism adopted by the Board is not subject to any time limitation, but its implementation can nevertheless be suspended or terminated by the Board if deemed necessary.
* * *
In compliance with Turkish bar regulations, opinions relating to Turkish law matters that are included in this client alert have been issued by Özdirekcan Dündar Şenocak Avukatlık Ortaklığı, a Turkish law firm acting as correspondent firm of Gide Loyrette Nouel in Turkey.
This legal update is not intended to be and should not be construed as providing legal advice. The addressee is solely liable for any use of the information contained herein and the Law Firm shall not be held responsible for any damages, direct, indirect or otherwise, arising from the use of the information by the addressee.
>> Click here to read the legal updates of Gide's multidisciplinary taskforce set up to answer all your legal issues relating to Covid-19.