24 April 2020

On April 10, 2020, the Personal Data Protection Authority (“Authority”) has published an announcement (“Announcement”) on its website regarding the implementation of “Binding Corporate Rules” that will be applicable while transferring personal data to a foreign country where sufficient protection of the personal data is not available.

1-  Transfer of Personal Data Abroad

The transfer of personal data abroad is regulated under the Law No. 6698 on the Protection of Personal Data (“Law”) and it is subject to strict conditions according to Article 9 of the Law.

Personal data cannot be transferred abroad without the explicit consent of the data subject, as per Article 9(1). On the other hand, pursuant to Article 9(2), personal data may be transferred abroad without explicit consent of the data subject provided that one of the conditions for processing of personal data set forth under Article 5(2) of the Law or for processing of sensitive personal data envisaged under Article 6(3) exists, and that;

  1. sufficient protection of the personal data is provided in the foreign country where data are to be transferred, or
  2. in case sufficient protection is not provided, the controllers in Turkey and in the foreign country shall guarantee adequate protection of personal data in writing and the Personal Data Protection Board (“Board”) shall authorize such transfer.

2-  Transferring Data where Sufficient Protection is not provided

The Board has previously stipulated that a written letter of undertaking, in which the parties commit the adequate level of protection, must be submitted to the Board in order to transfer the personal data without the consent of the data subject to a data controller or a data processor in a country where sufficient protection is not provided. Also, the minimum criteria for the elements that must be included in these undertakings have also been previously announced. Therefore, upon the approval of the letter of undertaking by the Board, the transfer of data abroad where no sufficient protection is provided becomes possible. However, since the list of countries with sufficient protection has not yet been published by the Board, these conditions have become applicable for all data transfers abroad.

While the letters of undertaking would be useful for the bilateral transfers, this method is insufficient for the data transfers to be made between the multinational group companies and the letters of undertaking could not fully meet the needs arising from the practical implementation in this respect. For this very reason, the Board has determined the “Binding Corporate Rules” (Bağlayıcı Şirket Kuralları) as another method that can be used while transferring personal data abroad.

3-  Binding Corporate Rules and its Consequences

The General Data Protection Regulation (“GDPR”) indicates the minimum requirements regarding the data transfers among the multinational companies under Article 47 and named the rules as binding corporate rules (BCR). In this regard, the forms and charts prepared and the definitions set forth by the Authority show similarity with the GDPR.

Binding Corporate Rules are defined by the Authority as the data protection rules used in the transfer of personal data for the multinational group companies operating in countries where adequate protection is not provided and that enable the undertaking of sufficient protection in writing.

The general characteristics of the Binding Corporate Rules are as follows:

  • Binding Corporate Rules are only related to the data transfers within the group and between group members as a whole, as such, the personal data permitted to be transferred under these rules cannot be transferred to the ones other than the group members.
  • Binding Corporate Rules shall be legally binding and it must contain a clear duty for all the group members including the employees to comply with these rules.
  • The group processes the personal data transferred under the Binding Corporate Rules in accordance with the Law and the Binding Corporate Rules; in case, for any reason, the Law and the undertaking cannot be complied with, the Authority shall immediately be informed about this non-compliance. In such case, the Authority has the right to suspend the data transfer and terminate the Binding Corporate Rules.
  • In case the personal data processed under the Binding Corporate Rules are obtained by others in illegal ways, this situation must be notified to the group’s headquarter if it is in Turkey or if it is not in Turkey to a group member in Turkey which is authorized for the protection of personal data matters (“Authorized Group Member”), and they inform the data subject and the Board as soon as possible. The Board may announce this situation if necessary.
  • In cases where any of the group members are disconnected from the group or the Binding Corporate Rules are terminated for any reason, the personal data with its back-ups subject to the transfer shall be sent to the group’s headquarter or the Authorized Group Member or shall be destroyed along with the back-ups.
  • The group and the group members shall not disclose the personal data they process to anyone in violation of the provisions of the Law and shall not use such data for purposes other than purpose of processing.

4-  Application

The companies included in the abovementioned scope should fill out the relevant form in the Announcement and submit the Binding Corporate Rules application by hand or through postal service. If there exists a group headquarter in Turkey, this headquarter; if there is not, the Authorized Group Member shall submit the application on behalf of the group.

Following documents shall be submitted while making the application: (i) Application Form, (ii) Binding Corporate Rules Document, and (iii) Any other information and documents considered to be related to the application. Besides, the Authority may request further information and documents, if it deemsnecessary.

The Authority has determined various titles for the content that should be included both in the application form and the Binding Corporate Rules2Document and the Auxiliary Document Regarding the Main Points to be Included in Binding Corporate Rules for Data Controllers, which is annexed tothe Announcement, provides detailed information for each title.

The Authority will conclude the applications within 1 year following the date of the application; however, if necessary, this period may be extended for 6 months. In case the application is approved, the Authority will notify the related person and where necessary will make an announcement on the approval.

5-  Conclusion

Considering the structures and operations of multinational companies in the world, such companies operate in different countries and perform data transfers within their systems accordingly. However, since the list of countries that provide adequate protection has not been published by the Authority yet, there still exist problems in respect of the realization of data transfers and the signing of the data transfer undertakings cannot fill the gap in practice. Together with Binding Corporate Rules, a method to better satisfy the current situation has been implemented for the data transfers of multinational companies within their own organizations.

Accordingly, when multinational companies wish to transfer data without explicit consent to a country where no sufficient protection is provided, such companies may act so upon the approval of the Authority after submitting Binding Corporate Rules application.

If you have any questions regarding our note above, please do not hesitate to contact us.


Ece Güner
Managing Partner

Burçak Kurt Biçer