24 April 2020
On April 10, 2020, the Personal Data Protection Authority (“Authority”) published an announcement (“Announcement”) on its website regarding the implementation of “Binding Corporate Rules” that will be applicable when transferring personal data to a foreign country where sufficient protection of personal data is not available.
1- Transfer of Personal Data Abroad
The transfer of personal data abroad is regulated under Law No. 6698 on the Protection of Personal Data (“Law”) and is subject to strict conditions under Article 9 of the Law.
Personal data cannot be transferred abroad without the explicit consent of the data subject, as per Article 9(1). On the other hand, pursuant to Article 9(2), personal data may be transferred abroad without explicit consent of the data subject provided that one of the conditions for processing of personal data set forth under Article 5(2) of the Law or for processing of sensitive personal data envisaged under Article 6(3) exists, and that;
2- Transferring Data where Sufficient Protection is not provided
The Board has previously stipulated that a written letter of undertaking, in which the parties commit to an adequate level of protection, must be submitted to the Board in order to transfer personal data without the consent of the data subject to a data controller or a data processor in a country where sufficient protection is not provided. The minimum criteria for the elements that must be included in these undertakings have also been previously announced. Therefore, upon the approval of the letter of undertaking by the Board, the transfer of data abroad to a country where no sufficient protection is provided becomes possible. However, since the list of countries with sufficient protection has not yet been published by the Board, these conditions have become applicable for all data transfers abroad.
While letters of undertaking would be useful for bilateral transfers, this method is insufficient for data transfers between multinational group companies, and letters of undertaking could not fully meet the needs arising from practical implementation in this respect. For this very reason, the Board has determined the “Binding Corporate Rules” (Bağlayıcı Şirket Kuralları) as another method that can be used when transferring personal data abroad.
3- Binding Corporate Rules and their Consequences
The General Data Protection Regulation (“GDPR”) sets out the minimum requirements regarding data transfers among multinational companies under Article 47 and names these rules binding corporate rules (BCR). In this regard, the forms and charts prepared and the definitions set forth by the Authority are similar to those of the GDPR.
Binding Corporate Rules are defined by the Authority as the data protection rules used in the transfer of personal data for the multinational group companies operating in countries where adequate protection is not provided and that enable the undertaking of sufficient protection in writing.
The general characteristics of the Binding Corporate Rules are as follows:
The companies included in the abovementioned scope should fill out the relevant form in the Announcement and submit the Binding Corporate Rules application by hand or through postal service. If there is a group headquarters in Turkey, that headquarters shall submit the application on behalf of the group; if there is not, the Authorized Group Member shall do so.
The following documents shall be submitted when making the application: (i) Application Form, (ii) Binding Corporate Rules Document, and (iii) Any other information and documents considered to be related to the application. In addition, the Authority may request further information and documents if it deems necessary.
The Authority has determined various titles for the content that should be included both in the application form and the Binding Corporate Rules Document, and the Auxiliary Document Regarding the Main Points to be Included in Binding Corporate Rules for Data Controllers, which is annexed to the Announcement, provides detailed information for each title.
The Authority will conclude the applications within 1 year following the date of the application; however, if necessary, this period may be extended for 6 months. In case the application is approved, the Authority will notify the related person and where necessary will make an announcement on the approval.
Multinational companies, given their structures and operations, operate in different countries and perform data transfers within their systems accordingly. However, since the list of countries that provide adequate protection has not yet been published by the Authority, problems remain in carrying out data transfers, and the signing of data transfer undertakings cannot fill the gap in practice. With Binding Corporate Rules, a method that better addresses the current situation has been introduced for the data transfers of multinational companies within their own organizations.
Accordingly, when multinational companies wish to transfer data without explicit consent to a country where no sufficient protection is provided, such companies may do so upon the approval of the Authority after submitting a Binding Corporate Rules application.
If you have any questions regarding our note above, please do not hesitate to contact us.
Ece Güner Toprak
Burçak Kurt Biçer