The Turkish Data Protection Authority ("DPA") published an announcement 1 on April 10, 2020 to introduce binding corporate rules for cross-border transfers of personal data between affiliates of multinational group companies.

Prior to the DPA's announcement of April 10, 2020, there was no provision under Turkish legislation or any guidance in Turkey recognizing the use of binding corporate rules for inter-company personal data transfers. The DPA does not provide any model or example for these rules, but only provides guidance on the minimum required content of the binding corporate rules to be submitted for the DPA's approval, along with the application form.

I. Cross-Border Personal Data Transfer Rules under the DPL

According to Article 9 of the Law No. 6698 on Protection of Personal Data ("DPL"), personal data cannot be transferred abroad without the explicit consent of the data subject. However, the DPL provides, in principle, certain exemptions to this rule.

Personal data can be transferred abroad, without obtaining explicit consent of the data subject, if:

(1) One of the following conditions exists:

i. it is explicitly regulated by laws; or

ii. processing is necessary to protect the vital interests or the bodily integrity of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or

iii. processing personal data of the parties of a contract is necessary, on condition that processing is directly related to the execution or performance of such contract; or

iv. processing is necessary for compliance with a legal obligation which the data controller is subject to; or

v. data has been made public by the data subject; or

vi. processing is necessary for the establishment, exercise or defense of a legal claim; or

vii. processing is necessary for the purposes of the legitimate interests of the data controller, provided that such interests do not violate the fundamental rights and freedoms of the data subject;

viii. for the transfer of special categories of personal data (sensitive), the processing should be explicitly regulated by laws (other than the ones related to health and sexual life). Personal data related to health and sexual life may be processed (including transfer) without explicit consent of the data subject only if the data is processed by authorized entities and institutions or by persons who are under the confidentiality obligation for the purposes of protection of public health, preventive medicine, medical diagnosis, planning, managing and financing of treatment and maintenance services.

(2) The country that the personal data will be transferred to has an adequate level of protection.

II. Undertaking Letter Procedure

If the level of data protection in such country is not deemed to be adequate, then the data controllers in Turkey and abroad can provide a written undertaking, warranting the delivery of an adequate level of protection, which can be approved by the Turkish Data Protection Board ("Board") per Article 9 of the DPL. The same provision also states that the Board will determine the countries in which there is an adequate level of data protection and announce them (i.e. publish a list of such countries).

Having said that, at this stage, it is not certain which countries will be deemed safe for data transfers, as the Board has not yet announced them 2. However, in accordance with the foregoing requirements, the Board published decision number 2019/125, dated May 2, 2019, which stipulates the criteria and methodology used for determining the countries with adequate levels of protection 3.

III. Binding Corporate Rules ("BCR")

In European Union practice, self-regulatory approaches such as implementing Binding Corporate Rules ("BCRs") allow multinational groups to transfer data from the European Economic Area to their affiliates outside the European Economic Area under a binding set of rules in compliance with European data protection laws. Once approved by the competent data protection authority, BCRs provide an adequate level of protection in data transfers. Until the DPA's announcement of April 10, 2020, Turkey did not have any regulation recognizing BCRs.

In its announcement, the DPA describes the undertaking letter procedure for data transfers outside of Turkey, and states that although undertaking letters make bilateral data transfers easier, they may be inadequate in terms of data transfers between multinational group companies. Therefore, the DPA determined BCRs as another means that could be used in international data transfers between group companies.

DPA defines BCRs as "data protection rules that enable written undertakings an adequate level of protection to be used by multinational group companies in data transfers abroad, where such companies operate in countries with inadequate level of protection." Accordingly, such companies should fill out the form available on the DPA's website, follow the necessary instructions and apply to the DPA for BCRs. Such submissions will also be subject to the DPA's permission. Therefore, similar to the current undertaking process regulated under Article 9 of the DPL, data transfers between group companies will be possible once the relevant BCR is approved by the DPA. BCRs are not bound by a validity period. If needed, the DPA may suspend or terminate the BCRs.

IV. BCR Application Procedure

The DPA issued (i) a BCR Application Form and (ii) a BCR Guidance on its official website. Currently, neither of them includes model BCR clauses. Each multinational group company that applies to the DPA for approval of a BCR will need to draft a BCR in accordance with the DPA's guidance and submit it for approval as an attachment to the BCR application form.

DPA defines group as "the companies or enterprises operating affiliated with a group company or data controllers who have a common economic activity or who have a common decision mechanism for data processing activities." Accordingly, per the information on the Application Form, the Turkish headquarters of the group company is authorized to make the application. If the group does not have a Turkish headquarters, a group member residing in Turkey must be appointed regarding data protection matters, which will also be entitled to make the application.

Accordingly, the application is made by submitting (i) the application form, (ii) the BCR document and (iii) any other information and documents that would be related to the application. Where necessary, the DPA may request additional information. The application is made either by hand delivery or through the postal service.

The DPA will conclude the application within one (1) year following the official application, and where necessary, extend this period for six (6) months. If approved, the DPA will notify the related persons and, if necessary, publish the approval.

The Application Form then requires detailed information regarding many aspects of data transfer activities. As an attachment to the application form, a copy of the BCR should be added along with all necessary information.

The BCR Guidance further provides explanations regarding the necessary information and obligations that must be within the BCR, by referring to each step of the Application Form.

Footnotes

1 https://kvkk.gov.tr/Icerik/6728/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-BAGLAYICI-SIRKET-KURALLARI-HAKKINDA-DUYURU

2 As of the publication date of this article.

3 Please see our article for further information on the criteria and methodology used for determining the countries with adequate level of protection at https://www.mondaq.com/turkey/data-protection/876686/the-turkish-dpa-announces-the-criteria-to-be-considered-for-the-determination-of-the-countries-with-adequate-levels-of-protection.
