Turkey: Turkish Data Protection Authority Issues Announcement On Binding Corporate Rules

Recent Development

On April 10, 2020, the Personal Data Protection Authority ("DPA") issued an announcement regarding the "Binding Corporate Rules" for personal data transfers between multinational group companies. The relevant group companies must fill out the DPA's application form, follow the relevant instructions and apply to the DPA for the approval of their Binding Corporate Rules. The DPA's announcement is available online here (in Turkish).

What's New?

According to the Law on Protection of Personal Data, data controllers may transfer personal data, without obtaining the data subjects' explicit consent, to countries that do not provide an adequate level of data protection by executing an undertaking letter with the recipient entities and obtaining the Personal Data Protection Board's approval.

The DPA stated that the foregoing procedure regarding undertaking letters is insufficient in practice for data transfers between multinational group companies. Accordingly, the DPA introduced an alternative procedure, the "Binding Corporate Rules", modeled after the EU's BCR model. The Binding Corporate Rules are defined as data protection rules used in cross-border transfers that ensure that multinational group companies operating in unsafe countries undertake an adequate level of data protection. Group companies may fill out the application form on the DPA's website, follow the relevant instructions, and apply to the DPA for the approval of their Binding Corporate Rules. If the DPA approves the Binding Corporate Rules, the applicant company will not have to obtain explicit consents from data subjects or submit an undertaking letter to the DPA for transfers between their group companies.

The application form contains questions on how the Binding Corporate Rules become binding on the Group members; mechanisms ensuring the efficacy of the Binding Corporate Rules; coordination with the DPA; details on the transfer and processing of personal data; mechanisms for reporting and recording changes; data protection safeguards; accountability; questions about the supporting documentation; and the general provisions of the Binding Corporate Rules.

Conclusion

To address the needs of the sector, the DPA introduced the Binding Corporate Rules for personal data transfers to unsafe countries as an alternative to obtaining data subjects' explicit consents or the DPA's approval by executing undertaking letters with the recipient entities. The DPA aims to facilitate data transfers within multinational group companies by introducing the Binding Corporate Rules. Accordingly, the relevant group companies may fill out the application form on the DPA's website and submit their Binding Corporate Rules for the DPA's approval.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.