Turkey's data protection authority announces Binding Corporate Rules


On 10 April 2020, the Turkish Authority for the Protection of Personal Data published on its website a notice on Binding Corporate Rules (BCR), which are data protection regulations to ensure the secure transfer of personal data between multinational group companies that may be located in jurisdictions lacking adequate personal-data protection.

The Turkish Personal Data Protection Law allows the transfer of personal data to foreign jurisdictions in the following cases (even without the consent of the data subject):

  • The transfer is based on one of the reasons specified in the law (e.g. legitimate interest, legal obligations, etc.) and is made to a jurisdiction where there is sufficient protection for personal data;
  • The jurisdiction in question does not have adequate protection, but the entities responsible for the data processing in Turkey and in the relevant foreign jurisdiction undertake to provide adequate personal-data protection by concluding model agreements issued by the Authority and by obtaining the Authority's approval for the transfer.

To date, the Authority has not published the list of secure jurisdictions referred to in the first paragraph above. Hence, it is not possible to invoke this principle when transferring data abroad.

In the absence of a consent-based transfer, the only possibility for data controllers in Turkey and data controllers or processors abroad is to base the transfer on the second paragraph above. In this case, the model agreements issued by the Authority would have to be implemented, and the sending and receiving entities would undertake to ensure the protection of the personal data to obtain the Authority's consent for such a transfer.

In general, these model clauses represent the minimum standards that data controllers must follow to transfer and process data, such as the implementation of specific technical and administrative measures, notification requirements in case of data breaches or termination of data transfers.

These model clauses are designed for use between two entities and not between group companies and may not be an efficient means of transferring personal data between numerous companies.

In order to facilitate the transfer of personal data between group companies, the Authority now allows group companies to issue BCRs as a basis for the transfer of personal data as opposed to relying on previously issued model clauses. These BCRs are subject to the Authority's approval, which can be applied for by completing the appropriate form. This application should contain, among other things, the following:

  • details of the applicant company, the jurisdictions where the Turkey-based companies are transferring the data, and contact details of the group companies subject to the BCRs in question;
  • the means of BCR enforcement and the sanctions that will result in case of non-compliance;
  • the mechanisms established to ensure effective implementation (e.g. training and awareness-raising studies, BCR-compliance studies, complaint mechanisms, appointment of personnel to implement the BCRs);
  • the mechanisms implemented for coordination with the Authority, reporting and record-keeping changes, data security, accountability and the details of the transmission and processing of personal data.

The Authority will process applications within one year from the date of application. If necessary, this period may be extended by another six months.

BCRs are considered a useful and efficient method for the transfer of personal data for a simple reason. Once implemented, it should not be necessary for a group company to conclude numerous bilateral agreements with foreign group companies on the basis of the model clauses the Authority previously issued.

For more information on whether BCRs may be useful for your organisation, contact your regular CMS advisor or local CMS experts: Dr. Döne Yalçın or Sinan Abra.