Use Of Binding Corporate Rules For Transfer Of Personal Data Abroad As Per The Law On Protection Of Personal Data No. 6698
According to the Law on Protection of Personal Data No. 6698 (“Law”), the explicit consent of the person must be obtained in order to transfer his/her personal data abroad; however, in the exceptional cases stated in articles 5 and 6 of the Law, where personal data can be processed without the explicit consent of the person, the data can be transferred abroad without explicit consent under the conditions stated below:
a. The country to which data will be transferred should be one of the countries that are determined by the Board of Protection of Personal Data (“Board”) to provide sufficient protection for the data or,
b. If the country to which data will be transferred is not one of the countries announced by the Board to provide sufficient protection for the data, the data controllers settled in Turkey and in the relevant foreign country should undertake in writing to provide sufficient protection, and the Board should grant permission for the transfer.
Since the Board has not yet announced the countries that provide sufficient protection for data (and such an announcement is not expected in the near future), data currently cannot be transferred abroad without the person’s consent on the basis of paragraph (a) above. Accordingly, personal data can currently be transferred abroad only by using one of the methods below:
(i) Obtaining the person’s explicit consent, or
(ii) Permission granted by the Board following an application made by way of a written undertaking of the data controllers (or data processors) in Turkey and in the relevant foreign country, if one of the exceptional cases stated in articles 5 and 6 of the Law is present.
In order to apply to the Board for permission using the method stated in paragraph (ii) above, an undertaking stating that sufficient protection will be provided for the data subject to transfer should be signed by and between the data controller in Turkey and the data controller or data processor in the foreign country to which the data will be transferred, and such undertaking should be submitted to the Board. The Board has previously announced a template for such undertaking on its official website.
On 10.04.2020, the Board announced that the method of Binding Corporate Rules (“BCR”) can be used for applying to the Board for permission, in addition to the undertaking method for which a template was previously announced. In this regard, the Board has provided an alternative method that can be used for applying to the Board for data transfers between group companies that have members settled in different countries.
B. Which Parties May Benefit From BCR?
As per the announcement made by the Board on its official website on 10.04.2020, BCR is an undertaking for data protection that can be used by international groups of companies operating in countries that do not provide sufficient protection. Since there is currently no distinction between countries that provide and countries that do not provide sufficient protection, it is understood that international companies can benefit from BCR in general.
It is important to determine what exactly the term “group” used in the announcement covers. In the Supporting Document Regarding Basic Points to Be Included in Binding Corporate Rules for Data Controllers, group is defined as companies and enterprises operating under a collection of companies, and all data controllers engaged in a mutual economic activity or having a mutual decision-making authority with regard to the data processing activity. In this regard, where a data controller that is a legal person settled in Turkey is part of a collection of international companies or, even if it is not part of such a collection, is engaged in a mutual economic activity with a legal person settled abroad or has a mutual decision-making authority with a legal person settled abroad, such data controller settled in Turkey may use BCR in order to obtain the Board’s permission for the transfer of data to the relevant persons settled abroad.
Note that not only the data controllers but also the internal data processors within the group can be included in the scope of BCR. Where data processors are included in the scope of BCR, in order to ensure the bindingness of BCR, a legal transaction that is valid under Turkish law (e.g. a service agreement) should be executed by and between the data controller and the internal data processor to be included in the scope of BCR. In its announcement, the Board advises that such service agreement should state whether a general permission given in the agreement is sufficient for the transfer of data by such data processor to other data processors and, if not, the requirement to obtain a separate permission for each sub-processor to which data will be transferred.
C. What Should Be Included In the BCR and Application Form Regarding BCR?
The points that should be included in BCR and in the Application Form Regarding BCR For Data Controllers (“Application Form”), which needs to be filled out separately for submission of BCR to the Board, are explained in detail in the Supporting Document Regarding Main Points to Be Included in Binding Corporate Rules, a link to which is provided in the Board’s announcement. These points are summarized below.
* Obligation to comply with BCR: It should be stated that all the group members (including their employees) are obliged to comply with BCR.
* Explanation of bindingness of BCR: The methods used for ensuring the bindingness of BCR for all group members should be explained with legally valid and provable methods (e.g. we believe that an undertaking signed by all group members can be used). In addition, methods such as privacy policies, employment contracts and corporate policies can be used with regard to the bindingness of BCR for employees.
* Rights of the relevant person: BCR should include, at minimum, the relevant person’s right to request the application of the following:
o General principles of the Law (article 4),
o Informing the relevant person (article 10),
o Right to request for deletion, destruction of personal data (article 7),
o Right to object to occurrence of a result against the relevant person by way of analysis of processed data exclusively with automatic systems (article 11/1/g),
o Whether or not there is any national legislation preventing compliance with BCR in the country to which data is transferred and if such legislation exists, explicit indication thereof,
o Right to apply to data controller (article 13),
o Obligation to coordinate with the Authority of Protection of Personal Data (“Authority”),
o Indication of all legal liabilities of any group member subject to foreign law that may have a negative impact on the guarantees provided to the relevant person by BCR,
o Provisions regarding determination of the competent authority (the authorized body with respect to BCR is the Authority, and BCR should include the right to lodge a complaint with the Board, which is the authorized body of the Authority on this subject, and the right to apply to the court) (article 14).
* Acceptance of payment of compensation arising from BCR and remedy of violations by the registered center of the group settled in Turkey, by a group member settled in Turkey which is authorized for protection of personal data, or by the data controller transferring personal data: If the registered office or center of the group is not in Turkey, a liability should be stipulated under BCR stating that a group member settled in Turkey that is authorized for protection of personal data shall take the necessary actions to correct the actions of other group members settled abroad that are bound by BCR, and shall compensate pecuniary and non-pecuniary damages arising from violations of BCR.
We believe that the purpose of this requirement is to ensure that there is a person or body that can be held liable for violations that may occur with regard to the data of persons settled in Turkey, considering the risk that no sanction can be imposed by the Board on a violating party settled abroad.
* Burden of proof should not be imposed upon the individual but upon the company: In order to determine whether or not the damages alleged by the relevant person arise from the group company settled abroad, it should be explicitly stated that the group member undertaking responsibility (we believe that what is meant here is the group member settled in Turkey) accepts the burden of proof. If the group member undertaking responsibility can prove that the group member settled abroad has no liability with regard to the event causing the damage, the group member undertaking responsibility can also be released from liability.
* Ensuring easy access to BCR by the relevant persons and transparency: Data subjects should be extensively informed with regard to their rights regarding the processing of their personal data, especially the rights stipulated in article 11 of the Law and the information to be provided under the data controller’s obligation to inform data subjects stipulated in article 10 of the Law, the exercise of such rights, liability and general principles. BCR should ensure that each person has easy access to such information. For example, the parts of BCR that are related to such persons can be published on the internet.
* Presence of suitable training and awareness programs: BCR should include a training schedule suitable for personnel who have continuous or regular access to personal data, are engaged in the collection of data, or work on the development of devices used for processing personal data.
During the application process, the Board may request examples and explanations regarding the training schedule. Therefore, the training schedule should be explicitly stated in the Application Form to which BCR will be attached.
* Presence of a complaint mechanism: An internal complaint management process should be established to ensure that any relevant person can exercise his/her rights and make an application regarding any member of BCR.
Requests of the relevant persons under the complaint mechanism shall be finalized within the shortest time possible depending on the nature of the request and, in any case, within thirty days at most. In the Application Form to which BCR will be attached, the method of informing the relevant persons regarding the stages of the complaint process should be explained.
* Presence of compliance audits: BCR should include explanations on subjects such as regularly performing audits, or having third parties perform them, in order to ensure compliance with the rules undertaken, and who shall perform such audits. In addition, BCR should entitle the Board to access audit results upon request and to audit any member of BCR in cases deemed necessary. Explanations regarding the audit system should also be present in the Application Form to which BCR will be attached.
* Presence of an authorized personnel structure for implementation of BCR: With regard to the whole group, a suitable personnel structure should be in place to ensure compliance with BCR and its follow-up. The person or department that will follow up on compliance should be supported by senior management.
* Duty to cooperate with the Authority: BCR should contain an explicit obligation stating that all group members can be inspected by the Board when necessary and that the group members accept to comply with the advice of the Board with regard to any subject relating to such rules.
* Explanation of the content of BCR: BCR should cover subjects such as the nature of the personal data subject to transfer (general/sensitive personal data), categories of personal data (identity, contact information, location, personnel information, etc.), purposes and periods of transfer, the group or groups of data subjects (employees, interns, visitors, persons obtaining products or services, etc.), the method of data transfer, the legal cause(s) of the data transfer, the breakdown of the data to be transferred within the group (indicating the name and contact information of the relevant group members) and subsequent transfers.
* Explanation of the geographical scope of BCR: The structure of the group and the contact information of each member of the group should be explicitly indicated in BCR.
* Reporting, recording and notification of changes regarding BCR to the Board: BCR can be changed or updated; however, an obligation to notify all members of BCR and the Board of such changes without undue delay should be stipulated.
* Explanation regarding data protection principles in a manner covering transfer from Turkey or subsequent transfers: BCR should include the following: (i) being compliant with the law and good faith principles, (ii) being accurate and up to date when necessary, (iii) processing data for definite, explicit and legitimate purposes, (iv) the data being relevant, limited and proportionate with the purpose of processing, (v) storage of data for the period stipulated under the relevant legislation or the period necessary for purpose of processing, (vi) processing of special personal data, (vii) administrative and technical measures and (viii) limitations on transfers and subsequent transfers to data processors and data controllers that are not part of the group. With respect to data transfers to data processors within the scope of personal data processing activities within the group, it should be ensured that such data controllers act in compliance with the technical and administrative measures stipulated under BCR.
* Transparency in cases where national legislation prevents the group from complying with BCR: If the legislation that a group member must comply with contains provisions preventing that group member from performing its obligations under BCR or seriously affecting the implementation of the rules stipulated in BCR, the registered office of the group settled in Turkey or, if the group’s registered office is not in Turkey, the group member settled in Turkey which is authorized for protection of personal data should be informed immediately.
* Accountability and other tools: In order to ensure compliance, all group members should keep written records of data processing activities in all categories, including by electronic means, and submit such records to the Board upon request.
D. Application Method
After drafting a BCR containing at minimum the points stated above, legally binding documents (such as an undertaking or contract) indicating that all group members and internal data controllers are obliged to comply with BCR should be signed, the Application Form should be filled out in accordance with the Board’s announcement, other documents relating to BCR should be attached to the Application Form, and the application should be made in writing to the Board. There is no time limitation regarding the application. On the other hand, considering that the Board takes a very long time to respond to applications made by the undertaking method, and that no time period is stated for responding to applications made by BCR either, the finalization of an application made by this method may also take a long time.
BCR is an alternative specifically introduced for enterprises consisting of international companies with respect to obtaining the Board’s permission for the transfer of data by such enterprises under article 9 of the Law. Since BCR has been announced as an alternative by the Board, a data controller that is part of such an enterprise may still choose to apply to the Board for permission by way of an undertaking signed by such data controller and the data controller/data processor abroad, instead of BCR. However, applying by BCR may be a more practical method for data controllers settled in Turkey that transfer data not to only one data controller/data processor abroad but to several data controllers/data processors within the same group, because if such data controllers choose to proceed with the undertaking method, they would be obliged to sign a separate undertaking with each data controller/data processor to which data will be transferred.
On the other hand, although BCR is a more practical application method for certain groups, since the transfer of data abroad is still subject to the Board’s permission, it is currently not possible to say that a regulation accelerating the process has been introduced.