Cross border transfer of personal data has been a significant issue for multinational corporations in their efforts to comply with Turkish data protection rules.
The main reason for the difficulty was that transfer of personal data abroad could either be conducted with the explicit consent of the data subject or under the exceptions within the scope of the Law on the Protection of Personal Data ("Data Protection Act"). Within the scope of the exceptions, it is worth mentioning that the list of foreign countries providing sufficient protection has not been announced yet and the commitment mechanism is far from being practicable. Therefore, the Personal Data Protection Board ("Board") has introduced binding corporate rules ("BCR"), to be used as another exception for the cross-border data transfers made between multinational group companies.
BCR, as widely used within the scope of the GDPR, are data protection rules which enable the transfer of personal data abroad by multinational group corporations operating in countries with inadequate protection, and provide for the commitment of adequate protection in writing.
According to the public announcement made by the Board, multinational corporations are required to fill out the BCR form and follow the instructions required to make an application to the Data Protection Authority ("Authority").
Before examining BCR applications in detail, let us recall several problems relating to cross border transfers of personal data.
Cross border transfer of personal data in Turkey
Pursuant to Article 9 of the Data Protection Act, personal data can be transferred abroad,
- if explicit consent of the data subject is provided,
- if the foreign country to which personal data will be transferred has an adequate level of protection,
- in case there is not an adequate level of protection, if the data controllers in Turkey and abroad commit, in writing, to provide an adequate level of protection and the Board grants a permission.
However, since the list of countries with an adequate level of protection has not been announced by the Board, many multinational companies face several difficulties, especially the ones operating through centralized databases located outside of Turkish borders. For instance, although data controllers should avoid obtaining the consent of their employees, they had to seek such consents due to the use of centralized IT systems of their multinational parent organizations.
For this reason, the private sector has been wondering for the last two years whether binding corporate rules will be applied in Turkey as well.
The Board made the awaited announcement on April 10, 2020 and introduced the BCR for the cross border transfers of personal data between multinational group companies.
So now, the question is how this process will work. We have tried to answer a number of the primary questions likely to be raised.
What are binding corporate rules?
According to the rules and procedures published by the Board, BCR are personal data protection rules used in the transfer of personal data for the multinational group corporations operating in countries where adequate protection is not provided and that enable the commitment of adequate protection in writing.
The main chapters that have to be included in Binding Corporate Rules are as follows:
- Legally binding nature
- Effective application
- Coordination with the Board
- Processes of processing and transfer of personal data
- Reporting and mechanisms for recording changes
- Data security
- Other necessary information and documents
Therefore, it is fair to say that BCR include detailed information regarding the effective implementation of the data protection rules. In this respect, they can also be regarded as a global privacy framework with regard to the international transfers of personal data to those group members located in third countries which do not provide an adequate level of protection under Article 9 of the Data Protection Act.
On the other hand, it is worth mentioning that BCR cannot be used as a legal basis for processing personal data. In other words, companies must first ensure that the processing activity is lawful under the Data Protection Act. In addition, cross border transfer of personal data by relying on BCR must be conducted within a group of enterprises engaged in a joint economic activity. Therefore, any data transfer to third parties will be out of the scope of the BCR.
Finally, it is crucial to consider that the implementation requires an elaborate examination of intra-group data flows in order to verify whether the necessary administrative and technical measures are already taken by the other group members.
Who will make the application?
According to the rules and procedures of the Board, if the group has its headquarters established in Turkey, that enterprise will be authorized to make the application. In case the group does not have its headquarters established in Turkey, a member of the Group that is established in Turkey has to be authorized for data protection matters including conducting applications to the Authority.
What are the required documents for the application?
Certainly, the primary required document to be delivered to the Board is the application form along with the text of the "binding corporate rules". It should be highlighted that the application form includes detailed information regarding many aspects of the data processing activities of the group companies.
How long will it take to process the application?
Applications can be made to the Board via e-mail or by hand. The review process will be concluded within one year from the date of the formal application. If need be, the review period can be extended for six-month periods.
Once the application is approved, it will be published by the Authority.
It is an undeniable fact that, for multinational companies, the use of personal data is closely tied to the sharing of information across borders. Therefore, companies require a flexible and cost-effective solution for their cross border operations. As the current cross border data sharing rules are far from being practical in Turkey, BCR have long been awaited by the private sector in Turkey.
As a final note, although it can be burdensome in some respects, BCR should be regarded as a good opportunity to elaborate on the implementation processes of data protection matters and to ensure full compliance with the data protection obligations stemming from the GDPR and national legislation.