On 10 April 2020, the Personal Data Protection Authority ('KVKK') announced its long-discussed Binding Corporate Rules ('BCRs'), which allow intra-group data transfers among multinational companies. Burcu Tuzcu Ersin, LL.M. and Burcu Güray, from Moroglu Arseven, discuss the introduction of BCRs in Turkey, and how these will help facilitate cross-border data transfers.

Due to the difficulties in implementing the cross-border data transfer rules set out under the Law on Protection of Personal Data No. 6698 ('the Law'), the KVKK was expected to issue a new set of rules for intra-group cross-border data transfers, in parallel with the BCR approach accepted under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Considering the market needs, the KVKK introduced an alternative cross-border data transfer method specific to group companies, which is modelled after the EU's BCR approach.

Current cross-border data transfer regime under the Law

As per Article 9 of the Law, cross-border data transfers shall be based upon the following legal grounds:

  • the data subject giving his/her explicit consent; or
  • the cross-border transfer being based on one of the legal bases stipulated under the Law:
    • the receiving country must be accepted as safe, with an adequate level of data protection, by the Personal Data Protection Board ('the Board'); or
    • if the level of data security is not adequate, then the data controller in Turkey and the data receiver abroad must execute a written undertaking letter (of which the minimum content is already determined by the Board) and seek the approval of the Board for the data transfer.

The list of the countries with an adequate level of protection has yet to be published by the Board, which means that, at the time of publication, all countries are unsafe in terms of data transfers. The lack of this list causes operational and legal problems for multinational companies, which necessarily transfer personal data for organisational, infrastructural, and reporting purposes.

The KVKK stated in its announcement that, although the undertaking letter procedure makes bilateral data transfers easier, it may be inadequate for data transfers between multinational group companies. The undertaking letter process is, indeed, insufficient for intra-group cross-border data transfers, given the complexity of the group structure. Besides, in practice, there are drawbacks to the use of undertakings, due to uncertainty in how they are implemented for data transfers within the same corporate group.

Considering the practical needs and corporate group structure, the KVKK has announced the BCRs as an alternative method to overcome the inadequacy in the current implementation of cross-border data transfer rules within the same corporate group.

What are BCRs?

BCRs are defined as data protection rules applicable to cross-border transfers that allow multinational group companies, operating in countries with an inadequate level of protection, to undertake an adequate level of data protection for intra-group data transfers.

In the GDPR, BCRs are designed to allow multinational companies to transfer personal data from the European Economic Area ('EEA') to group companies located outside of the EEA in line with the applicable data protection legislation. In parallel with the EU approach, the BCRs introduced by the KVKK would allow multinational companies to transfer personal data from Turkey to a member of the same corporate group located in a country with an inadequate level of data protection. The BCRs themselves would be considered a commitment of adequate data protection for intra-group cross-border data transfers in such circumstances.

BCRs must include all general data protection principles and adequate safeguards for protecting personal data in the corporate group. The KVKK issued a statement ('the Statement') on the necessary content of the BCRs, as well as a standard application form on its official websites [1].

Application and approval process

Multinational group companies intending to base their intra-group cross-border data transfers on BCRs need to prepare their BCRs in line with the Statement, fill out the application form published by the KVKK, and apply to the KVKK for approval of their BCRs by submitting all documentation related to the application.

Data controllers who are located in Turkey within the same corporate group are authorised to make the application before the KVKK. If the corporate group does not have a group member located in Turkey, one of the group members must be authorised to submit the application. The application can be made by hand or via postal service to the KVKK. The documents to be submitted for the application are the application form, the Binding Company Rules text, and all other information and documents related to the BCRs application. If necessary, the KVKK is entitled to request additional information from the applicant.

Applications will be concluded by the KVKK within one year of the official application date. If necessary, the KVKK can extend this period for six months.

If the application is approved by the Board, the KVKK will notify the relevant parties and make an announcement, if necessary. The Board has particularly noted that the BCRs are not approved for an indefinite period. If necessary, the implementation of BCRs can be suspended or terminated by the Board.

Required content

To shed light on the implementation of BCRs, the KVKK issued the Statement detailing the essential points and content required to be included in BCRs. The elements and principles that are to be found in the BCRs are determined in line with EU practices. Accordingly, the main matters that need to be included in the BCRs can be summarised as follows:

  • binding nature of BCRs: BCRs need to be binding and contain obligations for each participating member of the corporate group. The corporate group needs to demonstrate how the BCRs are made binding on the group members, as well as their employees. Service agreements need to be executed between the data controllers and data processors included in the BCRs. BCRs need to expressly confer rights on data subjects to enforce the rules as third-party beneficiaries and include undertakings of group members to that end. Group members should accept Turkey's jurisdiction over the BCRs. Further information on the liability and financial capacity of the group also needs to be expressed within the BCRs. BCRs must be transparent and easily accessible by the data subjects;
  • effectiveness: BCRs must include the following practices:
    • proper training and awareness-raising work in the group;
    • an internal complaint mechanism in the group;
    • regular compliance audits; and
    • appropriate staff for monitoring compliance with the BCRs;
  • coordination with the Board: BCRs should contain a clear duty for all group members to co-operate with the KVKK and to comply with the advice of the KVKK on BCRs. Audit rights of the KVKK should also be included in the BCRs;
  • processing and transfer of personal data: BCRs must contain descriptions of the material scope of the BCRs (nature of transferred data, type of data subjects, data categories, transfer methods, legal basis of transfer, and data transfer flows among group members), so that the KVKK can examine the compliance of the processing in third countries. The group structure and contact details of the group members also need to be expressly stated in the BCRs. A contact person would be obliged to keep an updated list of the group members participating in the BCRs;
  • mechanisms for reporting and recording changes: BCRs can be modified but they should include a duty to report modifications without delay to all group members and to the KVKK;
  • data protection safeguards: BCRs should include a description of the data protection principles on data transfers from Turkey, including onward transfers in line with the Law. BCRs should regulate participant group members' obligations where local legislation applicable to a group member prevents the company from fulfilling its obligations under the BCRs;
  • accountability and other tools: each data controller in the group shall be responsible for, and be able to demonstrate, compliance with the BCRs. In this context, BCR members need to apply appropriate technical and organisational measures, such as maintaining proper records of processing activities in line with the KVKK's instructions and, to that end, conduct risk analysis when necessary; and
  • auxiliary information and documents: applicants can insert certain non-mandatory auxiliary information in the BCRs to ease the application process, such as a reference to the relevant sections of the international conventions signed by transferee countries related to the protection of personal data, or the local legislation on the protection of personal data and the presence of an authorized personal data protection authority in the transferee countries.

Conclusion

The introduction of the BCRs by the KVKK is an important step for multinational companies operating in Turkey as, at the time of publication, no countries are accepted as having an adequate level of data protection, and the available legal solutions for cross-border data transfers (explicit consent, the execution of an undertaking letter, and the approval of the Board) do not meet the needs of multinational companies. In the present state of affairs, and in the absence of a list from the KVKK identifying the countries which have data protection adequacy, BCRs are the major alternative legal basis for multinational group companies which require the ability to conduct cross-border data transfers and practices.

Group companies therefore need to examine their operational needs and cross-border data flows carefully and, depending on their specific circumstances, choose the most appropriate mechanism from the cross-border data transfer alternatives.

Footnote

1. Available at: https://www.kvkk.gov.tr/Icerik/6730/PUBLIC-ANNOUNCEMENT-ON-BINDING-CORPORATE-RULES

Originally published May 7, 2020.