Turkey: Binding Corporate Rules

What is "Binding Corporate Rules"?

It is the data protection policies that multinational companies determine the rules for transferring personal data to the companies that they are affiliated to, where they operate, have common economic activities or have a common decision mechanism, and that all companies in the group must comply with. Binding Corporate Rules are approved by data protection authority in the country, where the company is to make the data transfer. This institution was originally designed to provide a legal basis for international data transfers in Europe; however, it is obvious that if these rules are fully implemented, since they include the principles regarding data processing, companies will perform data processing management as required.

Binding Corporate Rules According to European Data Protection Regulation ("GDPR")

In order understand the binding corporate rules in the data protection legislation in Turkey (KVKK), first, it will be useful to handle the regulation of "Binding Corporate Rules" in European data protection law (GDPR). Binding Corporate Rules are regulated under Article 47 of the GDPR and the minimum conditions that must be included in the Binding Corporate Rules text have been set out with this article. According to GDPR, the points that should be included in the text are briefly as follows:

• Structure and contact information of each group company
• Information on processed personal data (data category, type of processing, legal basis and purposes, data subject group of people, details about data transfer, retention periods, data protection measures)
• Evaluation of rules regarding personal data transfers in terms of binding of group companies
• The rights of data subjects and the method of exercising these rights in cases where there is a right to take legal action against a controller (data controller) and the data processor
• A data controller or data processor who is a resident of the European Union will take responsibility upon the violation by a group company not within the Union,
• In addition to the information to be provided to the data subject regarding the acquisition of personal data, how the Binding Corporate Rules will be provided to those concerned.
• The duties of the persons and institutions responsible for the supervision of compliance with the Binding Corporate Rules of the data protection officer (DPO) or the group of companies in question, the training given in this context and the handling of complaints submitted,
• Complaint procedures,
• Mechanisms that ensure the continuation of the compliance of the group of companies with the Binding Corporate Rules,
• Mechanisms for reporting changes in Binding Corporate Rules to the supervisory authority (data protection authority in the relevant country).

Binding Corporate Rules According To Turkish Data Protection Legislation

On 10.04.2020, the way of creating Binding Corporate Rules has been announced by the Authority that the way of creating Binding Corporate Rules and Binding Corporate Rules Application Form for Data Controllers and Auxiliary Document Regarding the Main Points to be Included in Binding Corporate Rules for Data Controllers have been published. Details on the application form and the auxiliary document are as follows:

1. In the application form, primarily the principles and procedures regarding the application are included. Accordingly;
2. • The authorization for application, if the member company is located in Turkey, the application will be made by the headquarters of the member company, if it is not located in Turkey, it will be made by the member company resident in Turkey. In this case, the member company located in Turkey, should be authorized by the headquarters.
   • The application form, the text of the binding corporate rules and all other information and documents related to the application must be submitted to the Authority during the application. As can be seen from here, the binding corporate rules text and the application form are different documents.
   • The application must be delivered to the Authority by regular mail or in person.
   • The application is finalized by the Authority within 1 year and this period can be extended for 6-month periods if necessary.
   • When the application is approved, the Authority notifies the applicant and announces it when necessary. In our opinion, the announcement system will be useful for those concerned, as it will show the points examples that should be included in the binding corporate rules text with examples.
3. In the application form, the information about the group of companies applying and the applicant (authorized group member or company headquarters), which countries the data transfer will take place, and which group companies the Binding Corporate Rules will cover will be specified.
4. In another section on the application form, there are questions on how to apply the Binding Corporate Rules in terms of the rights of the companies, employees, data processors and data subjects whose personal data are processed. These questions are intended to determine whether there is a binding element between the parties. According to this;
5. • Required agreements, company policies and procedures, undertakings, and directives regarding the Binding Corporate Rules should be included.
   • The results of violating the Binding Corporate Rules should be stated by those concerned above.
   • It must be declared that the data subjects can open cases in the Turkish courts regarding their rights listed in Article 11 of the Law, including compensation for damage. It should be declared that for the cases to be filed in other countries, the assistance required by the case such as translation, attorney will be provided.
   • Guarantees regarding the damage resulting from violation of the Binding Corporate Rules should be declared; if the member is located in Turkey, it should be covered by the headquarters of the group company, if not, then it should be covered by the member group company resident in Turkey.
6. Regarding the violation of the Binding Corporate Rules, the burden of proof depending on the group member resident in Turkey, in case of any violation or claim, process to be carried out should be determined with the Binding Corporate Rules text.In another section of the application form, there are questions regarding which methods to follow for the effective implementation of the Binding Corporate Rules. According to this;
7. • Detailed information on awareness activities to be carried out for employees should be included.
   • It should be stated whether there is a complaint mechanism in the group company for the violation of the Binding Corporate Rules.
   • It should be stated which mechanisms have been established to check the compliance of each group member to the Binding Corporate Rules. As can be seen from here, it should be supervised whether the companies in the group comply with the Binding Corporate Rules and whether they continue to comply.
8. It should also be explained in the application form that how the way of communication with the Authority will be performed.
9. Details regarding the transfer, which is also included in the undertaking, should be included in the "Processing and Transfer of Personal Data" section of the application form.
10. Also, in the application form, it is necessary to explain how the changes in the group companies that will affect the Binding Corporate Rules will be applied to other group companies and reporting mechanisms to the Authority.
11. The application form should include the administrative and technical measures taken to ensure data security and other details.
12. In the application form, it should be stated how the group members will comply with the Binding Corporate Rules within the scope of accountability and how they will keep a record of the data processing activity. Accordingly, it is necessary to prepare the personal data processing inventory, the principles of which is specified by the By-Law On Data Controllers Registry.
13. In addition to the above, general regulatory provisions are included in the application form under the title of General Provisions. According to this;
14. • A clear and understandable language should be used when filling out the application form.
    • If any of the group members do not comply with the Law or commitment, the Authority will be informed immediately. In this case, the Authority has the right to suspend data transfer or terminate the Binding Corporate Rules.
    • In case of a data breach in any of the group members (in terms of data processed under BCR), the Authority and the data subjects should be informed immediately. The Board may declare this situation in a method it deems appropriate. The latest 72 hours rule in the Board Decision No. 2019/10 should be understood under the statement "immediately" here. In addition, the Authority currently publishes the breaches on its website.
    • Personal data that are permitted to be transferred under the Binding Corporate Rules cannot be transferred to individuals other than group members. In cases where the transfer is required, the undertaking-permission process regulated in Article 9 of the Law should be applied.
    • In case one of the group members dismisses from the group, it should transfer the records of the data processes to the company resident in Turkey and destroy the data including backups.
    • If the legislation of the country in which the relevant group company is located does not allow this, data transfer activity should be limited by taking the necessary administrative and technical measures.
15. Although it is not included under the General Provisions title in the application form, it is stated in the form that company employees should read the Binding Corporate Rules and should be able to access this text at any time.
16. In addition, disclosure should be made to the data subjects transparently in accordance with Article 10 of the Law and access to information in this context should be facilitated for data subjects. For example, the sections of the Binding Corporate Rules related to the data subjects can be published on the company's website or can be presented with the disclosure text provided to the data subject.

In the auxiliary document published in addition to the announcement of the Authority, the points to be included in the application form and the Binding Corporate Rules text are shown comparatively. In the light of the information included in the application form and the auxiliary document, minimum points to be included in the Binding Corporate Rules are as follows:

• General principles (KVKK - Article 4)
• The structure and contact information of each group member and the obligation to comply with the Binding Corporate Rules
• Rights of the data subject (KVKK - Article 11)
• The point that the group member resident in Turkey will compensate for damages arising from non-compliance with the Binding Corporate Rules. (In cases where it is not possible that all responsibility shall be taken by one single company due to the structure of the company, it can also be stated that each member shall be individually -conjointly- responsible.)
• The point that the burden of proof regarding the damage claimed by the data subject is on the company undertaking the responsibility,
• Whether there is a legislation in the country where the data is transferred to prevent the implementation of the Binding Corporate Rules
• That legal obligations one of the group members is subject to in a third country and whether these legal obligations adversely affect compliance with the Binding Corporate Rules.
• How to establish the coordination with the Authority and a commitment that all group members will follow the recommendations of the Authority
• Application procedure to the data controller (Article 13)
• Technical and administrative measures regarding the protection of personal data
• Duties and responsibilities of those who supervise compliance with Binding Corporate Rules for all group members and information about the structuring on this subject.

Should you require any additional information in regards, please contact your customer representative.