Binding Corporate Rules
As it is known, the principles of transfer of personal data abroad are regulated in Article 9 of KVKK. According to this regulation, in transfers to countries that are not counted among adequate countries, with a commitment to be signed between the person to whom the transfer will be made and the person who will make the transfer, permission must be obtained from the Board. However, adequate countries have not yet been announced by the Authority and it is likely that it will take time to identify safe countries, as we see from the "Criteria to be Based on Determining Countries with Sufficient Protection" published by the Authority. Since the adequate countries have not yet been announced, although people go for permission from the Board, there are also some difficulties in this process. Considering these difficulties, the Authority announced the Binding Corporate Rules institution and announced the method to facilitate data transfer for multinational group of companies. In this method announced, the process of obtaining permission from the Board will be carried out, as well. However, it should be noted that although a different alternative has been presented by the Authority, the question marks in transferring abroad have still not been eliminated, since the adequate countries have not been announced yet. Besides, as we will explain below, the announcement that the application of the Binding Corporate Rules will be finalized by the Authority in 1 year and this period will likely to be extended for 6-month periods shows that this process will not be short, as well.
What is "Binding Corporate Rules"?
It is the data protection policies that multinational companies determine the rules for transferring personal data to the companies that they are affiliated to, where they operate, have common economic activities or have a common decision mechanism, and that all companies in the group must comply with. Binding Corporate Rules are approved by data protection authority in the country, where the company is to make the data transfer. This institution was originally designed to provide a legal basis for international data transfers in Europe; however, it is obvious that if these rules are fully implemented, since they include the principles regarding data processing, companies will perform data processing management as required.
Binding Corporate Rules According to European Data Protection Regulation ("GDPR")
In order understand the binding corporate rules in the data protection legislation in Turkey (KVKK), first, it will be useful to handle the regulation of "Binding Corporate Rules" in European data protection law (GDPR). Binding Corporate Rules are regulated under Article 47 of the GDPR and the minimum conditions that must be included in the Binding Corporate Rules text have been set out with this article. According to GDPR, the points that should be included in the text are briefly as follows:
- Structure and contact information of each group company
- Information on processed personal data (data category, type of processing, legal basis and purposes, data subject group of people, details about data transfer, retention periods, data protection measures)
- Evaluation of rules regarding personal data transfers in terms of binding of group companies
- The rights of data subjects and the method of exercising these rights in cases where there is a right to take legal action against a controller (data controller) and the data processor
- A data controller or data processor who is a resident of the European Union will take responsibility upon the violation by a group company not within the Union,
- In addition to the information to be provided to the data subject regarding the acquisition of personal data, how the Binding Corporate Rules will be provided to those concerned.
- The duties of the persons and institutions responsible for the supervision of compliance with the Binding Corporate Rules of the data protection officer (DPO) or the group of companies in question, the training given in this context and the handling of complaints submitted,
- Complaint procedures,
- Mechanisms that ensure the continuation of the compliance of the group of companies with the Binding Corporate Rules,
- Mechanisms for reporting changes in Binding Corporate Rules to the supervisory authority (data protection authority in the relevant country).
Binding Corporate Rules According To Turkish Data Protection Legislation
On 10.04.2020, the way of creating Binding Corporate Rules has been announced by the Authority that the way of creating Binding Corporate Rules and Binding Corporate Rules Application Form for Data Controllers and Auxiliary Document Regarding the Main Points to be Included in Binding Corporate Rules for Data Controllers have been published. Details on the application form and the auxiliary document are as follows:
- In the application form, primarily the principles and procedures regarding the application are included. Accordingly;
- The authorization for application, if the member company is located in Turkey, the application will be made by the headquarters of the member company, if it is not located in Turkey, it will be made by the member company resident in Turkey. In this case, the member company located in Turkey, should be authorized by the headquarters.
- The application form, the text of the binding corporate rules and all other information and documents related to the application must be submitted to the Authority during the application. As can be seen from here, the binding corporate rules text and the application form are different documents.
- The application must be delivered to the Authority by regular mail or in person.
- The application is finalized by the Authority within 1 year and this period can be extended for 6-month periods if necessary.
- When the application is approved, the Authority notifies the applicant and announces it when necessary. In our opinion, the announcement system will be useful for those concerned, as it will show the points examples that should be included in the binding corporate rules text with examples.
- Required agreements, company policies and procedures, undertakings, and directives regarding the Binding Corporate Rules should be included.
- The results of violating the Binding Corporate Rules should be stated by those concerned above.
- It must be declared that the data subjects can open cases in the Turkish courts regarding their rights listed in Article 11 of the Law, including compensation for damage. It should be declared that for the cases to be filed in other countries, the assistance required by the case such as translation, attorney will be provided.
- Guarantees regarding the damage resulting from violation of the Binding Corporate Rules should be declared; if the member is located in Turkey, it should be covered by the headquarters of the group company, if not, then it should be covered by the member group company resident in Turkey.
- Detailed information on awareness activities to be carried out for employees should be included.
- It should be stated whether there is a complaint mechanism in the group company for the violation of the Binding Corporate Rules.
- It should be stated which mechanisms have been established to check the compliance of each group member to the Binding Corporate Rules. As can be seen from here, it should be supervised whether the companies in the group comply with the Binding Corporate Rules and whether they continue to comply.
- A clear and understandable language should be used when filling out the application form.
- If any of the group members do not comply with the Law or commitment, the Authority will be informed immediately. In this case, the Authority has the right to suspend data transfer or terminate the Binding Corporate Rules.
- In case of a data breach in any of the group members (in terms of data processed under BCR), the Authority and the data subjects should be informed immediately. The Board may declare this situation in a method it deems appropriate. The latest 72 hours rule in the Board Decision No. 2019/10 should be understood under the statement "immediately" here. In addition, the Authority currently publishes the breaches on its website.
- Personal data that are permitted to be transferred under the Binding Corporate Rules cannot be transferred to individuals other than group members. In cases where the transfer is required, the undertaking-permission process regulated in Article 9 of the Law should be applied.
- In case one of the group members dismisses from the group, it should transfer the records of the data processes to the company resident in Turkey and destroy the data including backups.
- If the legislation of the country in which the relevant group company is located does not allow this, data transfer activity should be limited by taking the necessary administrative and technical measures.
In the auxiliary document published in addition to the announcement of the Authority, the points to be included in the application form and the Binding Corporate Rules text are shown comparatively. In the light of the information included in the application form and the auxiliary document, minimum points to be included in the Binding Corporate Rules are as follows:
- General principles (KVKK - Article 4)
- The structure and contact information of each group member and the obligation to comply with the Binding Corporate Rules
- Rights of the data subject (KVKK - Article 11)
- The point that the group member resident in Turkey will compensate for damages arising from non-compliance with the Binding Corporate Rules. (In cases where it is not possible that all responsibility shall be taken by one single company due to the structure of the company, it can also be stated that each member shall be individually -conjointly- responsible.)
- The point that the burden of proof regarding the damage claimed by the data subject is on the company undertaking the responsibility,
- Whether there is a legislation in the country where the data is transferred to prevent the implementation of the Binding Corporate Rules
- That legal obligations one of the group members is subject to in a third country and whether these legal obligations adversely affect compliance with the Binding Corporate Rules.
- How to establish the coordination with the Authority and a commitment that all group members will follow the recommendations of the Authority
- Application procedure to the data controller (Article 13)
- Technical and administrative measures regarding the protection of personal data
- Duties and responsibilities of those who supervise compliance with Binding Corporate Rules for all group members and information about the structuring on this subject.
Should you require any additional information in regards, please contact your customer representative.