Binding Corporate Rules as an Additional Mechanism to be Used For Overseas Transfers of Personal Data

The Turkish Data Protection Authority (“DPA”) announced on 10 April 2020 that it will accept Binding Corporate Rules (“BCRs”) as an additional mechanism to be used for overseas transfers of personal data. The DPA’s announcement (in Turkish) is available here.

1. What are Binding Corporate Rules?

BCRs are internal data privacy policies regulating intra-organizational data transfers within multinational groups of companies or international organizations. They are, in essence, a binding undertaking whereby data controllers undertake to adhere to strict internal data privacy rules when carrying out overseas transfer of personal data within group companies.

BCRs are more familiar to European data controllers, as they are one of several different mechanisms set out in the General Data Protection Regulation (“GDPR”) regulating international data transfers.

BCRs have to be submitted to the DPA for approval, by submission of an application form. In its announcement, the DPA also published a guide on what the BCRs should include at a minimum. It remains unclear how long it will take the DPA to review applications.

2. Current Regulations on Overseas Data Transfers

Under Article 9 of Law No: 6698 on the Protection of Personal Data (Kişisel Verilerin Korunması Kanunu – “KVKK”), overseas transfer of personal data is, as a rule, subject to the data subject giving their explicit consent to the transfer.

The KVKK only allowed overseas transfer of personal data without obtaining explicit consent if any one of the conditions under Articles 5 and 6 (relating to exceptions to the rule to obtain explicit consent before processing personal data) is met, and

(i) the recipient is located in a country included in the list of “safe countries” to be announced by the DPA, or

(ii) the transferor and transferee undertake in writing to ensure an adequate level of protection.

3. BCRs – What They Bring to the Table

Because the DPA is yet to announce its safe-countries list, option (i) mentioned above has been inapplicable since the KVKK came into force. With regard to option (ii), the DPA notes in its announcement that written undertakings are more suited to data transfers between different companies, rather than data transfers among groups of companies – hence its decision to accept BCRs as a more suitable alternative.

The most significant benefit of BCRs will be to allow multinational corporations and international organizations to transfer data among group companies without obtaining explicit consent from data subjects, provided the rules are approved by the DPA.

The DPA’s announcement comes as the latest in a series, reflecting the DPA’s intention to interpret the KVKK in line with its European equivalent, the GDPR. For instance, the DPA had earlier announced in its decision dated 24 January 2019 (No: 2019/10) that, with respect to the obligation of data controllers to notify data breaches to the DPA as soon as possible, it would interpret the phrase “as soon as possible” to mean 72 hours, as this was the period determined to be reasonable under Art. 33 of the GDPR.

In this regard, the introduction of BCRs also serves the purpose of bringing the KVKK (which is mostly based on Directive 95/46/EC that was repealed by the GDPR) closer to the higher standard set by the GDPR.

Yiğit Kaynar, Esq.