Sponsored briefing: Binding corporate rules for transfer of personal data abroad

Eren Can Ersoy of Kılınç Law & Consulting looks at the regulations associated with data protection

The irrepressible rapid development of technology and digitalisation around the world necessitates the processing and transfer of personal data. This evolution has a direct impact not just on individuals but also on the business world. The processing and transfer of personal data abroad necessitates the effective protection of data. Personal data processing and transfers overseas demand robust data protection. The transmission of personal data abroad is regulated by Law No. 6698 on the Protection of Personal Data (the Law), and the primary rule for data transfer abroad is to get the data subjects’ explicit consent. With the existence of one of the data processing conditions specified in the Law, and the recipient being located in one of the countries on the list of safe countries to be published by the Personal Data Protection Authority (the Authority), the data controllers in Türkiye and abroad can undertake adequate protection in writing and the Personal Data Protection Board (the Board) can gain permission as an exception to the rule of obtaining explicit consent.

This rule poses certain issues for multinational companies that operate on a global scale. Indeed, because the procedures and principles governing the processing of personal data differ from country to country, it is impossible for companies operating in more than one country to comply with the rules specified in each country’s legislation and to establish a common data processing and protection policy that will cover all rules. As a consequence, on 10 April 2020, the Authority adopted the Binding Corporate Rules (Binding Corporate Rules or Rules) as a new procedure to be applied to the transfer of personal data abroad by multinational companies operating on a global scale, in parallel with the regulations titled Binding Corporate Rules established by the European Commission Working Group 29 while the European Union’s Directive 95/46/EC (Directive) is the predecessor regulation.

Binding corporate rules

Binding corporate rules are applied with a written commitment of sufficient protection for the transfer of personal data abroad for multinational group companies operating in countries where binding corporate laws do not provide sufficient protection.

Through the announcement published by the Authority, the procedures and principles for the implementation of the Rules have been determined and it has been stated that the application can be made to the Authority by hand or by e-mail under the guidance of the ‘Binding Corporate Rules Application Form for Data Controllers’ and the ‘Auxiliary Document Regarding the Main Points to be Included in Binding Corporate Rules for Data Controllers’ (the Auxiliary Document). In this context, the application regarding the Rules will be evaluated, finalised, and announced within a year from the date of application. This period may be extended up to six months, if necessary. If the application is approved by the Authority, multinational group companies operating on a global scale will not be required to obtain explicit consent or submit a letter of undertaking for transfers between themselves.

‘Personal data processing and transfers overseas demand robust data protection.’
Eren Can Ersoy, Kılınç Law & Consulting

Definition of binding corporate rules within the scope of the auxiliary document regulated as ‘Personal data protection policies to be adhered to by a data controller within a group of undertakings established in Türkiye for transfers or a set of transfers of personal data to companies and enterprises operating abroad in one or more countries within the same group of companies and to data controllers that engage in a joint activity or have a joint decision making mechanism regarding data processing activities.’

Elements to be included in binding corporate rules

The elements that should be included in the Binding Corporate Rules are regulated within the scope of the Supplementary Document based on the regulations established by the Authority under Directive 95/46/EC of the European Parliament and of the Council of the European Union on the Protection of Individuals with Regard to the Processing and Free Movement of Personal Data.

During the period when the Directive was in force in the European Union, multinational companies operating on a global scale were obliged to fulfil the obligations arising from the legislation of more than one country at the same time when transferring data to group companies. Over time, it was observed that this obligation disrupted the business order of companies and delayed transactions, and the European Commission Working Group 29 determined the minimum requirements that data transfer policies should meet and named them ‘Binding Corporate Rules’.

This regulation, which is required in accordance with professional life requirements in European Union legislation, has also been recognised by the Authority, and an Auxiliary Document has been prepared in accordance with these regulations, as have regulations on the minimum elements that the rules should bear.

Pursuant to the Auxiliary Document, the elements to be included in the Binding Corporate Rules and the application to be made within this scope are as follows;

• Binding nature: Rules must be legally binding and contain a clear obligation for each participating member of the group including their employees to comply with the Rules. For each group member, the ability of the rules to be binding must be ensured by one or more legally valid and provable method. (To ensure that rules are binding on employees, one or more of the following methods can be used: employment contract, collective agreement, confidentiality agreement, codes of conduct, company policies, workplace internal regulations, etc). Rights of the data subject in respect to Rules must be clearly recognised, the headquarters of the group established in Türkiye, a group member established in Türkiye with delegated data protection responsibilities or the data controller that transfers data accepts liability for paying compensation and to remedy breaches of the Rules.
• Effectiveness: Within the scope of the rules, there should be appropriate training and awareness raising activities within the group, a complaint handling mechanism that can be applied by the persons concerned, an audit of compliance with the Rules, and a network of personnel in charge for the implementation of the Rules.
• Cooperation with the Authority: Rules shall contain a clear duty for all group members to accept to be audited by the Authority and to comply with the advice of the Authority on any issue related to those rules if needed.
• Processing and transfer of personal data: Rules should contain a general and territorial scope of the rules and a general description of the transfers, as well as information on an identified contact person of the group and the companies/entities bound by the rules, in order to enable the Authority to assess whether the transactions carried out in third countries are compatible.
• Mechanisms for reporting and recording changes: There should be obligations to report and record changes to the Rules and notification of such changes to the Authority.
• Data security: An explanation of the data protection principles, including transfers from or to Türkiye, transparency and disclosure obligations where national legislation prevents the group from complying with the rules, and regulations on the relationship between the rules and national legislation.
• Accountability: Members within the scope of the Rules are required to keep a written record of data processing activities in all categories, including electronic methods, and to submit it to the Authority upon request, to carry out the necessary analyses to identify the risks in data transfer, to consult the Board in cases of high risk, and to take appropriate technical and administrative measures for data protection.

In order for the application to be successful, it would be appropriate to make the application with the assistance of an expert, in addition to fulfilling all of the obligations.

Conclusion

The Authority has regulated the Binding Corporate Rules in light of global regulations, particularly those enacted by the European Union, in order to prevent and eliminate current and future problems encountered in the transfer of personal data abroad by group companies operating on a global scale as a result of developing technology and the use of the internet, which has eliminated borders, and this situation has a direct impact on both business and individual life. In this case, the application form must be completed and sent to the Authority in accordance with the Authority’s Auxiliary Document. In order for the application to be successful, it would be appropriate to make the application with the assistance of an expert, in addition to fulfilling all of the obligations.