Turkish Data Protection Authority (“Turkish DPA”) has made a public announcement about Binding Corporate Rules (“BCRs”), on April 10, 2020.
INTRA-GROUP DATA TRANSFERS OF MULTINATIONAL GROUP COMPANIES BECOMES POSSIBLE VIA BCRs
Turkish DPA has made clear that BCRs can be used as a legal basis for cross-border data transfers of multinational group companies among each other, i.e. for intra-group purposes.
It has been stated in the announcement that the BCRs would be considered as a commitment of adequate protection, thus the intra-group transfers multinational group companies which are operating in countries where adequate protection is not provided would become in line with the Law on Protection of Personal Data no. 6698 (“Law”).
THE MULTINATIONAL GROUP COMPANIES MUST GET THEIR BCRs APPROVED BEFORE THE DPA
Along with the announcement, an application form which needs to be submitted before the DPA for the approval of BCRs, has been published.
The multinational group companies which would like to manage their intra-group cross-border transfers via BCR must fill out this form and make an application before the DPA to demonstrate their BCRs put in place adequate safeguards for protection of personal data throughout the organization in line with the Law.
THE APPLICANTS MUST DEMONSTRATE BACKGROUND INFORMATION REGARDING THEIR BCRs
In order to get approval for their BCRs, the DPA requests the applicants to submit an application and demonstrate background information regarding their BCRs and data flow practices.
The application form published by the DPA consist of the following sections which are mainly in line with the EU’s Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data (WP264) adopted on 11 April 2018;
- Binding Nature of the BCR
- Cooperation with DPA
- Description of Processing and Transfer of Personal Data
- Mechanisms for reporting and recording changes
- Data SecurityAccountability and other tools
THE EXAMINATIONS OF THE BCR APPROVAL APPLICATION MIGHT TAKE MAXIMUM OF 1.5 YEARS
The DPA commits that the examination of BCR approval applications are to be concluded within 1 year as of the official application date for approval, whereas it is additionally noted that examination can be extended for an extra period of 6 months.
THE BCRs ARE TO NOT TO BE APPROVED FOR INDEFINITE TIME
The DPA has particularly noted that the BCRs are not approved for an indefinite period. In case of any need, the implementation of BCRs can be suspended or terminated by the DPA.
BACKGROUND AND PRACTICAL ADVICE
The Law on Protection of Personal Data no. 6698 has come into force nearly 4 years ago in Turkey however the cross-border data transfer remains as one of the most controversial topics since the Turkish PDA has currently recognized no country as providing adequate protection.
Furthermore, despite the fact that the cross-border transfer based on contractual clauses -provided that they are approved by the DPA- is possible in Turkey, none of the contractual clauses submitted before the DPA for this purpose so far has been approved yet, to the extent of our knowledge.
Thus, it is possible to say that the DPA has so far not provided a very clear and foreseeable path to data controllers for cross-border data transfers.
With the subject announcement on BCRs, the Turkish DPA has paved the way for at least intra-group data transfers which is vital for multinational companies.
Prior to proceeding with BCR method, we recommended multinational companies to conduct a pre-examination on whether they are subject to any sector-based data transfer restriction in Turkey.