Legal Business

Sponsored briefing: Binding corporate rules for transfer of personal data abroad

Eren Can Ersoy of Kılınç Law & Consulting looks at the regulations associated with data protection

The irrepressible rapid development of technology and digitalisation around the world necessitates the processing and transfer of personal data. This evolution has a direct impact not just on individuals but also on the business world. The processing and transfer of personal data abroad necessitates the effective protection of data. Personal data processing and transfers overseas demand robust data protection. The transmission of personal data abroad is regulated by Law No. 6698 on the Protection of Personal Data (the Law), and the primary rule for data transfer abroad is to get the data subjects’ explicit consent. With the existence of one of the data processing conditions specified in the Law, and the recipient being located in one of the countries on the list of safe countries to be published by the Personal Data Protection Authority (the Authority), the data controllers in Türkiye and abroad can undertake adequate protection in writing and the Personal Data Protection Board (the Board) can gain permission as an exception to the rule of obtaining explicit consent.

This rule poses certain issues for multinational companies that operate on a global scale. Indeed, because the procedures and principles governing the processing of personal data differ from country to country, it is impossible for companies operating in more than one country to comply with the rules specified in each country’s legislation and to establish a common data processing and protection policy that will cover all rules. As a consequence, on 10 April 2020, the Authority adopted the Binding Corporate Rules (Binding Corporate Rules or Rules) as a new procedure to be applied to the transfer of personal data abroad by multinational companies operating on a global scale, in parallel with the regulations titled Binding Corporate Rules established by the European Commission Working Group 29 while the European Union’s Directive 95/46/EC (Directive) is the predecessor regulation.

Binding corporate rules

Binding corporate rules are applied with a written commitment of sufficient protection for the transfer of personal data abroad for multinational group companies operating in countries where binding corporate laws do not provide sufficient protection.

Through the announcement published by the Authority, the procedures and principles for the implementation of the Rules have been determined and it has been stated that the application can be made to the Authority by hand or by e-mail under the guidance of the ‘Binding Corporate Rules Application Form for Data Controllers’ and the ‘Auxiliary Document Regarding the Main Points to be Included in Binding Corporate Rules for Data Controllers’ (the Auxiliary Document). In this context, the application regarding the Rules will be evaluated, finalised, and announced within a year from the date of application. This period may be extended up to six months, if necessary. If the application is approved by the Authority, multinational group companies operating on a global scale will not be required to obtain explicit consent or submit a letter of undertaking for transfers between themselves.

‘Personal data processing and transfers overseas demand robust data protection.’
Eren Can Ersoy, Kılınç Law & Consulting

Definition of binding corporate rules within the scope of the auxiliary document regulated as ‘Personal data protection policies to be adhered to by a data controller within a group of undertakings established in Türkiye for transfers or a set of transfers of personal data to companies and enterprises operating abroad in one or more countries within the same group of companies and to data controllers that engage in a joint activity or have a joint decision making mechanism regarding data processing activities.’

Elements to be included in binding corporate rules

The elements that should be included in the Binding Corporate Rules are regulated within the scope of the Supplementary Document based on the regulations established by the Authority under Directive 95/46/EC of the European Parliament and of the Council of the European Union on the Protection of Individuals with Regard to the Processing and Free Movement of Personal Data.

During the period when the Directive was in force in the European Union, multinational companies operating on a global scale were obliged to fulfil the obligations arising from the legislation of more than one country at the same time when transferring data to group companies. Over time, it was observed that this obligation disrupted the business order of companies and delayed transactions, and the European Commission Working Group 29 determined the minimum requirements that data transfer policies should meet and named them ‘Binding Corporate Rules’.

This regulation, which is required in accordance with professional life requirements in European Union legislation, has also been recognised by the Authority, and an Auxiliary Document has been prepared in accordance with these regulations, as have regulations on the minimum elements that the rules should bear.

Pursuant to the Auxiliary Document, the elements to be included in the Binding Corporate Rules and the application to be made within this scope are as follows;

In order for the application to be successful, it would be appropriate to make the application with the assistance of an expert, in addition to fulfilling all of the obligations.

Conclusion

The Authority has regulated the Binding Corporate Rules in light of global regulations, particularly those enacted by the European Union, in order to prevent and eliminate current and future problems encountered in the transfer of personal data abroad by group companies operating on a global scale as a result of developing technology and the use of the internet, which has eliminated borders, and this situation has a direct impact on both business and individual life. In this case, the application form must be completed and sent to the Authority in accordance with the Authority’s Auxiliary Document. In order for the application to be successful, it would be appropriate to make the application with the assistance of an expert, in addition to fulfilling all of the obligations.

For more information, please contact:

Eren Can Ersoy, senior associate

Kılınç Law & Consulting
Ayazağa Mah. Azerbaycan Cad. No:3B Vadistanbul, B1 Ofis Blok, Kat:26 Bağımsız Bölüm No:58 Sarıyer/İstanbul

T: +90 (212) 217 12 55
E: info@kilinclaw.com.tr

kilinclaw.com.tr/en