The Turkish Data Protection Authority (the “DPA”) has released an announcement on 10 April 2020 stating that data transfers between multinational group companies may be carried out by relying on the legal mechanism of “Binding Corporate Rules” (“BCR”).

Pursuant to Turkish Law No. 6698 on the Protection of Personal Data (the “Law”), unless the explicit consent of data subjects is obtained, personal data may only be transferred from Turkey to countries which do not provide an adequate level of protection by executing a written undertaking letter with the recipient entities and obtaining the prior approval of the DPA. The DPA announcement highlights the insufficiency of the undertaking letter mechanism for data transfers among multinational group companies, and indicates that BCR may be substituted to these undertaking letters, even though this mechanism is not explicitly defined under the Law.

Binding Corporate Rules mechanism

Similar to the widely used legal mechanism within the scope of the European Union’s General Data Protection Regulation, BCR consist in a set of rules applicable to data transfers to be performed by a data controller located in Turkey which is part of a group of companies, to companies and undertakings within the same group having business activities in one or more countries abroad, or to data controllers engaged in a joint economic activity or having a common decision-making mechanism. Companies within this scope may apply to the DPA for the approval of their BCR by submitting a completed application form. Companies which obtain the approval of the DPA will not be required to obtain explicit consent from data subjects or submit undertaking letters to the DPA for intra-group data transfers.

Application procedure

If the group has headquarters in Turkey, the application to the DPA must be submitted by the company located in Turkey. If there are no headquarters in Turkey, then the company in Turkey which is mandated by the group as an “authorised group member” will be authorised to make the application. The application form, the draft BCR text and other relevant information and documents must be submitted to the DPA by hand or by mail. The application form requests information on how the group will ensure that the BCR have a binding effect on each group member and on those who perform data processing activities on behalf of the group, the contemplated mechanisms to guarantee the effective application of the BCR, coordination with the DPA, details regarding data processing and data transfer, reporting and amendment notification mechanisms, data protection safeguards, accountability, and ancillary information and documents regarding the application and the general provisions of the BCR. The application documents are largely modelled on those contemplated for the Binding Corporate Rules mechanism under the EU General Data Protection Regulation.

Application timeframe

The application form indicates that applications will be assessed by the DPA within one year. This time period may be extended for up to six months if necessary. This fairly protracted application process should be taken into account by group companies willing to adopt BCR. The announcement does not provide for any interim regime for data transfers among multinational group companies before their BCR are approved. The current rules applicable to international data transfers will thus continue to apply.

Please do not hesitate to contact us for any further information on this briefing.