PERSONAL DATA PROTECTION AUTHORITY

BINDING CORPORATE RULES

BINDING CORPORATE RULES FOR CONTROLLERS

APPLICATION FORM

DEFINITIONS

Binding Corporate Rules: Personal data protection rules to be adhered to by Group Members, for personal data transfers carried out by a data controller or processor established in Turkey to a data controller or processor established abroad within the same Group engaged in a joint economic activity.

BCR Member: A Group Member bound by the Binding Corporate Rules for Controllers.

Group: A group engaged in a joint economic activity.

Group Member: Each entity within a group engaged in a joint economic activity.

Contact Person/Unit: The person or unit responsible for liaising with the Authority regarding matters related to the Binding Corporate Rules for Controllers.

ABBREVIATIONS

Application Form: Binding Corporate Rules Application Form for Controllers dated 04/06/2024 and numbered KVKK-BŞK/2024-1

Law: Personal Data Protection Law No. 6698

Board: Personal Data Protection Board

Authority: Personal Data Protection Authority

BCR-P: Binding Corporate Rules for Processors

BCR-C: Binding Corporate Rules for Controllers

Guidance Document: Binding Corporate Rules for Controllers Guidance Document dated 04/06/2024 and numbered KVKK-BŞK/2024-2

GENERAL INSTRUCTIONS AND EXPLANATIONS REGARDING THE APPLICATION

— Only one copy of the Application Form and the Guidance Document should be completed and submitted to the Authority. The Guidance Document is an appendix to the Application Form.

— Separate forms must be completed for each application if an approval application is made to the Authority for both BCR-C and BCR-P.

— Applications can be submitted to the Authority in person, by mail, or through other methods to be determined by the Board^[1].

— If there is insufficient space for answers in the relevant fields of the Application Form and the Guidance Document, additional pages or appendices may be used.

— Every document in a foreign language must have a notarized translation.

— Responses or documents that are commercially sensitive and deemed confidential can be indicated in the application.

— In the application to be made, documents proving the authorization to sign must be included along with details such as the full name, address, and signature of the authorized applicant. In this context, applications by legal entities must be made by persons authorized to represent and sign, and documents proving this authority must be attached to the application. Additionally, in applications to be made by an attorney, the original power of attorney or a certified copy must be included.

— The subsequent steps of the application process are explained in the Guidance Document.

— During the annual updates of BCR-C, the adequacy of assets must be confirmed by completing section 1.3 ("Assets") of Part 2 of the Application Form.

— If the Group's headquarters is in Turkey, the Application Form and the Guidance Document must be completed and submitted by this entity or another entity established in Turkey to which personal data protection responsibilities have been delegated under certain conditions^[2]. In the latter case, the Group must provide additional justification as to why another entity in Turkey was chosen as the applicant.

— If the Group's headquarters is outside of Turkey, the Group must designate a Group entity established in Turkey, to which personal data protection responsibilities have been delegated, as the Authorized Group Member. This entity must then submit the application to the Authority on behalf of the Group.

— The 'contact person/unit' to whom questions regarding the application can be addressed must be notified to the Authority. For practical reasons, it is recommended that this person/unit be located in Turkey.

SECTION 1: APPLICANT INFORMATION 1. STRUCTURE AND CONTACT INFORMATION OF THE GROUP ENGAGED IN JOINT ECONOMIC ACTIVITY

1.1. Name of the Group and address of the Group’s headquarters (parent company):

1.2. Name and address of the applicant:

1.3. Applicant's Tax Identification Number/MERSIS Number/Trade Registry Number and related Tax Office:

1.4. Legal status of the applicant (company, partnership, etc.):

1.5. Position of the applicant within the Group (Group's headquarters in Turkey or an authorized Group Member in Turkey if the Group's headquarters is not in Turkey):

1.6. Name and role or unit of the contact person (since the contact person may change, specifying the ‘unit’ instead of the ‘person’ is recommended) (one or more contact persons/units may be specified):

1.7. Address of the contact person/unit:

1.8. Contact information of the contact person/unit:

— Phone Number:

— Fax:

— Email address:

2. SUMMARY OF PERSONAL DATA PROCESSING AND DATA FLOW^[3]

2.1. Explain the following:

— Nature of the personal data to be transferred under BCR-C; data categories, purposes of data processing activities; categories of data subjects affected by the processing of personal data (e.g., data of employees, customers, suppliers, and other third parties as a regular part of their business activities)^[4]

2.2. Will BCR-C apply only to transfers made from Turkey or to transfers between Group members?

2.3. Specify to which country personal data will be transferred most frequently from Turkey under BCR-C.

2.4. Provide information on the scope⁵ of intra-Group transfers under BCR-C, including a description and contact information of Group Members in Turkey and abroad to whom personal data may be transferred.

SECTION 2: VALIDITY PRINCIPLES

1. BINDING NATURE OF BINDING CORPORATE RULES FOR CONTROLLERS

1.1. Binding Nature for Group Members

1.1.1. How is BCR-C made binding on all Group Members?

— Intra-group agreements:

— Unilateral declarations^[5]:

— Other methods^[6] (Explain):

o If intra-group agreements/unilateral declarations/other methods signed at the Board level are chosen, a document demonstrating this must be attached to the Application Form.

1.1.2. Explain the legal basis ensuring that the Group Member(s) to whom personal data protection responsibilities have been delegated will ensure compliance with BCR-C obligations by other Group Members.

1.1.3. Is the binding effect of BCR-C within the Group applicable to the entire Group? (If it is necessary to exempt some Group members, explain the reasons and how the exemption is provided.)

1.2. Binding Nature for Employees^[7]

1.2.1. The Group may consider one or more of the following methods to ensure the binding nature of BCR-C for employees. However, other methods may also be considered. Provide details below.

— Individual and separate contract/commitment with penalties:

— Employment contract with penalties:

— Collective agreements with penalties:

— Internal policies with penalties:

— Other methods (Explain how BCR-C is made binding on employees):

1.2.2. Provide a summary of the relevant policies and procedures or confidentiality agreements, supported by excerpts, demonstrating how the binding nature of BCR-C is ensured for employees.

1.3. Assets⁹  

Confirm that the responsible BCR-C Member(s) established in Turkey (the Group's headquarters in Turkey or an authorized Group Member in Turkey if the Group's headquarters is not in Turkey) have taken necessary measures to ensure the compensation of all damages arising from BCR-C violations by BCR Members not established in Turkey, and explain how this is guaranteed.

2. EFFECTIVENESS

It is important to demonstrate how BCR-C, which applies to data transfers based on BCR-C, is implemented within the Group. This will play a significant role in assessing the adequacy of existing protection measures.

2.1. Training and Awareness of Employees

— Existence of Special Training Programs:

— Testing the competence of employees regarding BCR-C and personal data protection:

— Making BCR-C available to all employees in print or online:

— Review and approval mechanism by senior management:

— Explain how employees are trained to understand the impact of their work on personal data protection and how they act accordingly (it does not matter whether the employees are located in Turkey).

2.2. Personnel Structure^[8]

2.2.1. Confirm that the personnel structure assigned to ensure compliance with and audit BCRC is determined by senior management.

2.2.2. Explain how the personnel structure operates:

— Internal Structure:

— Roles and Responsibilities:

Date, Applicant's Signature (must be signed by persons authorized to represent and sign)

(Name, legal status, contact information should also be specified.)

ANNEX 1: BINDING CORPORATE RULES FOR CONTROLLERS TEXT

A copy of the Binding Corporate Rules for Controllers text must be attached to the Application Form. All required information for the application must be included in the BCR-C documents (the content of the main documents or their appendices).

ANNEX 2: GUIDANCE DOCUMENT ON THE FUNDAMENTAL ELEMENTS REQUIRED IN BINDING CORPORATE RULES FOR CONTROLLERS

A copy of the Guidance Document on the Fundamental Elements Required in Binding Corporate Rules for Controllers must be completed and attached to the application.

ANNEX 3: SUPPORTING DOCUMENTS

Supporting documents related to the application (documents that are not part of BCR-C) can only be submitted to provide further explanation. These appendices can be named as (ANNEX3-1), (ANNEX-3-1-A).

All submitted documents may be subject to access requests under the information acquisition legislation, if deemed appropriate.