PERSONAL DATA PROTECTION AUTHORITY

BINDING CORPORATE RULES

BINDING CORPORATE RULES FOR PROCESSORS

APPLICATION FORM

DEFINITIONS

Sub-Processor: A natural or legal person who processes personal data on behalf of the processor in accordance with the processor's instructions.

Binding Corporate Rules: Personal data protection rules to be adhered to by Group Members, for personal data transfers carried out by a data controller or processor established in Turkey to a data controller or processor established abroad within the same Group engaged in a joint economic activity.

BCR Member: A Group Member bound by the Binding Corporate Rules for Processors.

Internal Sub-Processor: A sub-processor within a group engaged in a joint economic activity.

Group: A group engaged in a joint economic activity.

Group Member: Each entity within a group engaged in a joint economic activity.

External Sub-Processor: A sub-processor not within a group engaged in a joint economic activity.

Service Agreement: A legally binding agreement or other legal transaction under Turkish law that demonstrates data processing activities between the data controller and processor and between the processor and sub-processor.

Contact Person/Unit: The person or unit responsible for liaising with the Authority regarding matters related to the Binding Corporate Rules for Processors.

ABBREVIATIONS

Application Form: Binding Corporate Rules Application Form for Processors dated

04/06/2024 and numbered KVKK-BŞK/2024-3

Law: Personal Data Protection Law No. 6698

Board: Personal Data Protection Board

Authority: Personal Data Protection Authority

BCR-P: Binding Corporate Rules for Processors

BCR-C: Binding Corporate Rules for Controllers

Guidance Document: Binding Corporate Rules for Processors Guidance Document dated 04/06/2024 and numbered KVKK-BŞK/2024-4

GENERAL INSTRUCTIONS AND EXPLANATIONS REGARDING THE APPLICATION

— Only one copy of the Application Form and the Guidance Document should be completed and submitted to the Authority. The Guidance Document is an appendix to the Application Form.

— Separate forms must be completed for each application if an approval application is made to the Authority for both BCR-C and BCR-P.

— Applications can be submitted to the Authority in person, by mail or through other methods to be determined by the Board^[1].

— If there is insufficient space for answers in the relevant fields of the Application Form and the Guidance Document, additional pages or appendices may be used.

— Every document in a foreign language must have a notarized translation.

— Responses or documents that are commercially sensitive and deemed confidential can be indicated in the application.

— In the application to be made, documents proving the authorization to sign must be included along with details such as the full name, address, and signature of the authorized applicant. In this context, applications by legal entities must be made by persons authorized to represent and sign, and documents proving this authority must be attached to the application. Additionally, in applications to be made by an attorney, the original power of attorney or a certified copy must be included.

— The subsequent steps of the application process are explained in the Guidance Document.

— During the annual updates of BCR-P, the adequacy of assets must be confirmed by completing section 4 ("Assets") of Part 2 of the Application Form.

— If the Group's headquarters is in Turkey, the Application Form must be completed and submitted by this entity, or another entity established in Turkey to which personal data protection responsibilities have been delegated under certain conditions^[2]. In the latter case, the Group must provide additional justification as to why another entity in Turkey was chosen as the applicant.

— If the Group's headquarters is outside of Turkey, the Group must designate a Group entity established in Turkey, to which personal data protection responsibilities have been delegated, as the Authorized Group Member. This entity must then submit the application to the Authority on behalf of the Group.

— The 'contact person/unit' to whom questions regarding the application can be addressed must be notified to the Authority. For practical reasons, it is recommended that this person/unit be located in Turkey.

SECTION 1: APPLICANT INFORMATION 1. STRUCTURE AND CONTACT INFORMATION OF THE GROUP ENGAGED IN JOINT ECONOMIC ACTIVITY

1.1. Name of the Group and address of the Group’s headquarters (parent company):

1.2. Name and address of the applicant:

1.3. Applicant's Tax Identification Number/MERSIS Number/Trade Registry Number and related Tax Office:

1.4. Legal status of the applicant (company, partnership, etc.):

1.5. Position of the applicant within the Group (Group's headquarters in Turkey or an authorized Group Member in Turkey if the Group's headquarters is not in Turkey):

1.6. Name and role or unit of the contact person (since the contact person may change, specifying the ‘unit’ instead of the ‘person’ is recommended) (one or more contact persons/units may be specified):

1.7. Address of the contact person/unit:

1.8. Contact information of the contact person/unit:

— Phone Number:

— Fax:

— Email address:

2. SUMMARY OF PERSONAL DATA PROCESSING AND DATA FLOW³

2.1. Explain the following:

— Nature of the personal data to be transferred under BCR-P; data categories, purposes of data processing activities; categories of data subjects affected by the processing of personal data (e.g., data of employees, customers, suppliers, and other third parties as a regular part of their business activities...):

2.2. Purposes of the anticipated personal data transfers:

2.3. Will BCR-P apply only to transfers made from Turkey or to transfers between Group members?

2.4. Description of intra-Group transfers within the scope of BCR-P, including a description and contact information of Group Members in Turkey and abroad to whom personal data may be transferred:

SECTION 2: VALIDITY PRINCIPLES BINDING NATURE OF BINDING CORPORATE RULES FOR PROCESSORS 1. INTERNAL BINDING NATURE^[3]

1.1. Binding Nature for Entities Acting as Internal Sub-Processors within the Group^[4]

1.1.1. How is BCR-P made binding on all Group Members?

— Existence of legally binding measures or rules applicable to all Group Members:

— Contracts or intra-group agreements among Group Members:

— Unilateral declarations or commitments made by the parent company that are binding on other Group members^[5]:

— Other methods^[6][7] (Please explain):

1.1.2. Explain how the binding nature of the above mechanisms is ensured for other Group members (especially the headquarters).

1.1.3. Is the binding effect of BCR-P within the Group applicable to the entire Group? (If it is necessary to exempt some Group members, explain the reasons and how the exemption is provided.)

1.1.4. Confirm that the data processing activities of internal sub-processors are only carried out after the data controllers have been informed in advance and have given their prior written consent.

1.2. Binding Nature for Employees⁸

1.2.1. The Group may consider one or more of the following methods to ensure the binding nature of BCR-P for employees. However, other methods may also be considered. Provide details below.

— Individual and separate contract/commitment with penalties:

— Employment contract with penalties:

— Collective agreements with penalties:

— Employees signing or confirming that they have read the BCR-P or relevant ethical rules:

— Internal policies with penalties:

— Other methods (Explain how BCR-P is made binding on employees):

1.2.2. Provide a summary of the relevant policies and procedures or confidentiality agreements, supported by excerpts, demonstrating how the binding nature of BCR-P is ensured for employees.

2. EXTERNAL BINDING NATURE

2.1. Binding Nature on External Sub-Processors

2.1.1. Confirm that written contracts or other legal instruments, under the law to which the external sub-processor is subject, have been executed to ensure compliance with the same data protection obligations imposed on Group Members under BCR-P, including adequate protection as specified in Articles 4, 9, 11, and 12 of the Law and sections 1.3, 1.4, 3, and 6 of KVKK-BŞK/2024-4^[8].

2.1.2. Explain how such contracts or other legal instruments address the consequences of non-compliance under the applicable law of the processor and specify the penalties for external sub-processors due to non-compliance.

2.1.3. Confirm that the data processing activities of external sub-processors are only carried out after the specific or general written consent of the data controller has been obtained.^[9]

2.1.4. Confirm that sub-processors agree to make their data processing facilities available for audit by the data controller upon request.^[10] Explain the system.

2.1.5. Explain how the rules in BCR-P are made externally binding for the benefit of data subjects (third-party beneficiary rights) or how such rights are planned to be provided. (For example, some third-party beneficiary rights may be provided in contracts or unilateral declarations.)^[11][12]

2.1.6. Provide a summary, supported by excerpts from the appropriately signed contracts, explaining how BCR-P is made binding on data controllers.¹³ 

2.1.7. Confirm that data controllers' rights will include the right to make claims before competent courts and the right to compensation.

3. LEGAL REQUESTS AND CLAIMS

3.1. Explain how the obligations under Articles 11, 14, and 11(1)(ğ) of the Law, regarding data subjects' rights, complaints to the Board, and the right to compensation, are fulfilled as detailed in section 1.3 of KVKK-BŞK/2024-4.^[13]

3.2. Explain whether appropriate arrangements have been made, and if so, how they have been ensured, for a data controller established in Turkey to remedy any damage caused by any Group member or external sub-processor, or to take appropriate measures to terminate such actions.^[14][15]

3.3. Confirm that the burden of proof for any alleged rule violation by a Group Member or external sub-processor, regardless of where the claim originates, will rest with the Group member established in Turkey, who assumes responsibility for violations caused by Group members or sub-processors not established in Turkey.

4. ASSETS¹⁶

Confirm that the responsible BCR-P Member(s) established in Turkey (the Group's headquarters in Turkey or an authorized Group Member in Turkey if the Group's headquarters is not in Turkey) have taken necessary measures to ensure the compensation of all damages arising from BCR-P violations by BCR Members not established in Turkey, and explain how this is guaranteed.

5. EASY ACCESS TO BCR-P¹⁷

4.1. Confirm that BCR-P includes a provision stating that BCR-P is an appendix to the Service Agreements signed with data controllers, or that there is a clause in the Service Agreements providing electronic access to BCR-P.

4.2. Confirm that BCR-P is published on the website of the Processors Group, easily accessible to data subjects, or at least that a document is published containing all the information required in section 1.8 of KVKK-BŞK/2024-4. 

6. EFFECTIVENESS¹⁸

6.1. It is important to demonstrate how BCR-P, which applies to data transfers based on BCRP, is implemented within the Group. This will play a significant role in assessing the adequacy of existing protection measures.

6.1.1. Training and Awareness of Employees¹⁹

— Existence of Special Training Programs:

— Testing the competence of employees regarding BCR-P and personal data protection:

— Making BCR-P available to all employees in print or online:

— Review and approval mechanism by senior management:

— Explain how employees are trained to understand the impact of their work on personal data protection and how they act accordingly (it does not matter whether the employees are located in Turkey).

6.1.2. Internal Application Mechanism²⁰

— Does BCR-P include an internal application mechanism to (1) promptly forward claims and requests to the data controller and (2) have another agreed-upon data controller within the Group handle the applications of data subjects in cases where the data controller has legally or practically ceased to exist?

— Explain how the internal application mechanism works.

6.1.3. Compliance Audit²¹

6.1.3.1. Explain which mechanisms are used to audit and verify compliance with BCR-P for each Group Member (e.g., an audit program, compliance program, etc.).

6.1.3.2. Explain how compliance audit programs operate within the Group (e.g., recipients of any compliance audit reports, information about their positions within the Group, etc.).

6.1.3.3. Indicate which of the following audit mechanisms are included in BCR-P to verify compliance:

— Internal auditor:

— External auditor:

— Both internal and external auditor:

— Audit by an internal compliance unit:

— Other (explain):

6.1.3.4. Confirm whether the audit mechanisms in BCR-P are included in one of the following:

— A document containing the personal data protection policy:

— Other internal procedure documents and audits:

6.1.4. Personnel Structure²²

6.1.4.1. Confirm that the personnel structure assigned to ensure compliance with and audit BCR-P is determined by senior management.

6.1.4.2. Explain how the personnel structure operates:

— Internal Structure:

— Roles and Responsibilities:

7. COOPERATION WITH THE AUTHORITY²³

7.1. Explain how cooperation with the Authority is addressed in BCR-P.

7.2. Confirm that you allow the Authority to audit compliance.

7.3. Confirm that the Group as a whole and each Group member will comply with the Board's recommendations regarding the interpretation and application of BCR-P.

8. COOPERATION WITH DATA CONTROLLERS²⁴

8.1. Explain how cooperation with data controllers is addressed in BCR-P.

8.2. Confirm that data processing facilities are made available for audit by the data controller (or an audit body consisting of independent members selected by the data controller) upon request.

9. DETAILED EXPLANATIONS ON PERSONAL DATA PROCESSING AND DATA FLOW²⁵

9.1. Provide explanations on the following:

— Categories of data to be transferred under BCR-P (e.g., personal data, special categories of personal data):

— Nature of personal data to be transferred under BCR-P:

— General scope of data flow:

— Purposes and types of processing for data transfers to other countries under BCR-P:

— Scope of intra-group transfers within the scope of BCR-P, including which personal data categories and nature are transferred to which Group Members and their contact information:

9.2. Explain whether BCR-P will apply only to personal data transfer activities from Turkey or to all transfer activities among Group members.

10. MECHANISMS FOR RECORDING AND REPORTING CHANGES²⁶

10.1.      Confirm that BCR-P includes a provision on how other Group Members, the Authority, and data controllers will be informed of any changes to BCR-P or the list of BCR members and provide a summary.

10.2.      Explain whether you have a system for recording any changes to the BCR text and its implementation.

10.3.      Confirm that data controllers will be informed a reasonable time in advance, allowing them to terminate the contract or object to the change before any changes affecting the conditions of personal data processing activities are made.

11. DATA PROTECTION MEASURES²⁷

Explain how the following issues are addressed in BCR-P, referring to any supporting documents if applicable:

— Compliance with the law and the rule of good faith (e.g., a general obligation to assist the data controller):

— Accuracy and, if necessary, up-to-dateness:

— Processing for specific, explicit, and legitimate purposes:

— Processing that is relevant, limited, and proportionate to the purposes for which they are processed (e.g., processing personal data only on behalf of the data controller and in accordance with its instructions and returning personal data to the data controller at the end of the contract):

— Retention for a period prescribed by relevant legislation or necessary for the purposes for which they are processed:

— Data security:

— Rights of data subjects (e.g., a general obligation to assist the data controller):

— Intra-group sub-processing:

— Restrictions on subsequent transfers to external sub-processors:

— Other issues (if any):

12. ACCOUNTABILITY AND OTHER PRINCIPLES/TOOLS²⁸

12.1. Confirm and explain how BCR Members will provide the necessary information and documents to the data controller to demonstrate that they have fulfilled their obligations.

12.2. Explain how the records of processing activities carried out under BCR-P on behalf of each data controller will be kept by BCR Members.

12.3.  Explain the obligations of BCR Members to the data controller in implementing appropriate technical and administrative measures to ensure compliance with data protection principles and facilitate compliance with the obligations set forth in BCR-P.

12.4.  Attach any supporting documents related to the requested information above, if any.