Turkiye - ENG (Machine Translation) - BCR Application Form (Processor)
PERSONAL DATA PROTECTION AUTHORITY
BINDING CORPORATE RULES
BINDING CORPORATE RULES FOR PROCESSORS
APPLICATION FORM
DEFINITIONS
Sub-Processor: A natural or legal person who processes personal data on behalf of the processor in accordance with the processor's instructions.
Binding Corporate Rules: Personal data protection rules to be adhered to by Group Members, for personal data transfers carried out by a data controller or processor established in Turkey to a data controller or processor established abroad within the same Group engaged in a joint economic activity.
BCR Member: A Group Member bound by the Binding Corporate Rules for Processors.
Internal Sub-Processor: A sub-processor within a group engaged in a joint economic activity.
Group: A group engaged in a joint economic activity.
Group Member: Each entity within a group engaged in a joint economic activity.
External Sub-Processor: A sub-processor not within a group engaged in a joint economic activity.
Service Agreement: A legally binding agreement or other legal transaction under Turkish law that demonstrates data processing activities between the data controller and processor and between the processor and sub-processor.
Contact Person/Unit: The person or unit responsible for liaising with the Authority regarding matters related to the Binding Corporate Rules for Processors.
ABBREVIATIONS
Application Form: Binding Corporate Rules Application Form for Processors dated 04/06/2024 and numbered KVKK-BŞK/2024-3
Law: Personal Data Protection Law No. 6698
Board: Personal Data Protection Board
Authority: Personal Data Protection Authority
BCR-P: Binding Corporate Rules for Processors
BCR-C: Binding Corporate Rules for Controllers
Guidance Document: Binding Corporate Rules for Processors Guidance Document dated 04/06/2024 and numbered KVKK-BŞK/2024-4
GENERAL INSTRUCTIONS AND EXPLANATIONS REGARDING THE APPLICATION
— Only one copy of the Application Form and the Guidance Document should be completed and submitted to the Authority. The Guidance Document is an appendix to the Application Form.
— Separate forms must be completed for each application if an approval application is made to the Authority for both BCR-C and BCR-P.
— Applications can be submitted to the Authority in person, by mail or through other methods to be determined by the Board[1].
— If there is insufficient space for answers in the relevant fields of the Application Form and the Guidance Document, additional pages or appendices may be used.
— Every document in a foreign language must have a notarized translation.
— Responses or documents that are commercially sensitive and deemed confidential can be indicated in the application.
— In the application to be made, documents proving the authorization to sign must be included along with details such as the full name, address, and signature of the authorized applicant. In this context, applications by legal entities must be made by persons authorized to represent and sign, and documents proving this authority must be attached to the application. Additionally, in applications to be made by an attorney, the original power of attorney or a certified copy must be included.
— The subsequent steps of the application process are explained in the Guidance Document.
— During the annual updates of BCR-P, the adequacy of assets must be confirmed by completing section 4 ("Assets") of Part 2 of the Application Form.
— If the Group's headquarters is in Turkey, the Application Form must be completed and submitted by this entity, or another entity established in Turkey to which personal data protection responsibilities have been delegated under certain conditions[2]. In the latter case, the Group must provide additional justification as to why another entity in Turkey was chosen as the applicant.
— If the Group's headquarters is outside of Turkey, the Group must designate a Group entity established in Turkey, to which personal data protection responsibilities have been delegated, as the Authorized Group Member. This entity must then submit the application to the Authority on behalf of the Group.
— The 'contact person/unit' to whom questions regarding the application can be addressed must be notified to the Authority. For practical reasons, it is recommended that this person/unit be located in Turkey.
SECTION 1: APPLICANT INFORMATION
1. STRUCTURE AND CONTACT INFORMATION OF THE GROUP ENGAGED IN JOINT ECONOMIC ACTIVITY
1.1. Name of the Group and address of the Group’s headquarters (parent company):
1.2. Name and address of the applicant:
1.3. Applicant's Tax Identification Number/MERSIS Number/Trade Registry Number and related Tax Office:
1.4. Legal status of the applicant (company, partnership, etc.):
1.5. Position of the applicant within the Group (Group's headquarters in Turkey or an authorized Group Member in Turkey if the Group's headquarters is not in Turkey):
1.6. Name and role or unit of the contact person (since the contact person may change, specifying the ‘unit’ instead of the ‘person’ is recommended) (one or more contact persons/units may be specified):
1.7. Address of the contact person/unit:
1.8. Contact information of the contact person/unit:
— Phone Number:
— Fax:
— Email address:
2. SUMMARY OF PERSONAL DATA PROCESSING AND DATA FLOW
2.1. Explain the following:
— Nature of the personal data to be transferred under BCR-P; data categories, purposes of data processing activities; categories of data subjects affected by the processing of personal data (e.g., data of employees, customers, suppliers, and other third parties as a regular part of their business activities...):
2.2. Purposes of the anticipated personal data transfers:
2.3. Will BCR-P apply only to transfers made from Turkey or to transfers between Group members?
2.4. Description of intra-Group transfers within the scope of BCR-P, including a description and contact information of Group Members in Turkey and abroad to whom personal data may be transferred:
SECTION 2: VALIDITY PRINCIPLES
BINDING NATURE OF BINDING CORPORATE RULES FOR PROCESSORS
1. INTERNAL BINDING NATURE[3]
1.1. Binding Nature for Entities Acting as Internal Sub-Processors within the Group[4]
1.1.1. How is BCR-P made binding on all Group Members?
— Existence of legally binding measures or rules applicable to all Group Members:
— Contracts or intra-group agreements among Group Members:
— Unilateral declarations or commitments made by the parent company that are binding on other Group members[5]:
— Other methods[6][7] (Please explain):
1.1.2. Explain how the binding nature of the above mechanisms is ensured for other Group members (especially the headquarters).
1.1.3. Is the binding effect of BCR-P within the Group applicable to the entire Group? (If it is necessary to exempt some Group members, explain the reasons and how the exemption is provided.)
1.1.4. Confirm that the data processing activities of internal sub-processors are only carried out after the data controllers have been informed in advance and have given their prior written consent.
1.2. Binding Nature for Employees
1.2.1. The Group may consider one or more of the following methods to ensure the binding nature of BCR-P for employees. However, other methods may also be considered. Provide details below.
— Individual and separate contract/commitment with penalties:
— Employment contract with penalties:
— Collective agreements with penalties:
— Employees signing or confirming that they have read the BCR-P or relevant ethical rules:
— Internal policies with penalties:
— Other methods (Explain how BCR-P is made binding on employees):
1.2.2. Provide a summary of the relevant policies and procedures or confidentiality agreements, supported by excerpts, demonstrating how the binding nature of BCR-P is ensured for employees.
2. EXTERNAL BINDING NATURE
2.1. Binding Nature on External Sub-Processors
2.1.1. Confirm that written contracts or other legal instruments, under the law to which the external sub-processor is subject, have been executed to ensure compliance with the same data protection obligations imposed on Group Members under BCR-P, including adequate protection as specified in Articles 4, 9, 11, and 12 of the Law and sections 1.3, 1.4, 3, and 6 of KVKK-BŞK/2024-4[8].
2.1.2. Explain how such contracts or other legal instruments address the consequences of non-compliance under the applicable law of the processor and specify the penalties for external sub-processors due to non-compliance.
2.1.3. Confirm that the data processing activities of external sub-processors are only carried out after the specific or general written consent of the data controller has been obtained.[9]
2.1.4. Confirm that sub-processors agree to make their data processing facilities available for audit by the data controller upon request.[10] Explain the system.
2.1.5. Explain how the rules in BCR-P are made externally binding for the benefit of data subjects (third-party beneficiary rights) or how such rights are planned to be provided. (For example, some third-party beneficiary rights may be provided in contracts or unilateral declarations.)[11][12]
2.1.6. Provide a summary, supported by excerpts from the appropriately signed contracts, explaining how BCR-P is made binding on data controllers.
2.1.7. Confirm that data controllers' rights will include the right to make claims before competent courts and the right to compensation.
3. LEGAL REQUESTS AND CLAIMS
3.1. Explain how the obligations under Articles 11, 14, and 11(1)(ğ) of the Law, regarding data subjects' rights, complaints to the Board, and the right to compensation, are fulfilled as detailed in section 1.3 of KVKK-BŞK/2024-4.[13]
3.2. Explain whether appropriate arrangements have been made, and if so, how they have been ensured, for a data controller established in Turkey to remedy any damage caused by any Group member or external sub-processor, or to take appropriate measures to terminate such actions.[14][15]
3.3. Confirm that the burden of proof for any alleged rule violation by a Group Member or external sub-processor, regardless of where the claim originates, will rest with the Group member established in Turkey, who assumes responsibility for violations caused by Group members or sub-processors not established in Turkey.
4. ASSETS
Confirm that the responsible BCR-P Member(s) established in Turkey (the Group's headquarters in Turkey or an authorized Group Member in Turkey if the Group's headquarters is not in Turkey) have taken necessary measures to ensure the compensation of all damages arising from BCR-P violations by BCR Members not established in Turkey, and explain how this is guaranteed.
5. EASY ACCESS TO BCR-P
4.1. Confirm that BCR-P includes a provision stating that BCR-P is an appendix to the Service Agreements signed with data controllers, or that there is a clause in the Service Agreements providing electronic access to BCR-P.
4.2. Confirm that BCR-P is published on the website of the Processors Group, easily accessible to data subjects, or at least that a document is published containing all the information required in section 1.8 of KVKK-BŞK/2024-4.
6. EFFECTIVENESS
6.1. It is important to demonstrate how BCR-P, which applies to data transfers based on BCR-P, is implemented within the Group. This will play a significant role in assessing the adequacy of existing protection measures.
6.1.1. Training and Awareness of Employees
— Existence of Special Training Programs:
— Testing the competence of employees regarding BCR-P and personal data protection:
— Making BCR-P available to all employees in print or online:
— Review and approval mechanism by senior management:
— Explain how employees are trained to understand the impact of their work on personal data protection and how they act accordingly (it does not matter whether the employees are located in Turkey).
6.1.2. Internal Application Mechanism
— Does BCR-P include an internal application mechanism to (1) promptly forward claims and requests to the data controller and (2) have another agreed-upon data controller within the Group handle the applications of data subjects in cases where the data controller has legally or practically ceased to exist?
— Explain how the internal application mechanism works.
6.1.3. Compliance Audit
6.1.3.1. Explain which mechanisms are used to audit and verify compliance with BCR-P for each Group Member (e.g., an audit program, compliance program, etc.).
6.1.3.2. Explain how compliance audit programs operate within the Group (e.g., recipients of any compliance audit reports, information about their positions within the Group, etc.).
6.1.3.3. Indicate which of the following audit mechanisms are included in BCR-P to verify compliance:
— Internal auditor:
— External auditor:
— Both internal and external auditor:
— Audit by an internal compliance unit:
— Other (explain):
6.1.3.4. Confirm whether the audit mechanisms in BCR-P are included in one of the following:
— A document containing the personal data protection policy:
— Other internal procedure documents and audits:
6.1.4. Personnel Structure
6.1.4.1. Confirm that the personnel structure assigned to ensure compliance with and audit BCR-P is determined by senior management.
6.1.4.2. Explain how the personnel structure operates:
— Internal Structure:
— Roles and Responsibilities:
7. COOPERATION WITH THE AUTHORITY
7.1. Explain how cooperation with the Authority is addressed in BCR-P.
7.2. Confirm that you allow the Authority to audit compliance.
7.3. Confirm that the Group as a whole and each Group member will comply with the Board's recommendations regarding the interpretation and application of BCR-P.
8. COOPERATION WITH DATA CONTROLLERS
8.1. Explain how cooperation with data controllers is addressed in BCR-P.
8.2. Confirm that data processing facilities are made available for audit by the data controller (or an audit body consisting of independent members selected by the data controller) upon request.
9. DETAILED EXPLANATIONS ON PERSONAL DATA PROCESSING AND DATA FLOW
9.1. Provide explanations on the following:
— Categories of data to be transferred under BCR-P (e.g., personal data, special categories of personal data):
— Nature of personal data to be transferred under BCR-P:
— General scope of data flow:
— Purposes and types of processing for data transfers to other countries under BCR-P:
— Scope of intra-group transfers within the scope of BCR-P, including which personal data categories and nature are transferred to which Group Members and their contact information:
9.2. Explain whether BCR-P will apply only to personal data transfer activities from Turkey or to all transfer activities among Group members.
10. MECHANISMS FOR RECORDING AND REPORTING CHANGES
10.1. Confirm that BCR-P includes a provision on how other Group Members, the Authority, and data controllers will be informed of any changes to BCR-P or the list of BCR members and provide a summary.
10.2. Explain whether you have a system for recording any changes to the BCR text and its implementation.
10.3. Confirm that data controllers will be informed a reasonable time in advance, allowing them to terminate the contract or object to the change before any changes affecting the conditions of personal data processing activities are made.
11. DATA PROTECTION MEASURES
Explain how the following issues are addressed in BCR-P, referring to any supporting documents if applicable:
— Compliance with the law and the rule of good faith (e.g., a general obligation to assist the data controller):
— Accuracy and, if necessary, up-to-dateness:
— Processing for specific, explicit, and legitimate purposes:
— Processing that is relevant, limited, and proportionate to the purposes for which they are processed (e.g., processing personal data only on behalf of the data controller and in accordance with its instructions and returning personal data to the data controller at the end of the contract):
— Retention for a period prescribed by relevant legislation or necessary for the purposes for which they are processed:
— Data security:
— Rights of data subjects (e.g., a general obligation to assist the data controller):
— Intra-group sub-processing:
— Restrictions on subsequent transfers to external sub-processors:
— Other issues (if any):
12. ACCOUNTABILITY AND OTHER PRINCIPLES/TOOLS
12.1. Confirm and explain how BCR Members will provide the necessary information and documents to the data controller to demonstrate that they have fulfilled their obligations.
12.2. Explain how the records of processing activities carried out under BCR-P on behalf of each data controller will be kept by BCR Members.
12.3. Explain the obligations of BCR Members to the data controller in implementing appropriate technical and administrative measures to ensure compliance with data protection principles and facilitate compliance with the obligations set forth in BCR-P.
12.4. Attach any supporting documents related to the requested information above, if any.
Date, Applicant's Signature (must be signed by persons authorized to represent and sign)
(Name, legal status, contact information should also be specified.)
ANNEX 1: BINDING CORPORATE RULES FOR PROCESSORS TEXT
A copy of the Binding Corporate Rules for Processors text must be attached to the Application Form. All required information for the application must be included in the BCR-P documents (the content of the main documents or their appendices).
ANNEX 2: GUIDANCE DOCUMENT ON THE FUNDAMENTAL ELEMENTS REQUIRED IN BINDING CORPORATE RULES FOR PROCESSORS
A copy of the Guidance Document on the Fundamental Elements Required in Binding Corporate Rules for Processors must be completed and attached to the application.
ANNEX 3: SUPPORTING DOCUMENTS
Supporting documents related to the application (documents that are not part of BCR-P) can only be submitted to provide further explanation. These appendices can be named as (ANNEX3-1), (ANNEX-3-1-A).
All submitted documents may be subject to access requests under the information acquisition legislation, if deemed appropriate.
[1] It is possible to submit the application by mail to the address 'Nasuh Akar Mahallesi 1407. Sok. No:4, 06520 Çankaya/Ankara/TURKEY'.
[2] A member of the group residing in Turkey must always accept responsibility if any relevant group member not residing in Turkey violates the binding corporate rules.
[3] Please refer to KVKK-BŞK/2024-4 Sections 1.1 and 1.2.
[4] Please refer to KVKK-BŞK/2024-4 Section 1.2 (i).
[5] This is only possible if the BCR-P member assuming responsibility and liability is located in a country that recognizes unilateral declarations or commitments as binding and if this BCR-P member has the authority to bind other members subject to the BCR-P.
[6] It is possible if the group can substantiate how the binding nature of the BCR-P is ensured.
[7] Section 1.2 (ii).
[8] Please refer to KVKK-BŞK/2024-4 Section 6.1 (vii).
[9] Please refer to KVKK-BŞK/2024-4 Section 6.1 (vii).
[10] Please refer to KVKK-BŞK/2024-4 Section 2.3.
[11] You should be aware that unilateral declarations or commitments may not have a binding effect according to some national regulations. In the absence of a specific legal provision regarding the binding nature of such declarations, only a contract containing provisions on third-party beneficiary rights among Group members can serve as proof of binding nature.
[12] Section 1.4.
[13] Please refer to KVKK-BŞK/2024-4 Section 1.3.
[14] Please refer to KVKK-BŞK/2024-4 Section 1.3. 16 4 Section 1.6.
[15] Section 1.8. 18 4 Section 2.