Turkish Law Blog
Binding Corporate Rules in the EU and Turkey
Founding Attorney Hatice Zümbül – Legal Intern Mehmet Turgut
The Turkish Data Protection Authority (“Authority”) published an announcement on 10.04.2020 introducing “Binding Corporate Rules” (“BCRs”), which companies may use for the transfer of personal data outside of Turkey. Indeed, according to Article 9 of the Law on Personal Data Protection No. 6698 (“KVKK”), where the country to which personal data is transferred does not provide adequate safeguards, personal data may still be transferred to that country provided that the data controller gives a written commitment regarding adequate safeguards and obtains permission from the Personal Data Protection Board (“Board”). Now, however, multinational companies can transfer personal data outside of Turkey under BCRs, a text that provides a written undertaking of adequate safeguards and is used for transfers of personal data abroad.
In the EU, Binding Corporate Rules, which are designed to allow multinational companies to transfer personal data outside the EU, are laid out by the provisions contained in Articles 47, 63, 64 and (only if necessary) 65 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
BCRs can be more useful than Standard Contractual Clauses: they can be tailored to fit the needs of the business and, once implemented and operational, they are much easier to maintain than intra-group contracts incorporating the Standard Contractual Clauses. They also set a high standard for compliance with the GDPR, which should reduce business exposure, and are seen as the ‘gold standard’ for compliance. This can be very beneficial for brand image and reputation.
2. Binding Corporate Rules in the EU
2.1 Definition of Binding Corporate Rules
Binding Corporate Rules are legally binding and enforceable internal rules and policies for data transfers within multinational group companies and work in a way somewhat similar to an internal code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection for personal data as required under the GDPR. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every member concerned of the group. Article 47 of the GDPR provides that the competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:
- are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
- expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
- fulfil the requirements explained in detail below.
Binding Corporate Rules are to be approved by the competent supervisory authority in the relevant jurisdiction in accordance with the consistency mechanism set out in Article 63. In parallel, Article 57 of the GDPR states: “without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory approve Binding Corporate Rules”, and Article 58 says: “each supervisory authority shall have the investigative powers to approve Binding Corporate Rules.”
Companies must submit Binding Corporate Rules for approval to the competent data protection authority in the EU. The authority will approve the BCRs in accordance with the consistency mechanism set out in Article 63 of the GDPR. Recital 135 and Article 63 state that, in order to ensure the consistent application of the Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established. The mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States, and where any supervisory authority concerned or the Commission requests that such a matter be handled in the consistency mechanism. Additionally, under the Recital, the mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties. This procedure may involve several supervisory authorities, since the group applying for approval of its BCRs may have entities in more than one Member State.
The competent authority communicates its draft decision to the European Data Protection Board (“EDPB”), which will issue its opinion on the Binding Corporate Rules. When the BCRs have been finalised in accordance with the EDPB opinion, the competent authority will approve the BCRs. In order to be approved, BCRs must comply with provisions of the GDPR and address the following elements:
- Right to lodge a complaint: Data subjects should be given the right to bring their claim, according to Article 79 of the GDPR.
- Transparency: All data subjects benefitting from the third-party beneficiary rights should in particular be provided with information as stipulated in Articles 13 and 14 of the GDPR.
- Scope of application: The BCRs shall specify the structure and contact details of the group of undertakings or group of enterprises engaged in a joint economic activity and of each of its members pursuant to article 42 of the GDPR.
- Data protection principles: Along with the principles of transparency, fairness, purpose limitation, data quality and security, the BCRs should also explain the other principles referred to in Article 47.2.d, such as, in particular, the principles of lawfulness, data minimisation, limited storage periods, guarantees when processing special categories of personal data, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules.
- Accountability: According to article 5.2 of the GDPR, every entity acting as data controller shall be responsible for and able to demonstrate compliance with the BCRs.
Additionally, the BCRs should contain a commitment that, where any legal requirement to which a member of the group of undertakings or group of enterprises engaged in a joint economic activity is subject in a third country is likely to have a substantial adverse effect on the guarantees provided by the BCRs, the problem will be reported to the competent supervisory authority.
3. Binding Corporate Rules in Turkey
Transfer of personal data abroad is regulated in Article 9 of the Personal Data Protection Law No. 6698 (Law No. 6698). Pursuant to this article, in the event that adequate protection is not provided in the country to which personal data is to be transferred, such data may be transferred abroad without the explicit consent of the data subject, provided that the data controllers in Turkey give a written commitment of adequate protection and the Personal Data Protection Board grants its authorization. However, these commitments generally facilitate bilateral transfers between companies, and they may fall short of offering a practical mechanism for data transfers between the members of multinational corporate groups. Therefore, on 10.04.2020 the Board announced Binding Corporate Rules, which enable the relevant parties to commit in writing, as “Commitments”, to an adequate level of protection for data transfers from data controllers established in Turkey to data controllers established in countries where adequate protection is not provided. The announcement sets out the minimum criteria that must be included in the BCRs.
The authorisation to apply is given to the registered office of the group corporation in Turkey, if there is one. Otherwise, a member of the group located in Turkey should be authorised to make the application.
In order to adopt BCRs, a group corporation must:
- undertake to take the necessary action against acts of a member of the group that is located outside of Turkey and is bound by the Binding Corporate Rules, and to compensate any damage arising from a breach of the BCRs by members of the group,
- include an undertaking in the application form that it has sufficient assets to compensate any damage arising from a breach of the BCRs by members of the group located abroad and bound by the BCRs.
The BCRs should clearly state that, if a member of the BCRs infringes them, the matter will be governed by the courts and authorities of Turkey. The related person will be entitled to claim their rights and compensation from the member of the BCRs as if the breach had occurred in Turkey rather than abroad. The audit of compliance with the BCRs is of particular importance. The BCRs shall state that the group corporation is regularly audited for compliance with the rules undertaken in the BCRs, and by whom the audit will be carried out. Also, the Board must be entitled to access the results of the audit and to carry out an inspection of a member of the group corporation. In this sense, the BCRs contain an obligation on the group corporation to accept that every member can, if necessary, be audited by the Board and will follow the Board's recommendations on this matter.
The main elements that should be included in the BCRs are in line with the elements required in the EU. In this context, the BCRs must be legally binding on every member of the group corporation, including employees. The application form must specify how the rules are made binding. The bindingness of the BCRs shall be legally valid and provable, and shall be maintained by one or more methods.
The related person shall be entitled to request the application of the articles given below:
- general principles (Article 4),
- the obligation of the controller to inform the related person (Article 10),
- erasure, destruction or anonymisation of personal data (Article 7),
- the right to object to the processing of their personal data exclusively by automated means where this leads to a consequence unfavourable to the data subject (Article 11/1/g),
- application to the controller (Article 13),
- complaint to the Board (Article 14); with respect to the BCRs, the competent authority is the Board, and the BCRs shall entitle the related person to complain to the Board and to apply to the courts,
- the obligation to cooperate with the Board,
- a clear statement as to whether there are any regulations in the country to which the data are transferred that prevent enforcement of the BCRs,
- a statement of any legal requirements that bind a member of the group corporation and have a negative effect on the guarantees the BCRs provide to the related person.
Additionally, the BCRs shall enable the related person to pursue every legal remedy, including the right to claim compensation for damage as stipulated in Article 11/ğ of the KVKK.
It is also stated that transparency should be ensured and that the BCRs should be easily accessible to the related person. The group corporation shall create a complaint-handling process through which the related person can exercise their rights or lodge a complaint against a member of the BCRs. Complaints will be responded to within 30 days.
In the EU, Binding Corporate Rules, or BCRs, aren’t new. However, with the GDPR the attractiveness of having Binding Corporate Rules in place is far higher, as they make cross-border data transfers much easier for international organisations. In Turkey, the Authority introduced Binding Corporate Rules and their details on 10.04.2020. Accordingly, the basis of Binding Corporate Rules in Turkey is quite similar to that in the EU.
In both the EU and Turkey, BCRs offer benefits that are not limited to the group of undertakings. They do require a lot of effort, but they mean that GDPR and KVKK compliance is attained, personal data processing principles are respected, data subject rights are ensured, legal grounds for lawful processing are in place, data practices are streamlined, and far more.
In both jurisdictions, BCRs must contain certain elements in order to be approved, and these elements are aligned between the EU and Turkey. Briefly, BCRs ensure that all data transfers within a corporate group comply with the GDPR and must contain data protection principles such as transparency, data quality and security; tools of effectiveness (such as audit, training and complaint handling); and an element proving that the BCRs are binding, both internally and externally.