An Alternative to Data Transfers Abroad: Binding Corporate Rules

With the announcement dated April 10  2020, Turkish Data Protection Authority (“DPA”) determined Binding Corporate Rules as a mean to be used for the data transfer abroad based on Article 9/2 of Law on Personal Data Protection numbered 6698 (“Law”) and introduced a new tool for the highly controversial and ambiguous matter in Turkey.

By indicating in the announcement that the undertakings taken as per Article 9/2 of the Law would be usually practical for the bilateral data transfers but insufficient with regards to data transfers among the subsidiaries of a global group companies, DPA introduced an alternative method for the data transfers among these entities.

While examining the minimum criteria prepared by DPA with regards to undertakings and intra-group data transfer agreements that are mostly used by global companies, it is inferred that the data transfer agreements among global group companies are generally framework agreements and they are complex, multi-lateral and unavailable to be re-drafted as bilateral or parties are required to sign bilateral undertakings in addition to the intra group transfer agreement which is found almost impractical by global companies. Furthermore, although it seems that these intra group transfer agreements fulfill the minimum criteria established by DPA, it is understood that they do not satisfy DPA’s expectations regarding the way the transfer is carried out either.

With Binding Corporate Rules method, multinational group companies operated in the countries that do not have sufficient level of protection can prepare written data protection rules which are used in data transfer abroad and guarantee sufficient level of protection and these rules can be submitted to the DPA for its approval. It is regulated that the companies that will apply for the approval of Binding Corporate Rules within this scope need to fill out the relevant form announced by the DPA, follow the necessary instructions and make an application to DPA regarding Binding Corporate Rules. We think that if the group company already has Binding Corporate Rules already approved in the EU level, this will be helpful but not sufficient in and of itself. The DPA has introduced specific requirements such as determining Turkish courts as authorized courts for any dispute thus local requirements must be satisfied.

The application for approval of the Binding Corporate Rules can be made through delivering the required documents by hand or mail sent to DPA and DPA has a period of 1 year for deciding on approval and allowing data transfer within the scope of Binding Corporate Rules, and the said period may be extended for another 6 months. It is worth saying that the DPA will handle its own review over the documents although the applicant has an already approved Binding Corporate Rules at EU level.

Finally, it is mentioned that the application of Binding Corporate Rules which is accepted by DPA will not have a validity period, but if DPA deems necessary, the application of it may be suspended or even terminated by DPA.

First published by Gün + Partners, in 16.04.2020

Find more insights