Transfer of Personal Data Abroad and Binding Corporate Rules
Transfer of personal data abroad is regulated in the Law numbered 6698 on the Protection of Personal Data (the “PDPL”) and in the decisions of the Personal Data Protection Board (the “Board”). However, in practice, the transfer conditions have led to impractical consequences, particularly for multinational companies. Therefore, with the “Public Announcement on Binding Corporate Rules”, dated 10.04.2020, the Personal Data Protection Authority introduced an innovation that facilitates this matter.
1. Transfer of Personal Data Abroad
In principle, pursuant to Article 9 of the PDPL, personal data shall not be transferred abroad without obtaining the explicit consent of the data subject. However, if certain conditions are met, it is possible to transfer personal data abroad without obtaining the data subject’s explicit consent.
Accordingly, in order for personal data to be transferred abroad without obtaining the explicit consent of the data subject, one of the following conditions must first be met, namely that:
- the data processing activity is expressly permitted by the laws;
- the data processing activity is mandatory in order to protect the life or physical integrity of an individual or another person where the individual’s consent is not deemed legally valid or the individual is incapable of giving explicit consent because of de facto impossibility;
- it is necessary to process personal data pertaining to the parties of a contract, provided that this is directly related to the conclusion or performance of such contract;
- it is mandatory to process personal data in order for the data controller to fulfill its legal obligations;
- the personal data subject has made his/her data public;
- the data processing is mandatory for establishment, exercise or protection of a right;
- the data processing is mandatory for the data controller’s legitimate interests, provided that the fundamental rights and freedoms of the relevant personal data subjects are not harmed;
- for the special categories of personal data other than those related to health and sexual life, where permitted by the laws, such data are processed without the requirement to obtain explicit consent of the data subject; however, for the personal data related to health and sexual life, such data are processed without the requirement to obtain explicit consent of the data subject, by competent institutions and organizations or persons who are under the confidentiality obligation, only for the purposes of protecting the public health, conducting preventive medicine, medical diagnosis, treatment and nursing services and for the planning and management of healthcare services and their financing.
It is prescribed that, if one of the above conditions takes place, personal data may be transferred abroad without the requirement to obtain the data subject’s explicit consent, provided that:
- there is adequate protection in the country to which the personal data will be transferred, or
- in the absence of such adequate protection, the data controllers in Turkey and in the relevant foreign country make the written commitment for the provision of adequate protection and the Board grants the relevant permission.
In other words, even in case of the existence of the exceptional circumstances which are stated above and related to the possibility that personal data may be processed without obtaining the relevant explicit consent, it is necessary that there is adequate protection in the country to which the personal data will be transferred, or that both parties of the transfer make the written commitment and that the Board grants approval for this transfer.
Although the PDPL prescribes that the Board will announce the countries providing adequate protection, no announcement has been made yet by the Board within this context.
Hence, since the countries providing adequate protection are uncertain, the methods most frequently preferred in practice are: to obtain explicit consent of the data subject, or to obtain the relevant letter of commitment from the data controllers in the foreign country and to obtain the relevant approval by applying to the Board. The Board has announced explanations on the content of the letter of commitment and on how the letter of commitment shall be issued.
The PDPL determines the criteria to be taken into consideration by the Board while granting approval to such letters of commitment. The Board shall render its decision by evaluating:
- the international conventions and treaties to which Turkey is a party,
- the situation of the reciprocity related to data transfers between Turkey and the country that requests personal data,
- in relation to each concrete personal data transfer, the characteristics of the personal data, and the processing purpose and period,
- the relevant legislation and practices of the country to which personal data will be transferred,
- the measures committed by the data controller situated in the country to which personal data will be transferred; and
by receiving opinions of the relevant institutions and organizations in case the Board needs such opinions.
On the other hand, in cases where the interests of Turkey or of the data subject would seriously be harmed, but without prejudice to the provisions of the international conventions and treaties, personal data may be transferred abroad only by the Board’s permission after receiving opinions of the relevant public institution or organization.
Briefly, in practice, the data subject’s explicit consent is obtained; or the approval is obtained from the Board after the letter of commitment is issued, until the countries providing adequate protection for transfer of personal data abroad are announced. However, problems may arise, since the aforementioned transactions cannot be carried out practically for multinational companies. Therefore, on 10.04.2020, the Personal Data Protection Authority published a new method on the basis of “Binding Corporate Rules”.
2. Binding Corporate Rules
The Board determined “Binding Corporate Rules” as another method to be used in the international data transfers that will be performed between multinational corporation groups.
Binding Corporate Rules refer to the personal data protection rules necessary to be followed by a data controller domiciled in Turkey as affiliated with a group of corporations, in transfers or a set of transfers of personal data to companies and enterprises operating abroad in one or more than one country as affiliated with the same group of corporations and to data controllers that engage in a joint activity or have a joint decision making mechanism in respect of data processing activities.
In other words, Binding Corporate Rules are the data protection rules which are used in the transfer of personal data abroad for the multinational group corporations operating in countries where adequate protection is not provided and which enable the commitment of adequate protection in writing.
The corporations falling under this scope should file an application with the Authority for Binding Corporate Rules, by filling out the application form published on the Board’s web site and by following the necessary instructions. The condition “submission of the letter of commitment” will not be required for the companies to which Binding Corporate Rules apply.
The details pertaining to Binding Corporate Rules are provided in “The Auxiliary Document Regarding the Main Points to be Included in Binding Corporate Rules for Data Controllers”.
Briefly, the following points are set out in that document:
“In order to ensure binding nature, a legal contract or another legal act valid in Turkish law shall be arranged between the data controller and data processor, which will be included in the Binding Corporate Rules, and this shall be signed by all data processors. The obligations determined by the Binding Corporate Rules for the data controllers should also apply to the structures to which personal data are transferred as data processors within the group, in such a manner that does not contradict that contract.
The Binding Corporate Rules must be legally binding and must impose a clear obligation for each participating member of the group, including their employees, in respect of compliance with these rules. In order to ensure that the rules are binding on the employees, it is recommended that one or more of the methods namely employment contract, collective agreement, confidentiality agreement, codes of conduct, company policies, workplace internal regulations, etc. are used.
In the text of the Corporate Binding Rules, there must absolutely be provisions regarding the rights of the data subjects and the obligations of the data controllers and data processors by virtue of the legislation applicable in the Turkish Law in respect of the personal data protection.
The Binding Corporate Rules must contain an obligation for the headquarters of the group domiciled in Turkey or, if the headquarters of the group is not domiciled in Turkey, for a group member that is domiciled in Turkey and authorized for protection of personal data, which obligation specifies that the headquarters or the group member shall take necessary steps to remedy the actions of other group members that are outside the country and bound by the Binding Corporate Rules and shall pay compensation for recouping any material and non-material damages arising from the breach of the Binding Corporate Rules.
The following points must be expressly specified in the Binding Corporate Rules: If a Binding Corporate Rules member outside Turkey is in breach of the Binding Corporate Rules, the authority and jurisdiction in this regard shall lie with the competent courts and authorities in Turkey. The data subject will be entitled to claim rights and compensation against the Binding Corporate Rules member that accepts the responsibility, liability and obligation as if the breach has taken place in Turkey, not abroad.”
“Group” refers to the companies and enterprises that operate as affiliated with a group of companies and all data controllers engaged in a joint economic activity or having a joint decision-making mechanism in respect of data processing activities.