Legal Alert

Personal Data Protection Authority Announced Public Consultation on Draft Documents for Standard Contracts and Binding Corporate Rules

20 May 2024

 

The Personal Data Protection Authority (“Authority”) announced on its website on May 17, 2024 (“Announcement”) that it has initiated the public consultation process on draft documents related to standard contracts and binding corporate rules (“BCRs”) as the appropriate assurance methods for the transfer of personal data abroad, pursuant to paragraph 4 of Article 9 of the Law on the Protection of Personal Data (“PDPL”) No. 6698.

As is known, paragraph 11 of Article 9 of the PDPL, entitled “Transfer of Personal Data Abroad,” which was amended by the Law No. 7499 on Amending the Code of Criminal Procedure and Some Other Laws (the “Law Amendment”) and will enter into force on 1 June 2024, provides that the procedures and principles for the implementation of this article will be regulated by a regulation. In this context, the Authority has prepared the “Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad” and made it available for public consultation on 9 May 2024.

This time, according to the Announcement published by the Authority, the draft documents on the establishment of standard contracts and binding corporate rules to be used in the transfer of personal data abroad have been opened for public consultation.

Standard Contracts have been published for four possible scenarios for the transfer of personal data by data controllers and processors. They are as follows:

  • Standard Contract – 1 (From Data Controller to Data Controller): This contract sets out the rules and safeguards that the data transferor resident in Turkey and the data recipient located abroad must comply with when transferring personal data to the data controller.
  • Standard Contract – 2 (From Data Controller to Data Processor): This contract sets out the rules and safeguards that a data controller resident in Turkey must comply with when transferring personal data to a data processor abroad.
  • Standard Contract – 3 (From Data Processor to Data Processor): This contract sets out the rules and safeguards that a data processor resident in Turkey must comply with when transferring personal data to another data processor abroad.
  • Standard Contract – 4 (From Data Processor to Data Controller): This contract sets out the rules and safeguards that a data processor in Turkey must comply with when transferring personal data to a data controller abroad.

The Standard Contracts include terms on the immutability of the Standard Contracts, third-party beneficiary rights and transfer details; party obligations such as safeguards for the protection of personal data, instructions, duty to inform, data security, sensitive personal data, methods of claiming rights, onward transfers, audit, responsibility, documentation and compliance, and obligations in case of access by national law and public authorities; termination in case of non-compliance with the Standard Contract; and notification of the Standard Contract to the Authority.

Furthermore, specific stipulations pertaining to sub-processors have been incorporated into the contracts for data transfers from a data controller or a data processor to another processor. In such instances, two options are presented to the parties: obtaining the data transferor’s written consent on a case-by-case basis before appointing sub-processors, or acting in accordance with a list that has been approved by the data transferor during the signing of the contract and obtaining the data transferor’s prior written consent in the event of any changes to this list.

In the standard contract regulating the transfer from the data processor to the data controller, the parties are authorised to determine the applicable law and the competent country courts for the settlement of disputes, unlike the other Standard Contracts, which require the applicable law to be Turkish law and stipulate that disputes will be resolved before the Turkish courts.

Regarding Binding Corporate Rules, separate application forms and draft assistance guides have been published specifically for data controllers and data processors.

It is stipulated that separate forms must be arranged for each application when submitting approval applications to the Authority for both Binding Corporate Rules for Data Controllers (“DC BCR”) and Binding Corporate Rules for Data Processors (“DP BCR”).

The initial stage of the application process requires the submission of basic information pertaining to the DP BCR or DC BCR group, and the contact details of the person or unit the Authority will communicate with must be provided.

In both application forms, detailed explanations are required regarding the nature of personal data intended to be transferred under BCR, data categories, the purposes of personal data processing activities, categories of individuals affected by the processing of personal data, and the purposes and scope of personal data transfers.

Both the DC BCR and DP BCR Application Forms must include a commitment verifying that each responsible BCR member has sufficient assets to compensate for damages arising from a breach of the DC BCR or DP BCR, or has made appropriate arrangements to be able to compensate for such damages. This commitment should be renewed in the annual notification related to the updating of the DC BCR or DP BCR.

In the DC BCR, a BCR member located in Turkey is held responsible for the actions of other members. In contrast, in the DP BCR, data processors are primarily responsible to the data controller.

The aforementioned guide, which pertains to both the DC BCR and DP BCR, stipulates that the BCR should impose a clear obligation on all members of the group, including employees, regarding the legally binding nature of the BCR and adherence to it.

Furthermore, both the DC BCR and DP BCR stipulate that a summary of information, supported by excerpts from policies, procedures, confidentiality agreements, and other instruments, should be presented in the application form. This information should demonstrate how the binding nature of the respective BCR is ensured for employees.

Interested parties and all stakeholders are invited to send their comments, opinions and assessments on the draft documents to the email address “aktarim@kvkk.gov.tr” until May 27, 2024.

The documents and the Notice can be accessed via the following link:

https://www.kvkk.gov.tr/Icerik/7909/Standart-Sozlesme-ve-Baglayici-Sirket-Kurallarina-Iliskin-Taslak-Dokumanlar-Hakkinda-Kamuoyu-Duyurusu