Legal Alert

Personal Data Protection Authority Announced the Final Documents for Standard Contracts and Binding Corporate Rules

11 July 2024

The Personal Data Protection Authority (“Authority”) announced on its website on July 10, 2024 (“Announcement”) the final documents related to standard contracts and binding corporate rules (“BCRs”) as the appropriate assurance methods for the transfer of personal data abroad, pursuant to paragraph 4 of Article 9 of the Law on the Protection of Personal Data (“PDPL”) No. 6698.

It may be recalled that, on 17 May 2024, the Authority published a notice on its official website announcing the commencement of the process of submitting documents pertaining to Standard Contracts and Binding Corporate Rules for public opinion. Following the receipt and evaluation of public opinion, the Authority announced on its website on July 10, 2024 that the Personal Data Protection Board (“Board”) reached a decision on 4 June 2024 (resolution 2024/959) to adopt standard contract texts for the transfer of personal data abroad, as well as company rules application forms and auxiliary guidelines on the basic issues that should be included in the BCRs as follows:

  1. Standard Contracts

Standard Contracts have been published for four possible scenarios for the transfer of personal data by data controllers and processors. They are as follows:

  • Standard Contract – 1 (From Data Controller to Data Controller): This contract sets out the rules and safeguards that the data transferor resident in Turkey and the data recipient located abroad must comply with when transferring personal data to the data controller.
  • Standard Contract – 2 (From Data Controller to Data Processor): This contract sets out the rules and safeguards that a data controller resident in Turkey must comply with when transferring personal data to a data processor abroad.
  • Standard Contract – 3 (From Data Processor to Data Processor): This contract sets out the rules and safeguards that a data processor resident in Turkey must comply with when transferring personal data to another data processor abroad.
  • Standard Contract – 4 (From Data Processor to Data Controller): This contract sets out the rules and safeguards that a data processor in Turkey must comply with when transferring personal data to a data controller abroad.

The Standard Contracts include terms on the immutability of the Standard Contracts, third party beneficiary rights and transfer details; party obligations such as safeguards for the protection of personal data, instructions, duty to inform, data security, sensitive personal data, methods of claiming rights, onward transfers, audit, responsibility, documentation and compliance; obligations in case of access by national law and public authorities; termination in case of non-compliance with the Standard Contract; and notification of the Standard Contract to the Authority.

It is a requirement that the parties include information such as the addresses of the data transferor and the data recipient, the name and surname, title and contact information of their contact point, the name and surname and title of the signatories, signature and date in the Standard Contracts. In accordance with the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”), published and entered into force on the same date as this Announcement regarding the Standard Contracts and BCRs, the standard contract must be notified to the Authority within five business days from the signing of the standard contract. Furthermore, any changes to the parties or the content of the standard contract, or the termination of the standard contract, must be communicated to the Authority. In the event of a failure to fulfil the aforementioned notification obligation regarding the Standard Contract, the PDPL stipulates an administrative fine ranging from 50,000 to 1,000,000 Turkish Liras.

Furthermore, specific stipulations pertaining to sub-processors have been incorporated into data transfers originating from a data controller and processor to another processor. In such instances, two options are presented to the parties: obtaining the data transferor’s written consent on a case-by-case basis before appointing sub-processors, or acting in accordance with a list that has been approved by the data transferor during the signing of the contract and obtaining the data transmitter’s prior written consent in the event of any changes to this list.

In the standard contract regulating the transfer from the data processor to the data controller, the parties are authorised to determine the applicable law and the competent country courts for the settlement of disputes, unlike the other Standard Contracts, which require the applicable law to be Turkish law and stipulate that disputes will be resolved before the Turkish courts.

  2. Binding Corporate Rules

Regarding Binding Corporate Rules, separate application forms and auxiliary guides have been published specifically for data controllers and data processors.

It is stipulated that separate forms must be arranged for each application when submitting approval applications to the Authority for both Binding Corporate Rules for Data Controllers (“DC BCR”) and Binding Corporate Rules for Data Processors (“DP BCR”).

The initial stage of the application process requires the submission of basic information pertaining to the DP BCR or DC BCR group, and the contact details of the person or unit the Authority will communicate with must be provided.

In both application forms, detailed explanations are required regarding the nature of personal data intended to be transferred under BCR, data categories, the purposes of personal data processing activities, categories of individuals affected by the processing of personal data, and the purposes and scope of personal data transfers.

Both the DC BCR and DP BCR Application Forms must include a commitment verifying that each responsible BCR member has sufficient assets to compensate for damages arising from a breach of the DC BCR or DP BCR, or has made appropriate arrangements to be able to compensate for such damages. This commitment should be renewed in the annual notification related to the updating of the DC BCR or DP BCR.

In the DC BCR, a BCR member located in Turkey is held responsible for the actions of other members. In contrast, in the DP BCR, data processors are primarily responsible to the data controller.

The aforementioned guide, which pertains to both the DC BCR and DP BCR, stipulates that the BCR should impose a clear obligation on all members of the group, including employees, regarding the legally binding nature of the BCR and adherence to it.

Furthermore, both the DC BCR and DP BCR stipulate that a summary of information, supported by excerpts from policies, procedures, confidentiality agreements, and other instruments, should be presented in the application form. This information should demonstrate how the binding nature of the respective BCR is ensured for employees.

