A CHANGE FROM THE KVKK IN THE TRANSFER OF PERSONAL DATA ABROAD: BINDING COMPANY RULES
As is known, since the Personal Data Protection Law No. 6698 entered into force on April 7, 2016, transferring personal data abroad to countries that are not safe has required applying to the Board for permission, together with a commitment to protect the personal data. (Although not many in number, it is known that some data controllers have applied for permission.) However, the Board has not yet released a list of safe countries. The reason is that, because of the principle of "reciprocity", it takes time to declare which countries are safe and which are not. In this situation, the other option available to a data controller who wanted to transfer personal data abroad was explicit consent. But while explicit consent is theoretically possible, it is close to impossible in practice (for reasons such as the difficulty of obtaining employees' explicit consent of their own free will, and the fact that explicit consent can always be revoked).
It should also be noted that the vast majority of transfers abroad currently taking place are carried out illegally (given that the law entered into force four years ago).
In its recent announcement, the Board announced the adoption of "Binding Company Rules". With this, the Board took action on transfers abroad and offered data controllers an alternative route. In other words, the "Binding Company Rules", which have been in place for many years in European Union personal data protection legislation, have been adapted to Turkey.
I. Binding Company Rules in EU Law
Before talking about binding company rules in Turkey, it is worth mentioning the binding company rules contained in EU legislation on the protection of personal data. Binding company rules in the EU were created during the period when Directive 95/46/EC was in force.
Under the Directive, multinational companies had to meet obligations arising from the legislation of multiple countries simultaneously when transferring data to group companies. This slowed the business processes of multinational companies. To overcome this obstacle, multinational companies created their own privacy policies and tried to get data protection authorities to accept them.
The policies they sought to have accepted allowed personal data to be transferred abroad conveniently, but did not fully protect personal data. To prevent this, the European Commission's Working Group 29 set the minimum requirements that these privacy policies must meet and called the rules containing these minimum requirements "Binding Corporate Rules".
These rules, created as a result of the work of Working Group 29, were later included in the GDPR along with the minimum requirements they must meet. According to the GDPR, binding company rules must meet the following minimum requirements:
The structure and contact information of the group of undertakings, or group of enterprises engaged in a common economic activity, and of each of its members,
The data transfers or series of transfers, including the categories of personal data, the type and purposes of processing, the type of data owners affected, and the identification of the third country or countries in question,
Their legally binding nature, both internally and externally,
The application of the general data protection principles, including purpose limitation, data minimization, limited retention periods, data quality, data protection by design and by default, the legal basis for data processing activities, the processing of special categories of personal data, data security measures, and the requirements for onward transfers to bodies that are not bound by the binding corporate rules,
The rights of data owners in relation to data processing and the means of exercising those rights, including the right not to be subject to decisions based solely on automated processing, including profiling, under Article 22, and the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States under Article 79 and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules,
The acceptance by the data controller or processor established on the territory of a Member State of liability for any breach of the binding corporate rules by any member not established within the Union,
How information on the binding corporate rules, especially the provisions referred to in paragraphs (d), (e) and (f), is provided to the persons concerned in addition to Articles 13 and 14,
The duties of any data protection officer under Article 37, or of other persons or organizations responsible for monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a common economic activity, as well as for monitoring training and handling complaints,
Complaint procedures,
Mechanisms to ensure compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a common economic activity,
Mechanisms for reporting and recording changes to the rules and reporting these changes to the Supervisory Authority.
II. Binding Company Rules in Turkish Law
In its announcement, the Board stated that the existing routes for transferring data abroad may not be sufficient in practice for data transfers between multinational groups of companies; therefore, binding company rules have been adopted. It also published the "Binding Company Rules Application Form for Data Controllers" and the "Auxiliary Document on the Basic Considerations That Should Be Present in Binding Company Rules for Data Controllers".
Before proceeding to the details of the application, the question of who will make the application must be answered.
If the group has a headquarters resident in Turkey, the application is made by that headquarters; if the group does not have a headquarters resident in Turkey, a group member resident in Turkey must be authorized with respect to the protection of personal data, and the application is made by this "authorized group member". The person authorized to apply must submit the application form to the Board, along with the binding company rules and all other information and documents related to the application, by hand or by mail. Applications are evaluated and concluded by the Institution within one year from the date of the official application. If necessary, this period can be extended by six months. If the application is approved by the Board, this is notified by the Institution to the person concerned and announced if necessary.
In the application form, the applicant is asked to provide information on the following topics:
Applicant's information,
Information on the binding corporate rules (binding element, effective application, coordination with the Institution, processing and transfer of personal data, mechanisms for reporting and recording changes, data security, accountability and other procedures/tools, supporting information and documents).
The application form also includes general provisions on binding company rules. Under these provisions, it is stated that:
The group and the group members agree to act in accordance with the instructions of the Institution on the interpretation and application of the binding company rules,
The person authorized to apply is the interlocutor,
The group will process the personal data transferred under the rules in accordance with Law No. 6698 and the rules,
If compliance with the Law and the commitment cannot be achieved for any reason, the Institution will be notified of the issue immediately,
If personal data processed under the rules is obtained by others by illegal means, this will be notified to the person authorized to apply as soon as possible, and they will notify the relevant person and the Board as soon as possible; if necessary, the Board may announce this situation on its website or by another method that it deems appropriate,
Under the rules, personal data cannot be transferred to persons other than group members,
If a group member is no longer a member of the group, the personal data transferred will be sent to the group's headquarters resident in Turkey or, if the group's headquarters is not in Turkey, to the group member resident in Turkey authorized with respect to the protection of personal data, or will be completely destroyed along with the backups,
The transport of personal data subject to data processing activities can be restricted by taking the necessary administrative and technical measures to ensure privacy,
The group and the group members cannot disclose personal data to anyone else contrary to the provisions of Law No. 6698 and cannot use it except for the purpose of processing, and this obligation is not limited to any period.
Another published document is the "Auxiliary Document on the Basic Considerations That Must Be Present in Binding Company Rules for Data Controllers". In this document, the differences and similarities between the binding company rules and the application form, and the explanations related to the binding company rules, are set out in a table.