ARTICLE
12 July 2024

Personal Data Protection Authority Binding Corporate Rules - Binding Corporate Rules For Processors Application Form

YL
YAZICIOGLU Legal

Contributor

YAZICIOGLU Legal logo
Yazıcıoğlu Legal is an Istanbul based boutique law firm. The firm has a strong focus on legal matters related to TMT, Data Protection, Corporate, Commercial matters and Dispute Resolution. The firm is ranked by The Legal 500 on IT and Telecoms and by Chambers and Partners on TMT.
Explore
Sub-Processor: A natural or legal person who processes personal data on behalf of the processor in accordance with the processor's instructions.
Turkey Privacy
Person photo placeholder
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

DEFINITIONS

Sub-Processor: A natural or legal person who processes personal data on behalf of the processor in accordance with the processor's instructions.

Binding Corporate Rules: Personal data protection rules to be adhered to by Group Members, for personal data transfers carried out by a data controller or processor established in Turkey to a data controller or processor established abroad within the same Group engaged in a joint economic activity.

BCR Member: A Group Member bound by the Binding Corporate Rules for Processors.

Internal Sub-Processor: A sub-processor within a group engaged in a joint economic activity.

Group: A group engaged in a joint economic activity.

Group Member: Each entity within a group engaged in a joint economic activity.

External Sub-Processor: A sub-processor not within a group engaged in a joint economic activity.

Service Agreement: A legally binding agreement or other legal transaction under Turkish law that demonstrates data processing activities between the data controller and processor and between the processor and sub-processor.

Contact Person/Unit: The person or unit responsible for liaising with the Authority regarding matters related to the Binding Corporate Rules for Processors.

ABBREVIATIONS

Application Form: Binding Corporate Rules Application Form for Processors dated 04/06/2024 and numbered KVKK-BŞK/2024-3

Law: Personal Data Protection Law No. 6698

Board: Personal Data Protection Board

Authority: Personal Data Protection Authority

BCR-P: Binding Corporate Rules for Processors

BCR-C: Binding Corporate Rules for Controllers

Guidance Document: Binding Corporate Rules for Processors Guidance Document dated 04/06/2024 and numbered KVKK-BŞK/2024-4

GENERAL INSTRUCTIONS AND EXPLANATIONS REGARDING THE APPLICATION

  • Only one copy of the Application Form and the Guidance Document should be completed and submitted to the Authority. The Guidance Document is an appendix to the Application Form.
  • Separate forms must be completed for each application if an approval application is made to the Authority for both BCR-C and BCR-P.
  • Applications can be submitted to the Authority in person, by mail or through other methods to be determined by the Board1.
  • If there is insufficient space for answers in the relevant fields of the Application Form and the Guidance Document, additional pages or appendices may be used.
  • Every document in a foreign language must have a notarized translation.
  • Responses or documents that are commercially sensitive and deemed confidential can be indicated in the application.
  • In the application to be made, documents proving the authorization to sign must be included along with details such as the full name, address, and signature of the authorized applicant. In this context, applications by legal entities must be made by persons authorized to represent and sign, and documents proving this authority must be attached to the application. Additionally, in applications to be made by an attorney, the original power of attorney or a certified copy must be included.
  • The subsequent steps of the application process are explained in the Guidance Document.
  • During the annual updates of BCR-P, the adequacy of assets must be confirmed by completing section 4 ("Assets") of Part 2 of the Application Form.
  • If the Group's headquarters is in Turkey, the Application Form must be completed and submitted by this entity, or another entity established in Turkey to which personal data protection responsibilities have been delegated under certain conditions2. In the latter case, the Group must provide additional justification as to why another entity in Turkey was chosen as the applicant.
  • If the Group's headquarters is outside of Turkey, the Group must designate a Group entity established in Turkey, to which personal data protection responsibilities have been delegated, as the Authorized Group Member. This entity must then submit the application to the Authority on behalf of the Group.
  • The 'contact person/unit' to whom questions regarding the application can be addressed must be notified to the Authority. For practical reasons, it is recommended that this person/unit be located in Turkey.

To view the full article, click here.

Footnotes

1. It is possible to submit the application by mail to the address 'Nasuh Akar Mahallesi 1407. Sok. No:4, 06520 Çankaya/Ankara/TURKEY'.

2. A member of the group residing in Turkey must always accept responsibility if any relevant group member not residing in Turkey violates the binding corporate rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
YAZICIOGLU Legal
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More