Turkiye: Adopted Personal Data Protection Board's Guide on Binding Corporate Rules (BCRs) for Data Controllers

On 10 July 2024, the Personal Data Protection Board (PDPB) adopted the Guide on Binding Corporate Rules (BCRs) for Data Controllers. The guide includes the application form controllers are required to use in order to obtain PDPB approval, clarifies the information and measures that have to be included in BCRs and specifies the documents that have to be made available. Furthermore, the guide specifies that the provisions for group members under the law are effective unless a higher protection level is mandated, and the PDPB's approval of BCRs is valid until any amendments or revocations are made. The approval confirms compliance with the required legal safeguards but does not imply compliance with all aspects of the law for every data processing activity. It remains the data controller's responsibility to ensure compliance for each transfer. The PDPB's approval specifically covers the transfer of personal data to countries not deemed to provide adequate protection. Groups are allowed to implement BCRs as global data protection policies for all affiliated entities, whether located inside or outside Turkey. However, the approval's scope is limited to transfers concerning data controllers within the law's jurisdiction and other group members linked through the BCRs to countries that don't have adequate protection levels.