Article 13
Elements to be found in binding corporate rules
(1) Binding corporate rules shall include at least the following elements:
- a) The organisational structure and contact details for each member of the group of undertakings engaged in a joint economic activity;
- b) Information regarding the data transfers under binding corporate rules, in particular the categories of personal data, processing activity and its purposes, data subject group or groups, and identification of country or countries receiving data transfer,
- c) A commitment confirming that binding corporate rules are legally binding both within the internal relations and external legal interactions of the group of undertakings engaged in a joint economic activity;
- ç) Data protection measures such as compliance with the general principles outlined in Article 4 of the Law, conditions for processing personal data, sensitive personal data, technical and organisational measures for ensuring data security, adequate measures for processing sensitive personal data, and restrictions on onward data transfers;
- d) A commitment to ensure that data subjects whose personal data is transferred can exercise of their rights specified in Article 11 of the Law and their right to lodge a complaint with the Board in accordance with the procedures and principles outlined in Article 14 of the Law, along with the existence of the procedures and principles for the exercise of these rights;
- e) A commitment that, in the event of a breach of the binding corporate rules by any member not established in Türkiye, a controller and/or processor established in Türkiye will assume liability for the breach;
- f) Explanations on how the data subjects will be informed about matters related to the binding corporate rules, in particular on the provisions referred to in subparagraphs (ç), (d) and (e), as well as the information provided to the data subjects within the scope of the obligation to inform under Article 10 of the Law;
- g) Explanations on the training to be provided to employees on the protection of personal data;
- ğ) The tasks of the persons or entities in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, including their role in responding to the requests of the data subjects;
- h) The mechanisms for auditing and verifying compliance with the binding corporate rules within the group of undertakings, in particular data protection audits and methods for ensuring corrective actions to protect the rights of the data subjects, and a commitment that such results will be communicated to the person or entity referred to in subparagraph (ğ) and to the board of the controlling company within the relevant group of undertakings, and to the Board upon request;
- ı) The mechanisms for reporting and recording changes to the binding corporate rules and reporting those changes to the Board;
- i) The obligation to cooperate with the Authority to ensure compliance with the binding corporate rules by the members of the group of undertakings, in particular the submission of the results from the audit and verification activities referred to in subparagraph (h);
- j) With respect to personal data to be transferred under the binding corporate rules, a commitment by the members of the group of undertakings that there is no national regulation in the country or countries receiving the data transfer that contradicts the guarantees provided by the binding corporate rules, and mechanisms to notify the Board in case of a legislative change which likely to have a substantial adverse effect on these guarantees;
- k) A commitment to provide appropriate data protection training to personnel having permanent or regular access to personal data;
(2) The Board shall be authorised to determine additional requirements beyond those specified in the first paragraph. The documents required for the application of binding corporate rules shall be determined by the Board.