EN 
TR 
Turkish Personal Data Protection Authority (“Authority”) has published a new announcement on April 10, 2020 regarding the transfer of personal data abroad. Accordingly, “Binding Corporate Rules” have been determined by Turkish Personal Data Protection Board’s (“Board”) as another tool to be used for the international data transfers.
Binding Corporate Rules are internal data protection rules that ensures the adequate level of data protection for the international data transfers within a group of companies which have some entities located in a country that does not ensure the adequate protection. Companies have to draft their Binding Corporate Rules and apply to the Board for approval of such rules. With the approval of the Board, companies within the same group shall be entitled to transfer data based on their approved Binding Corporate Rules granted that other data processing principles are fulfilled, even in cases where the receiving group company is in a country that does not ensure the adequate level of protection.
Background
Under the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”), personal data can only be transferred to a third country which does not ensure the adequate protection without the data subject’s explicit consent, if the adequate level of protection is provided by the parties with a commitment in writing granted that other data processing principles are fulfilled and the Board’s permission for such transfer exists.
Additionally, international transfer can be conducted, should the receiving party is subject to a third country’s legal system that ensures the adequate protection and other data processing principles are fulfilled. As regulated under the Law No. 6698, the countries which have the adequate level of protection should have been announced by the Board. It is worth to note that the Board has not announced such countries yet.
Co-Authors: Aslı Naz Ünlü & Deniz Çelikkaya
