The transfer of personal data abroad is regulated under article 9 of the Personal Data Protection Law numbered 6698 (“Law”). Pursuant to this article, in the event that adequate protection is not provided in the country to which the personal data will be transferred, such data may be transferred abroad without the explicit consent of the relevant personsubject to the existence of commitment for adequate protection in writing by the data controllers in Turkey and abroad and authorization of the Personal Data Protection Board (“Board”).
The Board has announcedthe “Commitments” as one of the methods that enable the relevant parties to commit the adequate level of protection in writing for the data transfer to be made by the data controllers established in Turkey to the data controllers/data processors established in countries where the adequate protection is not provided. The Board has also determined and announced the minimum criteria that must be included in the commitments to be prepared by the parties and submitted to the Board for approval. In this scope, the data transfer will be possible upon the approval of the commitments by the Board. Thesecommitments generally facilitate the bilateral transfers to be made between the companies, however they may fall short in providing a practical implementation in respect to the data transfers to be made between the multinational companies. Thus, the Board has determined the “Binding Corporate Rules” as another method to be used in cross-border data transfers between companies.
Binding Corporate Rules are data protection rules used in the transfer of personal data for the multinational group companies operating in countries where adequate protection is not provided which enable the commitment of adequate protection in writing. Companies that fall under this scope are required to make an application for Binding Corporate Rules to the Personal Data Protection Authority (“Authority”) by filling out the relevant form and following the instructions.The application form contains questions on how the Binding Corporate Rules become binding on the group members,the envisaged mechanisms ensuring the effective application of the Binding Corporate Rules, coordination with the Authority, details on the transfer and processing of personal data, mechanisms for reporting and recording changes, matters regarding data protection safety, accountability, questions about the supporting documentation and the general provisions of the Binding Corporate Rules.
This system enables the group companies whose applications for Binding Corporate Rules are approved by the Authority, to conduct the data transfer within the scope of the relevant Binding Corporate Rules without the necessity of conducting any other transaction.
Please do not hesitate to contact us at firstname.lastname@example.org for any questions.