Pursuant to the Article 9 of the Law on Personal Data Protection No.6698 (“Law No.6698”), personal data cannot be transferred abroad without explicit consent of the data subject. However, in circumstance of the provisions set forth in the second paragraph of the Article 5 and the third paragraph of the Article 6 of the Law No.6698 are met; personal data may be transferred to abroad without explicit consent of the data subject under the conditions hereinbelow:
(a)sufficient protection is provided in the foreign country where the data is to be transferred,
(b)data controller in Turkey and data controller in the related foreign country ensure a sufficient protection in writing and Turkish Personal Data Protection Board (“Board”) has authorized such transfer, where sufficient protection is not provided.
The Board has not determined and announced the countries in where sufficient level of protection is provided yet. Therefore, in order to transfer of personal data to abroad, data controllers prefer to procure the explicit consent of the data subjects or data controller in Turkey. In this respect, data controller in the related foreign country shall ensure a sufficient protection in writing before the Board.
In addition to these alternatives, “Binding Corporate Rules” method in the transfers of personal data abroad was determined regarding data transfers made between the multinational corporate companies as well.
According to the public announcement titled “Binding Corporate Rules” made by the Board on 10.04.2020, above mentioned requirements to transfer personal data to abroad are not a practical implementation for multinational corporate companies. Therefore, the Board has determined "Binding Corporate Rules" as an alternative method to be used in the cross-border data transfers to be made between these multinational corporate companies. For the full text of the announcement please check: https://www.kvkk.gov.tr/Icerik/6730/PUBLIC-ANNOUNCEMENT-ON-BINDING-CORPORATE-RULES
Binding Corporate Rules are data protection rules used in transfer of personal data for the multinational group corporations operating in countries where adequate protection is not provided, the explicit consent of the data subject is not procured and sufficient protection is not ensured in writing before the Board by the data controller in Turkey and data controller in the related foreign country. Corporations that fall under this scope need to make an application for Binding Corporate Rules to the Authority, filling out the relevant form and following the instructions required at the end of the announcement. Such applications are also subject to the approval of the Board.