The criteria to be taken as basis in transferring personal data abroad are regulated in Article 9 of the Code on Protection of Personal Data No. 6698. It is stated in the related article that if the data processing conditions stipulated in the code are fulfilled, data transfer to foreign countries with sufficient protection determined by the Personal Data Protection Board without the consent of the person concerned is stated. The data transfer can be made with the countries having insufficient protection thru the letter of undertaking stating that adequate protection is ensured in Turkey and in the relevant country, and the letter of undertaking is to approved and signed by the Authority.
However, with the announcement published on 10.04.2020 by the Personal Data Protection Authority, a new method for data transfer abroad has been announced. The Authority has published the main issues regarding the Binding Corporate Rules stating that “the letters of undertaking may not be able to provide implementation practice in terms of data transfers between multinational corporate groups”. In the relevant announcement, the Binding Company Rules are defined by the Authority as data protection rules used for the transfer of personal data abroad for multinational group companies operating in countries where there is not enough protection and which ensures a sufficient commitment in writing.
How to Apply?
In the application form, there are provisions regarding the binding nature of the Rules and methods for ensuring bindingness, the rights granted to the data subject, the obligations to be undertaken in case of violation, the notification and report obligations if the rules are changed, working in coordination with the Authority, data security and transfer, accountability. Along with the application form, the Binding Company Rules text and all information and documents regarding the application will be submitted to the Authority.
Application will be delivered by hand or sent by post to Authority by the head office of the multinational corporate group. If the multinational corporate group does not have a head office in Turkey, a group member who is resident in Turkey and authorized for the protection of personal data by the group can apply.
The Authority will evaluate the application within 1 year from the official application date and this period can be extended for 6 months if necessary.