Turkish Personal Data Protection Board (“Board”) has published an announcement on its website on April 10, 2020 regarding the personal data transfers within multinational group companies. Accordingly, a method originating from the EU law called Binding Corporate Rules (“BCR”) has been introduced by the Board and an application form with an auxiliary document are published.
According to the Article 9 of the Personal Data Protection Law (Law No. 6698), personal data cannot be transferred to a foreign country without an explicit consent of the data subject. However, it can be transferred without the explicit consent of the data subject only if;
► the data controllers both in Turkey and foreign country undertakes an essential protection in a written form and;
► a permission is granted by the Board
in the absence of an adequate protection in the foreign country where personal data will be transferred.
Board has announced the BCR by stating that undertakings generally facilitate the bilateral transfers to be made between the companies; however, in practice these undertakings given by data controllers is insufficient in terms of data transfers between multinational group companies.
Consequently, the BCR are essential for multinational group companies where the necessary protection is not provided. Within this scope, companies are required to complete the application form published by the Board and follow the instructions in order to apply for the BCR. Nonetheless, companies which have made the application for the BCR and got the approval of the Board are no longer required to receive explicit consent or submit a written undertaking regarding the data transfers between each other.