Sensitive and non-sensitive personal data can be transferred abroad if the explicit consent of the data subject is obtained.
Furthermore, other legal grounds will also apply to the transfer of personal data to the foreign country. However, the destination country must have “sufficient protection” in order to conclude the transfer abroad based on legal grounds (except for having obtained explicit consent). A list of jurisdictions that provide sufficient protection is to be determined by the Board. It has been confirmed by the DPA that they have been working on the issue of transfer to a foreign country; however, we do not expect the issuance of a safe country list in the near future, as the Board depends on the rule of reciprocity for determination of safe countries.
Pursuant to the Data Protection Law, if there is no sufficient protection in the destination country, for realisation of the data transfer, both:
- The data controller in Turkey and in the foreign country must provide a written commitment, stating that sufficient data protection will be provided; and
- The transfer must be authorised by the Board.
However, we have seen that obtaining a permit from the Board upon submitting a written commitment is not a clear process, and there is no predictable timeline either as to when the parties may reach such a permit from the Board. Thus, making an application to the Board through submission of commitments in and of itself, or submitting intercompany transfer agreements, are not considered to be adequate.
As an alternative method for the transfer of data between multinational group companies where there is no sufficient protection in the destination country, the DPA introduced the concept of Binding Corporate Rules (“BCR”). Accordingly, a BCR application must be submitted to the DPA, and the DPA’s approval must be obtained to transfer personal data legally between multinational group companies, without the need to obtain explicit consent (in cases where the processing of personal data may be made based on legal grounds other than explicit consent, i.e. execution of the agreement, exercise of legal rights, or fulfilling legal requirements…etc.).
The fact that there is currently no fast solution for the transfer of personal data abroad except for obtaining explicit consent, and that the legal instruments, such as standard contractual clauses, alone, are not adequate for the transfer of personal data abroad, undisputedly reveals that this issue must be resolved by an amendment to the Law. Concrete steps are expected to be taken to resolve this issue in the short term in accordance with the current legislation, as it also affects commercial relations.