Turkiye: Adopted Personal Data Protection Act including cross-border data transfer

On 24 March 2016, the Personal Data Protection Act, including cross-border data transfer, was adopted by the Grand National Assembly of Turkiye. The Act requires entities to obtain users' consent. Without consent, the entities would be allowed to transfer data based on an adequacy decision by the Personal Data Protection Board. In the absence of an adequacy decision, the entities would have to obtain permission from the Personal Data Protection Board including if they sign a contract including commitments for adequate protection of the data abroad. Furthermore, the Act specifies that the transfers would be authorised based on the international conventions Turkiye signed and the state of reciprocity that Turkiye has with other jurisdictions. The Act comes into force 6 months after its publication in the official Gazette.