Turkiye: Implemented Personal Data Protection Act including cross-border data transfer

On 7 October 2016, the Personal Data Protection Act, including cross-border data transfer, was implemented, 6 months after its publication in the official Gazette. The Act requires entities to obtain users' consent. Without consent, the entities would be allowed to transfer data based on an adequacy decision by the Personal Data Protection Board. In the absence of an adequacy decision, the entities would have to obtain permission from the Personal Data Protection Board including if they sign a contract including commitments for adequate protection of the data abroad. Furthermore, the Act specifies that the transfers would be authorised based on the international conventions Turkiye signed and the state of reciprocity that Turkiye has with other jurisdictions.