Turkiye: Opened consultation on Personal Data Protection Board's draft Binding Corporate Rules Application Form for Data Controllers

On 17 May 2024, the Personal Data Protection Board (PDPB) opened a public consultation on the draft Binding Corporate Rules Application Form for Data Controllers until 27 May 2024. The binding corporate rules were issued following the release of the regulation implementing Article 9 of the Personal Data Protection Law No. 6698, amended by Law No. 7499, which specifies the mechanisms data processors can use to transfer data to other jurisdictions. The draft outlines the information that has to be included and submitted to the PDPB for approval. Furthermore, the draft specifies that the approval of binding corporate rules by PDPB does not guarantee that each data transfer abroad complies with all requirements of Article 9 of Law No. 6698. Group Members must ensure compliance with all obligations under the Law and binding corporate rules for each transfer. Before transferring personal data based on the binding corporate rules, the transferring Group Member must, with the receiving Group Member's help, assess whether the destination country's regulations impede compliance with the binding corporate rules, particularly concerning criminal laws and national security. If necessary, the transferor in Turkey must implement additional measures to ensure data protection that is equivalent to that in Turkey. If such measures cannot be implemented, the transfer cannot proceed. Additionally, if regulations in the destination country change to weaken data protection, the transferor must suspend or stop the data transfer.