Turkiye: Implemented Personal Data Protection Board’s Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad

On 10 July 2024, the Personal Data Protection Board (PDPB)’s Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad entered into force. The regulation implements Article 9 of the Personal Data Protection Law No. 6698, amended by Law no. 7499, specifying the mechanisms data processors can use to transfer data to other jurisdictions. Data transfers are allowed if the conditions for the processing of personal data from Articles 5 and 6 are met and there is an adequacy decision for the destination country, international organisation, or sectors within the country where the transfer will occur. The PDPB has the power to determine the jurisdictions that provide adequate protection for the transfer of personal data abroad. If no adequacy decision exists, personal data can be transferred abroad based on appropriate safeguards, such as non-international agreements and PDPB permission for the transfer, binding corporate rules approved by the PDPB, standard contracts approved by the PDPB, or written commitments ensuring adequate protection and PDPB permission for the transfer. The regulation lists the appropriate safeguards that each mechanism has to include. Finally, in the absence of an adequacy decision and the appropriate safeguards specified cannot be provided, the regulation lists exceptional cases allowing the transfer. Exceptional cases for transferring personal data abroad include situations where the data subject explicitly consents, is necessary for contractual obligations or legal claims, and for transfers required by overriding public interests or from accessible public registers. Transfers may also occur to protect the vital interests of those unable to consent.