Support Centre

Turkey: KVKK issues statement on data transfers abroad

The Personal Data Protection Authority ('KVKK') issued, on 26 October 2020, a statement on data transfers abroad. In particular, the statement notes among other things that, the Law on Protection of Personal Data No. 6698 ('the Law') entered into force allowing a grace period for compliance with the Law, and that several deadlines had been extended due to the Coronavirus pandemic, however there is criticism from private sector representatives and academic institutions regarding the implementation of the Law, related secondary legislation, and the activities of the KVKK. In addition, the KVKK noted that although this criticism is welcomed, it considers that misunderstandings that may arise should be eliminated and that the statement has also been published in order to prevent these misunderstandings by revealing the work and perspective of the KVKK, especially in the transfer of personal data abroad.

Moreover, the statement contains information clarifying the position on, the transfers of data abroad under the provisions of the Law, transfers of data to countries without sufficient protection, and the transfer of personal data abroad under other laws, among other things. In particular, in regard to the determination of adequacy, the statement notes that, as per Article 9 of the Law, the Board of the KVKK will make assessments on whether there is adequate protection in foreign countries with a relevant factor being the state of reciprocity concerning data transfer between the requesting country and Turkey. Furthermore, the statement notes that the issue of reciprocity is prevalent in all correspondence with the Ministry of Foreign Affairs regarding the determination of adequacy status, and it is emphasised that the negotiations to be carried out should be based on mutual recognition decisions in all cases and conditions. 

Notably, the KVKK also indicated that Binding Corporate Rules ('BCRs') may be applicable and used in data transfers between multinational group companies, and that it can be used as a method to fulfil obligations to commit to adequate protection set out under the Law, for instance where the European Commission has not made an adequacy decision under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

You can read the Statement, only available in Turkish, here