The Turkish Parliament adopted the Law on the Protection of Personal Data (New Law), which took effect on April 7th 2016. The New Law establishes a set of rules specifically aiming to protect personal data.
If your company collects, stores, processes or transfers personal data you will be directly affected. You will be asked to have data controllers in your organization and shall have specific obligations such as to register with the data protection registry. The main rule to collect and process personal data is to obtain explicit consent of the person whose data will be collected.
Data Protection Board (“Board”) (an independent decision making body) and Data Protection Authority is established to watch over the data processing and transferring activities.
According to the New Law, organizations shall have specific obligations such as to register with the Data Controllers Registry (VERBIS). The Board has announced deadlines of the obligation to register to the VERBIS for different categories of data controllers that are not exempt. For most of the companies the deadline will end on June 30th, 2020.
If you are a global organization, where there has been personal data being transferred between the group companies globally, or between the third parties outside of the organization who are considered themselves as “data controller” regarding the personal data received from Turkey, should register themselves with VERBİS as “data controllers residing abroad” by June 30th, 2020.
In addition to the above, since the Board has not designated the list of the countries with adequate protection and the European Commission has not recognized Turkey as a country providing adequate protection yet, there are two ways of data transferring abroad:
Undertaking: The group companies globally and their local subsidiaries who are considered themselves as “data controller” regarding the personal data received from Turkey may apply to the Data Protection Authority for its approval with the adequate Data Transfer Agreements (“Undertaking”) whether controller to controller or controller to processor.
Binding Corporate Rules (“BCR”): Even though the Undertaking procedure is a way of transferring data abroad, in most cases it is inadequate for national or multinational group companies; therefore, on April 10th, 2020, the Board has announced that BCRs are another way of transfer of data between the group companies. Group companies as mentioned may manage the data transfer process with this method right after their application for Binding Corporate Rules is approved by the Board.
Although the second method facilitates the practical implementation of data transfers to be made between group companies, it is important to emphasize that both options have their own advantages and risks. Analyzing the companies’ needs and making up your decision wisely is vital.
The companies as being non-compliant with the rules will face serious consequence.
Be ready before the deadline.