April 2020



For further information please contact:

Gökseli Cengiz
Senior Associate, Istanbul

Ergün Avukatlık Bürosu İstanbul | Levent 199, D: 79/B, Levent
T +90 (212) 280 90 91

Ankara | Next Level, A Blok, D: 33, Çankaya
T +90 (312) 220 30 60



Binding Corporate Rules for Personal Data Transfers

On April 10, 2020, the Personal Data Protection Authority (the “Authority”) announced the Binding Corporate Rules (the “BCRs”) for personal data transfers between the multinational group companies.

Under Article 9/2 of the Personal Data Protection Law No. 6698 (the “Data Protection Law”), personal data may be transferred to abroad without obtaining the explicit consent of the data subject provided that (i) an adequate level of protection is ensured in the transferred country[1] or (ii) if an adequate level of protection is not ensured in the transferred country (a) a written undertaking is signed by the data controllers residing both in Turkey and abroad and (b) the approval of the Authority is obtained for such transfer.

The Authority stated in its announcement that BCRs must be prepared and complied with in relation to the data transfers from a data controller located in Turkey to its group companies located abroad. Each BCRs should be drafted tailor-made and include general principles and personal data protection mechanisms of the relevant group companies.

The companies preferring to proceed with such alternative BCRs option in the data transfer should make an application to the Authority by submitting the application form, together with their BCRs text and any other documentation deemed as necessary.

The Authority further introduced the draft application form and instructions to be followed for the application. The application form should cover detailed information such as relevant group company members’ contact details, stipulated mechanisms for ensuring the data protection, coordination with the Authority, details of the personal data transfer and process, mechanisms for reporting and recording, accountability, supporting documentation for the data protection and general provisions on the BCRs.

The applications will be concluded by the Authority within 1 (one) year and such period may be extended for the periods of 6 (six) months, where necessary.


[1] The list of countries providing adequate level of protection has not been specified by the Authority yet.


This information is provided for your convenience and does not constitute legal advice. It is prepared for the general information of our clients and other interested persons. This should not be acted upon in any specific situation without appropriate legal advice. This information is protected by copyright and may not be reproduced or translated without the prior written permission of Ergün Avukatlık Bürosu.