A First Time Decision by the Turkish Personal Data Protection Board: Allowing Cross-Border Data Transfer by Approving a Letter of Undertaking Application

The Turkish Data Protection Board (the “Board”) stated that the letter of undertaking (taahhütname) application submitted by TEB Arval Fleet Management Company (as the data controller) for cross-border transfer of personal data was accepted on 9 February 2021 as per Article 9/2 of the Turkish Personal Data Protection Law No.6698. Thus, the Board allowed a data controller to transfer the personal data by way of issuing a letter of undertaking. The announcement was published on the official website of the Turkish Personal Data Protection Authority.

The decision matters since for the first time the Board accepts a letter of undertaking application of a company to exercise personal data transfer to another country. As known, according to the Turkish Personal Data Protection Law, a data controller is allowed to transfer personal data to a third country if (i) the data subject gives explicit consent or (ii) the third country assures adequate data protection. Alternatively, both the data exporter and importer (data controllers at both sides) may undertake procurement of adequate protection by issuing a letter of undertaking and seeking for the Board’s approval for this.

Until now, the Board issued no such decision. This way, it starts setting the precedence for allowing personal data transfer to other countries through letter of undertaking.

You may find the link of the announcement below (in Turkish language):