ARTICLE
8 December 2020

Transfer Of Data To Third Party

G+
Gun + Partners

Contributor

Gun + Partners logo
Gün + Partners is a full-service institutional law firm with a strategic international vision, providing transactional, advisory and dispute resolution services since 1986. The Firm is based in Istanbul, with working offices Ankara and Izmir. The Firm advises in life sciences, energy, construction & real estate, technology, media and telecoms, automotive, FMCG, chemicals and the defence industries.”
Explore
Sensitive and non-sensitive personal data can be transferred to third parties if the explicit consent of the data subject is obtained, or if one of the additional legal grounds is applicable for such transfer.
Turkey Privacy
Person photo placeholder
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

Sensitive and non-sensitive personal data can be transferred to third parties if the explicit consent of the data subject is obtained, or if one of the additional legal grounds is applicable for such transfer.

The Data Protection Law does not provide a definition for a third party; therefore, any individual or entity (other than the data controller and the data subject) may be considered a third party. This creates a problem, especially in relation to transfers between data controllers and data processors, as there is no explicit provision in relation to data transfers between data controllers and data processors. As a result, any transfer of personal data from a data controller to a data processor may be interpreted as a transfer to a third party. Such an interpretation means that any such transfer would need to be made either:

  • With the explicit consent of the data subject; or
  • Where additional legal grounds exist.

"Data processor" is defined under the Data Protection Law as the natural or legal person who processes personal data on behalf of the data controller upon his/her authorization. As the data processor is an individual or a legal entity processing personal data "on behalf of" the data controller, it can be stated that the data processor is different from an ordinary third party. It acts under the authority of the data controller, making the data processor a part of the data controller's organisation. As the transfer of personal data between the employees of a data controller cannot be considered a transfer to a third party (although the data controller and each employee is a separate person), the transfer to the data processor should also not be considered as a transfer to a third party. This is a far-reaching interpretation, but if the Board adopts a decision in this respect, such an interpretation would be strong, and its chances of holding out against the test of a court would be high.

Originally published 18 September 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
Gün + Partners
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More