14 April 2022

Transfer Of Personal Data To Third Parties

Gun + Partners

Contributor

Gün + Partners is a full-service institutional law firm with a strategic international vision, providing transactional, advisory and dispute resolution services since 1986. The Firm is based in Istanbul, with working offices in Ankara and Izmir. The Firm advises in life sciences, energy, construction & real estate, technology, media and telecoms, automotive, FMCG, chemicals and the defence industries.

Sensitive and non-sensitive personal data may be transferred to third parties if the data subject's explicit consent is obtained or if one of the additional legal grounds is applicable for such transfer.

The Data Protection Law does not define a third party; therefore, any individual or entity (other than the data controller and the data subject) may be considered a third party. This creates a problem, especially for transfers between data controllers and data processors, as there is no explicit provision concerning such transfers. As a result, any transfer of personal data from a data controller to a data processor may be interpreted as a transfer to a third party. Under that interpretation, any such transfer would need to be made either:

  • With the explicit consent of the data subject; or
  • Where additional legal grounds exist.

The Data Protection Law defines a "Data Processor" as the natural or legal person who processes personal data on behalf of the data controller upon their authorisation. As the data processor is a natural person or a legal entity processing personal data "on behalf of" the data controller, it can be stated that the data processor is different from an ordinary third party. It acts under the authority of the data controller, making the data processor a part of the data controller's organisation. As the transfer of personal data between the employees of a data controller cannot be considered a transfer to a third party (although the data controller and each employee are separate persons), a transfer to the data processor should also not be considered a transfer to a third party. This is a far-reaching interpretation, but if the Board adopts a decision in this respect, such an interpretation would be strong, and its chances of withstanding the test of a court would be high. However, under the current circumstances, each transfer made to a data processor is considered a data transfer to a third party.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
