On March 12, 2024, the Turkish Parliament enacted significant amendments (the “Amendments”) to the Turkish Personal Data Protection Law (“PDPL”). The Amendments concern sensitive personal data, sanctions and the transfer of personal data abroad, which is the most problematic area of personal data law in Türkiye.
Following the Amendments, and given the importance of data transfers, “The Draft Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad” (“Draft Regulation”) was published to determine the details of the procedures and principles for the transfer of personal data abroad. The Draft Regulation has been submitted for public consultation and has not yet entered into force.
This article provides a comprehensive examination of the Draft Regulation, highlighting the key revisions and their implications for data controllers, data processors and data subjects alike.
1. Procedures for Transferring Personal Data Abroad
The Amendments and the Draft Regulation provide that both data controllers and data processors may transfer personal data abroad. When transferring data, data controllers and data processors must act in accordance with the PDPL and with the procedures and principles laid down in the Draft Regulation.
According to the Draft Regulation, there are three main ways in which personal data can be transferred abroad. In each instance, the data transfer must fall within one of the conditions outlined in Articles 5 and 6 of the legislation.
- The existence of an “adequacy decision” for the country of transfer, sectors within the country or an international organization,
- One of the “adequate measures” set out in Article 10 of the Draft Regulation is present, and the data subjects can exercise their rights and have recourse to effective remedies in the country of transfer,
- The existence of one of the exceptional circumstances referred to in Article 16 of the Draft Regulation.
2. Transfers Based on Adequacy Decision
An adequacy decision is a decision by the Board that a country, one or more sectors within a country, or an international organization provides an adequate level of protection. The Board considers various factors, including reciprocity, when making adequacy decisions.
It’s worth noting that the Board has not issued any adequacy decisions since the PDPL came into force in 2016. With regard to the detailed provisions of the Draft Regulation on data transfers abroad and the adequacy decision, we believe that the Board is preparing to announce adequacy decisions and make data transfers abroad more feasible.
The adequacy decision issued by the Board shall be re-evaluated at least every four years. Re-evaluation periods shall be clearly stated in the relevant adequacy decision. If at any time the Board is of the opinion that the relevant country, one or more sectors within the country, or the international organization does not provide adequate protection, it may amend, suspend or revoke the adequacy decision prospectively. Therefore, we believe that a review of the adequacy decision prior to the transfer of personal data would be beneficial for data controllers and data processors.
3. Transfers Based on Adequate Measures
As mentioned above, data transfer may also be made in the presence of adequate measures specified in the Draft Regulation.
The adequate measures are listed in Article 10 of the Draft Regulation as follows:
- the existence of an agreement, that is not in the nature of an international convention, between the public institutions and organizations abroad or international organizations and public institutions and organizations or professional organizations having the character of public institutions, and the authorization for the transfer of data,
- the existence of binding corporate rules approved by the Board which contain provisions on the protection of personal data within the group companies engaged in joint economic activities,
- the existence of a standard contract, published by the Board, which contains the categories of data, the purposes of the transfer, the recipients and the groups of recipients, technical and administrative measures, and the additional technical and administrative measures taken by the data transferee for special categories of personal data,
- the existence of a written commitment containing the provisions to ensure adequate protection and the Board’s authorization for the data transfer.
3.1. Providing Adequate Measures Through An Agreement That Does Not Constitute An International Convention
An agreement that is not in the nature of an international convention, between the public institutions and organizations abroad or international organizations and public institutions and organizations or professional organizations having the character of public institutions may provide an opportunity for data transfer abroad. The agreement shall be concluded between the parties involved in the transfer of personal data.
The Draft Regulation specifically requires the following issues to be included in the provisions of the agreement.
- Purpose, scope, nature, framework, and legal reason of the data transfer,
- Definitions of basic concepts in accordance with the PDPL and relevant secondary legislation,
- A statement that the general principles set out in Article 4 of the PDPL will be complied with,
- Procedures and principles of the clarifications to be made to the data subjects in relation to the agreement and the data transfer,
- Commitment that the data subjects may exercise the rights specified in Article 11 of the PDPL and the procedures and principles of the application regarding the exercising of the mentioned rights,
- Commitment that any technical and administrative measures necessary to ensure the appropriate level of data security will be taken,
- Commitment that in case of transfer of special categories of personal data, the adequate measures determined by the Board will be taken,
- Restrictions on the subsequent transfer of personal data,
- The remedies that the data subject may apply in case of a violation of the provisions for the protection of personal data,
- Audit mechanisms regarding the protection of personal data,
- The right of the data transferor to suspend the data transfer and to terminate the agreement in case of the data transferee’s failure to comply with the data protection provisions,
- Commitment of the data transferee to return the personal data with their backups to the data transferor or to destroy the personal data completely in the event of termination or expiry of the agreement, depending on the sole discretion of the data transferor.
We would like to emphasize that the Board should be consulted during the negotiation process of the agreement. The application shall be accompanied by the final text of the agreement and other information and documents necessary for the Board’s assessment. The transfer of personal data shall commence after the authorization granted by the Board.
3.2. Providing Adequate Measures Through Binding Corporate Rules
Binding corporate rules for the protection of personal data, prepared by group companies engaged in joint economic activities, may also provide adequate measures for transferring data abroad.
In order to transfer personal data abroad on the basis of binding corporate rules, a request for approval must be submitted to the Board. The request for approval should include the text of the binding corporate rules and other information and documents necessary for the Board’s assessment. If the documents to be submitted are in a foreign language, the application must be accompanied by a certified translation of each document. If the binding corporate rules are prepared in both Turkish and a foreign language, the Turkish text shall prevail, and the Board’s assessment shall be made in accordance with the Turkish text.
The Board shall determine the appropriateness of the binding corporate rules, in particular with regard to the following:
- The commitments contained in the binding corporate rules shall be legally binding and practical to all the members of the group companies and their employees,
- The binding corporate rules contain a commitment that the data subjects are entitled to use their rights,
- The binding corporate rules contain the minimum requirements set out in Article 13 of the Draft Regulation.
As the binding corporate rules are subject to review and approval by the Board, the transfer of personal data will commence after the approval of the Board.
Application forms and supplementary guides for data controllers and data processors have been published for public consultation.
The Board is entitled to determine other requirements that must be contained in the binding corporate rules. As mentioned above, in order for the Board to approve the binding corporate rules, they must contain the following provisions:
- The organizational structure and contact information of each member of the group company,
- Matters in relation to the data transfers, especially categories of personal data, processing activities and purposes, group or groups of persons concerned, the country or countries where the transfer will take place,
- The commitment that the binding corporate rules are legally binding both in the internal relations of the group companies and in relations with third persons,
- The commitment of compliance with the general principles specified in Article 4 of the PDPL, conditions for processing personal data (including special categories of personal data), technical and administrative measures ensuring data security, adequate measures to be taken in the processing of special categories of personal data and data protection measures, such as restrictions on the subsequent transfer of personal data,
- The commitment and the procedures for exercising the data subject’s rights,
- The commitment that a data controller and/or data processor resident in Turkey will assume responsibility for the breach of the binding corporate rules by any member not resident in Turkey,
- In addition to the matters contained in the clarification text, explanations on how information related to the binding corporate rules will be provided to the data subjects,
- Explanations regarding the training to be given to employees on the protection of personal data,
- The duties of the persons or the unit in relation to the group companies’ compliance with the binding corporate rules,
- Commitment to notify the persons or the unit, the board of directors of the controlling company, and the Board of the corrective actions to be taken to protect the rights of data subjects,
- Recording, reporting, and notifying mechanisms regarding the changes to binding corporate rules,
- Commitment to co-operate with the Board in relation to the compliance with binding corporate rules,
- The group companies’ commitment that there are no national regulations contrary to the safeguards provided by the binding corporate rules and that the group companies shall notify the Board if such a legislative amendment is made,
- Commitment to provide data protection training to the employees with permanent or regular access to personal data.
3.3. Providing Adequate Measures Through A Standard Contract
A standard contract containing provisions on the categories of personal data, the purposes of the data transfer, the recipients and recipient groups, technical and administrative measures and the additional measures taken for special categories of personal data may also allow data transfers abroad.
As the name suggests, a standard contract is a format that has been determined by the Board. Consequently, parties wishing to transfer data in accordance with the standard contract will not draft an agreement but will use the standard format published by the Board. In this context, it is imperative to use the standard contract in its original form, without any modifications. If the standard contract is concluded in both Turkish and a foreign language, the Turkish text shall prevail.
It is also mandatory to notify the Personal Data Protection Authority (“Authority”) of the standard contract. The Draft Regulation also regulates by whom, when and how the standard contract will be notified to the Authority. In this context, it must be notified to the Authority physically or via a registered electronic mail (KEP) address or other methods determined by the Board within five business days following the completion of the signatures. The transfer parties may determine in the standard contract who will fulfil the notification obligation. In the absence of such a determination, the standard contract shall be notified to the Authority by the data transferor.
The notification to the Authority must be accompanied by documents certifying that the signatories of the standard contract are authorized and a notarized translation of each foreign language document.
Currently, four standard contracts are submitted for public consultation: one between data controllers, one between data controllers and data processors, one between data processors, and one between data processors and data processors.
3.4. Providing Adequate Measures Through A Written Commitment
The last, but not least, option for transferring data to a foreign country is a written commitment. In order to transfer personal data abroad in accordance with the terms of the written commitment, the data transferor is required to apply to the Board for authorization. With this application, the text of the written commitment and other pertinent information and documents are submitted to the Board for review. If the written commitment is drafted in a language other than Turkish, the Turkish version shall prevail, meaning that the Board will assess the document in line with the Turkish text. The transfer of personal data shall commence only after the Board has granted its authorization.
The provisions on the protection of personal data to be included in the written commitment are set out in the Draft Regulation as follows.
- Purpose, scope, nature, framework and legal reason of personal data transfer,
- Definitions of basic concepts in accordance with the PDPL and relevant secondary legislation,
- A statement that the general principles set out in Article 4 of the PDPL will be complied with,
- Procedures and principles regarding the clarification to be made to the data subject regarding the written commitment and the data transfers,
- The commitment and the procedures for exercising the data subject’s rights,
- Commitment that any technical and administrative measures necessary to ensure the appropriate level of data security will be taken,
- Commitment that adequate measures determined by the Board will be taken in case of transfer of special categories of personal data,
- Restrictions on the subsequent transfer of personal data,
- The methods of seeking rights that the data subject may apply in case of breach of the written commitment,
- Commitment of the data transferee to comply with the Board’s decisions and views on the processing of personal data,
- Commitment of the data transferee that there are no national regulations contrary to the safeguards provided by the written commitment and that it shall notify the data transferor as soon as possible if such a legislative amendment is made, and the data transferor’s right to suspend the data transfer and terminate the agreement,
- The data transferor’s right to suspend the data transfer and terminate the agreement if the data transferee fails to comply with the written commitment,
- Commitment of the data transferee to return or to destroy the personal data with their backups completely depending on the preference of the data transferor, in the event of termination or expiry of the written commitment,
- The provision that the written commitment is governed by Turkish law and in case of any dispute Turkish courts have jurisdiction and competence, and the data transferee’s recognition of the jurisdiction of Turkish courts.
4. Transfers Based on Exceptional Circumstances
In the absence of the adequacy decision and adequate measures explained above, personal data may be transferred abroad in certain exceptional circumstances. The Draft Regulation defines exceptional data transfers as those that are not regular, occur only once or a few times, are not continuous, and are not in the ordinary course of business.
According to the Draft Regulation, the situations described below are considered as exceptional circumstances and the data may be transferred abroad in accordance with these circumstances.
- Explicit consent of the data subject is obtained, provided that the data subject has been informed about the potential risks,
- The transfer is necessary for the performance of a contract between the data subject and the data controller, or to implement the measures requested by the data subject before the contract is executed,
- The transfer is necessary for establishment or performance of a contract for the benefit of the data subject that is signed between the data controller and another natural or legal person,
- The transfer is necessary for a superior public benefit,
- The transfer is necessary for the establishment, exercise, or protection of a right,
- Processing data is necessary for the protection of the life or body integrity of persons who cannot express their consent due to physical impossibility or whose consent is not legally valid,
- The transfer is made from a registry open to the public or to persons with legitimate interests, provided that the necessary conditions set by the relevant legislation to access the registry are met and transfer is requested by a person with legitimate interest.
Even if the data transfer is made from a register that is open to the public or to persons with a legitimate interest, the data transfer should be limited to the data that needs to be transferred. In other words, the transfer of all personal data or categories of personal data contained in the register is prohibited. Furthermore, transfers from registers accessible to persons with a legitimate interest may only be made to the persons interested or at the request of such persons.
5. Conclusion
In summary, with the Amendments and the Draft Regulation, many provisions on the transfer of data abroad, which is one of the most problematic areas in data protection legislation, have been drafted and submitted for public consultation.
In addition, documents regarding the standard contract and binding corporate rules have also been prepared and submitted for public opinion. We believe and are encouraged that the problems that have arisen in relation to the transfer of personal data abroad will be resolved when the Draft Regulation comes into force.
First published by Mondaq on 30 May 2024.