DPA Issues Announcement On Commitment Letters For Cross-Border Data Transfers

EA
Esin Attorney Partnership

Contributor

Esin Attorney Partnership, a member firm of Baker & McKenzie International, has long been a leading provider of legal services in the Turkish market. We have a total of nearly 140 staff, including over 90 lawyers, serving some of the largest Turkish and multinational corporations. Our clients benefit from on-the-ground assistance that reflects a deep understanding of the country's legal, regulatory and commercial practices, while also having access to the full-service, international and foreign law advice of the world's leading global law firm. We help our clients capture and optimize opportunities in Turkey's dynamic market, including the key growth areas of mergers and acquisitions, infrastructure development, private equity and real estate. In addition, we are one of the few firms that can offer services in areas such as compliance, tax, employment, and competition law — vital for companies doing business in Turkey.
On May 7, 2020, the Personal Data Protection Authority ("DPA") issued an announcement regarding commitment letters for cross-border personal data transfers.
Turkey Privacy

Recent Development

On May 7, 2020, the Personal Data Protection Authority ("DPA") issued an announcement regarding commitment letters for cross-border personal data transfers. The DPA provided explanations on the principles and procedures, as well as the relevant information and documentation required, for cross-border data transfer approval applications. The DPA's announcement is available online here (in Turkish).

What's New?

According to the Law on the Protection of Personal Data ("Law"), data controllers may transfer personal data without obtaining the data subjects' explicit consent to countries that do not provide an adequate level of data protection by executing an undertaking letter with the recipient entities and obtaining the Personal Data Protection Board's approval.

Accordingly, data controllers applying for cross-border data transfer approval must provide the DPA with information on the persons authorized to file the application and any other documentation certifying that these persons are authorized signatories. All documents in foreign language must be translated into Turkish and certified by a notary public. Data controllers must prepare their commitment letters using the commitment letter templates published on the DPA's website and ensure that all requirements in the templates are included in the commitment letter. In addition, undertakings under the commitment letter must be drafted in the future tense (e.g. "The party transferring personal data shall/will inform the data recipient that the transferred personal data will be processed in accordance with the Law No. 6698 and the provisions of this commitment letter.")

The applicant data controllers must identify the relationship between the parties to the transfer and use the relevant commitment letter template published by the DPA. In this regard, data controllers provide sufficient explanation about the legal status of the parties to the transfer, and submit to the DPA any document that certifies the relationship between the parties along with the commitment letter (e.g. agreement), if any. Data controllers must take into consideration the general principles under the Law when preparing the commitment letter and any other document annexed to the application file. Data transfers based on the data subject's explicit consent will not be included in the commitment letter.

In relation to the explanations under the Annex of the DPA's commitment letter template, data controllers must avoid using vague terms like "such as, similar to, possible, likely" and must clearly indicate the data subject groups. In this respect, data controllers must explain in detail which personal data of the data subject groups will be subject to the transfer and the purposes of the transfer, and the legal grounds for the transfer by establishing a connection between the relevant sections in the Annex.

According to the DPA, subsequent data transfers from the recipient to any other data controller or data processor do not fall within the scope of the commitment letter. If the applicant wishes to carry out subsequent data transfers, it must execute the commitment letter with the data recipient and the relevant data controllers/processors together, or execute a separate commitment letter with these parties. Subsequent data transfers will only be allowed if the data is transferred to the competent institutions and organizations according to the data recipient's legal obligations under the relevant applicable law.

Conclusion

The DPA continues to provide guidance to data controllers regarding cross-border personal data transfers. In this respect, data controllers applying for the DPA's cross-border transfer approval must follow the DPA's instructions and prepare their commitment letters accordingly.

Originally published 12 May 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More