Turkey: Trans-Border Data Transfers In Turkey: A Considerably Strict Regime

Last Updated: 9 December 2016
Article by Şahin Ardiyok and Barış Yüksel

With employees and customers from all around the world, multinational companies need to keep the personal data they deal with safe. Due to some legal concerns and management policies, these companies tend to store the personal data they own—which is mainly related to their customers, employees, consumers and business transactions—in a centralized location where they can reach and utilize the data when in need. In addition, often the relevant data needs to be shared internally within the branches of multinational companies to provide services to international clients or to coordinate the operations of the company. Besides various methods on transferring the vast amount of data, companies frequently use cloud storage due to these necessities.

Cloud services and other methods that may require the transfer of data are highly popular for business life nowadays. Companies which need to transfer their data safely to other locations frequently resort to these services. However certain legal concerns must be considered when it comes to trans-border data transfer. In this regard, Protection of Personal Data Law No.6698, which was fully entered into force on 7 October 2016, has to be taken into account with respect to the Turkish Legislation. Data Protection Law embodies certain distinctive features from EU Directive 95/46/EC, on which it was based.

Trans-border data transfer pursuant to the Data Protection Law

Before moving on with the relevant provisions of the Data Provision Law, we note that although these provisions are currently in force, the Data Protection Board is not established yet—as only five Board members are appointed to this date, whereby the Board must consist of nine members, and the quorum for meetings is six members. Furthermore, the personnel of the Data Protection Authority are also not yet appointed. Therefore, the provisions of the Law are not yet being implemented. However, the violations of this law constitute misdemeanours under Turkish Law and are subject to a time bar of five years in accordance with the Article 20/2(a) of the Misdemeanours Law.

Within the framework of the Data Protection Law, trans-border data transfers that are based on the explicit consent of the data subject are deemed to be legal without any further requirements. However, in absence of data subject's explicit consent, there are different rules concerning the transfer of personal data to countries that ensure an adequate level of protection and those that do not.

Pursuant to Article 9/2 of the Data Protection Law, the Data Protection Board should publish a list of the countries that ensure an adequate level of protection by taking into consideration the following factors; international agreements, reciprocity and the legislations of the other countries. This list has not been published yet. However, there is an understanding that the EU member states will be deemed as countries that ensure an adequate level of protection as the Data Protection is based on the Directive.

Article 9/2 on the trans-border data transfer to the countries that ensure an adequate level of protection refers to the requirements set forth in  Article 5/2 Protection Law concerning the processing of data. Accordingly, trans-border data transfer is deemed to be lawful in cases where at least one of the legal grounds for the lawful processing of personal data laid down in Article 5/2 is present.

Trans-border data transfer to the countries that do not ensure an adequate level of protection requires additional elements for legitimacy of the transfer. In addition to the conditions set forth in Article 5/2 of the Data Protection law, two additional criteria must also be met. First, both the data controller in Turkey and the data controller in the relevant country shall commit to provide an adequate level of protection in writing. Second, the permission of the Board regarding the transfer shall be obtained.

Trans-border data transfer pursuant to the Directive

Most of the multinational companies are familiar with the EU-wide data protection regulations, and this constitutes an advantage for compliance with the Turkish regulations since these are mostly based on the EU acquis. Still, it should be kept in mind that there are some key differences especially with respect to the rules concerning the transfer of personal data. We first summarize the general principles in the EU and then set forth the main differences with the Turkish legislation.

The provisions concerning trans-border data transfer under the Directive differentiates between the transfer of personal data to EU countries and to non-EU countries, and it is assumed that transfer of data between EU countries is always lawful. Other than that, the Directive also defines countries ensuring an adequate level of protection and those that do not.

Per the Directive, if a third country ensures an adequate level of protection regarding the protection of personal data measures, there is no other criterion that should be fulfilled, and the transfer is deemed to be legitimate even in the absence of explicit consent.

Concerning the transfer of data to countries that do not ensure an adequate level of protection, the Directive requires the approval of the supervisory authority in the relevant EU member state for the legitimacy of the transfer. Relevant authorities allow such transfer if it is guaranteed that the adequate level of protection will be provided in the third country. In practical terms, contractual stipulations between the data-exporting controller and the foreign data recipient or binding corporate rules applicable for data transfers within a multinational group of companies are being used in this context.

Certain derogations are foreseen in Article 26 of the Directive regarding the above requirements for the transfer of personal data to countries that do not ensure an adequate protection in absence of explicit consent of the data subject. In cases where these derogations exist, the transfer of the personal data to countries that do not ensure adequate level of protection without approval of the relevant supervisory authority is legitimate.

Differences between the Data Protection Law and the Directive concerning trans-border data transfer

There are certain differences regarding trans-border data transfer pursuant to the Data Protection Law and the Directive. Although the explicit consent of the data subject always legitimizes transfer of data to any country, the application differs in the absence of explicit consent. Trans-border transfer of data to countries that ensure adequate level of protection are allowed in EU without any additional requirements while in Turkey data exporter must rely on the legal grounds stipulated in Article 5/2 of Data Protection Law concerning the lawful processing of data.

Secondly, although the trans-border transfer of data to countries that do not ensure adequate level of protection requires the approval of the supervisory authority in the EU, the approval is not required in cases where the derogations set forth under Article 26 of the Directive are present. There are no such derogations in the Data Protection Law. Trans-border data transfers are allowed only if the following requirements are cumulatively satisfied; (i) the transfer is based on a legal ground for processing (ii) both data controllers must make written commitments to provide adequate level of protection (iii) the Board must approve the transfer.

In addition, the Data Protection Law requires written commitments from both data controllers. Whereas the Directive stipulates that the adequate level of protection may be ensured via contractual stipulations between the data controllers.

How will companies in Turkey transfer their data abroad?

Despite the strict nature of the Data Protection Law concerning trans-border data transfer, the provisions which may enable flexibility for the potential data controllers are also present. The legal grounds stipulated in articles 5/2(c) concerning the processing of data as a contractual requirement and 5/2(f) concerning the processing of data as a contractual requirement in line with the legitimate interests of the data controller are of crucial significance.

Since the secondary legislation concerning the protection of personal data has not been promulgated in Turkey yet, the European Union legislation and practice may be taken into consideration for interpretation of these legal grounds. The Opinion 06/2014 of the Data Protection Working Party on the notion of legitimate interests of the data controller under Article 7 of Directive is a perfect guideline.

The Working Party tends to interpret the contractual requirements widely and assume that this could constitute a legal basis for processing only if the processing is fundamental for the formation or the performance of the contract.

Hence, when relying on Article 5/2(c) of the Data Protection Law as a legal basis for the transfer of data abroad, companies must be extra cautious and ensure that this is mandatory.

The Working Party seems to be much more liberal with respect to the legitimate interests of the data controller and suggests that this could be a valid legal basis for processing as long as the data subjects are not harmed.

Still, we should note that a meticulous case-by-case analysis is required in Turkey when determining whether Article 5/2(f) of the Data Protection Law may constitute the proper legal basis for certain data transfers. This requires the proper identification of the legitimate interests of the data controller and all the potential threats to the data subjects. The balance between these two should then be analysed with due care.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Şahin Ardiyok
Barış Yüksel
Similar Articles
Relevancy Powered by MondaqAI
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions