Turkey: Another Significant Decision On International Data Transfer From The Turkish Data Protection Board

On 4 March 2021, the Turkish Personal Data Protection Board (the “Board”) announced, for the second time, that it allowed the applications of a written undertaking prepared for the transfer of personal data abroad. The Board allows the transfer of data abroad by approving the applications of the Undertaking made by Amazon Turkey Perakende Hizmetleri Ltd. Şti. and Amazon Turkey Yönetim Destek Hizmetleri Ltd. Şti. The Board's announcement is available  here (in Turkish). Last month, the Board announced for the first time that it approved the application for a letter of undertaking to transfer data abroad. Please find our review of the relevant announcement  here.

In May 2020, the Board had also evaluated the procedures of data transfer abroad within the scope of its Decision No. 2020/173, dated 27.02.2020, regarding personal data processed by Amazon Turkey Perakende Hizmetleri Limited. Under this evaluation, the Board decided that Amazon did not obtain the valid explicit consents of the data subjects for the personal data transferred abroad within the scope of the activities carried out on Amazon's website. In this respect, the Board imposed an administrative fine of TRL 1,200,000 together with other violations it detected.

The Board also highlighted that the data controller may transfer the personal data abroad if:

• the data subject has provided its explicit consent;
• the third country provides adequate protection for personal data; however, the Board has not provided the list of countries which provide adequate protection as yet; or
• both the importing and exporting data controllers give written undertaking to adequately protect data and obtain an approval from the Board.

At the time of the decision, Amazon also submitted its application for the letter of undertaking, however the Board did not allow the application back then. Consequently, the Board emphasized that the only way to transfer data abroad was to obtain explicit consent and determined that Amazon had not received the explicit consent of the data subjects at any stage regarding its services offered through neither the website nor the connected mobile applications. This contradiction took its place among the violations within the scope of the decision.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.