Turkey: Data Transfer Within The Scope Of The Legal Obligation Of The Data Controller

The concept of personal data is frequently encountered by many of us in daily life, and as the field of application expands, it is also important whether personal data is processed and transferred in accordance with the law by persons who have the title of data controller. It is necessary to briefly mention personal data; In subparagraph (d) of paragraph 1 of Article 3 of the Law No. 6698 on the Law on the Protection of Personal Data ("LPPD"), personal data is defined as "Any information relating to an identified or identifiable natural person". In this context, the legislator has regulated in the LPPD that certain principles must be followed in the processing of personal data. Likewise, Article 4 of the LPPD stipulates that in the processing of personal data; personal data must comply with the law and good faith, be accurate and up-to-date, when necessary, be processed for specific, explicit and legitimate purposes, be relevant, limited and proportionate to the purpose for which they are processed, and be retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

As a matter of fact, in the following articles of the LPPD, the conditions for processing personal data are regulated and the concept of explicit consent, which is important within the scope of the protection of personal data, is mentioned. Explicit consent means the consent of the natural person whose personal data is processed, which is based on the information on which the personal data will be processed and which is expressed with free will. In this context, the processing of personal data can only be carried out with the explicit consent of the data subject. Likewise, the transfer of personal data is also based on obtaining the explicit consent of the data subject.

However, paragraph 2 of Article 5 of the LPPD regulates the exceptional cases where personal data may be processed and transferred without the consent of the data subject. These are; (i) It is clearly stipulated in the laws (ii) It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid (iii) Provided that it is directly related to the establishment or performance of a contract, (iv) It is mandatory for the data controller to fulfill its legal obligation (v) It has been made public by the data subject (vi) Data processing is mandatory for the establishment, exercise or protection of a right (vii) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

In this article, the exceptional case regulated regarding the transfer of personal data based on the mandatory of the data controller to fulfill a legal obligation without obtaining the explicit consent of the data subject shall be examined. Namely; as mentioned before, personal data can only be processed and transferred to a third party if the data subject has explicit consent. However, as defined in the LPPD, the data controller, who is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system, may transfer personal data to third parties without obtaining the explicit consent of the data subject in certain circumstances.

To give an example to this; the courts request real and private legal entities to submit information and documents belonging to many real persons such as their personnel, personnel candidates, customers, visitors to the court in order to conduct the trial of a pending lawsuit. The submission of the information and documents requested by the court can be considered as a legal obligation of the data controller. What is meant by legal obligation can be stated as a situation that obliges the parties to comply with the relevant request and regulation within the framework of the provisions of the legislation. In this case, the data controller is not required to obtain explicit consent from the data subject in any way in the submission of the information and document requested through the writ to the court. However, if any information and document containing any personal data other than the information and document requested by the court is submitted to the court, this will lead to the unlawful transfer of personal data. Likewise, in such a case, the risk of administrative fines will arise due to the data controller's failure to fulfill the obligation regarding data security.

There are different opinions in the doctrine as to whether the legal obligation of the data controller is limited to the legislation of the country to which it is subject. In this context, there are opinions in the doctrine that the transfer of personal data can be made without obtaining explicit consent in accordance with the obligations arising under the legislation in the country where the private law legal entity carries out its activities and even registered in the data controller's registry.

In this respect, we are of the opinion that in cases where the transfer of personal data of the data subject is requested within the framework of the applicable legislation of a foreign country, this request may be considered as the transfer of personal data abroad rather than the fulfillment of the legal obligation of the data controller under the LPPD. Moreover, in the transfer of personal data abroad regulated in Article 9 of the LPPD, reference is made to the exceptional circumstances regulated in paragraph 2 of Article 5 of the LPPD. Thus, in the transfer of information and documents containing personal data requested by the relevant authorities of the foreign country, the provision of Article 9 of the LPPD, which regulates the principles regarding the transfer of personal data abroad, will be applicable.

In this context, the legislator has made a binary distinction within the scope of whether the country to which the personal data will be transferred has adequate protection in data transfer abroad without seeking the explicit consent of the data subject. In order to be able to transfer data to countries where there is no adequate protection, it is required that the data controllers in Turkey and the relevant foreign country undertake an adequate protection in writing and the Personal Data Protection Board's permission is sought. However, we would like to point out that the countries with adequate protection have not yet been announced by the Personal Data Protection Board. Therefore, there is currently no specific legal basis in practice regarding the transfer of personal data abroad.

As a result, if the transfer of personal data belonging to the data subject pursuant to the legal legislation is evaluated within the framework of the legal obligation of the data controller, personal data can be transferred without obtaining explicit consent from the data subject. The limit to this is, of course, that personal data must comply with the law and good faith, be accurate and up-to-date when necessary, be processed for specific, explicit and legitimate purposes, and be relevant, limited and proportionate to the purpose for which they are processed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.