ARTICLE
13 January 2025

Guidelines On The Cross-Border Transfer Of Personal Data Published

Esin Attorney Partnership

Contributor

Esin Attorney Partnership, a member firm of Baker & McKenzie International, has long been a leading provider of legal services in the Turkish market. We have a total of nearly 140 staff, including over 90 lawyers, serving some of the largest Turkish and multinational corporations. Our clients benefit from on-the-ground assistance that reflects a deep understanding of the country's legal, regulatory and commercial practices, while also having access to the full-service, international and foreign law advice of the world's leading global law firm. We help our clients capture and optimize opportunities in Turkey's dynamic market, including the key growth areas of mergers and acquisitions, infrastructure development, private equity and real estate. In addition, we are one of the few firms that can offer services in areas such as compliance, tax, employment, and competition law — vital for companies doing business in Turkey.

Recent development

Following the amendments to the Law on the Protection of Personal Data ("Law") adopted in March 2024 ("Amendments") and the Regulation on the Procedures and Principles Regarding the Cross-Border Transfer of Personal Data ("Regulation") published by the Personal Data Protection Authority ("Authority"), the Authority published the Guidelines on the Cross-Border Transfer of Personal Data ("Guidelines") on its website on 2 January 2025. The Guidelines provide further information and guidance regarding cross-border data transfers within the scope of Article 9 of the Law.

You may access the Guidelines here (in Turkish). For further information on the Amendments, you can visit our legal bulletin dated 12 March 2024 here.

What's new with the Guidelines?

The Guidelines provide information on (i) the objective and grounds of the Amendments, (ii) which transfers are considered as cross-border data transfers under Article 9 of the Law, (iii) how the mechanisms stipulated for the cross-border transfer of personal data, in particular standard contractual clauses, shall be implemented, and (iv) the occasional cases where the cross-border data transfer is permitted as per the Law. In addition to explanations, the Guidelines also include various examples regarding the implementation and interpretation of the Amendments.

Significant explanations provided in the Guidelines are as follows:

1. Objective and Grounds of the Amendments

The Guidelines reiterate that the Amendments were introduced with the objective of complying with the European Union's General Data Protection Regulation ("GDPR"), as set forth in various action plans. As stated in the preamble to the Amendments, prior to the Amendments cross-border transfers were, in practice, possible only by relying on the explicit consent of the data subjects. The Guidelines indicate that this made it nearly impossible to lawfully use the cloud-based software systems and applications that are commonly used by most companies and real persons in business, since most of these systems' servers are located abroad. In this regard, the Guidelines highlight that the Amendments aim to pave the way for investments to be made in Türkiye.

2. Scope of the Cross-border Data Transfers

In line with the definition provided in the Regulation, the Guidelines set forth the criteria that must be met for a personal data transfer activity to qualify as a cross-border transfer under Article 9 of the Law. Accordingly, for a transfer to be considered a cross-border transfer within the scope of Article 9 of the Law, the following criteria must be met:

  1. The controller or processor must be subject to the Law for the personal data processing activity in question;
  2. The personal data processed by the data exporter must be transferred or otherwise made accessible; and
  3. The data controller or processor to which the data is transferred must be located in a third country.

Various examples are provided in the Guidelines regarding the interpretation of these criteria. In this regard, noteworthy examples are as follows:

Direct Collection of Personal Data

According to the Guidelines, remote access from a third country (even if it only takes place through the display of personal data on a screen, e.g. in support situations, for troubleshooting or administration purposes) and/or storage in a cloud located outside of Türkiye offered by a service provider must also be considered a cross-border data transfer, provided that the foregoing criteria are met. On the other hand, criterion (ii) above is not met in cases where there is no data controller or processor (data exporter) who transfers or makes accessible the personal data to another data controller or processor located outside of Türkiye, as in the case of a data controller in a third country directly collecting personal data of data subjects in Türkiye. Accordingly, the Guidelines clarify and confirm that direct collections are not considered cross-border transfers of personal data under Article 9 of the Law.

Transferring Directly Collected Data to Another Party

While the Guidelines indicate that cases where a data controller in a third country directly collects personal data of data subjects in Türkiye will not be considered a cross-border data transfer within the scope of Article 9 of the Law, the transfer of such directly collected personal data by the data controller and/or data processor in a third country to another data processor located abroad, in order for certain processing activities to be carried out by a data processor outside of Türkiye, would constitute a personal data transfer, and the appropriate mechanisms under Article 9 of the Law must be relied on. In this scenario, the Guidelines highlight that the Law shall be interpreted in a way that ensures the protection of individuals' personal data based on the principle of territoriality, and therefore the data exporter located in the third country is subject to the Law.

Data Transfer to the Parent Company for HR Purposes

The transfer of employee data by the data controller company, which is a subsidiary in Türkiye, to the parent company located in a third country for retention purposes in a central HR database is considered a cross-border transfer under Article 9 of the Law. The Guidelines indicate that in this scenario, the Turkish subsidiary employer would be deemed the data controller, while the parent company located outside Türkiye would be the data processor for the transfers in question. The indication in the Guidelines as to whether the parties shall be considered data controller or data processor is particularly significant for companies that plan to rely on standard contractual clauses for transferring employee data to their parent company in a third country for the purpose of storage in a central HR database.

3. Transfers Based on Appropriate Safeguards

The Amendments introduce a three-tier structure for the cross-border transfer of personal data, namely (i) the existence of an adequacy decision, (ii) the provision of appropriate safeguards in the absence of an adequacy decision, and (iii) the cases in the absence of an adequacy decision and appropriate safeguards. Please see Annex 1 for the table provided in the Guidelines on the current cross-border transfer framework. The Guidelines provide information under separate headings on this tiered system and the appropriate safeguards for cross-border transfers. The Guidelines also contain statistical information, stating that 84 applications for undertakings and 3 applications for binding corporate rules have been made since the date of entry into force of the Law, and only 10 applications for undertakings have been approved.

With respect to undertaking letters, binding corporate rules and standard contractual clauses ("SCCs"), the Guidelines mostly reiterate the provisions of the Law and the Regulation. However, in addition to the provisions of the Law and the Regulation, the Guidelines provide guidance on the minimum requirements for binding corporate rules and how annexes of the SCCs shall be filled out. Accordingly, the significant points in the Guidelines on appropriate safeguards are as follows:

Binding Corporate Rules

The Guidelines explain the history and rationale for the inclusion of binding corporate rules in the Law and provide information on the minimum content requirements for binding corporate rules. The Guidelines also provide guidance on which party shall apply for binding corporate rules, depending on whether the associated group is mainly resident in Türkiye. In this regard:

  • If the group's headquarters is located in Türkiye, the application forms must be completed and submitted to the Authority by this company or, under certain conditions, by another company located in Türkiye to which responsibilities for the protection of personal data are delegated.
  • If the group's headquarters is not located in Türkiye, the group must appoint the group company resident in Türkiye as the authorized group member to whom the responsibilities regarding the protection of personal data are delegated, and the appointed company must submit the application to the Authority.

The Guidelines also provide information on the supporting documents to be submitted with the application. Accordingly, documents that are not part of the application form must be submitted only for additional explanation purposes and the title of such annexes shall be "[(Annex-3-1), (Annex-3-1-A)]". In addition, pursuant to the Guidelines, information on the contact person/unit whom the Authority may reach out to with questions about the application shall be provided in the binding corporate rules. For practical reasons, the Guidelines recommend that this person/unit be located in Türkiye.

Standard Contractual Clauses

The information on SCCs available in the Guidelines mostly reflects the provisions of the Law and the Regulation. However, the Guidelines also include additional guidance beyond these provisions, as follows:

  • Explanations on filling out the annexes of the SCCs: The Guidelines provide useful information on how to fill out the sections in the annexes of the SCCs. For instance:
    • Group or Groups of Data Subjects: The group or groups of data subjects to whom the transferred personal data relates must be specified on a personal data basis. In this regard, it is also expected to provide information on which data categories are transferred with respect to each data subject group.
    • Categories of Personal Data Transferred and Categories of Sensitive Personal Data Transferred (if applicable): Personal data subject to the transfer must be specified according to their categories and types. Accordingly, for instance, if contact data is transferred, the relevant type of data transferred under the category of contact data (such as telephone number, e-mail address) shall also be specified.
  • Preparing SCCs in dual column: The Guidelines confirm that, provided that the Turkish version would prevail, SCCs may be issued in both Turkish and foreign languages, in a dual column format.
  • Official documents issued by foreign authorities: With regard to official documents issued by foreign authorities submitted together with SCCs, the Guidelines state that, in the absence of a separate regulation or international agreement, official documents issued in a country that is a party to the Convention Abolishing the Requirement of Legalisation for Foreign Public Documents shall be apostilled before being submitted to the Authority.

As exemplified above, while the Guidelines provide useful guidance in terms of transfers relying on SCCs, they do not address all problems and uncertainties experienced in practice, such as whether SCCs can be signed via e-signatures by the companies located outside of Türkiye.

Nevertheless, SCCs would continue to be preferred by data exporters in practice as an appropriate safeguard for cross-border data transfers, considering that they do not require the Authority's approval and/or authorization. However, the uncertainties experienced among sector actors are expected to be addressed by the Authority in future decisions.

4. Occasional Transfers

For a transfer to be considered "occasional", the Guidelines emphasize that, irrespective of whether it is made one or more times, the focus shall be on whether the transfer is made in the ordinary course of business. Accordingly, transfers made in the ordinary course of business are not considered occasional transfers. For instance, a tourism company's cross-border transfer of its customers' reservation information would not be considered an occasional transfer, as this transfer takes place within the relevant company's ordinary course of business.

The Guidelines state that in occasional transfers, cross-border transfers can be carried out without relying on a specific legal ground stipulated under Articles 5 and 6 of the Law. In the Guidelines, each of the 7 bases stipulated under the Law for occasional transfers is explained with examples. Accordingly, the significant cases of occasional transfers and related examples are as follows:

Data subject giving explicit consent to the transfer, provided that they have been informed about the potential risks

Parallel to the Regulation, the Guidelines state that explicit consent may only be relied upon on condition that the data subject is informed about the potential risks. Accordingly, such information must include the following issues, amongst other minimum information:

  1. explicit consent is the legal ground for the transfer;
  2. there is no adequacy decision published by the Authority regarding the country to which the data will be transferred; and
  3. potential risks that may occur due to the transfer.

In this regard, as an example, before obtaining explicit consent, data subjects must be informed that there may not be a supervisory authority in the country of transfer, and/or that general principles for data processing and/or data subject rights may not be ensured in the country of transfer.

When the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject

The Guidelines indicate that in order to rely on the relevant basis, the conditions of "necessity" and "being occasional" must be met.

For instance, transfers to be made by a group company on the grounds that it carries out payroll and human resources activities abroad within the framework of its business organization would not meet the requirement of necessity, since such transfers do not have a direct and objective connection with the performance of the employment contract.

In terms of the requirement of being occasional, for instance, if a company resident in Türkiye transfers personal data to another company abroad to fulfill a customer's payment request, it is considered an occasional transfer provided that the transfers between the two companies do not occur on a regular basis but only once or a few times, and are not in the ordinary course of business or continuous.

When the transfer is necessary for the establishment, exercise or protection of a right

Pursuant to the Guidelines, in certain cases, such as the exercise of the right of proof and defense, cross-border transfer of personal data can be conducted based on the legal basis that the transfer of personal data is necessary for the establishment, exercise or protection of a right.

For instance, the submission of documents containing personal data to judicial authorities to exercise the right of defense within the scope of an investigation carried out abroad would be considered an occasional transfer in this context.

Conclusion

The Guidelines address the problems experienced by data controllers and/or data processors in practice regarding the cross-border transfer of personal data, and illustrate the regulations with practical examples. In this regard, while the decisions of the Authority will be influential in the future regarding how the transfer processes will progress after the Amendments, it is significant for data controllers and data processors to consider the explanations and information provided in the Guidelines in addition to the Law and the Regulation in terms of cross-border transfer activities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
