Recent development
Following the amendments to the Law on the Protection of Personal Data ("Law") adopted in March 2024 ("Amendments") and the Regulation on the Procedures and Principles Regarding the Cross-Border Transfer of Personal Data ("Regulation") published by the Personal Data Protection Authority ("Authority"), the Authority published the Guidelines on the Cross-Border Transfer of Personal Data ("Guidelines") to provide further information and guidance regarding cross-border data transfers within the scope of Article 9 of the Law, on its website on 2 January 2025.
You may access the Guidelines here (in Turkish). For further information on the Amendments, you can visit our legal bulletin dated 12 March 2024 here.
What's new with the Guidelines?
The Guidelines provide information on (i) the objective and grounds of the Amendments, (ii) which transfers are considered as cross-border data transfers under Article 9 of the Law, (iii) how the mechanisms stipulated for the cross-border transfer of personal data, in particular standard contractual clauses, shall be implemented, and (iv) the occasional cases where the cross-border data transfer is permitted as per the Law. In addition to explanations, the Guidelines also include various examples regarding the implementation and interpretation of the Amendments.
Significant explanations provided in the Guidelines are as follows:
1. Objective and Grounds of the Amendments | ||
The Guidelines reiterate that the Amendments were introduced with the objective of complying with the European Union's General Data Protection Regulation ("GDPR"), as set forth in various action plans. Accordingly, -as stated in the preamble to the Amendments- prior to the Amendments, cross-border transfers were possible by only relying on the explicit consent of the data subjects, in practice. The Guidelines indicate that this made it nearly impossible to use cloud-based software systems and applications lawfully that are commonly used by most companies and real persons in business and most of these systems' servers are located abroad. In this regard, the Guidelines highlight that the Amendments aim to pave the way for investments to be made in Türkiye. | ||
2. Scope of the Cross-border Data Transfers |
||
In line with the definition provided in the Regulation, the Guidelines set forth the criteria that must be met for a personal data transfer activity to be qualified as a crossborder transfer under Article 9 of the Law. Accordingly, for a transfer to be considered as a cross-border transfer within the scope of Article 9 of the Law, the following criteria must be met:
Various examples are provided in the Guidelines regarding the interpretation of these criteria. In this regard, noteworthy examples are as follows: |
||
Direct Collection of Personal Data According to the Guidelines, remote access from a third country (even if it only takes place through the display of personal data on a screen, e.g. in support situations, for troubleshooting or administration purposes) and/or storage in a cloud located outside of Türkiye offered by a service provider must also be considered as a crossborder data transfer, provided that foregoing criteria are met. On the other hand, criterion (ii) above is not met in cases where there is no data controller or processor (data exporter) who transfers or makes accessible the personal data to another data controller or processor located outside of Türkiye, as in the case of data controller in the third country directly collecting personal data of data subjects in Türkiye. Accordingly, the Guidelines clarifies and confirms that direct collections are not considered as cross-border transfer of personal data under Article 9 of the Law. |
Transferring Directly Collected Data to Another Party While the Guidelines indicate that cases where a data controller in a third country directly collects personal data of data subjects in Türkiye will not be considered as a cross-border data transfer within the scope of Article 9 of the Law, the transfer of personal data directly collected by the data controller and/or data processor in a third country, to another data processor located abroad in order for certain processing activities to be carried out by a data processor outside of Türkiye would constitute a personal data transfer and appropriate mechanisms under the Article 9 of the Law must be relied on. In this scenario, the Guidelines highlights that the Law shall be interpreted in a way to ensure the protection of individuals' personal data based on the principle of territoriality, and therefore, the data exporter located in the third country is subject to the Law. |
Data Transfer to the Parent Company for HR Purposes The transfer of employee data by the data controller company, which is a subsidiary in Türkiye, to the parent company located in a third country with retention purposes in a central HR database is considered as cross-border transfer under the Article 9 of the Law. The Guidelines indicates that in this scenario, the Turkish subsidiary employer would be deemed as the data controller while the parent company located outside Türkiye would be the data processor for such transfers in question. The indication in the Guidelines as to whether the parties shall be considered as data controller or data processor is particularly significant for companies who plan to rely on standard contractual clauses for transferring employee data for the purpose of storage in a central HR database, to its parent company in a third country.. |
3. Transfers Based on Appropriate Safeguards | ||
The Amendments introduce a three-tier structure for the cross-border transfer of personal data, namely (i) the existence of an adequacy decision, (ii) the provision of appropriate safeguards in the absence of an adequacy decision, and (iii) the cases in the absence of an adequacy decision and appropriate safeguards. Please see Annex1 for the table provided in the Guidelines on the current cross-border transfer framework. The Guidelines provide information under separate headings on this tiered system and the appropriate safeguards for cross-border transfers. The Guidelines also contain statistical information and it is stated that 84 applications for undertakings and 3 applications for binding corporate rules have been made since the date of entry into force of the Law, and only 10 applications for undertakings have been approved. With respect to undertaking letters, binding corporate rules and standard contractual clauses ("SCCs"), the Guidelines mostly reiterate the provisions of the Law and the Regulation. However, in addition to the provisions of the Law and the Regulation, the Guidelines provide guidance on the minimum requirements for binding corporate rules and how annexes of the SCCs shall be filled out. Accordingly, the significant points in the Guidelines on appropriate safeguards are as follows: |
||
Binding Corporate Rules |
The Guidelines explain the history and rationale for the inclusion of binding corporate rules to the Law and provide information on the minimum content requirements for binding corporate rules. The Guidelines also provide guidance on the party who shall apply for binding corporate rules, depending on whether the associated group is mainly resident in Türkiye. In this regard;
The Guidelines also provide information on the supporting documents to be submitted within the application. Accordingly, documents that are not part of the application form must be submitted only for additional explanation purposes and the title of such annexes shall be "[(Annex-3-1), (Annex-3-1-A)]". In addition, pursuant to the Guidelines, information on the contact person/unit to whom the Authority may reach out for the questions about the application shall be provided in the binding corporate rules. For practical reasons, the Guidelines recommends that this person/unit to be located in Türkiye. |
|
Standard Contractual Clauses |
The information on SCCs available in the Guidelines, mostly reflect the provisions of the Law and the Regulation. However, the Guidelines also include additional guidance further to the provisions, as follows:
|
|
4. Occasional Transfers |
For a transfer to be considered "occasional", the Guidelines emphasize that, irrespective of whether it is made one or more times, the focus shall be on whether the transfer is made in the ordinary course of business. Accordingly, transfers made in the ordinary course of business are not considered occasional transfers. For instance, a tourism company's cross-border transfer of its customers' reservation information would not be considered an occasional transfer, as this transfer takes place within the relevant company's ordinary course of business. The Guidelines state that in occasional transfers, cross-border transfers can be carried out without relying on a specific legal ground stipulated under Articles 5 and 6 of the Law. In the Guidelines, each of the 7 basis stipulated under the Law for occasional transfers are explained with examples. Accordingly, the significant cases of occasional transfers and related examples are as follows: |
|
Data subject giving explicit consent to the transfer, provided that they have been informed about the potential risks | When the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject | When the transfer is necessary for the establishment, exercise or protection of a right |
Parallel to the Regulation, the Guidelines states that explicit consent may only be relied upon on condition that the data subject is informed about the potential risks. Accordingly, such information must include the following issues, amongst other minimum information:
In this regard, as an example, before obtaining explicit consent, data subjects must be informed that there may not be a supervisory authority in the country of transfer, and/or that general principles for data processing and/or data subject rights may not be ensured in the country of transfer. |
The Guidelines indicate that in order to rely on the relevant basis, the conditions of "necessity" and "being occasional" must be met. For instance, transfers to be made by a group company on the grounds that it carries out payroll and human resources activities abroad within the framework of its business organization would not meet the requirement of necessity, since such transfers do not have a direct and objective connection with the performance of the employment contract. In terms of the requirement of being occasional, for instance, if a company resident in Türkiye transfers personal data to another company abroad to fulfill a customer's payment request, it is considered an occasional transfer provided that the transfers between the two companies do not occur on a regular basis but only once or a few times, and are not in the ordinary course of business or continuous. |
Pursuant to the Guidelines, in certain cases, such as the exercise of the right of proof and defense, crossborder transfer of personal data can be conducted based on the legal basis that the transfer of personal data is necessary for the establishment, exercise or protection of a right. For instance, the submission of documents containing personal data to judicial authorities to exercise the right of defense within the scope of an investigation carried out abroad would be considered an occasional transfer in this context. |
Conclusion
The Guidelines address the problems experienced by data controllers and/or data processors in practice regarding the cross-border transfer of personal data, and illustrate the regulations with practical examples. In this regard, while the decisions of the Authority will be influential in the future regarding how the transfer processes will progress after the Amendments, it is significant for data controllers and data processors to consider the explanations and information provided in the Guidelines in addition to the Law and the Regulation in terms of cross-border transfer activities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.