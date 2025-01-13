1. Objective and Grounds of the Amendments

The Guidelines reiterate that the Amendments were introduced with the objective of complying with the European Union's General Data Protection Regulation ("GDPR"), as set forth in various action plans. Accordingly, -as stated in the preamble to the Amendments- prior to the Amendments, cross-border transfers were possible by only relying on the explicit consent of the data subjects, in practice. The Guidelines indicate that this made it nearly impossible to use cloud-based software systems and applications lawfully that are commonly used by most companies and real persons in business and most of these systems' servers are located abroad. In this regard, the Guidelines highlight that the Amendments aim to pave the way for investments to be made in Türkiye.

2. Scope of the Cross-border Data Transfers

In line with the definition provided in the Regulation, the Guidelines set forth the criteria that must be met for a personal data transfer activity to be qualified as a crossborder transfer under Article 9 of the Law. Accordingly, for a transfer to be considered as a cross-border transfer within the scope of Article 9 of the Law, the following criteria must be met: The controller or processor must be subject to the Law for the personal data processing activity in question; The personal data processed by the data exporter must be transferred or made accessible through another way; and The data controller or processor to which the data is transferred must be located in a third country. Various examples are provided in the Guidelines regarding the interpretation of these criteria. In this regard, noteworthy examples are as follows:

Direct Collection of Personal Data According to the Guidelines, remote access from a third country (even if it only takes place through the display of personal data on a screen, e.g. in support situations, for troubleshooting or administration purposes) and/or storage in a cloud located outside of Türkiye offered by a service provider must also be considered as a crossborder data transfer, provided that foregoing criteria are met. On the other hand, criterion (ii) above is not met in cases where there is no data controller or processor (data exporter) who transfers or makes accessible the personal data to another data controller or processor located outside of Türkiye, as in the case of data controller in the third country directly collecting personal data of data subjects in Türkiye. Accordingly, the Guidelines clarifies and confirms that direct collections are not considered as cross-border transfer of personal data under Article 9 of the Law. Transferring Directly Collected Data to Another Party While the Guidelines indicate that cases where a data controller in a third country directly collects personal data of data subjects in Türkiye will not be considered as a cross-border data transfer within the scope of Article 9 of the Law, the transfer of personal data directly collected by the data controller and/or data processor in a third country, to another data processor located abroad in order for certain processing activities to be carried out by a data processor outside of Türkiye would constitute a personal data transfer and appropriate mechanisms under the Article 9 of the Law must be relied on. In this scenario, the Guidelines highlights that the Law shall be interpreted in a way to ensure the protection of individuals' personal data based on the principle of territoriality, and therefore, the data exporter located in the third country is subject to the Law. Data Transfer to the Parent Company for HR Purposes The transfer of employee data by the data controller company, which is a subsidiary in Türkiye, to the parent company located in a third country with retention purposes in a central HR database is considered as cross-border transfer under the Article 9 of the Law. The Guidelines indicates that in this scenario, the Turkish subsidiary employer would be deemed as the data controller while the parent company located outside Türkiye would be the data processor for such transfers in question. The indication in the Guidelines as to whether the parties shall be considered as data controller or data processor is particularly significant for companies who plan to rely on standard contractual clauses for transferring employee data for the purpose of storage in a central HR database, to its parent company in a third country..

3. Transfers Based on Appropriate Safeguards

The Amendments introduce a three-tier structure for the cross-border transfer of personal data, namely (i) the existence of an adequacy decision, (ii) the provision of appropriate safeguards in the absence of an adequacy decision, and (iii) the cases in the absence of an adequacy decision and appropriate safeguards. Please see Annex1 for the table provided in the Guidelines on the current cross-border transfer framework. The Guidelines provide information under separate headings on this tiered system and the appropriate safeguards for cross-border transfers. The Guidelines also contain statistical information and it is stated that 84 applications for undertakings and 3 applications for binding corporate rules have been made since the date of entry into force of the Law, and only 10 applications for undertakings have been approved. With respect to undertaking letters, binding corporate rules and standard contractual clauses ("SCCs"), the Guidelines mostly reiterate the provisions of the Law and the Regulation. However, in addition to the provisions of the Law and the Regulation, the Guidelines provide guidance on the minimum requirements for binding corporate rules and how annexes of the SCCs shall be filled out. Accordingly, the significant points in the Guidelines on appropriate safeguards are as follows:

Binding Corporate Rules The Guidelines explain the history and rationale for the inclusion of binding corporate rules to the Law and provide information on the minimum content requirements for binding corporate rules. The Guidelines also provide guidance on the party who shall apply for binding corporate rules, depending on whether the associated group is mainly resident in Türkiye. In this regard; If the group's headquarters is residing in Türkiye, the application forms must be completed and submitted to the Authority by this company or under certain conditions, another company located in Türkiye to which responsibilities for the protection of personal data are delegated.

If the group's headquarters is not located in Türkiye, the group must appoint the group company resident in Türkiye as the authorized group member to whom the responsibilities regarding the protection of personal data are delegated, and the appointed company must submit the application to the Authority. The Guidelines also provide information on the supporting documents to be submitted within the application. Accordingly, documents that are not part of the application form must be submitted only for additional explanation purposes and the title of such annexes shall be "[(Annex-3-1), (Annex-3-1-A)]". In addition, pursuant to the Guidelines, information on the contact person/unit to whom the Authority may reach out for the questions about the application shall be provided in the binding corporate rules. For practical reasons, the Guidelines recommends that this person/unit to be located in Türkiye.

Standard Contractual Clauses The information on SCCs available in the Guidelines, mostly reflect the provisions of the Law and the Regulation. However, the Guidelines also include additional guidance further to the provisions, as follows: Explanations on filling out the annexes of the SCCs : The Guidelines provide useful information on how to fill out the sections in the annexes of the SCCs. For instance:

: The Guidelines provide useful information on how to fill out the sections in the annexes of the SCCs. For instance: Preparing SCCs in dual column : The Guidelines confirm that, provided that the Turkish version would prevail, SCCs may be issued in both Turkish and foreign languages, in a dual column format. Group or Groups of Data Subjects: The group or groups of data subjects to whom the transferred personal data relates must be specified on a personal data basis. In this regard, it is also expected to provide information on which data categories are transferred with respect to each data subject group Categories of Personal Data Transferred and Categories of Sensitive Personal Data Transferred (if applicable): Personal data subject to the transfer must be specified according to their categories and types. Accordingly, for instance, if contact data is transferred, relevant type of data transferred under the category of contact data - such as telephone number, e-mail address – shall also be specified. Official documents issued by foreign authorities : With regards to official documents issued by foreign authorities submitted together with SCCs, the Guidelines state that, in the absence of a separate regulation or international agreement, official documents issued in a country that is a party to the Convention Abolishing the Requirement of Legalisation for Foreign Public Documents shall be apostilled before being submitted to the Authority. As exemplified above, while the Guidelines provide useful guidance in terms of transfers relied on SCCs, it does not address all problems and uncertainties experienced in practice, such as whether SCCs can be signed via e-signatures by the companies located outside of Türkiye. Nevertheless, SCCs would continue to be preferred by data exporters in practice, as an appropriate safeguard for cross-border data transfers, considering that it does not require the Authority's approval and/or authorization. However, the uncertainties experienced among sector actors are expected to be addressed by the Authority in future decisions.

: The Guidelines confirm that, provided that the Turkish version would prevail, SCCs may be issued in both Turkish and foreign languages, in a dual column format.

4. Occasional Transfers For a transfer to be considered "occasional", the Guidelines emphasize that, irrespective of whether it is made one or more times, the focus shall be on whether the transfer is made in the ordinary course of business. Accordingly, transfers made in the ordinary course of business are not considered occasional transfers. For instance, a tourism company's cross-border transfer of its customers' reservation information would not be considered an occasional transfer, as this transfer takes place within the relevant company's ordinary course of business. The Guidelines state that in occasional transfers, cross-border transfers can be carried out without relying on a specific legal ground stipulated under Articles 5 and 6 of the Law. In the Guidelines, each of the 7 basis stipulated under the Law for occasional transfers are explained with examples. Accordingly, the significant cases of occasional transfers and related examples are as follows:

Data subject giving explicit consent to the transfer, provided that they have been informed about the potential risks When the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject When the transfer is necessary for the establishment, exercise or protection of a right