Introduction
Article 9 of the Law No. 6698 on the Protection of Personal Data ("Law") on cross-border data transfer was amended with the publication of the Official Gazette dated 12 March 2024. These amendments entered into force on 1 September 2024, raising new questions for the Turkish data protection community. On 2 January 2025, the Turkish Personal Data Protection Authority ("Authority") shared the Guideline on Cross Border Transfer of Personal Data ("Guideline") with the public to eliminate these question marks and create standardization in practice.
The Guideline consists of seven chapters in total, with the first three chapters consisting of introduction, definitions and abbreviations respectively. First, cross-border transfer of personal data is covered in general and then three levels of transfer methods are included. The methods are as follows: (i) Adequacy decision, (ii) appropriate safeguards and (iii) exceptional transfers.
Cross-Border Data Transfer in General
The Guideline sets forth criteria for the activity of "cross-border data transfer", which is not explicitly defined in the Law, to create uniformity in practice. Pursuant to this, it is stated that for the relevant processing activity to be considered as "cross-border data transfer", it is necessary to check whether the following three criteria are met:
i. The requirement that the data controller or data processor is subject to the Law
The Authority reminded that the Convention on the Protection of Individuals regarding Automatic Processing of Personal Data obliges each state party to protect the data of data subjects in its own country. Nevertheless, the Authority pointed out that cross-border data transfer has increased with the development of new technologies. The most comprehensive interpretation should be sought in terms of the application of the Law. Thus, it is underlined that it would be appropriate to interpret the Law with the "principle of effect" instead of the "principle of territoriality".1
ii. The personal data processed by the data exporter must be transmitted or otherwise made accessible
As the second criterion for cross-border data transfer, the Authority has stated that the data exporter must transmit or make accessible the personal data concerned. For this criterion, it has given the following examples of situations where a cross-border transfer has occurred: (i) creating an account, (ii) granting access to an existing account, (iii) approving a request for remote access, (iv) inserting the hard drive and (v) sending a password to the file. In addition, the Authority emphasized that direct collection does not constitute a cross-border transfer. In other words, it is stated that the direct transmission of personal data by the data subject does not constitute cross-border data transfer.
The Authority included a total of seven examples and clarified whether they met this criterion:
- If a data subject living in Türkiye makes a purchase by entering his/her data on the website of a company that is not resident in Türkiye but is targeting Türkiye, it will not constitute a cross-border data transfer.
- A data subject living in Türkiye makes a purchase by entering his/her data on a website that is not resident in Türkiye but targets the Turkish market. The website has a data processor residing in a third country. Thus, since the website transfers data to the data processor, it will constitute a cross-border data transfer.
- If a data subject living in Türkiye makes a reservation with an online travel agency in Türkiye to a hotel abroad, a cross-border data transfer will take place. This is because the travel agency will transfer the data to the hotel.
- If the data controller company resident in Türkiye transfers the personal data of its employees and customers to a company in a third country acting as a data processor on behalf of the company, this will constitute a cross-border data transfer.
- If a data controller company that is not resident in Türkiye transmits employee data to a data processor in Türkiye for processing, there will be no cross-border data transfer. On the other hand, if the data is transferred back to this company due to the data controller being in a third country, it will constitute a cross-border transfer.
- If the data controller company resident in Türkiye appoints a Turkish company as a processor on its behalf and the Turkish processor has a sub-processor in a third country, the data transfer between the data controller and the data processor resident in Türkiye will not constitute a cross-border transfer. Transfers to the sub-processor in the third country will constitute a cross-border transfer.
- The subsidiary transmits employee data to the parent company in the third country for storage in a centralized human resources database. When processing this data, the parent company is the data processor, and the subsidiary is the data controller. This transfer will also constitute a cross-border data transfer.
iii. The data controller or processor to whom the data is transferred must be located abroad, regardless of whether they are subject to the Law
In parallel with Article 9 and the provisions of the Regulation,2 the Authority underlined that the data importer party must be in a third country for the transfer to be considered as a cross-border transfer within the scope of Article 9 of the Law.
As regards the issue, which may be considered to lead to a difference of interpretation in practice due to the discrepancy in the pre-amendment approach, the Authority has also correctly stated that the provisions of Article 9 should be applied if the transferred party is located abroad.
Transfers Based on Adequacy Decision
An adequacy decision is a decision of the Turkish Personal Data Protection Board ("Board") confirming that the data protection level of the country, sector or international organization to which the transfer will be made is the same as the level in Türkiye.
The Guideline states that the following criteria will be taken into consideration in making the adequacy decision:
- Reciprocity between the country to which personal data will be transferred and Türkiye regarding data transfer,
- The relevant country's legislation on the processing of personal data and its implementation,
- Whether the relevant country has an independent data protection authority,
- Being a party to international agreements on the protection of personal data and being a member of international organizations,
- Membership status of global and regional organizations of which Türkiye is a member,
- The volume of trade conducted with the relevant countries, and
- Other considerations.
On the other hand, the Board re-emphasized that "international conventions to which Turkey is a party" will be prioritized in the assessment of whether to authorize the transfer with an adequacy decision. Finally, it was reminded that with the recent amendment to the Law, the adequacy decision will be re-evaluated every four years at the latest.
Transfers Based on Appropriate Safeguards
i. Agreement that is not an international convention
One of the cases where personal data may be transferred abroad based on appropriate safeguards is where the prerequisites set out in the fourth paragraph of Article 9 of the Law are fulfilled, an agreement that does not constitute an international agreement exists between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations in the nature of public institutions in Türkiye, and the Board authorizes the transfer. The existence of this agreement and authorization by the Board may provide appropriate safeguards. The Guideline sets out that the agreement commits to put in place adequate data protection safeguards for data transfers. It is reminded that the provisions should include individual rights, remedies and effective supervision.
The Authority mentioned cooperation protocols, memoranda of understanding and administrative agreements as examples of agreements. The agreement between the Pharmaceuticals and Medical Devices Agency of Türkiye and the European Commission was given as an example of such an agreement.3
ii. Binding corporate rules
Binding corporate rules ("BCR") are described as the rules that must be complied with by the group members in terms of personal data transfer activities carried out by a data controller or data processor resident in Türkiye, within a group of undertakings engaged in a common economic activity, to a data controller or data processor resident abroad within the same group.
Since the publication of the BCRs,4 a total of three applications were submitted until 1 June 2024, all of which were declined.
Minimum requirements for the BCRs
Organizational structure and contact details of the group: The organizational structure and contact information of each member of the group of undertakings engaged in joint economic activity should be clearly included.
Explanations regarding the flow of personal data: Detailed information such as personal data categories, processing activities and purposes, the relevant group or groups of people and the country or countries to which the transfer will be made must be clear.
The binding nature: The commitment that the rules will be binding on the group of undertakings engaged in joint economic activity, both in its internal relations and in other legal relations, must be declared.
Data protection measures: It is expected to include information such as compliance with general principles, processing conditions, technical and administrative measures to ensure data security, adequate measures to be taken in the processing of sensitive personal data and subsequent transfers.
Data subject rights: Commitments regarding the rights of data subjects and the exercise of the right to file a complaint with the Board and the exercise of these rights must be secured and clear.
Assumption of responsibility: It is expected to provide information that in the event of a breach, a data controller or data processor based in Türkiye will assume responsibility for the breach.
Easy access of the data subjects to the BCR: A procedure on how data subjects will be informed within the scope of the disclosure obligation.
Existence of an appropriate training program: It is expected that explanations will be made regarding the training to be provided to employees on the protection of personal data.
Appropriate staff structure and compliance oversight mechanisms are in place to oversee compliance, and the rights of individuals are protected: The corporate structure must be secured on the duties of the employees or units responsible for the BCRs.
Mechanisms for recording and reporting changes: It is expected to provide information on the mechanisms for reporting and recording changes to the BCRs and notifying the Board. Records must be kept up to date.
Obligation to cooperate with the Authority: An appropriate mechanism must be established to inform the Authority to ensure compliance with the BCRs.
National regulations and practices affecting compliance with the BCRs: Information and assessment that there are no regulations in the countries to which the transfer will be made that are contrary to the safeguards provided by the BCRs.
Applying to the Board for BCR
The Authority has stated that it is possible to include additional pages or annexes in addition to the BCRs. On the other hand, in cases where the text of the BCR is also prepared in a foreign language, it is stated that the Turkish text will be taken as a basis. It is further stated that separate BCRs are expected to be created for the data controller and the data processor, and approval is expected to be obtained. It is underlined that the documents to be attached to the application can only be submitted for further clarification.
Approval of the BCR application by the Board
The Board emphasized that the approval granted by the Board to the application for a BCR does not mean that an assessment has been made as to whether each data processing activity complies with all the requirements of the Law. It was underlined that each data exporter must comply with the transfer provisions in the Law for each transfer. It was added that it is also possible to design the BCRs in accordance with global data protection policies.
iii. Standard contracts
The Authority has not provided any definition of standard contracts in the Guideline. The Authority has stated that they shall be signed between the data controller or data processor transferring the personal data abroad and the data controller or data processor abroad receiving the personal data from the data exporter. It is also emphasized that the contract must be signed by the parties to the personal data transfer in accordance with the Regulation.
The Authority eliminated the question marks in this regard by stating that standard contracts may be arranged in double columns, but that the Turkish text will be taken as the basis even if they are arranged in this way. In addition, the Authority emphasized that standard contracts may not be amended except for optional or alternative clauses.
Annexes of standard contracts
Activities of the data exporter and data importer regarding the personal data transferred under the standard contract: General explanations are expected to be made regarding the transfer of personal data.
Data subject group(s): The group or groups of data subjects whose personal data are transferred must be declared.
Categories of personal data transferred, and categories of sensitive personal data transferred: The categories and types of personal data subject to transfer.
The legal basis for the transfer: It is expected to explain which processing conditions under Articles 5 and 6 of the Law are relied upon.
Frequency of transfer: The nature of the transfer on whether the transfer is one-time or continuous must be clear.
The nature of the processing activity: It is expected to include qualifications such as storage, recording, publication, aggregation, and categorization.
Purposes of data transfer and subsequent processing: Data transfer purposes and the subsequent processing to be carried out by the data importer must be clear.
Personal data retention period: Information on how long personal data will be retained and/or the criteria used to determine the retention period should be clear.
Recipients or groups of recipients: It is expected that the data recipient will specify the recipients to whom the data is transferred in the context of the subsequent transfer. This section is expected to be kept up to date throughout the duration of the standard contract.
The data exporter's data controller's registry information system ("VERBIS") information: It is expected to be specified if the data controller of the data exporter has a registration and notification obligation to the VERBIS. It is also emphasized that the information in the annexes and the information in VERBIS are expected to be compatible.
The subject matter, nature and duration of the processing in case of transfers to sub-processors: It is expected to be disclosed by the data importer data processor in cases of subsequent transfers to sub-processors.
Submission to the Authority
The Guideline reminds that standard contracts must be notified to the Authority physically, via registered electronic mail and alternative methods (standard contract notification module) within five days following the completion of signatures by both parties. Thus, it is stated that the agreement must be signed by the transfer parties themselves or by the people authorized to represent and sign the transfer parties, the authorization certificate and a notarized translation of the foreign language documents.
Subsequent notifications
It is reminded that in the event of certain changes in the Guideline, the Authority should be notified of these changes. Accordingly, under the supervision of subsequent transfers, it is stated that if there is a change in the recipients or groups of recipients transferred and if there is a change in the sub-data processors, the annexes of the relevant agreement should be updated and notified to the Authority again.
iv. Written undertaking
The Guideline emphasizes that the Board's authorization is required for transfers to be made through the written undertaking mechanism. Thus, initiating a transfer with a written undertaking signed by the parties would be unlawful if the Board is still in the evaluation process.
Exceptional Transfers
It is stated in the Guideline that exceptional transfers are only possible in cases that are incidental, in other words, that occur only once or a few times, are not continuous and are not in the ordinary course of business.
Although the existence of the data processing conditions in Articles 5 and 6 of the Law is a prerequisite for cross-border data transfers based on an adequacy decision or appropriate safeguards, there is no such prerequisite for exceptional transfers. Accordingly, transfers based on exceptional transfers may be initiated without seeking these conditions. The Authority underlined that a narrow interpretation should be made with respect to transfers made in incidental circumstances.
It is stated that such transfers are a last resort. It is stated in the Guideline that these transfers may occur more than once, but if they occur more than once, they should not be regular, should not be continuous, and should be outside the ordinary course of action under unforeseen circumstances and within uncertain time intervals. Only in this way can it be exceptional.
It is emphasized that transfers in the ordinary course of business cannot be subject to exceptional transfers. As an example, a tourism company's transfers regarding the reservation information of its customers are not exceptional transfers as they are within the ordinary course of business of the company.
In transfers within the scope of explicit consent as an exceptional transfer method, the conditions of explicit consent to be related to a specific subject, to be based on information, to be informed about possible risks and to be expressed with free will are reminded. Therefore, it is stated that the data exporter must obtain explicit consent for the transfer abroad before the transfer takes place, even if it is after the data collection activity has taken place.
For transfers based on Article 9(6) of the Law,5 the criteria of necessity and incidental nature are emphasized. For example, it is stated that it cannot be relied upon to be mandatory for the performance of the contract within the scope of a company group carrying out its payroll activities abroad within its business organization. On the other hand, it has been stated that it is mandatory for travel agencies to transfer the data of their individual customers to organize the accommodation of these customers abroad.
As part of the performance of the employment contract, it is stated that the transfer of data by the employer for the purpose of organizing meetings with customers for customer visits abroad will be considered incidental. On the other hand, it is stated in the Guideline that it will not be incidental for a multinational company to organize training at a training center abroad and systematically transfer the data of its employees.
Conclusion
The Guideline was prepared in a very comprehensive manner and responded to the differences in the practices of the Turkish personal data protection sphere. The Authority's enlightening Guideline has reduced the question marks on how the new regime on cross-border data transfers will be implemented. We will follow what will happen after the Authority provides a roadmap on standard contracts, which is the most preferred method.
Footnotes
1 The Board's decision (24.01.2019, 2019/10).
2 Regulation on the Procedures and Principles Regarding the Cross-Border Data Transfer.
3 https://titck.gov.tr/Dosyalar/VeriKoruma/tr/1IdariAnlasma.pdf, Last Access Date: 03.01.2025.
4 10 April 2020.
5 The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.