Recent amendments to Article 9 of the Turkish Law on the Protection of Personal Data No. 6698 ("Law") introduce new mechanisms for international data transfers. These changes are part of the efforts to align with the GDPR and broader EU harmonization initiatives. The new mechanisms have also raised practical uncertainties.
The Turkish Personal Data Protection Board ("Board") published guidelines on transferring personal data to third countries ("Guidelines"). This document aims to address these uncertainties, provide practical guidance on cross-border data transfers, and clarify the safeguards required by the Board. It is largely based on EU practice and the EU guidelines, incorporating similar examples.
This information note offers a Q&A-style overview of the key issues covered in the legislation and the Guidelines.
1. What elements are required for an activity to qualify as a transfer of personal data to a third country?
For an activity to be considered a transfer of personal data to a third country, three key criteria must be met:
- The data exporter must be subject to the Law. The Guidelines clarify, similar to the GDPR, that the data exporter's activity falls within the scope of the Law if it affects or targets data subjects in Turkey.
- The personal data must be transmitted or made accessible to the data importer. This includes actions such as displaying personal data on a screen or granting access to an account.
- The data importer must be located in a third country.
2. Is it considered a data transfer abroad if a Turkish data processor established in Turkey delegates part of its processing activities to a sub-processor located abroad?
Yes. The Turkish data processor's personal data processing activity falls within the scope of its establishment in Turkey and is therefore subject to the Law. On the other hand, the processing activity performed by the sub-processor in a third country occurs in that country. As a result, the transfer of personal data by the Turkish data processor to the sub-processor in a third country constitutes a data transfer abroad.
3. If a data controller abroad obtains personal data directly from a data subject residing in Turkey, for example, within the scope of an e-commerce purchase, does this qualify as a data transfer abroad?
No. The personal data is transmitted directly by the data subject. It is not obtained through a data controller or processor acting as a data exporter. Therefore, this does not qualify as a data transfer abroad.
4. What are the mechanisms of data transfer abroad? Can these mechanisms be used at the same time?
In parallel with the GDPR, the legislation outlines the ways to transfer data abroad in a three-tier structure. Where an adequacy decision is not available, one of the appropriate safeguards must be used. If none of the appropriate safeguards is applicable, the exceptional transfer conditions may be relied upon.
- Transfers Based on Adequacy Decisions
- Transfers Based on Appropriate Safeguards
  - Non-International Agreements for Public Authorities
  - Binding Corporate Rules
  - Standard Contracts
  - Commitment Letter subject to Board's Approval
- Exceptional Transfer Cases
5. What is the scope of the adequacy decision? Is it possible to issue an adequacy decision for a specific sector?
An adequacy decision is a confirmation mechanism that evaluates whether the level of data protection in a foreign jurisdiction is equivalent to the level in Turkey. Based on various criteria, the Board may issue an adequacy decision.
With the recent amendments, the scope of adequacy decisions has been expanded. Such decisions may now be issued concerning a foreign country, a specific sector, or an international organization.
6. What is a standard contract, and what elements does it include?
Standard contracts are model agreements designed to ensure appropriate safeguards for the transfer of personal data abroad. These contracts are entered into between the data controller or processor transferring the personal data and the data controller or processor receiving the data. The content of these contracts is determined by the Board.
A standard contract consists of clauses specified by the Board and an annex to be completed by the parties to the data transfer. Many of the obligations included in these contracts are also found in the standard contractual clauses published by the European Commission.
7. What are the types of standard contracts?
The Board has adopted four different standard contract templates based on potential transfer scenarios, considering the roles of the parties involved in the transfer. These templates are as follows:
- From data controller to data controller,
- From data controller to data processor,
- From data processor to data processor,
- From data processor to data controller.
8. What should be considered when using standard contracts?
The Guidelines emphasize that, apart from optional or alternative clauses, no modifications should be made to the standard contract templates.
They also state that the questions included in the annexes to the contract must be answered completely, clearly, and in a manner consistent with the nature of the transfer. Additionally, the data subject group(s) must be specified for each category of personal data. Both the categories (e.g., contact information) and the types (e.g., email address) of personal data subject to transfer must be explicitly stated. Furthermore, the information provided in the standard contract by the data controller must align with its records in the Data Controllers' Registry (VERBIS).
The Guidelines also address the much-discussed question of the language of standard contracts. They consider that contracts may be submitted to the Authority in a dual-column format, with one column in Turkish and the other in another language. However, it is explicitly stated that the Turkish version will prevail in all cases.
9. What is the notification process to the Authority following the signing of a standard contract?
The standard contract must be submitted to the Board within five business days from the date it is signed by both parties. The methods for notifying the Authority, as outlined, are as follows:
- Physically (e.g., in person or by e-mail),
- Via a registered electronic mail (KEP) address,
- Other alternative methods determined by the Board (e.g., the Standard Contract Notification Module).
The notification must include the following documents and information:
- The final version of the standard contract, duly completed and signed by the parties to the transfer,
- Documents demonstrating the authority of the individuals signing the standard contract,
- Notarized translations of documents in a foreign language.
Additionally, it is noted that if the notification includes official documents issued by foreign authorities, the authenticity of the signatures or seals on such documents may need to be verified by consular authorities. If these official documents are exempt from legalization under the Convention Abolishing the Requirement of Legalisation for Foreign Public Documents, an apostille certificate will be required instead.
10. What are the minimum elements required in binding corporate rules?
Before the amendments to the Law, binding corporate rules ("BCRs") were recognized as an appropriate safeguard based on the decisions of the Board. With the recent changes, BCRs are now directly regulated under the Law and explicitly recognized as an appropriate safeguard.
Binding corporate rules must include certain minimum elements. These elements encompass the organizational structure of the group and contact information, explanations regarding personal data transfers, and a binding commitment. They also cover data security measures, the rights of data subjects, and ensuring easy access to the rules for data subjects. In addition, BCRs must include a commitment to accept responsibility, provide training for employees, and establish mechanisms for compliance and auditing. Procedures for recording and reporting changes, an obligation to cooperate with the Authority, and a requirement to report national regulations and practices affecting compliance are also necessary components.
Detailed explanations regarding these elements are included in separate guidelines published by the Authority. Moreover, the Board is authorized to establish additional requirements beyond these elements.
11. Are binding corporate rules applicable for data processors as well?
Before the amendments to the Law, the transfer of personal data by data processors under BCRs was not regulated. The new amendments explicitly state that personal data can be transferred abroad by both data controllers and data processors within the framework of BCRs. Accordingly, data processors may also transfer personal data abroad, provided that their applications are approved by the Board.
12. What is exceptional transfer, and under what conditions may it be used?
Exceptional transfer is regulated as an exception to the standard transfer mechanisms. It is defined in the Guidelines as a transfer of personal data abroad that is irregular, occurs only once or a few times, is not continuous, and is not part of the regular flow of activities.
Transfers that are systematic and recurring should not be considered exceptional transfers. For instance, granting direct access to a database or a tourism company transferring its customers' reservation information as part of its regular operations would not qualify as an exceptional transfer.
To perform a transfer based on exceptional circumstances, it is first necessary to determine whether an adequacy decision or appropriate safeguards are available. If neither is present, exceptional transfer should only be used as a last resort.
The circumstances under which exceptional transfers may be performed are regulated as follows:
- The data subject has given explicit consent to the transfer, provided that he/she has been informed of the potential risks involved,
- The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject's request,
- The transfer is necessary for the establishment or performance of a contract between the controller and another natural or legal person, concluded in the interest of the data subject,
- The transfer is necessary for a substantial public interest,
- The transfer is necessary for the establishment, exercise, or protection of any right,
- The transfer is necessary to protect the life or physical integrity of the data subject or of any other person, where that person is unable to express his/her consent due to physical disability or where his/her consent is not deemed legally valid,
- The transfer is made from a registry that is open to the public or accessible to persons with a legitimate interest, provided that the conditions for accessing the registry under the relevant legislation are fulfilled and that the person with a legitimate interest has requested the transfer.