Article 9 of the Law No. 6698 on the Protection of Personal Data ("DPL"), which regulates the transfer of personal data abroad, provides that personal data can be transferred abroad without the explicit consent of the data subject only if it satisfies either one of the conditions set out under paragraph two of Article 5 and paragraph three of Article 6, and provided that the country to which the personal data will be transferred offers an adequate level of protection. If the level of data protection in such country is not deemed to be adequate, then the data controllers in Turkey and abroad can provide a written undertaking, warranting the delivery of an adequate level of protection, which can be approved by the Turkish Data Protection Board ("Board"). The same provision also states that the Board shall determine the countries in which there is an adequate level of data protection and announce them (i.e., publish a list of such countries).
The countries with adequate levels of data protection are yet to be announced by the Board.[1] However, in accordance with the foregoing requirements, the Board published the decision numbered 2019/125 and dated May 2, 2019 ("Decision"),[2] which stipulates the criteria and methodology used for determining the countries with adequate levels of protection. According to this Decision, the Board will evaluate each country based on the criteria set forth under the Decision, and announce the list of safe countries in this respect.
The criteria to be considered for the determination of the countries with adequate levels of protection had already been regulated under Article 9 of the DPL prior to the Decision, which set out the following criteria for the Board to evaluate in determining the countries with adequate levels of protection:
- The international agreements to which Turkey is a party,
- The reciprocity related to data transfer between Turkey and the country demanding personal data,
- The category of the personal data, as well as the purpose and period of processing for each specific data transfer,
- The relevant legislation and practice in the foreign country to which the data will be transferred,
- The measures that the data controller (in the foreign country to which the data will be transferred) commits to provide.
With the recent Decision, the Board has introduced further criteria, in addition to those already laid out in Article 9 of the DPL (discussed above), and provided further details. The following criteria are also in line with the conditions set forth under Article 45 of the General Data Protection Regulation ("GDPR"), which regulates the data transfers on the basis of an adequacy decision:
- The legislation and practice of the relevant country regarding personal data processing,
In terms of this criterion, the Board evaluates the information as to (i) whether protection of personal data is a constitutional right, (ii) the existence of a fundamental law regarding the processing of personal data, (iii) the enforcement date of the fundamental law, (iv) the secondary legislation and compliance of such secondary legislation with the Turkish legislation, (v) fundamental notions regarding the protection of personal data, (vi) general principles related to the protection of personal data, (vii) the compliance of the personal data processing conditions with the personal data processing conditions set forth under the DPL, (viii) the existence of special processing conditions and additional security measures for the processing of special categories of personal data, (ix) the requirements of legal assurances ensuring that the personal data processing operations are in compliance with the transparency principle, (x) the requirements to implement technical and administrative measures to ensure that a sufficient level of security exists for the prevention of illegal processing and access of personal data, and the assurance of the protection of personal data through technical measures and administrative measures, (xi) information on whether administrative and/or criminal sanctions are applied for data breaches and whether other mechanisms are in place to ensure the prevention of data breaches, (xii) the rights of the data subjects, (xiii) the rights of the data subjects to apply to the data controller and to complain to the data protection authority, (xiv) information on whether parties whose rights regarding personal data are violated have the right to claim compensation, within the scope of general provisions, (xv) reference guides and/or publications on the practice, (xvi) the exemptions regarding the application of the relevant law, and (xvii) the data transfer regime.
- Information on whether there is an independent data protection authority,
In terms of the independent data protection agency criterion, the Board evaluates the following matters:
(i) its structure, (ii) its status as an independent authority, (iii) its duties and authorities, (iv) its audit/examination competence, (v) information on whether an appeal process against the decisions of the data authority exists.
- Accession to international agreements on personal data protection and membership in international organizations. In the Decision, these agreements and organisations were listed as follows:
(i) Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, (ii) Additional Protocol No: 181 to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and trans-border data flows, (iii) Second Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters (CETS 182), (iv) European Convention on Human Rights, (v) International Conference of Data Protection and Privacy Commissioners (ICDPPC), and (vi) Global Privacy Enforcement Network (GPEN).
- Status of membership in global and regional organizations in which Turkey is a member,
- Volume of trade between Turkey and the relevant country, and
- Other criteria.
The Board will apparently evaluate each country based on the foregoing criteria and methodology, and we might expect the Board to announce a list of safe countries, or to issue data protection adequacy decisions, in the near future.
This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in December 2019.
[1] As of the date that this newsletter went to press.
[2] See https://www.kvkk.gov.tr/Icerik/5469/-Yeterli-korumanin-bulundugu-ulkelerin-tayininde-kullanmak-uzere-olusturulan-form-hakkindaki-02-05-2019-tarihli-ve-2019-125-sayili-Kurul-Karari (last accessed on September 17, 2019).