Turkey is the first 2022 stop on our global tour about data localization. What is Turkey's approach to cross-border transfers of personal data about its citizens and residents?
Turkey's Law on Protection of Personal Data is comprehensive and like the European Union's former Data Protection Directive, though it differs in some respects. Data localization is not part of this existing Turkish law. Instead, Turkey takes a sectoral approach to cross-border collection and processing of personal data of its residents. Turkish banks must collect and store Turkish customer data within Turkey. Data localizations requirements apply to payment and electronic money institutions, forcing companies like Paypal or Venmo to locate a payment system within Turkey and to comply with Turkish data privacy regulations. Social media providers must register with and report every six months to Turkish authorities about Turkish social media users.
In August 2021, the Turkish Data Protection Authority (KVKK) proposed to amend Turkish law to permit cross-border data transfers if it issues an adequacy decision about another country. But unlike GDPR, the amendment would require the foreign country to be reciprocal in its data privacy laws, a unique approach that extends beyond adequacy. If adopted, the KVKK approach would encourage multinational companies to use Turkish-based servers and a Turkish subsidiary to have broad access to the Turkish market but would allow flexibility through binding corporate rules and notifying the Turkish authorities of a standard undertaking.
Tune in to Episode 78 to learn how and why Turkey may be aligning with evolving European standards instead of more authoritarian and protectionist rules evident in China, Russia, and India.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
