ARTICLE
16 September 2024

Recent Regulatory Changes In Cross-Border Data Transfers In Turkey

DL
DKB Legal Consultancy & Compliance

Contributor

DKB Legal was founded by Didem Kalaycıoğlu Birol and based in Istanbul, Turkey. DKB Legal provides consultancy and compliance management services to local and foreign clients, particularly in the areas of Personal Data Protection, Telecommunications Law, Competition Law, E-Commerce & Consumer Law.
Significant regulatory developments regarding the cross-border transfer of personal data in Turkey have recently emerged.
Turkey Privacy

INTRODUCTION

Significant regulatory developments regarding the cross-border transfer of personal data in Turkey have recently emerged. Introduced by the Turkish Data Protection Authority ("Turkish DPA"), these changes carry critical implications for both local and international companies operating within Turkey. This article provides a comprehensive overview of these new regulations, their implications, and the necessary steps organizations must take to ensure compliance.

These changes were based on the enactment of Law No. 7499, effective as of March 12, 2024, which introduced amendments to several laws, including the Turkish Data Protection Law ("Turkish DPL"). Among the most noteworthy amendments are those made to Article 9 of the Turkish DPL, which pertains to the "Transfer of Personal Data Abroad."

The amendments to Article 9 have introduced three distinct procedures for the transfer of personal data abroad:

  1. Adequacy Decision: The cross-border transfer of personal data abroad by data controllers and data processors is permitted, provided that one of the conditions specified in Articles 5 and 6 is met and there is an adequacy decision regarding the country, sectors within the country, or international organizations to which the data will be transferred.
  2. Appropriate Safeguards: In the absence of an adequacy decision, cross-border data transfers are allowed if one of the conditions specified in Articles 5 and 6 is fulfilled, provided that the data subject has the opportunity to exercise their rights and seek effective legal remedies in the country of transfer. This transfer is only permitted if one of the following safeguards is provided by the parties: a non-international agreement, binding corporate rules, a standard contract, or a letter of undertaking. In practice, we anticipate that companies will most frequently resort to the standard contract mechanism among these options due to the following reasons: (i) the implementation pose significant operational challenges and incur substantial costs, and they also require the approval of the Board, and (ii) the letter of undertaking also requires the Board's approval.
  3. Incidental Transfers: If neither an adequacy decision nor appropriate safeguards exist, incidental transfers of personal data are allowed only when one of the exceptional transfer cases specified in the second paragraph of Article 9 is met. These transfers are characterized by their non-regular, non-continuous, and atypical nature within the context of business.

On July 10, 2024, the anticipated Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (the "Regulation") was published in the Official Gazette and took effect immediately. Concurrently, the Turkish DPA released standard contract templates on its official website.

The Standard Contracts detail the categories of data involved, the purposes of the data transfer, recipients and recipient groups, technical and administrative measures that must be taken by the data exporter, and additional measures for the transfer of special categories of personal data. These contracts must be implemented as is, without any modifications. Any changes to the provided information or termination of these contracts must be promptly reported to the Turkish DPA following the prescribed procedures.

Under these new regulations, companies involved in cross-border data transfers must ensure compliance by selecting one of the three established methods and notifying the Turkish DPA of their choice. This compliance process includes reviewing international data transfer procedures, updating privacy notices, revising data protection policies, maintaining accurate data inventories, and ensuring VERBIS (Turkish Data Controllers Registry) registrations are up to date.

Companies opting to use standard contracts for cross-border data transfers must also:

  • Notify the Turkish DPA of all standard contracts related to cross-border data transfers.
  • Monitor and document any changes to the parties or the information contained within these contracts.
  • Inform the Turkish DPA upon the termination of any standard contracts related to cross-border data transfers.

CONCLUSION

These new regulations represent a significant shift in the landscape of data protection and cross-border data transfers in Turkey. Companies must swiftly adapt to these changes to ensure compliance with the Turkish DPL and the newly issued Regulation. Non-compliance could result in severe penalties and reputational damage.

For further assistance in aligning your data protection practices with these new regulations, please do not hesitate to contact us.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More