Turkish personal data legislation has been substantially amended since March 2024. Especially, important legislative texts relating to the transfer of personal data abroad, a longtime debated topic due to practical uncertainties, have been introduced:
- Law on the Amendment of the Criminal Procedure Code No. 7499 and Certain Other Laws published in the Official Gazette No. 32487 dated March 12, 2024, significantly amended Article 9 of the Law No. 6698 on the Protection of Personal Data ("Law") regulating the transfer of data abroad.
- The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad ("Regulation") published in the Official Gazette No. 32598 dated July 10, 2024, set out the procedures and principles regarding the implementation of Article 9 of the Law as amended in March, which regulates the transfer of personal data abroad.
- On July 10, 2024, the Personal Data Protection Authority ("Authority") published a Public Announcement on Documents on Standard Contracts and Binding Corporate Rules.
The recent amendments specify the conditions for transferring personal data abroad. The scope of the cases where explicit consent is not required for data transfer abroad has been expanded, and new provisions have introduced certain facilities under specific conditions.
Law Article 9(1) is amended to permit the transfer of personal data abroad "if there is an adequacy decision regarding the country, the sectors within that country or the international organizations to which the personal data is to be transferred".
In principle, an adequacy decision must be issued by the Personal Data Protection Board ("Board") and published in the Official Gazette.
When making its adequacy decision, the Board takes into consideration the following points:
- Reciprocity relating to the transfer of personal data between Türkiye and the country, the sectors within that country or international organizations to which the personal data is to be transferred,
- The relevant legislation and practice of the country and the rules governing the international organization to which personal data is to be transferred,
- Whether there is an independent and effective data protection authority in the destination country or over the international organization receiving the personal data; and whether there are administrative and judicial remedies
- Whether the country or the international organization to which personal data is to be transferred, has a membership to same global or regional organizations as Türkiye.
- International treaties to which Türkiye is a party.
In the absence of an adequacy decision, the new Article 9(4) allows the transfer of personal data abroad if appropriate safeguards are established, provided that one of the data processing conditions in Articles 5 and 6 of the Law are fulfilled. Additionally, the data subject must have the ability to exercise their rights and to have recourse to effective remedies in the destination country.
In cases where there is neither an adequacy decision nor appropriate safeguards, the transfer of personal data abroad is permitted on an incidental basis in the presence of the circumstances set out in Article 9(6). The Regulation defines incidental transfers as those "that are not regular, occur on a single or sporadic occasions, are not continuous, and are not in the ordinary course of business".
In summary, the new mechanism operates under the following conditions:
Conditions for transfer with Adequacy Decision
[Law Art. 9(1), (2), (3), Regulation Art. 9,10] |
Conditions for transfer with Appropriate
Safeguards
[Law Art. 9(4), Regulation Articles 10-15] |
Conditions for transfer in Limited Incidental
Cases
[Law Art. 9(6), Regulation Art. 16] |
Existence of one of the conditions specified in Articles 5 and 6 of the Law, | Existence of one of the conditions specified in Articles 5 and 6 of the Law, | Existence of one of the following limited number of circumstances1 (Art. 9(6): |
An adequacy decision issued by the Board and published in the Official Gazette. | Possibility of data subject to exercise their rights and to recourse to effective remedies in the destination country, | The data subject's explicit consent to the transfer, provided that they are informed of possible risks. |
Fulfillment of one of the following appropriate safeguards set out in Article 9(4) of the Law by the Parties: | The transfer is imperative for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures requested by the data subject. | |
Agreements that do not constitute international treaties with foreign organizations and the Board's authorization of the transfer, | The transfer is imperative for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject. | |
Binding corporate rules on the group companies pursuing joint economic activities, which contain provisions on the protection of personal data, and is approved by the Board, | The transfer is imperative for an overriding public interest. | |
A standard contract announced by the Board, | The transfer of personal data is imperative for the establishment, exercise or protection of a right. | |
A written letter of commitment containing appropriate safeguards and authorization of the transfer by the Board. | The transfer is imperative to protect the life or physical integrity of the person who is unable to give consent due to factual impossibility or whose consent is not legally valid. | |
The transfer is from a registry that is open to the public or to the persons with a legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it. |
While the Regulation contains provisions aligned with the Law regarding the adequacy decision and exceptional circumstances, it further details the conditions for transfer with appropriate safeguards as shown in the table below:
Providing appropriate safeguards in an agreement that is not an international treaty |
|
Providing appropriate safeguards in the binding corporate rules |
|
Providing appropriate safeguards in a standard contract |
|
Providing appropriate safeguards in a written letter of commitment |
|
On 10 July 2024, the Authority, through the Public Announcement on Documents on Standard Contracts and Binding Corporate Rules, published various documents regarding standard contracts and binding corporate rules, two methods of international transfer with appropriate safeguards. These documents include standard contract texts to be used in the transfer of personal data abroad, binding corporate rules application forms and auxiliary guidelines on key issues that should be included in binding corporate rules.
The Authority has established a practical and concrete framework for the transfer of personal data abroad by clarifying the details and implementation methods with the amendment to the Regulation and supplemented it with the supporting documents on standard contracts and binding corporate rules.
Footnote
1. The first three of these circumstances will not be applied to the activities of public institutions and organizations subject to public law. In other words, it is not possible for public institutions and organizations to transfer data abroad on the grounds that it is incidental and based on explicit consent or based on contract without an adequacy decision or appropriate safeguards in their activities subject to public law.
Originally published 26 July 2024.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.