With employees and customers from all around the world, multinational companies need to keep the personal data they deal with safe. Due to some legal concerns and management policies, these companies tend to store the personal data they own (which is mainly related to their customers, employees, consumers and business transactions) in a centralized location where they can reach and utilize the data when in need. In addition, the relevant data often needs to be shared internally among the branches of multinational companies to provide services to international clients or to coordinate the operations of the company. Alongside various other methods of transferring vast amounts of data, companies frequently use cloud storage to meet these needs.
Cloud services and other methods that may require the transfer of data are highly popular in business life nowadays. Companies which need to transfer their data safely to other locations frequently resort to these services. However, certain legal concerns must be considered when it comes to trans-border data transfer. In this regard, Protection of Personal Data Law No. 6698, which fully entered into force on 7 October 2016, has to be taken into account with respect to Turkish legislation. The Data Protection Law embodies certain features that distinguish it from EU Directive 95/46/EC, on which it was based.
Trans-border data transfer pursuant to the Data Protection Law
Before moving on to the relevant provisions of the Data Protection Law, we note that although these provisions are currently in force, the Data Protection Board is not established yet, as only five Board members have been appointed to date, whereas the Board must consist of nine members and the quorum for meetings is six members. Furthermore, the personnel of the Data Protection Authority are also not yet appointed. Therefore, the provisions of the Law are not yet being implemented. However, violations of this law constitute misdemeanours under Turkish Law and are subject to a time bar of five years in accordance with Article 20/2(a) of the Misdemeanours Law.
Within the framework of the Data Protection Law, trans-border data transfers that are based on the explicit consent of the data subject are deemed to be legal without any further requirements. However, in the absence of the data subject's explicit consent, there are different rules concerning the transfer of personal data to countries that ensure an adequate level of protection and those that do not.
Pursuant to Article 9/2 of the Data Protection Law, the Data Protection Board should publish a list of the countries that ensure an adequate level of protection by taking into consideration the following factors: international agreements, reciprocity and the legislation of the other countries. This list has not been published yet. However, there is an understanding that the EU member states will be deemed countries that ensure an adequate level of protection, as the Data Protection Law is based on the Directive.
Article 9/2, on trans-border data transfer to countries that ensure an adequate level of protection, refers to the requirements set forth in Article 5/2 of the Data Protection Law concerning the processing of data. Accordingly, trans-border data transfer is deemed to be lawful in cases where at least one of the legal grounds for the lawful processing of personal data laid down in Article 5/2 is present.
Trans-border data transfer to countries that do not ensure an adequate level of protection requires additional elements for the legitimacy of the transfer. In addition to the conditions set forth in Article 5/2 of the Data Protection Law, two additional criteria must also be met. First, both the data controller in Turkey and the data controller in the relevant country shall commit in writing to provide an adequate level of protection. Second, the permission of the Board regarding the transfer shall be obtained.
Trans-border data transfer pursuant to the Directive
Most of the multinational companies are familiar with the EU-wide data protection regulations, and this constitutes an advantage for compliance with the Turkish regulations since these are mostly based on the EU acquis. Still, it should be kept in mind that there are some key differences especially with respect to the rules concerning the transfer of personal data. We first summarize the general principles in the EU and then set forth the main differences with the Turkish legislation.
The provisions concerning trans-border data transfer under the Directive differentiate between the transfer of personal data to EU countries and to non-EU countries, and it is assumed that transfer of data between EU countries is always lawful. Other than that, the Directive also defines countries ensuring an adequate level of protection and those that do not.
Per the Directive, if a third country ensures an adequate level of protection for personal data, there is no other criterion that should be fulfilled, and the transfer is deemed to be legitimate even in the absence of explicit consent.
Concerning the transfer of data to countries that do not ensure an adequate level of protection, the Directive requires the approval of the supervisory authority in the relevant EU member state for the legitimacy of the transfer. Relevant authorities allow such transfer if it is guaranteed that the adequate level of protection will be provided in the third country. In practical terms, contractual stipulations between the data-exporting controller and the foreign data recipient or binding corporate rules applicable for data transfers within a multinational group of companies are being used in this context.
Certain derogations are foreseen in Article 26 of the Directive regarding the above requirements for the transfer of personal data to countries that do not ensure adequate protection in the absence of explicit consent of the data subject. In cases where these derogations exist, the transfer of personal data to countries that do not ensure an adequate level of protection is legitimate without the approval of the relevant supervisory authority.
Differences between the Data Protection Law and the Directive concerning trans-border data transfer
There are certain differences regarding trans-border data transfer pursuant to the Data Protection Law and the Directive. Although the explicit consent of the data subject always legitimizes transfer of data to any country, the application differs in the absence of explicit consent. Trans-border transfers of data to countries that ensure an adequate level of protection are allowed in the EU without any additional requirements, while in Turkey the data exporter must rely on the legal grounds stipulated in Article 5/2 of the Data Protection Law concerning the lawful processing of data.
Secondly, although the trans-border transfer of data to countries that do not ensure an adequate level of protection requires the approval of the supervisory authority in the EU, the approval is not required in cases where the derogations set forth under Article 26 of the Directive are present. There are no such derogations in the Data Protection Law. Trans-border data transfers are allowed only if the following requirements are cumulatively satisfied: (i) the transfer is based on a legal ground for processing, (ii) both data controllers must make written commitments to provide an adequate level of protection, and (iii) the Board must approve the transfer.
In addition, the Data Protection Law requires written commitments from both data controllers, whereas the Directive stipulates that the adequate level of protection may be ensured via contractual stipulations between the data controllers.
How will companies in Turkey transfer their data abroad?
Despite the strict nature of the Data Protection Law concerning trans-border data transfer, provisions which may enable flexibility for the potential data controllers are also present. The legal grounds stipulated in Articles 5/2(c) concerning the processing of data as a contractual requirement and 5/2(f) concerning the processing of data as a contractual requirement in line with the legitimate interests of the data controller are of crucial significance.
Since the secondary legislation concerning the protection of personal data has not been promulgated in Turkey yet, the European Union legislation and practice may be taken into consideration for the interpretation of these legal grounds. The Opinion 06/2014 of the Data Protection Working Party on the notion of legitimate interests of the data controller under Article 7 of the Directive is a perfect guideline.
The Working Party tends to interpret the contractual requirements widely and assume that this could constitute a legal basis for processing only if the processing is fundamental for the formation or the performance of the contract.
Hence, when relying on Article 5/2(c) of the Data Protection Law as a legal basis for the transfer of data abroad, companies must be extra cautious and ensure that this is mandatory.
The Working Party seems to be much more liberal with respect to the legitimate interests of the data controller and suggests that this could be a valid legal basis for processing as long as the data subjects are not harmed.
Still, we should note that a meticulous case-by-case analysis is required in Turkey when determining whether Article 5/2(f) of the Data Protection Law may constitute the proper legal basis for certain data transfers. This requires the proper identification of the legitimate interests of the data controller and all the potential threats to the data subjects. The balance between these two should then be analysed with due care.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.