Compliance to the rules and procedures in cross-border transfers of personal data from Turkey to outside under Turkish Data Protection Law is currently on agenda. Turkish Personal Data Protection Authority and Turkish Personal Data Protection Board are actively inspecting and imposing penalties for the breach of rules in cross-border transfers of personal data from Turkey to outside. It should be noted here that the rules and procedures related to cross-border transfers of personal data from Turkey to outside under the scope of Turkish Data Protection Law is very similar to that of the General Data Protection Regulation (GDPR) 2016/679 of European Union.
Therefore; all data controllers (the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system) and data processors (the natural or legal person who processes personal data on behalf of the controller upon his authorization) must comply with the expectation of Turkish laws and regulations.
Law on the Protection of Personal Data Nr. 6698 (hereinafter referred to as 'Turkish Data Protection Law') was published on 7 April 2016 in the Official Gazette numbered 29677 as part of the European Union harmonization aiming to protect fundamental rights and freedoms of people, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.
It should be clarified at the very beginning that this Turkish Data Protection Law shall apply to natural persons whose personal data are processed as well as to natural or legal persons who process such data fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
Under the scope of this informative article, we will discuss the cross-border transfers of personal data from Turkey to outside.
Article 9 of the Turkish Data Protection Law regulates the cross-border transfer of personal data from Turkey to outside. It states under paragraph 1 that personal data cannot be transferred abroad without explicit consent of the data subject whereas data subject is defined under Article 3 of Turkish Data Protection Law as the natural person, whose personal data is processed.
Furthermore; paragraph 2 of Article 9 indicates that personal data may be transferred abroad without explicit consent of the data subject provided that one of the conditions set forth in the second paragraph of Article 5 (which provides certain conditions where personal data can be processed without seeking the explicit consent of the data subject) and the third paragraph of Article 6 exist (which provides that personal data, excluding those relating to health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws) and that;
- sufficient protection is provided in the foreign country where the data is to be transferred,
- the controllers in Turkey and in the related foreign country guarantee a sufficient protection in writing and the Board has authorized such transfer, where sufficient protection is not provided.
The Board determines and announces the countries where sufficient level of protection is provided.
Moreover; paragraph 4 of Article 9 provides the criteria for Turkish Personal Data Protection Board in its decision-making procedure whether there is sufficient protection in the foreign country concerned and whether such transfer will be authorized under above sub-paragraph (b) of paragraph 2.
Under paragraph 5, it is put forward that in cases where interest of Turkey or the data subject will seriously be harmed, personal data, without prejudice to the provisions of international agreements, may only be transferred abroad upon the permission to be given by the Board after receiving the opinions of related public institutions and organizations.
In conclusion, the cross-border transfer of personal data from Turkey to outside should carefully be studied and all mechanisms, policies and procedures of data controllers and data processors should be in compliance with the Turkish Data Protection Law and its secondary legislation.
Otherwise; there are serious outcomes including criminal prosecution and administrative fine may be applied. Under Article 17 the criminal prosecution is mentioned whereas under Article 18 the administrative fines are elaborated.
Pursuant to Article 17 paragraph 1; Articles 135-140 of Turkish Penal Code No. 5237 of 26/9/2004 shall apply in terms of the crimes concerning personal data.
Pursuant to Article 18 paragraph 1/b; those who fail to comply with obligations related to data security provided for in Article 12 herein shall be required to pay an administrative fine of 15.000 to 1.000.000 TL.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
