The Turkish Personal Data Protection Authority ("DPA") published the summary of its decision evaluating the cross-border transfer of personal data by a data controller relying on Convention 108. The DPA also evaluated the relationship between the restrictions under the Law No. 6698 on the Protection of Personal Data ("DPL") regarding cross-border transfers and the legal status of the Convention 108.
The DPA's full announcement is available online here (in Turkish).
What Does the Decision Say?
The DPA provided detailed explanations and comments as part of its evaluation on the matter. The key takeaways from the decision may be summarized as follows:
- Data controller's cross-border transfer of personal data (based on the Convention 108) does not comply with the requirements under Article 9 of the DPL.
- Being a party to the Convention 108 is not sufficient to declare that party a "safe country". However, being a party might yield positive effects during the DPA's evaluation on the matter.
- Therefore, the cross-border transfer of personal data based on Convention 108 without complying with the requirements under the DPL constitutes the unlawful processing of personal data.
- As a result, the data controller failed to comply with its obligation "to prevent the unlawful processing of personal data" as part of its obligations regarding data security.
- The data controller received an administrative fine of TRY 900,000.
- The DPA ordered the data controller to delete/destruct the personal data that the data controller unlawfully transferred outside of Turkey, in compliance with the DPL; and to inform the DPA regarding the execution of this order.
The DPA confirmed once more that a cross-border transfer to an "unsafe" country without the explicit consent of the data subject is only possible if one of the legal bases for processing personal data under the DPL exists, the parties sign a commitment letter and obtain the DPA's approval regarding the transfer. Considering that currently the DPA has not yet announced any country as "safe" and does not appear able to conclude the approval procedure within short time periods, the only option left for data controllers in the short term is obtaining explicit consent for cross-border transfers. The DPA recommends that data controllers refrain from relying on consent to the extent possible. Moreover, there are practical and economic concerns and obstacles in daily economic life with respect to implementing a consent mechanism, which may become redundant after a while. In that regard, one might argue that the issues the data controllers face with respect to cross-border transfers will likely continue to take up the time and costs for all parties concerned. In any case, the decision is a significant development as it clarifies the status of the Convention 108 with respect to data privacy requirements by confirming that it does not provide a valid mechanism for cross-border transfer of personal data as an alternative to the mechanisms under the DPL.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.