The Turkish Data Protection Authority recently fined an automotive company for cross-border data transfers to an EU country. The decision addressed the carmaker's arguments on the applicability of Convention 108 and the Authority's assessment of those arguments. The Authority held that a country's being a signatory of Convention 108 is not, on its own, enough to regard it as "safe" for cross-border data transfers.

The Turkish Data Protection Authority (TDPA) recently announced its decision imposing an administrative fine of TRY 900,000 (approx. USD 120,500) on an automotive company (the Data Controller) for its cross-border data transfers. The decision concluded an investigation the TDPA had initiated ex officio after finding the Data Controller's statements about explicit consent to be contradictory. The TDPA mainly questioned the Data Controller about its cross-border data transfers and whether those transfers complied with Turkish data privacy legislation, specifically the Act on the Protection of Personal Data (the Data Protection Act).

Highlights from the Data Controller's defence

  • The Data Controller outsources its SMS marketing services to a foreign company, and personal data of data subjects are transferred abroad as a result. No sensitive data, however, are transferred in this context.
  • Data subjects gave explicit consent to the cross-border data transfer.
  • The transfer does not violate the fundamental rights and freedoms of the data subjects, and it is necessary for the legitimate interests of the Data Controller.
  • The cloud servers to which the data are transferred are located in an EU country that is a signatory of Convention 108.
  • The transfer in question is based on the provisions of Convention 108 that require signatory countries to enable the free flow of personal data. Since the Constitution places international treaties on the same footing as national legislation, the cross-border data transfer should be considered lawful.

The TDPA largely rejected the Data Controller's arguments and set out its own interpretation of the relationship between the Data Protection Act and Convention 108.

Key takeaways from the TDPA's assessment

  • The TDPA observed that the Data Controller based part of its cross-border data transfer on explicit consent and part of it on its legitimate interest and Convention 108. The TDPA stressed, however, that the boundary between the two was unclear, which undermined the explicit consent of the data subjects.
  • The TDPA also noted that the Data Controller failed to provide a balancing test weighing the fundamental rights of the data subjects against the Data Controller's legitimate interest in the cross-border data transfer.
  • The TDPA regarded Convention 108 as a statement of principles rather than a legal text that is directly enforceable in national law. Accordingly, the TDPA held that the Constitution does not require Convention 108 to override the rules of the Data Protection Act.
  • The TDPA stated that simply being a signatory of Convention 108 is not enough for a country to be regarded as providing an adequate level of protection.
  • The TDPA stated that it has yet to announce the list of countries with an adequate level of protection; hence, under the Data Protection Act there are currently only two ways to transfer personal data abroad: (i) explicit consent of the data subject, or (ii) a commitment application approved by the TDPA.
  • Since the Data Controller's explicit consent document did not meet the standards of the Data Protection Act, and no commitment application had been submitted for approval, the TDPA found the cross-border data transfer in question unlawful.
  • The TDPA also found irregularities in the Data Controller's privacy notices.

On the basis of these findings, the TDPA ordered the transferred data to be destroyed immediately and imposed an administrative fine of TRY 900,000 (approx. USD 120,500) on the carmaker.

No list of "safe" countries yet

The TDPA has not yet published the list of countries with an adequate level of protection, which narrows data controllers' options for transferring data abroad. To transfer personal data abroad, a data controller must either obtain the explicit consent of the data subject or apply to the TDPA with a commitment. In practice, however, data controllers are left with only the explicit consent option, since the TDPA has yet to approve any commitment application. The TDPA's approach to cross-border data transfers has been criticized as a form of de facto data localization, because the TDPA has repeatedly found the explicit consents used by data controllers to fall short of its standards.

It is worth mentioning that the TDPA based its legal assessment on the Explanatory Note to Convention 108. The TDPA also referred to the influence of Convention 108 on Directive 95/46/EC and the GDPR. To maintain the level of compliance the TDPA expects, data controllers should keep up to date with the supplementary materials of international treaties and with the EU rules on data privacy, since the TDPA frequently draws on these sources in its decisions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.