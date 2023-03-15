CURATED

To print this article, all you need is to be registered or login on Mondaq.com.

INTRODUCTION

While prior to the entry into force of the GDPR the transfer of personal data to third countries through so-called SCCs under Directive 95/46 was handled differently within the Union, the GDPR has largely harmonized this mechanism. Particularly noteworthy in this context is that an SCC no longer needs to be confirmed by a national authority. In other words, the mere signing of the document by the parties is sufficient to legitimize a foreign transfer of personal data.

However, this should not be understood to mean that merely signing the relevant documents is sufficient for a lawful transfer of personal data to third countries through SCCs. Rather, the ECJ explicitly clarified in its "Schrems-II" decision that a so-called transfer impact assessment must be carried out. In this context, special attention is paid to the legal as well as factual access possibilities of governmental authorities to the data in private hands, thus in particular to the importers.

It is aimed to give a brief overview of these access possibilities of state authorities to personal data. This is also intended to explain the key points that need to be considered in a transfer impact assessment in connection with a data transfer in Turkey.

LEGAL BACKGROUND AND PRACTICE

1-Exemptions from the Turkish Data Protection Law

Art. 28 of the Turkish Data Protection Law contains important exceptions to the scope of application. Some of these exceptions are directly related to the access rights of state authorities to personal data, as in these cases the law does not apply. These cases are the (i) processing of personal data for statistical purposes, (ii) processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned by law to maintain national defense, national security, public security, public order or economic security and (iii) processing of personal data by judicial authorities or execution authorities with regard to investigation, prosecution, judicial or execution proceedings.

As can be seen, there is no equivalent to the Law Enforcement Directive (2016/680 EU) in Turkish Law. However, the exemption provisions should not be understood as if the aforementioned activities do not require a legal basis at all. Rather, the special provisions like the Turkish Criminal Procedure Code apply in these cases.

In the case of the relative exemptions, on the other hand, the controller is exempt from the obligations under Art. 10 (data controller's obligation to inform), Art. 11 (rights of the data subject, excluding the right to claim compensation) and Art. 16 (obligation to register with the Data Controllers' Registry). These cases are that the processing of personal data is (i) necessary for the prevention of committing a crime or for crime investigation, (ii) carried out on the data which are made public by the data subject himself/herself, (iii) necessary for performance of supervision or regulatory duties and disciplinary investigation and prosecution to be carried out by the assigned and authorized public institutions and organizations and by public professional organizations, in accordance with the power conferred on them by the law and (iv) personal data processing is necessary for protection of economic and financial interests of State related to budget, tax and financial matters.

2- Regulative Authorities

Another case group of access rights concerns regulative authorities. The most important of these authorities are: Information Technology Authority ('ITA'), Personal Data Protection Authority, Competition Authority, Banking Regulation and Supervision Agency, Capital Markets Authority.

What these regulations have in common is that they limit the data access rights to the activities of the respective authorities that are assigned to them by law. In other words, the authorities can only request and process data within the scope of the tasks assigned to them by law. What is inconsistent, on the other hand, is the scope and the possibility of taking legal action against such an instruction. While the ITA in particular can connect to information technology systems for cybersecurity purposes and thus interface with the system, other agencies' access is limited only to what is presented to them. The data subject always has recourse to general administrative law, but this is not always promising, particularly with regard to immediate legal protection. In certain regulations, on the other hand, the affected person can file an immediate complaint on the spot. The efficiency of the legal process must therefore be reviewed on a case-by-case basis.

3- Intelligence Services and other Authorities

Although being exempted from the Data Protection Law, there are very important decisions of the Turkish Constitutional Court regarding data access rights of these authorities. The Constitutional Court has, for example, deemed the powers of the Turkish Intelligence Service to be appropriate and thus constitutional, while an online search power of the police was declared unconstitutional, as a violation of the principle of proportionality was assumed.

While there are numerous other authorities that are granted data access rights by law, the Presidential Communications Authority is especially worth mentioning. This Authority is entitled to require any information from legal entities and individuals in order to carry out its duties. This power was also the subject of a procedure before the Constitutional Court. However, the court declared the provision constitutional on the grounds that the power of the Authority did not include access to personal data.

CONCLUSION

In conclusion, the principle of proportionality is an essential component of Turkish constitutional and administrative law. On the other hand, there is no uniform line regarding the exercise of data access powers. Therefore, it must be examined on a case-by-case basis which authority is asserting a data access claim and whether this claim complies with the principle of proportionality. The case law of the Constitutional Court in this regard is also not always uniform, especially when it comes to security policy issues

In addition, it should also be noted that Turkish law is very dynamic, especially with regard to secondary legislation. It is therefore not possible to draw a definitive conclusion based on the primary legislative framework. Rather, the specifics of sector-specific legislation must always be taken into account. There is a fragmented legal framework which is not free from contradictory practices. It is therefore very important to consider the specifics of each transfer and to always keep an eye on the current state of the legislation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.