Turkey

Information On The Draft Regulation On The Procedures And Principles Regarding The Transfer Of Personal Data Abroad

Gen Temizer is a leading independent Turkish law firm located in Istanbul's financial centre. The Firm has an excellent track record of handling cross-border matters for clients and covers the full bandwidth of most complex transactions and litigation with its cross-departmental, multi-disciplinary and diverse team of over 30 lawyers. The Firm is deeply rooted in the local market with over 80 years of combined experience of the name partners while providing the highest global standards of legal services.

Explore

On 12 March 2024, Law No. 6698 on Personal Data Protection ("PDPL") was amended by law focusing on the transfer of personal data abroad.

Turkey Privacy

Data Privacy

On 12 March 2024, Law No. 6698 on Personal Data Protection ("PDPL") was amended by law focusing on the transfer of personal data abroad. On 9 May 2024, the Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad ("Draft Regulation") was opened for public comments until 20 May 2024 by the Personal Data Protection Authority ("Authority").

Recent amendments to the PDPL have stipulated that personal data may be transferred abroad by data controllers and data processors without explicit consent provided there is compliance one of the three following conditions (though condition 3. provides authorisation on an irregular, standalone basis only). The Draft Regulation also includes detailed regulations regarding these three options.

Existence of an Adequacy Decision

According to Article 8 of the Draft Regulation, the Personal Data Protection Board ("Board") may decide that a country, one or more sectors within a country, or an international organisation provides an adequate level of protection. Pursuant to Article 9, the adequacy decision shall be reassessed by the Board at a frequency of at least every four years.

The Board shall take into consideration the following criteria when making an adequacy decision: (i) The level of reciprocity between Turkey and the country, sectors within the country, or international organisations to which personal data will be transferred; (ii) the country's relevant legislation; (iii) the existence of an independent and effective data protection authority in the country or international organisation; (iv) the country's or international organisation's status as a party to or member of international conventions on the protection of personal data, (v) the country's or international organisation's status as a member of global or regional organisations of which Turkey is a member, (vi) international conventions to which Turkey is a party.

Existence of Appropriate Safeguards

In the absence of an adequacy decision regarding the fitness of the transferee country, transfer of personal data abroad may still be possible provided that the following safeguards are met. However, the data subject must also be able to exercise his/her rights and have recourse to effective remedies in the country of transfer.

i. The existence of a non-international agreement between public, international or professional organisations and the Board's authorisation of the transfer.

Pursuant to Article 11, the agreement shall be concluded between the parties to the personal data transfer transaction. The Board shall be consulted during the agreement's negotiation process and the data transfer may be initiated when the Board authorises the agreement. The agreement's provisions must include: (i) the purpose, scope, nature, framework and legal grounds for the transfer of personal data; (ii) definitions of key concepts of the personal data protection; (iii) a commitment to comply with the general principles of personal data protection; (iv) informing data subjects of their rights; (v) a commitment to ensuring data security; (vi) commitment to protection of special categories of personal data in event of transfer; (vii) restrictions on subsequent transfer; (viii) remedies in case of breach; (ix) an audit mechanism for the protection of personal data; (x) arrangements to terminate the data transfer in case of breach; (xi) commitment to return relevant personal data to the data transferor or to destroy it completely.

ii. Binding corporate rules must have been prepared between group companies and approved by the Board.

Pursuant to Article 12, the Board's approval is required for the transfer of personal data abroad based on binding corporate rules. A notarised translation of each foreign language document to be submitted to the Board must be attached to the application. Following the approval of the company rules by the Board, the data transfer may commence.

When approving the corporate rules, the Board is required to pay particular attention to whether the corporate rules: (i) are legally binding and enforceable in respect of each relevant member of the group engaged in joint economic activity; (ii) contain a commitment to the exercise of data subject rights; (iii) contain information on each member of the group, categories of personal data subject to data transfer, and processing activity and purposes.

iii. Existence of a standard contract announced by the Board and notification of the contract to the Board.

Pursuant to Article 14, the standard contract will be determined and announced by the Board and notified to the Authority within 5 business days following signing. The transfer parties may specify who will fulfil the notification obligation. If no determination is made, the standard contract must be notified to the Authority by the data transferor.

iv. Existence of a written undertaking containing provisions ensuring adequate protection and authorisation of the transfer by the Board.

Pursuant to Article 15, an adequate guarantee may be provided by a written undertaking to be concluded between the parties to the transfer. The provisions are the same as those to be included in a non-international agreement (2. (i) above).

Absence of Conditions 1. and 2. (Exceptional Circumstances)

Where the above conditions are not met, the existence of one of the following conditions is required for transfer (however said transfer is not continuous and of standalone nature).

Obtaining explicit consent from the data subject if he/she is informed of the risks.
The transfer constitutes an obligation for the performance of a contract between the data subject and the data controller.
The transfer is mandatory for precontractual measures taken on the request of the data subject.
The transfer is mandatory due to overriding public interest.
The transfer is mandatory for the establishment, exercise, or protection of a right.
The transfer is necessary for the protection of the life or physical integrity of the data subject or of another person who is unable to give consent.
Transfer from a register open to the public or persons with a legitimate interest, provided that the conditions for access to the register are met and the person with a legitimate interest request it.

The transfer under the last point may not include all the data or categories of data contained in the registers. Finally, transfers from registers accessible to persons with a legitimate interest may only take place at the request of persons with said legitimate interest.

The Draft Regulation provides that these changes will take effect as of 1 September 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.