New Regulation On Cross-Border Data Transfer Has Been Published

Ozdirekcan Dundar Senocak Ak Avukatlik Ortakligi

Contributor

A full-service law firm based in Istanbul, acting in professional association with Gide Loyrette Nouel.

In line with the recent amendments made to the Law No 6698 on the Protection of Personal Data (the "Law") aiming to harmonize the Law with GDPR standards, the Regulation on the Procedures and Principles regarding the Cross-border Transfer of Personal Data (the "Regulation") has been published in the Official Gazette dated 10.07.2024 and numbered 32598. This harmonization is essential for ensuring that data protection practices in Türkiye meet international standards, thereby facilitating smoother cross-border data transfers and enhancing the protection of personal data. The Regulation mainly sets out the procedures and principles for implementing the amendments[1] made to Article 9 of the Law for cross-border data transfers.

It should be noted that the Regulation, which the Personal Data Protection Authority (the "DPA") shared as a draft on 09.05.2024 and opened for comments until 20.05.2024, has been published with substantially the same content as the draft version. The new matters introduced and regulated by the Regulation are summarised below.

NEW TERMS AND THEIR DEFINITIONS

The Regulation introduces definitions for the key terms within the scope of cross-border data transfers as follows:

Cross-border Personal Data Transfer

  • Refers to the transfer of personal data by a data controller or data processor within the scope of Law No. 6698 to a data controller or data processor located abroad or making it accessible by any other means.

Data Exporter

  • Refers to the data controller or data processor who transfers personal data abroad.

Data Importer

  • Refers to the data controller or data processor abroad who receives personal data from the data exporter.

EXPLANATION OF SIGNIFICANT PROVISIONS

The Regulation explains the adequacy decision, the safeguards required in the absence of an adequacy decision, and the exceptional transfer procedures introduced/regulated by the amendment of Article 9 of the Law.

  • Adequacy decision: Within the framework of the amendment to the Law, it has been stipulated that an adequacy decision can be made not only for a country, but also for one or more sectors within a country or an international organization. Articles 8 and 9 of the Regulation determine the principles to be taken into account by the DPA when rendering an adequacy decision and the procedures regarding the review and re-evaluation of the adequacy decision.
  • Safeguards-based transfers: The Law now allows for appropriate safeguards to be established for cross-border transfers between public authorities or professional organizations in Türkiye and their corresponding public authorities or international organizations abroad, based on an agreement signed between the relevant correspondent authorities. Article 11 of the Regulation sets out the minimum requirements for agreements to be concluded between the transfer parties. To transfer personal data outside Türkiye under such agreements, the relevant public authority or professional organization in Türkiye must also apply to the Board for permission.
  • Binding corporate rules: Articles 12 and 13 of the Regulation detail the procedures to be followed for cross-border data transfers through binding corporate rules and the necessary conditions to be fulfilled. In this respect, it is stated that to transfer personal data abroad based on binding corporate rules:
      • An application for approval must be made to the DPA,
      • A notarized translation of each document in a foreign language submitted in the application regarding the binding corporate rules must be attached to the application,
      • In case the text of the binding corporate rules is also issued in a foreign language, the Turkish version will be taken as the basis.

On 10.07.2024, the DPA published on its website the application forms for binding corporate rules and guidelines on the necessary conditions to be included in binding corporate rules. It must be noted that even before the amendment of the Law this mechanism had already been put in place by the DPA through its decision dated 10 April 2020 for data transfers between companies within a group of undertakings engaged in economic activities (i.e. between multinational group companies). However, no "Binding Corporate Rules" have been approved by the Board yet, and the DPA was criticized on that matter because the approval process was taking a long time and putting a heavy burden on the companies, as binding corporate rules require extensive research and examination by the DPA.

  • Standard contractual clauses: Article 14 of the Regulation explains the details of data transfer through the standard contractual clauses, which are determined and published by the DPA. The standard contracts include provisions on general terms, obligations of the parties, obligations in case of access by national law and public authorities, and miscellaneous matters such as termination, applicable law, and the determination of the competent court. It should be noted that the approval of the DPA is not required for a transfer to be made in this way. Pursuant to the relevant article, it is stipulated that:
      • It is obligatory to use the standard contract text without any modification.
      • In case the standard contract is concluded in a foreign language, the Turkish text shall be taken as the basis.
      • The standard contract shall be notified to the Authority physically, via a registered electronic mail (REM) address, or by other methods determined by the DPA within 5 business days following the completion of the signatures. The transfer parties may determine in the standard contract who will fulfil the notification obligation. If no determination is made in this regard, the standard contract shall be notified to the DPA by the data exporter.
      • Documents certifying that the signatories of the standard contract are authorized, and a notarized translation of each foreign language document, shall be attached to the notification.
      • In case of any change in the content of the standard contract or termination of the standard contract, the DPA shall be notified.

On 10.07.2024, the DPA published the 4 templates of the standard contracts on its website to be used for cross-border transfers from data controllers to data controllers, data controllers to data processors, data processors to data controllers, and data processors to data processors.

  • Written Undertaking: This method was already stipulated under the Law before the amendment and applied by a limited number of data controllers in practice. Article 15 of the Regulation sets out the conditions for a transfer to be made with a written undertaking containing provisions to ensure adequate protection and the authorization of the DPA. We can note that recently we have seen an increase in the number of approvals granted by the DPA to written undertakings and also a shortening of the period.
  • Exceptional Transfer Procedures: Article 16 of the Regulation describes the exceptional transfer procedures, including explicit consent of the data subject. It is stipulated that in the absence of the aforementioned safeguards and an adequacy decision, only incidental data transfers can be made under the specified conditions. To that end, the term "incidental data transfer" is defined as transfers that are not regular, are realized only once or a few times, are not continuous and are not in the ordinary course of business.
  • Finally, Article 17 of the Regulation states that the DPA is authorized to decide on issues that are not covered in the Regulation or that may cause doubt.

CONCLUSIONS AND RECOMMENDATIONS

To date, due to the limited number of transfers permitted by the Board, it is well-known that in practice nearly all data controllers transferring data abroad have relied, and continue to rely, on explicit consent. However, since explicit consent will only be a valid legal ground for exceptional cases starting from 1 September 2024, it is crucial for data controllers and processors to promptly begin adjusting their procedures to comply with the new requirements. We strongly advise that data controllers and data processors promptly begin preparations to ensure compliance with the requirements for cross-border data transfers by 1 September 2024.

As part of these preparations, companies should establish appropriate safeguards for cross-border data transfers, including standard contractual clauses or binding corporate rules. It is inevitable that certain modifications will be required in the administrative procedures of data controllers, as well as in the existing privacy notices and consent forms. By taking these steps, companies can ensure they are well-prepared to meet the new regulatory requirements and avoid potential penalties.

Footnote

1. Please see our client alert on this matter: https://www.odsavukatlik.com/sites/www.odsavukatlik.com/files/odsa_-_client_alert_-_amendment_of_turkish_data_protection_law_-_en_-_20032024.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
