ARTICLE
2 September 2024

Cross-Border Data Transfer; Why Your Inbox May Be Flooded With Standard Contract Requests From Turkey?

CL
Canpolat Legal

Contributor

Canpolat Legal logo
Canpolat Legal is a tech-savvy specialist law firm with an agile mindset, located in Istanbul. Canpolat Legal, which has been ranked by Chambers&Partners and World Trademark Review, especially take pride in dealing with complex Fintech and IP matters, and also legal issues of emerging technologies.
Explore Firm Details
In recent times, companies engaged in data exchanges with Turkish entities — whether as group companies, technical providers, or customers — are likely finding their inboxes filled with requests...
Turkey Privacy
Photo of Yasar K. Canpolat
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

In recent times, companies engaged in data exchanges with Turkish entities — whether as group companies, technical providers, or customers — are likely finding their inboxes filled with requests to sign Turkish Standart Contracts ("Turkish SCs") which are largely modeled after Standard Contractual Clauses ("SCC") of the European Union ("EU").

This surge is linked to recent legal changes in Turkey, aligning its cross-border data transfer mechanisms with the EU'S General Data Protection Regulation (GDPR).As a result, the landscape for cross-border data transfers involving Turkish businesses has changed significantly.

1509964.jpg

Understanding the Recent Legal Changes in Turkey

On March 12, 2024, significant amendments to Turkey's Data Protection Law were published in the Official Gazette. These changes primarily affect cross-border data transfers, replacing the previous requirement for explicit consent with a new framework.

This framework now emphasizes an "adequacy decision," the implementation of "appropriate safeguards," and "occasional transfers" as the main avenues for legally transferring personal data abroad.

One of the most critical safeguards introduced is the requirement for data exporters and data importers to sign a Standard Contract, namely SC.

While Binding Corporate Rules (BCRs) or providing a Written Commitment are also recognized as appropriate safeguards, they are less commonly preferred due to the necessity of obtaining approval from the Data Protection Authority. This additional approval process makes Standard Contracts the more practical and expedient option for ensuring compliance with the new regulations.

Following these amendments, the Regulation on The Procedures and Principles for Cross-Border Transfers of Personal Data ("Regulation") was published and became effective on July 10, 2024.

Along with this, the Turkish Data Protection Authority (DPA) released four specific SC modules to be used for different types of data transfer relationships, including Data Controller-Data Controller, Data Controller-Data Processor, Data Processor-Data Processor, and Data Processor-Data Controller.

What Does This Mean for Data Exporters and Importers?

Given these legal changes, data controllers in Turkey are now working diligently to ensure that their cross-border data transfer processes comply with the new regulations. This involves mapping out data flows and contacting data importers — who are based outside of Turkey — to formalize these transfers under the newly required SCs.

It's crucial to note that the previous mechanism for transferring personal data abroad based on explicit consent will become invalid after September 1, 2024. This deadline has created urgency among Turkish data controllers to secure compliance before the transition, which explains the sudden influx of SC requests.

Key Considerations for International Data Exporters and Importers

While Turkish SCs are largely modeled after the EU's standard contractual clauses, there are several critical differences that data exporters and importers need to be aware of:

  1. Non-modifiability of SCs: Under Turkish regulations, the SCs published by the DPA cannot be altered. Any changes could trigger a review by the DPA, potentially rendering the contract invalid and jeopardizing the legality of the data transfer.
  2. No Multi-Party Signatures: Unlike in the EU, Turkish SCCs cannot be signed by multiple parties. The contract must be signed exclusively between the data exporter and the data importer, meaning multiparty agreements common in the EU are not applicable.
  3. Absence of a Docking Clause: Turkish SCs do not include a docking clause, which means that additional parties cannot be added to the contract at a later date. This limits the flexibility that is often found in EU data transfer agreements.
  4. Language Requirements: Currently, Turkish SCs are only available in Turkish and they have to be signed in Turkish. Although the Turkish Data Protection Authority (DPA) is expected to release an official English version in the future, the Turkish version will take precedence.
  5. Signature Requirements: Turkish SCs must be signed with either a wet ink signature or a secure electronic signature. Electronic signatures commonly used in the EU, such as those via DocuSign, are not yet accepted, potentially causing operational challenges.
  6. Notification Obligations:  Unlike in the EU, where SCCs do not require reporting to the authorities, in Turkey, SCCs must be submitted to the Data Protection Authority (DPA) within five business days of signing. This submission must be accompanied by supporting documents, including proof of signatory authority, as well as apostilled and notarized translations of these documents. Compliance with this requirement is crucial to ensure the validity of the data transfer under Turkish law.

What Should Global Companies and Data Importers Do?

Turkey's new cross-border data transfer regime is undoubtedly a step forward in aligning with GDPR, making data transfer processes more robust and legally sound. However, the practical application of these regulations, including potential flexibilities, will become clearer with future guidelines from the Turkish DPA.

It is essential for global companies with subsidiaries in Turkey, as well as international data importers, to closely monitor these developments. Ensuring that all details of the data transfer, including the signing of SCs and any necessary appendices, are handled in compliance with the new regulations will be crucial in avoiding potential legal risks.

Even though the DPA will not ex officio examine the content of the SCs, failure to comply with the aforementioned requirements could lead to the DPA, during a potential investigation triggered by a complaint, declaring the SC invalid. This would result in the data transfer being deemed illegal. This underscores the critical importance of meticulous adherence to the new standards, ensuring that both data exporters and importers remain within the bounds of the law.

Conclusion

As Turkey continues to refine its data protection framework, it is imperative for international companies involved in cross-border data transfers with Turkish entities to stay informed and proactive.

By understanding and complying with the new SCs requirements, businesses can avoid potential legal pitfalls and ensure the seamless continuation of their data flows with Turkey.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Yasar K. Canpolat
Yasar K. Canpolat
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More