Turkish Data Protection Board rejects Convention 108 as legal basis for cross-border data transfers and imposes another significant fine

The Turkish Personal Data Protection Board (the “Board”) published the summary of a decision assessing the cross-border transfer of personal data on the basis of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). In this decision, the Board assessed the legal impact of Convention 108 on cross-border transfers and confirmed, as it had done in the Amazon decision, that a cross-border data transfer to an “unsafe” country can only be realised if one of the legal grounds for processing of personal data exists, the parties enter into a written undertaking, and the Board’s approval regarding the transfer is obtained.

The decision is notable for the size of the fine once again imposed in relation to the transfer of personal data outside Turkey, and because it brings to an end the discussions regarding Convention 108 as a potential alternative mechanism to the provisions of Law no. 6698 on the Protection of Personal Data (the “Law”) with respect to cross-border data transfers. The circumstances in which the decision came about also underscore the need for companies to have a well-prepared data inventory clearly identifying the legal grounds upon which they process and transfer data, as well as proper internal processes in place to provide a satisfactory legal response to enquiries from the Board and to claims from data subjects.

In this matter, a data subject had applied to the Board in relation to a short message sent by a data controller operating in the automotive industry for advertising/informational purposes, which prompted the Board to ask the data controller for an explanation. In their defence letter, the data controller indicated that the legal ground for the transfer of personal data to the foreign data processor service provider was the legitimate interest of the data controller, but also stated that the explicit consent of the data subjects had been obtained for the transfer of personal data. Since these were contradictory statements regarding the legal ground for the transfer of data abroad, the Board initiated an ex officio investigation and requested detailed information regarding the legal basis for the transfer of personal data outside Turkey.

A summary of the key points of the Board’s decision is set out below.

• Based on the statements made by the data controller, the Board determined that the personal data processed for marketing purposes was transferred based on explicit consent, and the personal data processed for other purposes was transferred on the basis of Convention 108 within the scope of the legitimate interest of the data controller. The Board concluded that the data controller’s transfer of personal data based on Convention 108 failed to comply with the requirements set out under Article 9 of the Law, since the balancing test between the legitimate interest of the data controller and the fundamental rights of the data subjects had not been carried out by the data controller, and the data controller had not applied to the Board for its prior approval after entering into a written undertaking with the relevant service provider to which the transfer is made.
• The Board underscored that a foreign country being a party to Convention 108 was not a sufficient criterion to determine that that country provides an adequate level of protection for the purpose of the Law.
• The Board found that the privacy notice and explicit consent text submitted by the data controller to the data subjects did not clearly indicate the legal reason for the transfer of personal data, and that the language used in the text conveyed the impression that the processing was solely carried out on the basis of the explicit consent of the data subjects.
• For the aforementioned reasons, the Board concluded that the transfer of personal data outside Turkey without complying with the necessary requirements constituted an unlawful processing of personal data, and thus imposed an administrative fine of TL 900,000 (approx. EUR 100,000) on the data controller.
• In addition, the Board ordered the data controller to delete/destruct the personal data that the data controller unlawfully transferred outside Turkey in accordance with Article 7 of the Law, and to inform the Board of the performance of this order.