The amendments to Turkish Law No. 6698 on the Protection of Personal Data (DPL), which entered into force on 1 June 2024, provide for a complete overhaul of the legal basis to transfer data abroad.

The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, which was issued by the Turkish Data Protection Authority (DPA) on 10 July 2024 and entered into force on the same day, aims to clarify the procedures and principles for the implementation of Article 9 of the DPL with regard to cross-border data transfers, in particular those based on appropriate safeguards.

Pursuant to the amendments to the DPL, cross-border data transfers would now be possible in one of the following cases: (i) where the DPA has issued an adequacy decision; (ii) where one of the appropriate safeguards is in place; or (iii) in other exceptional cases. Pursuant to the Regulation, personal data can be transferred outside Türkiye by the data controller and data processor only in accordance with the procedures and principles specified in the DPL and the Regulation.

Adequacy decision. The DPL provides that where an exception to consent applies (e.g. the transfer is necessary to comply with a legal obligation or pursue a legitimate interest), personal data can be transferred abroad in the presence of an adequacy decision taken by the DPA with respect to a specific country, international organisation or sector. The Regulation reiterates the necessary considerations for adoption of an adequacy decision set forth in the DPL.

Like the DPL, the Regulation provides that the DPA may seek the opinion of relevant institutions and organisations if needed during its assessment related to the adequacy decision, and that the adequacy decisions made by the DPA will be published in the Official Gazette and on the DPA’s website. The Regulation also provides that the DPA is authorised to determine additional criteria required for an adequacy decision to be obtained. The DPA has not published any adequacy decision or determined any additional criterion to date.

The adequacy decision will be reassessed at least every four years. The Regulation specifies that the reassessment periods will be clearly defined in the adequacy decision. Furthermore, the DPA is entitled to amend, suspend, or revoke the decision for the future if it determines, whether as a result of the reassessment or independently of the reassessment period, that the relevant country, one or more sectors within that country, or an international organisation does not provide an adequate level of protection. Such decisions will also be published in the Official Gazette and on the DPA’s website.

Appropriate safeguards. Where one of the exceptions to consent applies, the DPL contemplates that personal data can be transferred outside Türkiye if one of the listed appropriate safeguards is put in place, on the condition that the data subject has the opportunity to exercise their rights and apply for effective legal remedies in the country where the transfer will be made.

The Regulation reiterates what these appropriate safeguards are, as stated in the DPL, and provides further details on the relevant processes:

  • Agreements between foreign and Turkish public institutions. Appropriate safeguards can be provided through provisions for the protection of personal data included in agreements that are not of an international treaty nature. These agreements can be made between public institutions and organisations in Türkiye, professional organisations with public institution status, and public institutions and organisations or international organisations in foreign countries.

    The agreement must be concluded between the parties involved in the personal data transfer and the DPA’s opinion will be sought during the negotiation process. The agreement must include certain mandatory items such as the purpose, scope, nature and legal ground for the data transfer. To transfer personal data abroad based on the agreement, the data exporter must apply to the DPA for permission. The final version of the agreement and other necessary information and documents for the DPA’s evaluation must be submitted as part of the application. The personal data transfer can start once the authorisation is granted by the DPA.

  • Binding corporate rules. Appropriate safeguards can be provided through binding corporate rules (BCRs) for the protection of personal data, to which companies engaged in joint economic activities within an enterprise group must adhere. To transfer personal data abroad based on BCRs, an application for approval must be submitted to the DPA.

    As part of the application, the text of the BCRs and other necessary information and documents should be submitted for the DPA’s evaluation. A notarised translation must be included for each document submitted in a foreign language. If the BCRs are drafted in a foreign language, the Turkish version will prevail.

    The factors to be considered by the DPA for the approval of the BCRs and the minimum contents that must be included in the BCRs are specified under the Regulation. These include the organisational structure and contact details of each member of the enterprise group engaged in joint economic activities, categories of personal data, processing activities and purposes, groups of data subjects, and countries to which transfers will be made under the BCRs.

    The application form for the BCRs for data controllers and data processors and additional guidelines on key issues were published on the DPA’s website on 10 July 2024.

  • Standard contractual clauses. Appropriate safeguards can be ensured through standard contractual clauses (SCCs) that include elements such as data categories, purposes of data transfers, recipients and recipient groups, technical and organisational measures to be taken by the data recipient, and additional measures for sensitive personal data. The SCCs to be used for the transfer of personal data abroad between data controllers and data processors were published on the DPA’s website on 10 July 2024. The SCCs published by the DPA must be used without any modifications. If the SCCs are also executed in a foreign language, the Turkish version will prevail.

    The SCCs should be concluded between the parties involved in the transfer of personal data. The SCCs must be notified to the DPA within five business days from the completion of signatures, either in person, through registered electronic mail (KEP) or by other methods specified by the DPA. The parties to the transfer may determine who will fulfil the notification obligation in the SCCs and if no determination is made in this regard, the data exporter must notify the DPA. The notification should include documents evidencing the powers of the signatories to the SCCs and notarised translations of all documents established in a foreign language.

    If any changes are made to the SCCs announced by the DPA or if one or both parties to the SCCs do not have valid signatures, the DPA will conduct an examination in accordance with the DPL. A further notification must be made to the DPA in case of any change in the parties to the SCCs or the information and statements provided, or if the SCCs are terminated.

  • Undertakings. Appropriate safeguards can be ensured through written undertakings to be concluded between the parties involved in the transfer, which include provisions for the protection of personal data. In this option, the personal data transfer can be started once the authorisation is granted by the DPA.

    The Regulation details the matters to be included in the undertaking. These include the purpose, scope, nature, and legal basis of the personal data transfer, definitions of fundamental concepts in accordance with the DPL and relevant legislation, restrictions on subsequent transfers of personal data, and methods for the data subject to seek remedies in case of breach of the undertaking.

    The application for approval by the DPA must include the undertaking letter and other necessary information and documents for the DPA’s evaluation. If the undertaking is also executed in a foreign language, the Turkish version will prevail.

Exceptional cases. Under the DPL, where there is no adequacy decision and none of the appropriate safeguards is available, personal data can be transferred abroad in the following exceptional cases, provided that the transfer remains occasional:

  • the data subject has given explicit consent to the transfer, provided that they have been informed of the possible risks;
  • the transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject;
  • the transfer is mandatory for the conclusion or performance of a contract between the controller and another natural or legal person for the benefit of the data subject;
  • the transfer is mandatory for an overriding public interest;
  • the transfer is mandatory for the establishment, exercise or protection of a right;
  • the transfer is mandatory for the protection of the life or physical integrity of the data subject or another person who is unable to give consent or whose consent is not legally valid; or
  • the transfer is made from a registry open to the public or to persons with a legitimate interest, at the request of the person with a legitimate interest and provided that the legal conditions for access to the registry are met.

The Regulation clarifies that for a transfer to be considered occasional, it should not be regular, should occur only once or a few times, should not be continuous and should not be realised in the ordinary course of business.

In relation to transfers from a registry open to the public, the Regulation specifies that the transfer cannot include all personal data or categories of personal data included in the records, and transfers from records accessible to individuals with a legitimate interest can only be made to these individuals or upon their request.

On a separate note, in case personal data is transferred by the data processor, the latter must comply with the instructions of the data controller. However, if the data processor is required to notify the SCCs to the DPA, it can do so without the need for instructions from the data controller. The transfer of personal data abroad by a data processor does not relieve the data controller of their responsibility to comply with the procedures and safeguards under the DPL and the Regulation. The data controller is responsible for ensuring that adequate technical and organisational measures are taken by the data processor.

The DPA is entitled to further clarify certain aspects of the Regulation and to make decisions on matters not covered by the Regulation within the framework of the relevant legislation. Therefore, further guidance through the decisions of the DPA will likely be required in practice in order to apply the new rules.

Please do not hesitate to contact us for any further information on this briefing.


Legal Information

This briefing is for information purposes; it is not legal advice. If you have questions, please call us. All rights reserved.