Regulation on the Procedures and Principles for Transferring Personal Data Abroad in Turkey
The “Regulation on the Procedures and Principles for Transferring Personal Data Abroad” (“Regulation”) in Turkey was published in the Official Gazette No. 32598 on July 10, 2024, and has come into effect.
Procedures and Principles for Transferring Data Abroad
Adequacy Decisions
According to Article 6, paragraph 1 of the Regulation, in order to transfer data abroad, it is a prerequisite to have an adequacy decision regarding the country, international organization, or sectors within the country to which the transfer will be made. An adequacy decision is issued by the Personal Data Protection Board (“Board”) and signifies that a country, one or more sectors within a country, or an international organization provides an adequate level of protection.
It should be noted that adequacy decisions will be reassessed by the Board every four years. The periods for reassessment will be specified in the relevant adequacy decision issued by the Board, and the Board may review the adequacy at any time regardless of the specified periods. If it is determined that the relevant country, one or more sectors within the country, or the international organization does not provide an adequate level of protection, the Board may amend, suspend, or revoke the adequacy decision with prospective effect. Turkish Regulations on International Data Transfers
Establishing Appropriate Safeguards for Data Transfers
In the absence of an adequacy decision, if there is no adequacy decision for the country, international organization, or sectors within the country to which the data transfer will be made, one of the appropriate safeguards regulated in Article 10 of the Regulation must be established between the parties involved in the data transfer. According to the Regulation, appropriate safeguards can be:
- Agreements that are not international treaties (to be signed between public institutions, organizations, professional organizations, and international organizations in Turkey and abroad)
- Binding Corporate Rules (BCR)
- Standard Contractual Clauses (SCC)
- Declarations of Commitment
The methods for establishing these appropriate safeguards and the procedures and principles are detailed in Articles 11 to 15 of the Regulation.
Providing Appropriate Safeguards through Non-International Agreements
According to Article 11 of the Regulation, if appropriate safeguards are provided through an agreement that is not an international treaty, the agreement will be signed by the parties involved in the personal data transfer. During the negotiation process of the agreement, the opinion of the Board will be sought. After the agreement is made, the data exporter must apply to the Board for permission to transfer the personal data abroad. The final text of the agreement and other necessary information and documents for the Board’s assessment will be submitted to the Board. Personal data transfer will commence following the Board’s approval.
Binding Corporate Rules
According to Article 12 of the Regulation, if appropriate safeguards are provided through Binding Corporate Rules, an approval application must be submitted to the Board for the transfer of personal data abroad.
Standard Contractual Clauses
According to Article 14 of the Regulation, if appropriate safeguards are provided through standard contractual clauses, these clauses, determined by the Board, will include details such as the categories of data, the purposes of the data transfer, the recipients and groups of recipients, the technical and administrative measures to be taken by the data recipient, and additional measures for sensitive personal data. No changes will be made to the standard contractual clauses, and they will be applied as determined by the Board. Following the signing process by the parties, the standard contractual clauses will be physically or electronically submitted to the Board within five business days.
Declarations of Commitment
According to Article 15 of the Regulation, if appropriate safeguards are provided through a declaration of commitment, the parties involved in the data transfer will sign a written declaration. This declaration must include provisions for the protection of personal data as outlined in paragraph 2 of the article. An application for permission to transfer personal data abroad will be submitted to the Board along with the declaration and other necessary information and documents. The transfer will commence following the Board’s approval.
Exceptional Circumstances
According to Article 6, paragraph 2 of the Regulation, in the absence of an adequacy decision and the appropriate safeguards listed above, personal data may be transferred abroad in exceptional cases outlined in Article 16 of the Regulation. These exceptional cases, applicable only in incidental situations, are as follows:
- The data subject has given explicit consent to the transfer, having been informed about potential risks.
- The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject’s request.
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person.
- The transfer is necessary for an overriding public interest.
- The transfer is necessary for the establishment, exercise, or defense of legal claims.
- The transfer is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.
- The transfer is made from a register that is open to public access or to any person who can demonstrate a legitimate interest, provided that the conditions for accessing the register are met according to applicable laws.
It should be noted that, according to Article 7 of the Regulation, if personal data is transferred abroad by a data processor, the data processor must act on behalf of and in accordance with the instructions of the data controller, within the scope and purpose determined by the data controller. The transfer of personal data by the data processor does not relieve the data controller of the responsibility to comply with the procedures and principles set forth in the Law and this Regulation and to ensure the appropriate safeguards. Therefore, the data controller is obligated to ensure that technical and administrative measures are taken by the data processor.
Finally, according to Article 17 of the Regulation, the Board is authorized to resolve any uncertainties that may arise during the implementation of the Regulation and to make decisions on matters not covered by the Regulation in accordance with relevant legal provisions.
Documents Related to Standard Contractual Clauses and Binding Corporate Rules
As part of the changes, “standard contractual clauses” and “binding corporate rules” have been envisaged as methods for providing appropriate safeguards for personal data transfers abroad by data controllers and data processors. On July 10, 2024, the Personal Data Protection Authority also published the “Announcement on Documents Related to Standard Contractual Clauses and Binding Corporate Rules” to be used by parties involved in data transfers.
You can access the relevant issue of the Official Gazette from here.
As CCS Law, we are here to assist with all your data protection and international data transfer needs. Contact us for tailored legal solutions and expert advice.
Disclaimer: This article is intended for informational purposes only and does not constitute legal advice.