The protection of personal data is becoming increasingly important today. With the advancement of technology and the rise of international trade and digitalization, the transfer of personal data abroad has become widespread. Law No. 7499 on Amendments to the Criminal Procedure Law and Some Other Laws, referred to as the 8th Judicial Package, was published in the Official Gazette on March 12, 2024. It introduced changes related to the transfer of personal data abroad and provided that the details would be set out in a regulation. The regulation discussed here was issued on the basis of that law.

The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, envisaged by the law amendment, was published in the Official Gazette on July 10, 2024, and came into effect. The regulation sets out the procedures and principles for the transfer of personal data abroad and applies to data controllers and data processors involved in such transfers. This article discusses the new rules introduced by the regulation and their implications.

Definitions

The regulation has introduced definitions for data exporter and data importer that are not included in the law. According to these definitions, a data exporter refers to the data controller or processor that transfers personal data abroad, while a data importer refers to the data controller or processor abroad that receives personal data from the data exporter.

Additionally, the regulation defines the transfer of personal data abroad. Under this definition, the transfer of personal data abroad means that a data controller or processor subject to the Personal Data Protection Law transmits personal data to a data controller or processor abroad, or otherwise makes it accessible to them. Therefore, in addition to the specific sending of personal data, uploading it to a system and enabling access to this system from abroad is also considered a transfer of personal data.

Transfer of Personal Data Abroad

Personal data can only be transferred abroad by the data controller and processor in accordance with the procedures and principles stipulated by law. When personal data is transferred by a data processor, it is also mandatory to comply with the instructions of the data controller. At this point, it is worth noting that the data controller is the natural or legal person responsible for determining the purposes and means of processing personal data and establishing and managing the data recording system within the scope of the law and regulation. These rules apply not only to the initial transfer but also to subsequent transfers of personal data and transfers to international organizations. Therefore, if data is to be transferred abroad, these procedures and principles must be followed, and actions should be taken accordingly in the specific case.

Procedures for the Transfer of Personal Data Abroad

For personal data to be transferred abroad, one of the conditions for processing personal data stipulated in Articles 5 and 6 of the law must be met. In addition, personal data can only be transferred abroad if there is an adequacy decision, appropriate safeguards, or exceptional cases. Furthermore, if Turkey’s or the relevant person’s interests would be severely harmed, personal data can only be transferred abroad with the permission of the Board, taking into account the opinion of the relevant public institution or organization.

Transfers Based on Adequacy Decision

An adequacy decision is issued by the Personal Data Protection Board and published in the Official Gazette and on the Institution’s website. The Board may decide that a country, one or more sectors within the country, or an international organization provides an adequate level of protection for the transfer of personal data abroad. When issuing an adequacy decision, the Board will primarily consider the following issues and may define additional criteria if necessary:

a) The reciprocity status regarding personal data transfer between Turkey and the country, sectors within the country, or international organizations to which personal data will be transferred.

b) The legislation and practices of the country to which personal data will be transferred and the rules to which the international organization is subject.

c) The existence of an independent and effective data protection authority in the country to which personal data will be transferred or the international organization and the availability of administrative and judicial remedies.

d) The status of the country to which personal data will be transferred or the international organization being a party to international agreements on data protection or a member of international organizations.

e) The status of the country to which personal data will be transferred or the international organization being a member of global or regional organizations to which Turkey is a member.

f) International agreements to which Turkey is a party.

The re-evaluation period is stated explicitly in the adequacy decision and is at most four years. This period is not absolute, and the Board may make changes to the adequacy decision before the end of this period if deemed necessary. Changes include suspending or revoking the adequacy decision. In such a case, decisions regarding changes are also published in the Official Gazette and on the Institution’s website. If the Board determines, as a result of re-evaluation, that the relevant country, one or more sectors within the country, or the international organization does not provide an adequate level of protection, it may change, suspend, or revoke its decision, with prospective effect.

Transfers Based on Appropriate Safeguards

In the absence of an adequacy decision, personal data can be transferred abroad only if one of the conditions specified in Articles 5 and 6 of the Law is met, the data subject has the opportunity to exercise their rights in the country where the transfer is made, and one of the following appropriate safeguards is provided by the transfer parties:

  • The existence of an agreement, which is not an international treaty, between public institutions and organizations or professional organizations with public institution status in Turkey and public institutions and organizations or international organizations abroad, and the Board’s permission for the transfer.
  • The existence of binding corporate rules that companies within the same corporate group engaged in joint economic activities are obliged to comply with regarding personal data protection and approved by the Board.
  • The existence of a standard contract that includes matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data, published by the Board.
  • The existence of a written undertaking containing provisions ensuring adequate protection and the Board’s permission for the transfer.

Ensuring Appropriate Safeguards through Non-International Treaty Agreements

Appropriate safeguards can be provided for personal data transfers to be made between public institutions and organizations or professional organizations with public institution status in Turkey and public institutions and organizations or international organizations abroad through provisions regarding personal data protection included in non-international treaty agreements. The agreement is made between the parties involved in the personal data transfer.

For personal data to be transferred abroad based on the agreement, the data exporter must apply to the Board for permission. The personal data transfer can begin after the Board grants permission.

Ensuring Appropriate Safeguards through Binding Corporate Rules

Appropriate safeguards can be provided through binding corporate rules that companies within the same corporate group engaged in joint economic activities are obliged to comply with regarding personal data protection. For personal data to be transferred abroad based on binding corporate rules, the company must apply to the Board for approval, and the transfer can begin after approval. If the binding corporate rules document is prepared in a foreign language, the Turkish version takes precedence.

Ensuring Appropriate Safeguards through Standard Contracts

Standard contracts are another means of providing the appropriate safeguards required for the transfer of personal data abroad. Standard contracts are determined by the Board and published on the Board’s website. Therefore, it is mandatory to use the standard contract text without any changes.

If the standard contract is made in a foreign language, the Turkish version takes precedence. The standard contract is made between the parties involved in the personal data transfer. The standard contract is physically or electronically submitted to the Institution within five working days from the completion of the signatures. The transfer parties may specify in the standard contract which party will fulfill the notification obligation. If no specification is made, the standard contract is notified to the Institution by the data exporter. The notification includes documents proving the authority of the signatories to the standard contract and a notarized translation of any document in a foreign language. If there is any change in the parties to the standard contract or the information and explanations provided by the parties in the standard contract, or if the standard contract terminates, the Institution is notified.

Ensuring Appropriate Safeguards through Written Undertakings

Appropriate safeguards can also be provided through a written undertaking containing provisions for personal data protection made between the transfer parties. For personal data to be transferred abroad based on the undertaking, the data exporter must apply to the Board for permission. If the undertaking is made in a foreign language, the Turkish version takes precedence. The personal data transfer can begin after the Board grants permission.

Exceptional Transfers

In the absence of an adequacy decision and if none of the appropriate safeguards are provided, personal data can be transferred abroad only if one of the exceptional transfer conditions is met. This provision applies to non-regular, one-time or occasional, non-continuous transfers that are not part of the ordinary course of business.

Exceptional transfer conditions are as follows:

  • The data subject gives explicit consent to the transfer after being informed about the possible risks.
  • The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject’s request.
  • The transfer is necessary for the establishment or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person.
  • The transfer is necessary for the protection of an important public interest.
  • The transfer is necessary for the establishment, exercise, or protection of a legal right.
  • The transfer is necessary to protect the life or physical integrity of the data subject or another person when the data subject is physically or legally incapable of giving consent.
  • The transfer is made from a register that is open to the public or accessible to those with a legitimate interest, provided that the conditions set forth in the law regarding the register are met.

Transfer of Personal Data Abroad by the Data Processor

When personal data is transferred abroad by the data processor, the data processor acts within the scope and for the purposes determined by the data controller, on behalf of the data controller, and in accordance with their instructions. Depending on the nature of the personal data, the data processor takes all necessary technical and administrative measures to ensure an appropriate level of security, in order to prevent unlawful processing of and unlawful access to personal data and to ensure its preservation.

The transfer of personal data abroad by the data processor does not relieve the data controller of its responsibilities to comply with the procedures and principles set forth in the Law and this Regulation and to provide safeguards. The data controller is responsible for ensuring that the data processor takes the necessary technical and administrative measures. If the data processor is obligated to notify the standard contract, the data processor fulfills this notification obligation without the need for instructions from the data controller.

Conclusion

The new regulation on the procedures and principles regarding the transfer of personal data abroad has introduced significant changes and clarified many aspects related to the transfer of personal data. Data controllers and processors must comply with the procedures and principles set forth in the regulation to ensure that personal data is transferred abroad in a secure and legally compliant manner. It is essential for organizations to stay updated with these changes and implement appropriate measures to protect personal data and ensure compliance with the law.

For your inquiries or legal assistance regarding this matter you may contact us at info@paldimoglu.av.tr.