Kemal Kumkumoğlu
Selin Çetin Kumkumoğlu
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) was published in the Official Gazette on 10 July 2024.[1] On 12 March 2024, Article 9 of the Personal Data Protection Law No. 6698 ("PDPL" or "Law") regulating the transfer of personal data abroad was amended.[2] This Regulation was prepared in order to determine the procedures and principles regarding the implementation of Article 9 of the PDPL regulating the transfer of personal data abroad.
According to Article 6 of the Regulation, personal data may be transferred abroad by data controllers and data processors in the presence of one of the conditions specified in Articles 5 and 6 of the Law and in the following cases:
(1) There is an adequacy decision on the country, sectors within the country, or international organizations to which the transfer will be made.
(2) In the absence of an adequacy decision, one of the appropriate safeguards specified in Article 10 of the Regulation is provided by the parties, provided that the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country of transfer.
Transfer of Personal Data Abroad with an Adequacy Decision
Pursuant to Article 8 of the Regulation, the Personal Data Protection Board ("Board") may decide that a country, one or more sectors within a country, or an international organization provides an adequate level of protection in relation to the transfer of personal data abroad. The adequacy decision will be re-evaluated every four years at the latest.
The following issues will be taken into account in the adequacy decision by the Board:
The reciprocity status regarding the transfer of personal data between the country, sectors within the country, or international organizations and Türkiye.
The relevant legislation and practice of the country to which personal data will be transferred and the rules governing the international organization to which personal data will be transferred.
The existence of an independent and effective data protection authority and administrative and judicial remedies in the country or international organization to which personal data will be transferred.
The status of the country or international organization to which personal data will be transferred as a party to international conventions on the protection of personal data or as a member of international organizations.
The membership status of the country or international organization to which personal data will be transferred to global or regional organizations of which Türkiye is a member.
International conventions to which Türkiye is a party.
Transfer of Personal Data Abroad with the Provision of Appropriate Safeguards
Pursuant to Article 10 of the Regulation, in the absence of an adequacy decision, provided that one of the conditions specified in Articles 5 and 6 of the Law exists and the relevant person has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country where the transfer will be made, the transfer may be made abroad if one of the following appropriate assurances is provided by the parties to the transfer:
The existence of an agreement that is not in the nature of an international contract between public institutions and organizations or international organizations abroad and public institutions and organizations in Türkiye or professional organizations in the nature of public institutions and the Board permits the transfer.
Existence of binding corporate rules approved by the Board and containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with.
Existence of a standard contract announced by the Board containing data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data.
Existence of a written undertaking containing provisions to ensure adequate protection and authorization of the transfer by the Board.
Pursuant to Article 14 of the Regulation, it is stipulated that the standard agreements[3] to be announced by the Board shall be concluded between the parties to the personal data transfer and shall contain matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for sensitive personal data. It is obligatory to use the standard contract text without any changes.
The standard contract must be signed by the parties to the transfer or by persons authorized to represent and sign the parties, and it must be notified to the Authority physically or by registered electronic mail (REM) address or other methods determined by the Board within five business days following the completion of the signatures. In addition, the transfer parties may determine who will fulfill the notification obligation in the standard contract; however, if no determination is made, the standard contract will be notified to the Personal Data Protection Authority (“Authority”) by the data transmitter.
On the other hand, if there is a change in the parties to the standard contract or in the information and explanations provided by the parties in the content of the standard contract or if the standard contract is terminated, notification to the Authority will be required.
Finally, Article 16 of the Regulation regulates exceptional cases of transfer. Accordingly, personal data may be transferred abroad only in the presence of one of the exceptional transfer cases listed in the second paragraph of Article 16, provided that it is incidental, in the absence of an adequacy decision and any of the appropriate safeguards cannot be provided. Transfers that are not regular, occur only once or a few times, are not continuous, and are not in the ordinary course of business will be considered incidental.
[1] See Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad https://www.resmigazete.gov.tr/eskiler/2024/07/20240710-2.htm
[2] See Law No. 7499 on Amendments to the Code of Criminal Procedure and Certain Laws https://www.resmigazete.gov.tr/eskiler/2024/03/20240312-1.htm
[3] "Public Announcement on Documents Regarding Standard Contracts and Binding Corporate Rules" was published on the website of the Authority: https://www.kvkk.gov.tr/Icerik/7938/Standart-Sozlesmeler-ve-Baglayici-Sirket-Kurallarina-Iliskin-Dokumanlar-Hakkinda-Kamuoyu-Duyurusu
Comments