The Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Draft Regulation”) was published by the Personal Data Protection Authority (“Authority”) on 9 May 2024 (following amendments to the Personal Data Protection Law No. 6698 (“PDPL”) made on 12 March 2024). The close of public comments on 20 May 2024 gave the Authority nearly two months to finalise the Draft Regulation and publish the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) in the Official Gazette dated 10 July 2024 (when it also entered into force).
On the same day, the Authority released documents on Standard Contractual Clauses (“SCC”) and Binding Corporate Rules (“BCR”) on its website.
What Does the Regulation Bring?
As in the Draft Regulation, the Regulation stipulates that data controllers and data processors may transfer personal data abroad when one of three conditions is present (existence of an adequacy decision, existence of appropriate safeguards, and existence of exceptional circumstances provided they are incidental) in addition to the existence of one of the PDPL’s personal data or special categories of personal data processing conditions.
However, the Regulation introduces additional provisions on procedures for submission of SCCs. After a standard agreement is signed and notified to the Authority, further notification is required in the event of any change in its content or its termination.
The framework introduced by the Regulation is as follows:
Presence of an Adequacy Decision
Pursuant to Article 8 of the Regulation, the Personal Data Protection Board (“Board”) may decide that a country, one or more sectors within a country, or an international organization provides an adequate level of protection. The issues to be considered when making an adequacy decision are as follows:
- Reciprocity between Turkey and the country, sectors within the country or international organizations to which personal data will be transferred.
- The relevant legislation and practice of the country or the rules applicable to the international organization.
- The existence of an independent and effective data protection authority to which the country or international organization is subject.
- The status of the country or international organization as a party to or member of international conventions on the protection of personal data.
- A country’s or international organization’s membership in global or regional organizations of which Turkey is a member.
- International conventions to which Turkey is a party.
Article 9 of the Regulation stipulates that the adequacy decision will be reassessed by the Board every four years. If it is determined that an adequate level of protection is not provided, the Board may change, suspend or revoke its decision with prospective effect.
Presence of Appropriate Safeguards
In the absence of an adequacy decision, “appropriate safeguards” are an alternative option for transferring personal data abroad. Data may be transferred abroad even in the absence of an adequacy decision when the following three conditions are present:
- Existence of one of the personal data and special categories of data processing conditions in the PDPL.
- Data subjects can exercise their rights and employ effective remedies in the country of transfer.
- Presence of one of the appropriate safeguards.
Appropriate safeguards are defined as:
An Agreement that is not an International Convention
Appropriate safeguards may be provided in respect of personal data transfers between public institutions and organizations in Turkey and professional organizations in the form of public institutions, and public institutions and organizations or international organizations in foreign countries.
Article 11 of the Regulation provides that the Board will be consulted during the agreement’s negotiation process and that the issues the agreement should include will be explained in detail. To transfer data based on the agreement, the transferor must apply to the Board for authorization after which the transfer must commence.
Binding Corporate Rules
Pursuant to Article 12, appropriate safeguards may be provided by binding corporate rules (“BCR”) which apply to companies within the group engaged in joint economic activity. As with contractual transfer, the Board’s authorization is required. In addition, foreign language documents submitted to the Board must include notarized translations.
When approving the BCR, particular attention will be paid to whether they: (i) are legally binding and enforceable for each relevant member of the group engaged in joint economic activity; (ii) contain a commitment to the exercise of data subject rights; (iii) contain at least the issues specified (regulated in detail by Article 13 of the Regulation).
The announcement also included: (i) the BCR application form for data controllers; (ii) supplementary guidelines for data controllers on fundamental matters they must include in the BCR; (iii) the BCR application form for data processors; and (iv) supplementary guidelines for data processors on fundamental matters they must include in the BCR.
Standard Contractual Clauses
The introduction of data transfers abroad through the signing of an SCC is an important development. SCCs may provide appropriate safeguards that include data categories, purposes of the data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data.
In this context, the SCC: (i) must be submitted to the Board in Turkish; (ii) must be signed by the parties to the transfer (or persons authorized to represent them); (iii) must be notified to the Authority within five business days after signing; and (iv) must have any change in its content or its termination notified to the Authority.
Final versions of the SCCs were also published by the Authority on the date of publication. It is possible to transfer data abroad using four standard contracts: (i) from data controller to data controller; (ii) from data controller to data processor; (iii) from data processor to data processor; and (iv) from data processor to data controller.
Written Undertaking
Providing appropriate safeguards through a written undertaking to be signed between the data transfer parties has been determined as an alternative method. Accordingly, Article 15 of the Regulation sets out the minimum conditions that the written undertaking must contain.
The written undertaking requires an application for authorization to the Board after which data transfer must be initiated.
Exceptional Circumstances
In the absence of an adequacy decision or appropriate safeguards, data may only be transferred abroad in exceptional circumstances which must be incidental. Article 16 of the Regulation defines an incidental transfer as “transfers that are not regular, occur only once or a few times, are not continuous, and are not in the ordinary course of business”.
Exceptional circumstances are defined as:
- Obtaining explicit consent from the data subject.
- The transfer constitutes an obligation for the performance of a contract between the data subject and the data controller.
- The transfer is mandatory for pre-contractual measures taken at the request of the data subject.
- The transfer is mandatory due to overriding public interest.
- The transfer is mandatory for the establishment, exercise or protection of a right.
- The transfer is mandatory for the protection of the life or physical integrity of a person who is unable to give his/her consent or of another person.
- Transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry are met and the person with a legitimate interest requests it. Transfers under this condition may not include all the data or categories of data contained in the registers. Moreover, transfers from registers accessible to people with a legitimate interest may only take place at the request of persons with said legitimate interest.
Conclusion
The Regulation, SCCs and BCRs represent a new era in the transfer of data abroad for Turkish data protection law. Applicable data controllers and data processors must adopt a data transfer regime that complies with the PDPL by 1 September 2024.