Regulation, SCCs and BCRs published
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) entered into force on its publication in the Official Gazette on 10 July 2024. The Turkish Data Protection Authority also published documents on Standard Contractual Clauses (“SCC”) and Binding Corporate Rules (“BCR”) on its website.
The Regulation stipulates that data controllers and data processors may transfer personal data abroad when one of three conditions are met: (i) the existence of an adequacy decision; (ii) the existence of appropriate safeguards; and (iii) the existence of exceptional circumstances, provided they are incidental, in addition to the existence of one of the special categories of personal data processing conditions.
The following key documents were also published:
- SCC 1: Data controller to data controller.
- SCC 2: Data controller to data processor.
- SCC 3: Data processor to data processor.
- SCC 4: Data processor to data controller.
- Application form for BCR for data controllers.
- Key considerations for BCR for data controllers (guidelines).
- Application form for BCR for data processors.
- Key considerations for BCR for data processors (guidelines).
You can read our article on the Regulation here.
The Authority’s report
The Authority also published a report on common mistakes made in complaints and notifications submitted to the Personal Data Protection Board (“Board”). Examples include: (i) failure to complete the application to the data controller; (ii) failure to include a power of attorney stamp; (iii) failure to submit the complaint within the legal time limit.
Goal of full compliance with the GDPR
The Investment Office of the Presidency of the Republic of Türkiye has published its “Türkiye International Direct Investment Strategy and Action Plan 2024-2028”. A key area identified is digital transformation, where full harmonization of Turkish personal data protection law with the EU’s General Data Protection Regulation is the ultimate goal.
The DPA announced the following data breach notifications in July:
| Data Controller (and sector) | Affected Data Subjects | Affected Personal Data Categories | Number of Data Subjects |
| Creditwest (Bank) | Employees and customers | Identity, contact, location, personal, customer transaction | N/A |
| Uber (App) | App users, drivers, couriers | N/A | N/A |
| SunExpress (Airline) | Employees, customers and potential customers | Contact | N/A |
| Ann & Robert H. Lurie Children’s Hospital (Hospital) | Patients, relatives, current and former employees, relatives of employees, contractors | Communication, identity, health | N/A |
