REGULATION ON THE TRANSFER OF PERSONAL DATA ABROAD

8/26/2024
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad has been published in the Official Gazette on July 10, 2024.
July 10, 2024

REGULATION ON THE TRANSFER OF PERSONAL DATA ABROAD

Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad (“Regulation”) has been published in the Official Gazette on July 10, 2024, and has entered into force on this date.

Significant amendments have been made to the Personal Data Protection Law No. 6698 (“PDPL”) through Law No. 7499 on the Amendment to the Code of Criminal Procedure and Certain Laws, also known as the 8th Judicial Package. In line with these amendments, the principles regarding the transfer of personal data abroad are specified in Article 9 of the PDPL, and the procedures and principles for the implementation of this article are regulated by Regulation.

Accordingly, the Regulation sets out the procedures and principles to be followed in the transfer of personal data abroad pursuant to Article 9 of the PDPL. The Regulation aims to enhance transparency in the processes of transferring personal data abroad and to establish certain standards for data controllers and processors. The provisions of the Regulation apply to data controllers and processors involved in the transfer of personal data abroad in accordance with Article 9 of the PDPL, and personal data can only be transferred abroad in compliance with the procedures and principles stipulated in the PDPL and the Regulation.

1. Procedures for Transfer of Personal Data Abroad

Personal data may be transferred abroad by data controllers and processors if one of the conditions specified in Articles 5 “Conditions for Processing Personal Data” and 6 “Conditions for Processing Special Categories of Personal Data” of the PDPL is met and if one of the following conditions is fulfilled:

• Existence of an adequacy decision regarding the country, sectors within that country, or international organizations to which the data will be transferred.

• In the absence of an adequacy decision, the provision of one of the appropriate guarantees specified in Article 10 of the Regulation by the parties provided the data subject has the opportunity to exercise their rights and to have recourse to effective legal remedies in the country to which the data will be transferred.

Regulation grants both data controllers and processors the possibility to transfer personal data abroad. If the data processor transfers personal data abroad, the processor is obliged to act within the purposes and scope determined by the data controller, on behalf of and in accordance with the instructions of the data controller. The processor must take all necessary technical and administrative measures to prevent unlawful processing and access to personal data and to ensure the protection of personal data.

2. Transfers Based on Adequacy Decision

Personal data may be transferred abroad if there is an adequacy decision regarding the country or international organization to which the data will be transferred. The adequacy decision is made by the Personal Data Protection Board (“Board”) and is reviewed periodically.

When making an adequacy decision, the Board considers factors such as (i) the reciprocity status between Türkiye and the country, sectors within the country, or international organizations regarding the transfer of personal data, (ii) the relevant legislation and practices of the country and the rules applicable to the international organization to which the data will be transferred, and (iii) the existence of an independent and effective data protection authority and administrative and judicial remedies in the country or international organization. Board’s decisions are published in the Official Gazette and on Board’s website.

3. Transfers Based on Appropriate Guarantees

In the absence of an adequacy decision regarding the target country or international organization, personal data may only be transferred abroad if appropriate guarantees as regulated in Regulation are provided. These appropriate guarantees include (i) agreements that are not of an international treaty nature between the parties, (ii) binding corporate rules, (iii) standard contractual clauses determined by the Board, and (iv) the existence of a sufficient protection commitment and Board’s permission for the transfer.

a. Provision of Appropriate Guarantees with Agreements that do not Constitute International Treaty

Appropriate guarantees may be provided through agreements not of an international treaty nature for personal data transfers between public institutions and organizations in Türkiye and public institutions and organizations or international organizations in foreign countries. These agreements must include provisions for the protection of personal data as specified in Article 11/3 of the Regulation. For the transfer of personal data based on such an agreement, the data exporter must apply to Board for permission and the transfer can commence following Board’s approval.

b. Provision of Appropriate Guarantees with Binding Corporate Rules

Companies within a group of undertakings engaged in joint economic activity may provide appropriate guarantees by establishing binding corporate rules for the protection of personal data. These rules must be legally binding for all group members, include a commitment to uphold the rights of the data subject, and contain the provisions specified in Article 13 of the Regulation. The transfer of personal data can commence following the Board’s approval of these rules.

c. Provision of Appropriate Guarantees with Standard Contractual Clauses

Appropriate guarantees may be provided through standard contractual clauses determined and announced by the Board for use in the transfer of personal data abroad. Standard contractual clauses must cover issues such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data. These standard contractual clauses must be used without any modifications and executed between the parties to the data transfer. The standard contractual clause must be submitted to the Personal Data Protection Authority (“Authority”) within five business days from the completion of signatures, either physically or through a registered electronic mail (KEP) address or other methods determined by the Board.

d. Providing Appropriate Guarantees with a Written Commitment

Appropriate guarantees may also be provided through a written commitment for the transfer of personal data abroad. This commitment must include the provisions for the protection of personal data specified in Article 15/2 of the Regulation. The commitment must detail the purpose, scope, nature, and legal basis of the data transfer, necessary commitments for the exercise of data subject rights, and the technical and administrative measures to ensure data security. The commitment is submitted to the Board, and the transfer of personal data can commence following the Board’s approval.

4. Exceptional Transfers

In the absence of an adequacy decision and appropriate guarantees, personal data may only be transferred abroad under exceptional circumstances of a temporary nature. The Regulation defines temporary transfers as irregular, one-time or infrequent transfers that are not continuous and do not fall within the normal course of business activities.

These exceptional circumstances include:

• Explicit consent of the data subject,

• Necessity of transfer for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject’s request,

• Necessity of transfer for the conclusion or performance of a contract between the data controller and a third party for the benefit of the data subject,

• Existence of a superior public interest, • Necessity of transfer for the establishment, exercise, or defense of a legal claim,

• Necessity of transfer to protect the vital interests of the data subject or another person when the data subject is physically or legally incapable of giving consent due to actual impossibility,

• Transfers made from public registers.

Please do not hesitate to contact us if you have any questions regarding above matters.

Best Regards.

Atty. Selim DÜNDAR
sdundar@dundarsir.com