1. Introduction

The latest amendments to the Personal Data Protection Law No. 6698 ("Law") were accepted[1]  on March 12, 2024, and a transition period was envisaged until September 1, 2024, for the regulations regarding the cross-border transfer of personal data. Within the scope of the amendments to the Law, a regulation was awaited from the Personal Data Protection Authority ("Authority") regarding the implementation of the new system, especially regarding the cross-border transfer of personal data. As expected, the Regulation on the Procedures and Principles for the Cross-Border Transfer of Personal Data (“Regulation”) was published in the Official Gazette No. 32598 dated 10 July 2024. The aim of the Regulation is to determine the procedures and principles regarding the implementation of Article 9 of the Law, which regulates the cross-border transfer of personal data. With this newsletter, we would like to inform you about the provisions of the relevant Regulation that specifies the procedures and principles of cross-border transfer of personal data.

2. Legal Reasons for Cross-Border Transfer of Personal Data in accordance with the Regulation

2.1. Adequacy Decision

In parallel with the Law, the Regulation stipulates that personal data can be transferred abroad based on an adequacy decision. Accordingly, the Personal Data Protection Board (“Board”) might decide that (i) a country, (ii) one or more sectors within the country, or (iii) an international organization provides an adequate level of protection regarding the cross-border transfer of personal data and personal data can be transferred abroad in line with such adequacy decision.

In the Regulation, the issues such as reciprocity status with the country to which personal data will be transferred, the legislation to which the relevant country is subject, the rules to which the organization to be transferred is subject, the existence of an independent and effective protection institution to which they are subject, and the existence of administrative and judicial appeals and their status as parties to relevant international agreements and membership in international organizations are listed among the issues to be taken into consideration when making an adequacy decision. It is stated in the Regulation that these issues are not limited in number and that the Board is authorized to take additional issues into consideration when making the adequacy decision.

Pursuant to the provisions of the Regulation, the adequacy decisions taken by the Board will be published in the Official Gazette and on the Authority's website and will be re-evaluated by the Board at least every four years. As a result of the re-evaluation, if the Board determines that the country, sector or organization for which it made the adequacy decision does not provide adequate protection, it may change, suspend or revoke its decision with prospective effect.

2.2. Appropriate Safeguards

In the absence of an adequacy decision, personal data may be transferred abroad if one of the appropriate safeguards which are set out in the Law and repeated in the Regulation is present, provided that one of the conditions specified in Articles 5 and 6 of the Law is met, and that the relevant person has the opportunity to exercise his/her rights and take effective legal remedies in the country where the transfer will be made. Appropriate safeguards regulated in the Regulation parallel with the Law are explained below.

2.2.1. Concluding an agreement that is not an international agreement and the Board’s permission for the transfer.

The existence of an agreement, which does not have a nature of an international agreement, between public institutions and organizations abroad or international institutions and public institutions and organizations or professional organizations with public institution status in Türkiye is accepted as one of the appropriate safeguards. According to the provisions of the Regulation, the opinion of the Board must be sought during the negotiations of such an agreement. The Regulation sets out in detail the provisions regarding the protection of personal data that must specifically be included in such agreement. The mere existence of an agreement does not mean that the appropriate safeguard is ensured. In parallel with the Law, it is stated in the Regulation that in order to transfer personal data abroad based on such an agreement, an application must be made to the Board and the Board’s permission must be obtained. Cross-border transfer of personal data within the scope of the agreement can begin after the Board’s permission is obtained.

2.2.2. Binding corporate rules and the Board’s approval.

Another appropriate safeguard is binding corporate rules. In parallel with the Law, the Regulation stipulates that an application must be made for the Board’s approval in order to transfer personal data abroad based on binding company rules. Within the scope of such approval application, the text of the binding company rules and other information and documents required for the evaluation by the Board must be submitted to the Board. A notarized translation of each document in a foreign language submitted in the application must be attached to the application. It is regulated in the Regulation that if the text of binding company rules is prepared in a foreign language, the Turkish version thereof will be relied upon.

Pursuant to Article 13 of the Regulation, the following issues will need to be taken into consideration by the Board when approving binding corporate rules:

a) Being legally binding and enforceable of the binding corporate rules for every relevant member of the enterprise group engaged in joint economic activity, including their employees,

b) Committing in the binding corporate rules that the rights of the relevant person can be exercised, and

c) Including at least the issues listed in Article 13 of the Regulation under the binding corporate rules.

In Article 13 of the Regulation, the issues that must be included under the binding corporate rules are regulated in detail. On July 10, 2024, the binding corporate rules application form for data controllers and data processors and additional guidance on basic issues were published on the Authority's website.

2.2.3. Ensuring appropriate safeguard through standard contractual clauses.

As envisaged by the Law, existence of the standard contractual clauses which include issues such as data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data, ensures appropriate safeguard in the cross-border transfer of personal data. It is regulated in the Regulation that the standard contractual clauses will be determined and announced by the Board. In parallel with this, the Board announced the standard contractual clauses that must be signed between the data controller and the data controller, the date controller and the data processor, the data processor and the data processor and the data processor and the data controller on 10 July 2024 which is the date on which the Regulation was published in the Official Gazette.

The regulations that must be fulfilled regarding the standard contractual clauses in accordance with the Regulation are as follows:

(i) It is mandatory to use the text of standard contractual clauses without any modifications.

(ii) If the standard contractual clauses is concluded in a foreign language, the Turkish version thereof will be relied upon.

(iii) The standard contractual clauses must be concluded between the parties of personal data transfer and signed by persons authorized to represent and sign them.

(iv) The standard contractual clauses will be notified to the Authority physically or via registered e-mail address or other methods determined by the Board, within five business days from the completion of the signatures.

(v) The transfer parties may specify in the standard contractual clauses the party who will fulfill the notification obligation; if not specified, the standard contractual clauses must be notified to the Authority by the data transferor.

(vi) The documents certifying the authority of the signatories those who signed the standard contractual clauses and the notarized translation of each document in a foreign language must be attached in the notification to the Authority.

(vii) The Authority must be notified in the same procedure as envisaged when the contractual clauses were concluded if there is a change in the content or parties of the standard contractual clauses or if the standard contractual clauses are terminated.

Pursuant to the Regulation, in the event that a modification would be made in the text of standard contractual clauses announced by the Board or that the valid signature of one or both of the transfer parties is not included on the standard contractual clauses, the Board will conduct an examination in accordance with Article 15 of the Law.

2.2.4. Ensuring appropriate safeguard through undertaking letter.

Appropriate safeguard can be ensured for cross-border transfer of personal data through an undertaking letter which has provisions for the protection of personal data and to be signed between the transfer parties. With the Regulation, the provisions regarding the protection of personal data to be included in the undertaking letter are detailed. To be able transfer the personal data abroad based on an undertaking letter, the data transferor must apply for permission to the Board. Personal data transfer can begin after permission is given by the Board in this regard. Within the scope of the application to be made, the text of the undertaking letter and other necessary information and documents for the evaluation to be made by the Board must be submitted to the Board. If the undertaking letter is concluded in a foreign language, the Turkish version thereof will be relied upon.

3. Occasional Cases

If there is no adequacy decision for the cross-border transfer of personal data and if any of the appropriate safeguards listed above are not ensured, personal data may be transferred abroad in case of any of the exceptional circumstances listed below, provided that the transfer remains occasional. Occasional circumstances were introduced for the first time with the amendment to the Law and are repeated in the Regulation. However, an explanation has been introduced with the Regulation, regarding the newly accepted "occasional" nature. Accordingly, transfers that are not regular, occur once or a few times, are not continuous and are not in the normal course of activity are occasional. Exceptional transfer cases, provided that they are occasional, are as follows:

a. Data subject’s explicit consent to the transfer, provided that they have been informed about the potential risks.

b. Transfer is being necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject.

c. Transfer is being necessary for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.

d. Transfer is being necessary for an overriding public interest.

e. Transfer is being necessary for the establishment, exercise or protection of a right.

f. Transfer is being necessary to protect the life or physical integrity of the data subject or another natural person where the data subject cannot disclose their consent due to actual impossibility or whose consent is not legally valid.

g. Transfer is being made from a registry that is open to the public or persons with a legitimate interest, to the extent that the conditions laid down by applicable law for accessing the registry is met and transfer is requested by those having legitimate interest. 

The Regulation also brings an explanatory provision regarding the application of paragraph (g) above, which is one of the exceptional cases. Accordingly, in transfers to be made within the scope of paragraph (g);

i. The transfer should not be carried out in a way that includes all personal data or categories of personal data existing in the registries.

ii. Transfers from accessible registries can only be made to these persons or upon the request of these persons.

In addition, regarding exceptional transfers, the Regulation stipulates that paragraphs (a), (b) and (c) above will not apply to the activities of public institutions and organizations subject to public law.

4. Conclusion

The Regulation on the Procedures and Principles for the Cross-Border Transfer of Personal Data entered into force on the date of its publication on the Official Gazette. In accordance with the new system introduced by the Law and repeated by the Regulation, the existence of an adequacy decision and of appropriate safeguards must first be ensured in cross-border transfer of personal data. If these cannot be ensured, in exceptional and occasional cases, personal data may be transferred abroad with explicit consent and with other legal reasons. However, in accordance with the temporary article in the Law, the old system of transferring personal data abroad with the explicit consent of the relevant persons will continue to be applied until September 1, 2024, together with the new system explained above. For this reason, those who transfer personal data abroad based on explicit consent must comply with the amended version of the Law which is also repeated by the Regulation by September 1, 2024. In this regard, it is now possible to use the standard contractual clauses announced on the Authority’s website on the date the Regulation was published.

Kind regards,

For information and inquiries please contact:

info@ozel-law.com

ÖZEL Attorneys-at-Law

This bulletin has been prepared on 8/11/2024 in order to share the legal developments in Turkish law. It does not include any legal advice nor guidance; for general information only.