Article on Transfer of Personal Data Abroad
Transfer of personal data to third parties located abroad is regulated under article 9 of the Law on Protection of Personal Data No. 6698 (“Law”). According to article 9 of the Law, personal data can be transferred to third parties located abroad (including servers located abroad) in the presence of one of the following conditions:
- (a) Explicit consent of the data subject is obtained; or
- (b) One of the exceptional cases where personal data or sensitive personal data can be processed without the explicit consent of the data subject as per article 5/2 or article 6/3 of the Law is present, and the country to which the data will be transferred is a country having adequate protection as determined by the Board of Protection of Personal Data (“Board”); or
- (c) One of the exceptional cases where personal data or sensitive personal data can be processed without the explicit consent of the data subject as per article 5/2 or article 6/3 of the Law is present and the country to which the data will be transferred is not a country having adequate protection as determined by the Board, but the data controllers in Turkey and abroad or the data processors abroad have obtained a permit from the Board by providing a written undertaking for adequate protection (or by signing binding corporate rules between the group companies).
The Board has not yet determined the countries having adequate protection. Although the announcement published on the official website of the Board states that the Board is continuing its work on determining the countries having adequate protection, it is still not clear when, or if, such a determination will be made.
Therefore, option (b) stated above currently cannot be used. Personal data can be lawfully transferred abroad either by obtaining explicit consent from the data subjects in accordance with the Law and the principles of the Board, as stated in option (a), or by obtaining a general permit from the Board with a written undertaking regarding adequate protection between the data controller in Turkey and the data controller or data processor abroad, as stated in option (c).
Note that the Board previously accepted only a written undertaking signed in accordance with the Board’s format for undertakings of adequate protection. However, the announcement of the Board dated 10.04.2020 states that, similarly to the legislation of the European Union, binding corporate rules may be signed instead of an undertaking for transfers of data between group companies. In this regard, if the data controller in Turkey transfers personal data to a group company located abroad, binding corporate rules may be signed in order to apply to the Board for a permit, instead of signing an undertaking.
Obtaining explicit consent from data subjects can be a feasible option for employees. Generally, however, data controllers are not able to obtain explicit consent from each employee and from the authorized persons of their customers/suppliers. Therefore, data controllers have difficulties in obtaining explicit consent from all data groups.
On the other hand, obtaining the permit from the Board can be a very long process, and the permit is by no means guaranteed as a result of the application. Furthermore, as the permit will be effective only for the future, it will not legalize data transfers performed in the past without the explicit consent of the data subject. Note that until very recently no company had obtained such a permit from the Board; however, as per the information provided to the public, the Board granted such a permit to two companies in February 2021 and March 2021.
Lastly, the announcement made by the President on 31.03.2021 states that certain regulations and amendments can be made in the Law until March 2022 with regard to the transfer of personal data abroad, in accordance with the standards of the European Union, under the scope of the Human Rights Action Plan. Such an amendment can make the transfer of personal data abroad more feasible under the Law (e.g. countries having adequate protection can be determined, or transfer of personal data abroad in exceptional cases can be permitted).
According to the Law, personal data is any information relating to an identified or identifiable real person.
According to article 5/2 of the Law, personal data can be processed without explicit consent of data subject in the following cases:
- a) It is expressly provided for by the laws,
- b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,
- c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract,
- d) It is necessary for compliance with a legal obligation to which the data controller is subject,
- e) Personal data have been made public by the data subject himself/herself,
- f) Data processing is necessary for the establishment, exercise or protection of any right,
- g) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
According to article 6/3 of the Law, personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
According to the Law, data controller means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
Data processor means the natural or legal person who processes personal data on behalf of the data controller upon its authorization.