Newsletter Regarding Regulation on the Transfer of Personal Data Abroad
The Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) was published in the Official Gazette on 10.07.2024.
The Regulation, in line with recent amendments to the Personal Data Protection Law (“Law”), outlines the procedures for transferring data abroad and specifies the responsibilities of data controllers and data processors.
According to the Regulation, personal data may be transferred abroad (a) with the adequacy decision of the Personal Data Protection Board (“Board”), (b) based on appropriate safeguards, or (c) temporarily in exceptional cases.
The Board also published on its website[1] (“Website“) on 10.07.2024 Turkish versions of standard documents on binding corporate rules and agreements among the transfer options included in “appropriate safeguards”.
The Regulation entered into force as of the date it was published in the Official Gazette; however, the option for transferring data abroad based on explicit consent will remain in effect until 01.09.2024. In this context, if personal data is transferred abroad (not temporary) based on explicit consent, since such transfers cannot be made based on explicit consent as of 01.09.2024, the transfer should be conducted through one of the following methods by this date. As the compliance process may take time, we recommend starting compliance efforts as soon as possible.
Details:
A. Board’s Adequacy Decision:
The Board may decide that a country, one or more sectors within a country, or an international organization ensures an adequate level of protection regarding the transfer of personal data abroad. The Board’s adequacy decisions will be published in the Official Gazette and on the website of the Personal Data Protection Authority (“Authority”). As such a decision has not been published yet, this option cannot be currently used.
The adequacy decision of the Board will be re-evaluated at least every four years. As a result of the re-evaluation, the Board has the authority to change, suspend or revoke its decision with future effect.
B. Transfers Based on Appropriate Safeguards:
In the absence of the above adequacy decision, personal data may be transferred abroad based on appropriate safeguards. Accordingly, personal data can be transferred abroad if: (i) one of the conditions specified in Articles 5 and 6 of the Law is met, (ii) the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country where the transfer will be made, and (iii) one of the appropriate safeguards specified in the Regulation is provided.
Such appropriate safeguards are as follows:
a. The existence of an agreement that is not an international treaty between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations having public institution status in Turkey, and the Board’s authorization of the transfer;
b. The existence of binding corporate rules*, which contain provisions regarding the protection of personal data, that are mandatory for companies within a group engaged in joint economic activities, and that are approved by the Board;
*The Authority has published auxiliary guidelines and application forms (in Turkish) to be used in the submission of binding corporate rules to the Board on its Website.
c. The existence of a standard contract**, announced by the Board, which includes details such as data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data;
**The Authority has published the standard contracts (in Turkish) on the Website. The standard contract must be used without any alterations. These contracts contain the basic regulations for personal data transfers between data controller to data controller, data controller to data processor, data processor to data processor, and data processor to data controller.
The standard contract will be concluded between the parties involved in the data transfer and will be signed by the parties or persons authorized to represent and sign on behalf of the parties. It must be notified to the Authority physically or by registered electronic mail (KEP) address or other methods determined by the Board within 5 business days following the completion of the signatures.
In addition, in the event of any change in the parties to the agreement or in the information and explanations provided by the parties in the content of the agreement or in the event of termination of the agreement, a notification shall be made to the Authority in accordance with the above-mentioned procedure.
d. Providing appropriate assurance with an undertaking approved by the Authority following an application by the parties to the Authority.
C. Exceptional/Temporary Transfer Cases:
In the absence of above adequacy decision and above appropriate assurances stipulated in the Regulation, provided that it is temporary, personal data may be transferred abroad in the presence of one of the exceptional transfer cases regulated in Article 16 of the Regulation. You can find details regarding this transfer in our prior newsletter[2].
[1] https://kvkk.gov.tr/Icerik/7938/Standart-Sozlesmeler-ve-Baglayici-Sirket-Kurallarina-Iliskin-Dokumanlar-Hakkinda-Kamuoyu-Duyurusu
[2] https://bener.com/newsletter-on-important-changes-in-the-transfer-of-personal-data-abroad-and-processing-of-sensitive-personal-data/