The Regulation on Procedures and Principles Regarding the Cross-border Transfer of Personal Data (the “Regulation”) is published in the Official Gazette on 10 July 2024. Additionally, the Personal Data Protection Board (the “Board”) announced the standard contract texts, binding corporate rules application forms and supplementary guidelines about essential issues required to be covered by binding corporate rules.
Except for cross-border transfers that are irregular, occur on one or a few occasions, are not continuous and are not in the ordinary course of business of the relevant data controller, data controllers and processors must provide one of the following appropriate safeguards set out in the Regulation until 1 September 2024 for all cross-border data transfers.
The relevant appropriate safeguards that can be provided by data controllers and data processors are as follows:
- Binding Corporate Rules: Data controllers that are a part of a multinational group of companies may prepare binding corporate rules regarding intra-group data transfers in accordance with the new guidelines and submit them to the Board for approval. Within the framework of the binding corporate rules approved by the Board, data may be transferred to the parent company and its affiliates located abroad.
- Undertaking: Data exporter and importer may prepare a written undertaking providing adequate protection for personal data in accordance with the Regulation, and apply for the permission of the Board. In the existence of an undertaking authorized by the Board, data may be transferred to the parties of the undertaking.
- Standard Contracts: Standard contract texts announced by the Board suitable for the relevant transfer may be signed by data exporters and data importers. The Board has prepared and announced 4 different standard texts for the transfer (i) from data controller to data controller, (ii) from data controller to data processor, (iii) from data processor to data controller and finally (iv) from data processor to data processor. Standard contracts shall not be amended except as permitted in the texts prepared by the Board and the standard contracts to be signed should be notified within 5 business days from the date of signature (along with documents evidencing the authorization of the persons authorized to sign and notarized Turkish translations of such documents). Data controllers and data processors who wish to continue their transfers abroad by providing this safeguard must specify in each relevant contract (i) who the parties are (whether they act as a data controller or a processor for the subject matter data categories and purposes), (ii) the activities of the data exporter and data importer regarding personal data to be transferred, (iii) the relevant groups of data subjects, (iv) the scope of the transferred personal data, (v) the legal grounds for the transfers, (vi) the frequency of the transfers, (vii) the nature of the processing activity, (viii) the purposes of the transfer and subsequent processing activities, (ix) the retention periods, (x) the recipient groups and (xi) the data transferor's Data Controllers' Registry information (if available).
At least one of the above safeguards should also be provided for the subsequent cross-border transfers of personal data.
In case that data controllers fail to provide the necessary safeguards until 1 September 2024, an administrative fine amounting from TRY 141,934 to TRY 9,463,213 may be imposed on them whereas failure to make the required notifications within 5 business days about executed standard contracts may also be subject to an administrative fine amounting from TRY 50,000 to TRY 1,000,000 for each contract against both data controllers and data processors. Administrative fines are subject to an increase each year in accordance with the official revaluation rate.
Especially in terms of transfers to data controllers located abroad, it is extremely important to check whether the relevant data controller located abroad has registered with the Data Controllers Registry, and if not yet registered, it is extremely important to complete such registrations as soon as possible.