Within the framework of the amendments to the Turkish Personal Data Protection Law (the “Law”), which will come into force on 1 June 2024, the expected draft regulation on cross-border data transfer has now been published by the Turkish Personal Data Protection Authority (the “DPA”) for public comment.
For the consideration of data controllers and data processors, the major issues set forth under the draft regulation are as follows:
Cross-Border Transfers Subject to Adequacy Decisions: As is known, under the amendment to the Law, an adequacy decision can be made not only for a country, but also for one or more sectors within a country or for an international organization. The Law also specifies what should be considered by the DPA when issuing an adequacy decision. The draft regulation also allows the Personal Data Protection Board (the "Board") to make further determinations in terms of adequacy criteria later on. It is also regulated that the Board may (i) review existing adequacy decisions, if any, at certain intervals and, (ii) to the extent the Board determines as a result of those reviews that an adequate level of protection is not maintained, change, suspend or revoke the relevant decisions with future effect and negotiate with the competent authorities of the relevant country or the corresponding international organization in order to remedy the situation and reinstate the adequacy decision.
Cross-Border Transfers Based on Agreements between Correspondent Authorities except for International Conventions/Treaties: The Law now provides that an appropriate safeguard can be provided for cross-border transfers between public authorities or professional organizations in Türkiye and a correspondent public authority in other countries or international organizations as per an agreement signed between the relevant correspondent authorities. With the draft regulation, the minimum requirements for such agreements to be concluded between the transfer parties have been regulated. In order to transfer personal data outside Türkiye within the scope of such agreements, the relevant public authority or professional organization in Türkiye must also apply to the Board for its permission.
Cross-Border Transfers Based on the Binding Corporate Rules: As is known, even though there was no explicit provision before the amendments to the Law, the “Binding Corporate Rules” mechanism was accepted by the Board and announced by the DPA on 10 April 2020 for data transfers between companies within a group of undertakings engaged in economic activities (in other words, between subsidiaries of multinational companies). Although “Binding Corporate Rules” were explicitly regulated for the first time under the amendments to the Law, it was a method that was known in practice and whose standards, procedures and principles were determined by the Board in the past. However, there have been no “Binding Corporate Rules” approved by the Board yet. In the draft regulation, the minimum requirements for binding corporate rules are set out in parallel with the Board's previous practices and rules (i.e., regulations on the application form and the basic requirements of these rules). On 17 May 2024, the DPA also announced application forms and a guideline for “Binding Corporate Rules” applications for both data controllers and data processors. Approval processes for “Binding Corporate Rules” may take a long time and require a comprehensive study by data controllers/data processors, as they require extensive research and examination by the Board. As emphasized in the draft regulation, transfers based on “Binding Corporate Rules” can only be considered an appropriate data transfer after approval by the Board.
Providing Appropriate Safeguards through Standard Contracts and Cross-Border Data Transfers Based on Standard Contractual Clauses: The most remarkable change in the Law regarding the cross-border transfer of personal data is the adoption of a new mechanism similar to the “Standard Contractual Clauses” in the European Union General Data Protection Regulation (“GDPR”). The procedures and principles applicable to this mechanism had also been awaited. Unlike the GDPR, the Law now also requires the standard contracts to be reported to the Board within 5 business days. The draft regulation introduces a number of additional rules in respect of cross-border transfers based on standard contracts. It further clarifies various issues such as who will sign the standard contracts, whether the contracts can be amended, which party will make the notification of the signed copies, etc. As per the draft regulation, the standard contracts shall be signed without any changes by the legal representatives of data exporters and data importers, and sufficient documents showing the signature powers of such representatives will also need to be shared with the Board. Furthermore, it has also been clarified that, unless otherwise agreed, the data exporter shall notify the signed contracts.
On 17 May 2024, the DPA also announced four templates in relation to transfers. Before using any template, the parties shall evaluate whether each of them is to be considered a data controller or a data processor in relation to the processing activity requiring cross-border transfer.
To date, since only a limited number of transfers have been permitted by the Board, it is known that almost all data controllers who transfer data abroad rely, and should rely, on explicit consent. On the other hand, as explicit consent will be a legal ground only applicable to exceptional cases as of 1 September, it is of utmost importance that data controllers and processors immediately start preparations to adjust their procedures in order to comply with the new requirements. We assume that this “Standard Contract” mechanism will be widely applied by the data controllers processing personal data of Turkish residents.
Data Transfers Made Based on Undertakings Permitted by the Board: This is a method explicitly stipulated under the Law before the amendment and applied by a limited number of data controllers in practice. In parallel with the undertaking examples previously set and published by the Board, the issues required to be included in such undertakings have been comprehensively regulated. No significant change is expected in this process following the adoption of the draft regulation.
Exceptional Cross-Border Transfers of Personal Data: Some exceptional legal grounds have also been determined as per the amendments made in the Law, which may be an applicable basis for cross-border transfers. The draft regulation explains in which cases exceptional transfers may be possible (in other words, which cases can be considered exceptional). Accordingly, the draft regulation stipulates that transfers which are “irregular, occasional/unsystematic, continuous and outside ordinary course of business” are allowed provided that there is also a legal ground to do so. Therefore, data controllers will only be able to transfer personal data abroad by taking advantage of the relevant provisions in highly exceptional cases. As of the end of the transition period specified in the Law (i.e., as of September 1, 2024), explicit consent will also be an exceptional legal ground for cross-border data transfers.
We anticipate that the draft regulation and the templates announced by the Board will be finalized and will come into force as of 1 June 2024, following the evaluation of the public opinions about the same. The Board will also be authorized to resolve any doubts that may arise during the implementation of the regulation and to decide on matters not stipulated under the regulation.
We recommend that data controllers and data processors urgently initiate preliminary preparations in order to ensure that appropriate assurance for cross-border transfers can be made by September 1, 2024. Within the framework of the actions to be taken, it is inevitable that some changes will also be required in relation to administrative procedures of data controllers and in privacy notices/consent forms used by data controllers.