On 26 October 2020, the Turkish Data Protection Authority (“Authority”) published a public announcement on foreign data transfers, including details on assessments by the Data Protection Board (“Board”) on whether a relevant country has adequate protection and the requirements for transferring personal data to countries that lack such protection.
The public announcement summarizes the following information:
According to the Article 9 of the Data Protection Law No. 6698 (“DPL”), personal data may not be transferred abroad without obtaining explicit consent of the data subject. In case one of the exceptions prescribed in Article 5(2) (general exceptions to explicit consent) or Article 6(3) (exceptions relating to sensitive personal data) applies and there is adequate protection in the country where the data will be transferred or, when there is no adequate protection, if the data controller in Turkey and in the related foreign country undertake adequate protection in writing and permission of the Board is obtained, explicit consent is not required.
Determination of the countries with adequate protection:
- Assessment on whether adequate protection is available in the relevant country
In accordance with the Article 9(b) of the DPL, the Board will make an assessment on whether there is adequate protection in the foreign country by considering:
- whether the recipient country is party to an international agreement which Turkey is a party to,
- reciprocity in terms of data transfer between Turkey and the country the data is to be transferred to,
- the nature of the personal data and the purpose and term of data processing relating to each data transfer,
- the legislation of the country the data is to be transferred to and the implementation of the legislation,
- precautions undertaken by the data controller residing in the country where the data will be transferred.
This assessment shall include other considerations such as membership to global or regional organizations and volume of the commercial transactions performed with the relevant country.
Determination of the list of countries with adequate protection by the Board is a long process considering different national legal systems, absence of general data protection regulations or existence of legislation only covering specific areas in countries subject to examination and differences between federal states.
Once a determination is made on whether a country qualifies as providing adequate protection, such qualification decision will be periodically reviewed by the Board and subject to change, suspension or cancellation depending on the changing circumstances.
At the time of writing, we understand that the Authority did not receive any requests for safe-country status, although meetings are being held with a number of countries concerning existing and potential commercial relations, geographical and cultural ties, and political and diplomatic relations, and activities are being carried out in this context.
Transfer of personal data to countries without adequate protection
Under Article 9-2(b) of the DPL, in order for a transfer to be carried out to a country where there is no adequate protection, the transferring parties must ensure that there will be adequate protection, undertake this in writing and receive permission for the transfer from the Board. The minimum requirements to be included in the undertakings have been determined by the Board.
In addition, “Binding Company Rules” have been introduced by the Authority as an alternative method to provide appropriate assurance considering that organizational structure and business procedures vary for each data controller. The idea is to facilitate practice, especially for multinational companies, considering that preparing an undertaking for each country where the data is transferred would be burdensome. Accordingly, multinational companies operating in countries where there is no adequate protection can make use of this method and by applying to “Binding Company Rules” there will be no further obligation to acquire explicit consent or provide additional undertaking to the Authority. However, it is worth mentioning that the Authority has one year to finalize the assessment of applications for Binding Company Rules following the official date of application. This time period can also be extended by the Authority if deemed necessary.
The procedures to be followed for data transfers abroad under the DPL have been criticized for being burdensome due to onerous requirements and ambiguities over whether a country is considered safe. The recent developments indicate that the Authority is taking action to address these issues and provide some insight into the Board’s assessment process.
For more information on this announcement and the regulation it is based on, please do not hesitate to contact us at firstname.lastname@example.org, email@example.com or firstname.lastname@example.org.