On 10 July 2024, the Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad (the “Regulation”), which governs the implementation of Article 9 of the Personal Data Protection Law (“PDPL”) concerning cross-border data transfers, was published. This Regulation primarily addresses the obligations of data controllers and processors in managing cross-border data transfers and establishes corresponding procedures.
According to the Regulation, cross-border data transfers must strictly adhere to the procedures and principles outlined in both the PDPL and the Regulation itself. It stipulates that ongoing transfers of personal data across borders must consistently comply with these regulations.
Under the Regulation, personal data can be transferred abroad under the following conditions: (i) with an adequacy decision issued by the Personal Data Protection Board (“Board”), (ii) in the absence of such a decision, provided appropriate safeguards are established between the parties involved, or (iii) if neither adequacy nor appropriate safeguards are feasible, in exceptional circumstances where the cross-border data transfer is incidental.
I. Cross-Border Data Transfer Based on an Adequacy Decision
Personal data can be transferred abroad based on an adequacy decision issued by the Board, in the presence of the legal grounds specified in Article 5 or 6 of the PDPL. The Board can issue adequacy decisions concerning the country, international organization, or specific sectors within a country where the data will be transferred. These decisions will be published in the Official Gazette and on the website of the Personal Data Protection Authority. The Regulation outlines minimum requirements that the Board must consider when making an adequacy decision.
The Board will periodically review its adequacy decisions, with the evaluation period explicitly stated in each decision. According to the Regulation, this evaluation period cannot exceed four years. However, the Board reserves the right to evaluate, amend, suspend, or revoke an adequacy decision if deemed necessary, regardless of the specified evaluation period.
II. Cross-Border Data Transfer Based on Appropriate Safeguards
In the absence of an adequacy decision, personal data can be transferred abroad under the following conditions: (i) if one of the legal grounds specified in Articles 5 and 6 of the PDPL is met, (ii) if data subjects can exercise their rights and seek effective legal remedies in the recipient country, and (iii) if one of the appropriate safeguards established by the Regulation is in place. The appropriate safeguards specified in the Regulation are as follows:
1. Existence of an agreement, which is not of the nature of an international agreement, between public institutions and organizations, international organizations, or professional organizations with public institution status in Turkey and the country to which the data will be transferred, and the approval of the Board
The agreement, which is not classified as an international agreement, will be executed between the parties and must be approved by the Board. The Regulation outlines the minimum requirements for the agreement's content. Cross-border data transfer can commence only upon approval by the Board, not solely upon execution of the agreement. The data transferor is responsible for submitting the application for the Board’s approval.
2. Existence of binding corporate rules approved by the Board, containing provisions on the protection of personal data, which companies within the undertaking engaged in joint economic activity are obliged to comply with
Companies within an enterprise engaged in joint economic activity can establish rules for the protection of personal data in their cross-border transfers. The Regulation specifies the minimum requirements that binding corporate rules must include. The Board is authorized to evaluate the content of these rules, assess whether they provide adequate assurance, and approve the transfer accordingly. The transfer of personal data can commence upon the Board's approval of the binding corporate rules.
3. Execution between the parties of the standard contractual clause published by the Board, and notification of this agreement to the Board within five business days
Personal data may be transferred abroad upon execution of standard contractual clauses issued by the Board. These clauses must be submitted to the Board by the data transferor physically, via a registered electronic mail address (KEP address), or through other means determined by the Board within five business days following the execution of such agreements.
The parties have the option, through these standard contractual clauses, to require the data recipient to notify the Board of the agreement. Failure to notify within the specified period may result in an administrative fine ranging from TRY 50,000 to TRY 1,000,000. The Board is expected to issue various categories of standard contractual clauses, taking into account whether the parties involved in the transfer act as data controllers or data processors. Parties may select and execute the standard contractual clause that aligns with their specific transfer structure. However, according to the Regulation, parties are not permitted to make amendments to the standard contractual clauses. Parties are required to complete the information in the annex of the standard contractual clauses, sign them, and submit them to the Board for approval.
4. Signing an undertaking between the parties, without signing a standard contractual clause, containing provisions that will provide adequate protection for the data transfer and the approval of the Board
The parties are free to enter into an undertaking concerning the protection and appropriate safeguards for cross-border transfers of personal data, and they may proceed with such transfers upon obtaining approval from the Board. The Regulation specifies the minimum requirements for the content of this undertaking. Cross-border transfer of personal data can commence only upon approval from the Board, not solely upon signing the agreement.
III. Exceptional Cross-Border Data Transfer Circumstances
In the absence of an adequacy decision or one of the appropriate safeguards, personal data may be transferred abroad under one of the exceptional circumstances defined in Article 16 of the Regulation, provided that the transfer is incidental. The Regulation defines an incidental transfer as “a transfer that is not regular, occurs only once or a few times, is not continuous, and is not within the ordinary course of business.” There are seven different exceptional circumstances defined in the Regulation. For instance, one such circumstance involves transferring data with the explicit consent of the data subject after informing them of the potential risks.
The Regulation came into force upon publication, and the former provisions of the PDPL governing cross-border data transfer will remain effective alongside the Regulation until 1 September 2024.