The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad introduced important rules regarding the principles to be followed in the transfer of personal data abroad and the existence of an adequacy decision on the country, sectors within the country or international organizations to which the transfer will be made within the scope of these principles.
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”), published in the Official Gazette dated July 10, 2024 and numbered 32598, and effective from the date of publication, introduced a new regulation on the transfer of personal data abroad by the data controller and the data processor and the application permissions of the Personal Data Protection Board (“Board”) in accordance with Article 9 of the Personal Data Protection Law No. 6698 (“Law”).
The Regulation will be implemented by the President of the Personal Data Protection Authority.
Notable amendments introduced with the Regulation are as follows:
- The purpose of the Regulation is to set out the rules on the transfer of personal data abroad.
- In relation to the transfer of data abroad, the Board may make an adequacy decision on certain countries, sectors or international organizations that provide an adequate level of protection. These decisions are re-evaluated every four years at the latest and published in the Official Gazette.
- When making an adequacy decision, the following issues are taken into account: the reciprocity between Turkey and the country to which the personal data will be transferred; the legislation and practice of the country to which the personal data will be transferred and the rules of the international organization; the existence of an independent and effective data protection institution in the country or international organization to which the personal data will be transferred and the availability of administrative and judicial remedies; whether the country or international organization to which the personal data will be transferred is a party to international conventions or a member of international organizations; whether the country or international organization to which the personal data will be transferred is a member of global or regional organizations of which Turkey is a member; and international conventions to which Turkey is a party.
- In the absence of an adequacy decision, personal data may be transferred abroad provided that the conditions specified in Articles 5 and 6 of the Law are met and the data subject has the opportunity to exercise his/her rights. This transfer is possible if certain appropriate safeguards are provided.
- These safeguards are the following: agreements between public institutions or international organizations in Turkey and abroad and authorized by the Board; binding corporate rules approved by the Board, which must be complied with by the companies of the group of undertakings engaged in joint economic activities; standard contracts announced by the Board; a written undertaking that provides adequate protection by the Board.
- Provisions on the protection of personal data to be included in agreements that are not international conventions may provide appropriate safeguards for personal data transfers between public institutions in Turkey, professional organizations in the nature of public institutions and public institutions or international organizations in foreign countries. These agreements shall be signed between the parties to the personal data transfer. During the negotiation process of the agreement, the Board’s opinion is consulted, and the transfer is realized after permission is granted.
- Binding corporate rules may provide appropriate safeguards for the protection of personal data that companies within a group of undertakings engaged in joint economic activities are obliged to comply with.
- In order to transfer personal data abroad on the basis of binding corporate rules, an application shall be made for the Board’s approval.
- Appropriate assurance can be provided through a standard contract that includes data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data. The standard contract shall be determined and announced by the Board and shall be used without modification.
- Appropriate assurance may be provided by provisions for the protection of personal data to be included in a written commitment letter between the transfer parties. The transfer shall be made after obtaining the Board’s authorization for data transfer based on the letter of undertaking.
- In the absence of an adequacy decision and if the appropriate safeguards provided for in the Regulation cannot be provided, personal data may be transferred abroad in certain exceptional circumstances. These exceptional circumstances include: the data subject’s explicit consent to the transfer provided that he/she is informed about the possible risks; the transfer is mandatory for a superior public interest; the transfer of personal data is necessary for the establishment, exercise or protection of a right; the transfer of data is mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
- Data processors are obliged to take the necessary technical and administrative measures to prevent unlawful processing and access to personal data. In addition, the transfer of data abroad by data processors does not eliminate the responsibility of the data controller.
The full text of the Regulation can be reached via this link. (Only available in Turkish)