TRANSFER
Article 9 of the Law on the Protection of Personal Data (“LPPD”), which regulates cross-border personal data transfer, was amended on March 12, 2024, in order to eliminate legal issues regarding cross-border personal data transfer and to comply with the GDPR. The amendment to the law stipulates that secondary regulation shall be enacted for the purpose of implementing the mentioned article. In this context, the Regulation on the Procedures and Principles Regarding the Cross-Border Personal Data Transfer (“Regulation”) was published in the Official Gazette dated July 10, 2024 and numbered 32589 and entered into force. Information about the regulations introduced by theRegulation is shared below.
Within the scope of the Regulation, the following general rules shall be implemented regarding cross-border personal data transfer.
- In order to use the personal data transfer opportunities shown in the table below, the existence of one of the legal reasons in Article 5 or 6 of the LPPD is also required.
- Personal data may also be transferred cross-border by a data processor under the instruction of a data controller. In such cases, the data controller shall be responsible for the legality of the personal data transfer.
- Compliance with the rules regarding cross-border personal data transfer is not only in the first transfer cross-border; It will also find application to subsequent transfers. For example, when a contract is made with a cloud computing service provider, all persons (such as group companies or subcontractors) to whom the cloud computing provider transfers data shall also comply with the requirements of the Law and the Regulation.
The opportunities for private sector actors to transfer personal data cross-border under the Regulation are shown in the table below:
Personal Data Transfer Basis | Legal Instrument to be used | Board[1] Involvement | Comments |
Adequacy decisions on countries, sectors or international organizations | N/A | The qualification decision shall be made by the Board according to the conditions specified in the LPPD and the Regulation. | Since reciprocity is still required for the qualification decision, no significant change is expected compared to the situation before the law change. |
Providing appropriate safeguards, provided that data subjects have the opportunity to exercise their rights and apply for effective legal remedies in the | The existence of an agreement that is not an international contract between Turkish and foreign public institutions and organizations and professional organizations. | Board’s permission is required. | It is envisaged that these newly envisaged data transfer opportunities crossborder will facilitate cross-border personal data transfer. |
country where the transfer will be made | Binding corporate rules signed between companies engaged in joint economic activity. | Board’s permission is required. | On the other hand, since the use of the possibility of explicit consent has been made exceptional, data controllers will need to significantly change their current practices. |
The existence of a standard contract between the parties to the transfer. | Draft standard contracts shall be published by the Board. Each signed standard contract must be notified to the Board within 5 business days[2]. Any amendment or termination of the standard contract is subject to the same notification requirement. | ||
The signing of a letter of undertaking between the parties on the provision of an adequate level of protection. | Board’s permission is required. | ||
Derogations about cross-border transfers may be available if appropriate safeguards are not provided | Obtaining explicit consent provided that the data subject is informed about the risks arising from the transfer cross-border. | The Board does not have any involvement in derogations about personal data transfer opportunities. | Derogations about cross-border transfers shall be available in incidental circumstances. Incidental transfers are defined in the Regulation as transfers that occur on a single or a few occasions, are not continuous and are not in the ordinary course of activity. Therefore, it is considered that derogations about cross-border transfers will not provide any benefit in terms of main or regular data transfers of companies. |
The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the measures taken prior to the contract upon the request of the data subject. | |||
The transfer is mandatory for the establishment or performance of a contract between the data controller and a third party for the benefit of the data subject. | |||
The transfer is mandatory for an overriding public interest. | |||
The transfer is mandatory for the establishment, exercise or protection of a right. | |||
The transfer is mandatory for the protection of the life of persons who cannot give their consent due to actual impossibility. |
Transfer to the public or to persons with legitimate interests within the scope of open registries. |
[1] Personal Data Protection Board.
[2] Which data transfer party will make the notification in question can be determined by the contract. If there is no such provision, the notification must be made by the data exporter.