Amendments to the Law on the Protection of Personal Data

The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) entered into force after being published in the Official Gazette on 10.07.2024.

Law No. 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws (“Law Amendment”), which entered into force after being published in the Official Gazette on 12.03.2024, envisaged certain amendments to the Law on the Protection of Personal Data No. 6698 (“Law”). These amendments were implemented through the Regulation and led to changes in the Law.

The Regulation, established by the amendments to the Law, regulates in detail the procedures and principles to be considered in transferring data abroad.

Regulations and Amendments Introduced by the Regulation

1.    General Principles

Under the general provisions regulating the transfer of personal data abroad, the procedures and principles to be followed in data transfer are detailed. In this respect, personal data may only be transferred abroad by the data controller and the data processor by the procedures and principles stipulated in the Law and the Regulation.

For data transfer abroad, the data controller and processor must act according to the conditions set out in the Law and the Regulation. If the specified conditions and appropriate conditions are met together, data transfer abroad can be realized. Applying the explicit consent condition based on the Law will take a back seat in the presence of the conditions determined by the Regulation. The necessary conditions are regulated in Article 9 of the Regulation and are as follows:

• Qualification decision on the country of transfer, sectors within the country or international organizations

• If an adequacy decision is not available, one of the appropriate safeguards must be provided by the parties, provided that the person concerned has the opportunity to exercise his or her rights and to seek an effective remedy in the country of transfer

• If appropriate assurance cannot be provided, it is regulated that personal data may be transferred abroad only in exceptional cases

Article 6 of the Regulation stipulates that, without prejudice to the provisions of international agreements, personal data may be transferred abroad only with the consent of the Personal Data Protection Board (“Board”), after obtaining the opinion of the relevant public institution or organization, in cases where the interests of Turkey or the person concerned would be seriously harmed if the personal data were transferred abroad.

2.    Transfers Based on Qualification Decision

According to Article 8 of the Regulation, the Board decides whether a country, one or more sectors within the country, or an international organization provides adequate protection for the transfer of personal data abroad. The following considerations are taken into account when making an adequacy decision:

• Whether there is reciprocity between countries in data transfer

• The relevant legislation and practice of the country to which personal data will be transferred or the rules to which the international organization is subject

• Whether the country or international organization to which personal data will be transferred has an independent and effective data protection authority and administrative and judicial remedies, whether it is a party to international conventions or international organizations, and its membership to global or regional organizations of which Turkey is a member is taken into consideration

The qualification decision is re-evaluated at the latest every four years. The re-evaluation periods shall be specified in the relevant qualification decision. If the Board determines that the relevant country, one or more sectors within the country, or an international organization does not provide adequate protection as a result of the re-evaluation, it may amend, suspend, or revoke the decision with prospective effect. However, the Board may revise, suspend, or revoke the adequacy decision with prospective effect if it deems necessary, without being bound by the reassessment period.

3.    Transfers Based on Appropriate Safeguards

In case there is no adequate decision on the country, sectors within the country, or international organizations to which personal data will be transferred, explicit consent is sought by seeking the existence of one of the conditions specified in Articles 5 and 6 of the Law. Provided that the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country of transfer, personal data may be transferred abroad only if one of the following appropriate safeguards is provided by the transfer parties:

• Agreements that are not International Contracts (“Agreements”): The agreement is concluded between public institutions and organizations or international organizations abroad and public institutions and organizations or public professional organizations in Turkey and the transfer is authorized by the Board.

• Binding Corporate Rules (“Rules”): The existence of binding corporate rules approved by the Board and containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with.

• Standard Contracts (“Contracts”): Existence of a standard contract announced by the Board, including data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data.

• Written Undertakings (“Undertakings”): Existence of a written undertaking containing provisions to ensure adequate protection and authorization of the transfer by the Board.

Article 15 of the Regulation points out the elements that should be included in the content of the letter of undertaking and states that “appropriate assurance may be provided utilizing provisions for the protection of personal data to be included in a written letter of undertaking to be concluded between the transfer parties”.

4.    Exceptional Transfers

Personal data may be transferred abroad only in the presence of one of the exceptional transfer situations, provided that it is incidental in the absence of an adequacy decision and appropriate assurance cannot be provided.

Transfers that are not regular, occur once or a few times, are not continuous, and are not in the ordinary course of business are incidental.

Article 16 of the Regulation defines exceptional transfers:

a) Explicit consent of the data subject to the transfer by informing him/her about the possible risks

b) The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures

c) The transfer is necessary for the conclusion or performance of a contract for the benefit of the person concerned

ç) The transfer is mandatory for a superior public interest

d) The transfer is mandatory for the establishment, exercise, or protection of a right

e) It is mandatory to transfer personal data for the protection of the life or physical integrity of the person who is unable to disclose his consent or whose consent is not legally valid, or of another person

f) The transfer is made from a register that is open to the public or persons with a legitimate interest

5.    Conclusion

With the amendments introduced by the Regulation, the principle of explicit consent in the transfer of personal data abroad has taken a back seat and it is regulated that transfer abroad can be made if certain conditions are met and certain procedures are applied.

Within this scope, three different methods have been determined:

1. Transfers based on an adequacy decision

2. Transfers based on the eligibility principle

3. Exceptional transfers

Following this procedure, data may be transferred abroad only when the data subject is sufficiently informed, his/her rights are protected the conditions set out in the Regulation are complied with, and appropriate assurance is provided. If the relevant conditions are not met, personal data may be transferred abroad only and only in exceptional cases.

For access to the Regulation (in Turkish): https://www.resmigazete.gov.tr/eskiler/2024/07/20240710-2.htm 

For access to the With the decision of the Personal Data Protection Board dated 4/6/2024 and numbered 2024/959 (in Turkish), auxiliary guidelines on the basic issues that should be included in the standard contract texts and binding company rules to be used in the transfer of personal data abroad: https://www.kvkk.gov.tr/Icerik/7938/Standart-Sozlesmeler-ve-Baglayici-Sirket-Kurallarina-Iliskin-Dokumanlar-Hakkinda-Kamuoyu-Duyurusu 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. 

For further clarification or to address specific inquiries, you can contact us.