In lieu of a comprehensive list of countries that personal data can be transferred to freely, the procedure for data transfers outside of Turkey is more complicated than most. Begüm Okumuş and Selin Başaran Savuran, Managing Associate and Senior Associate respectively at Gün + Partners, explore this process and how it is likely to evolve in the future.
In an increasingly digitalised and globalised world, the need for transferring personal data abroad is inevitable and increasing day by day. Thus, the issue of transferring personal data abroad is of great importance for data controllers in Turkey, as in the rest of the world.
This article aims to provide information about the transfer of personal data abroad based on commitments to be approved by the Board pursuant to the Law on Protection of Personal Data No. 6698 ('the Law').
Transfer of personal data abroad within the scope of the Law
Pursuant to Article 9 of the Law, in principle personal data can be transferred abroad only with the explicit consent of the data subject. However, personal data may be transferred abroad without explicit consent of the data subject provided that one of the conditions set forth in Article 5(2) and Article 6(3) of the Law exists, which are the legal bases by which data controllers can process personal data and personal data of special nature without the need for consent. Moreover, it must be the case that sufficient protection is provided in the foreign country where the data is to be transferred or, where such protection is not provided, the controllers in Turkey and those in the related foreign country must guarantee sufficient protection in writing with the Board authorising such transfer.
As obtaining explicit consent of data subjects is difficult in practice and burdensome in most cases, using other options stipulated under the Law for the transfer of personal data abroad is very important for data controllers. One of the options is related to transfers to be made to secure countries; however, the secure country list has not yet been published by the Board and is not expected to be published any time soon.
Therefore, the only option that data controllers can benefit from is to prepare a commitment related to data transfers abroad and obtain an approval from the Board for such commitment. However, as explained in detail below, it is not easy to obtain such approval.
Developments regarding commitment mechanism
The Law allows transfers of personal data abroad based on a commitment; however, the Law does not include any detail concerning the content or the approval process of the commitment. Thus, in May 2018, the Personal Data Protection Authority ('KVKK') published commitment templates that include minimum elements to be covered therein. Following the publication of these templates, data controllers started to apply to the Board, but for a very long time could not get any result regarding their applications.
In May 2021, the KVKK made an announcement explaining important issues to be considered while preparing commitments and making an application to the Board in relation to the transfer of personal data abroad.
Following the above developments, the first commitment belonging to a fleet car rental company was approved by the Board in December 2020 and two more commitments were approved in 2021.
General information about the commitment templates
In May 2018, the Board published two separate commitment templates; one of the templates should be used for data transfers from a data controller in Turkey to a data controller located abroad and the other template should be used for data transfers from a data controller in Turkey to a data processor located abroad.
The relationship between the parties of the transfer should be determined correctly and the appropriate commitment template published by the Board must be used. The commitments must be prepared, submitted to, and approved by the Board before commencing any data transfer abroad. Detailed explanations concerning the legal status of the parties and substantiating documents (if any) showing the relationship between them should be provided to the Board as well.
Commitment templates consist of two parts, a part regulating the rights and obligations of the parties and an annex that must contain the details of the transfer to be made.
The first part of templates includes general and reasonable provisions which regulate the obligations and rights of the data controller who transfers personal data abroad and the data controller/data processor who receives the transferred personal data. Concerning the second part of templates, parties must fill in detailed information under the headings provided in the templates.
Obligations and rights of parties under the commitment
Both commitment templates to be used for data transfers to a data controller as well as to a data processor include similar provisions and undertakings. According to the requirements of the Board, while preparing the commitment, the parties to the commitment must include the same provisions as in the commitment templates published by the Board. In other words, the transferring party and the receiving party are not allowed to use their own contract/commitment templates concerning data transfers. However, if they would like to include additional provisions, such additional provisions can be included under a separate section titled 'additional provisions'. Alternatively, if there are other contracts signed between transferring party and receiving party in relation to data transfers, those documents can be provided additionally to the Board for their information.
The obligations of transferring party in both templates mainly include undertakings regarding:
- compliance with the Law and other relevant legislation,
- taking necessary technical and organisational measures for providing appropriate level of security for the purposes of preventing unlawful processing of personal data and unlawful access to personal data and ensuring the protection of personal data;
- providing necessary information/instructions to receiving party about relevant legislation;
- notifying the Board in case of a data breach;
- informing the Board about any notifications of the receiving party and issues arising from fulfilment of the provisions of the commitment by the receiving party;
- providing necessary documents and information to data subjects and the Board in case of any question; and
- having the commitment approved by the Board before transferring any personal data abroad.
The obligations of the receiving party in both templates mainly include the below undertakings regarding:
- compliance with the Law and other relevant legislation as well as decisions and opinions of the Board, provisions of the commitment, and the instructions of transferring party in case receiving party is a data processor;
- taking necessary technical and organisational measures for providing an appropriate level of security for the purposes of preventing unlawful processing of personal data and unlawful access to personal data and ensuring the protection of personal data;
- informing the transferring party in case of any legislative changes affecting fulfilment of the provisions of the commitment, any requests from judicial authorities, or any data breaches;
- duly responding to the questions of transferring party;
- enabling the transferring party to conduct audits;
- sending the personal data subject to the transfer back to transferring party along with its backup or destroying the personal data entirely upon termination or expiration of the term of the commitment; and
- informing and obtaining consent of transferring party if the receiving party has to transfer the personal data subject to the commitment to a subcontractor, and including at least the same provisions in the subcontractor agreement.
Both the transferring party and the receiving party undertake not to disclose personal data to third parties in violation of the Law and not to use such data for any purpose other than processing purposes, and this obligation is for an unlimited period.
The commitment gives the transferring party the right to temporarily suspend or terminate the commitment in certain situations (e.g. if the receiving party breaches its obligations under the commitment) and if the commitment is suspended or terminated, the transferring party must inform the Board within the shortest time.
Detailed information concerning data transfer activity
In addition to the rights and obligations explained above, the Board requires parties of the commitment to submit a detailed document in the annex of the commitment, which includes information about data subject groups, data categories, purposes of data transfer, legal bases for data transfer, recipient groups, technical and organisational measures including additional measures taken for sensitive personal data, information about registration of transferring party in the Data Controllers Registry Information System ('VERBİS'), contact information, and additional information such as storage periods. Parties must establish a connection among this information (e.g. by using a table).
While preparing this annex, clear information should be included and ambiguous expressions or expressions such as 'like, etc.' should be avoided.
One of the most critical parts required to be included in this annex is the legal bases of the data transfers. In this section, the parties to the commitment must provide information about which personal data processing conditions (legal bases) specified in Article 5(2) and Article 6(3) of the Law are used for the data transfer together with justifications for using such legal bases.
Any data transfers abroad which are based on explicit consent cannot be subject to the commitment. Only data transfers that are based on the legal bases regulated under Article 5(2) and Article 6(3) of the Law (these are the legal bases based on which data controllers can process personal data and personal data of special nature without a need for consent) can be subject of a commitment.
In case the data transfer is made, the parties must apply the balance test according to the criteria published by the Board and the positive outcome of the balance test must be shown in the annex in detail. This is pursuant to Article 5(2)(f) of the Law, which provides that processing must be mandatory for the legitimate interests of the controller, but also shall not violate the fundamental rights and freedoms of the data subject.
With regard to the recipient and recipient groups, information about the transfers made by the receiving party to data controllers or data processors in the country where the receiving party is located must be provided. The Board requires that onward transfers to any data controller must be limited to the transfers made to authorised authorities and institutions (e.g. courts, public authorities, and institutions) in the scope of the legal obligations of the receiving party under the relevant legislation.
On the other hand, in the scope of the commitment personal data cannot be transferred to any data controller in the country of residence of the receiving party other than specified above or to any data controller or a data processor outside the country of residence of the receiving party. For this type of data transfer, separate commitments must be signed with these data controllers or data processors. Alternatively, one single commitment can be signed by the receiving party and these data controllers or data processors by explaining the details and differences of each data transfer clearly.
With regard to the technical and administrative measures to be taken while processing personal data, the Personal Data Security Guidelines (Technical and Organisational Measures) published by the KVKK and the decision of the KVKK regarding Adequate Measures to be taken by Data Controllers While Processing of Personal Data of Special Nature should be taken into consideration. Furthermore, certifying documents concerning the technical and organisational measures undertaken must be provided together with the commitment.
Finally, the period of processing of personal data must be specified, including at least the maximum period together with its justification. In case there is a retention period arising from the legislation, information about the relevant legislation must also be provided. In the absence of a retention period stipulated in the legislation, the reason behind the retention period should be clearly stated using the criteria explained as well.
Procedural issues to be considered for the commitment application
There are also procedural issues that the applicants must take into account. The Board gives importance to procedural issues as much as the content of the commitments. Important procedural issues to be considered while making an application to the Board are explained below:
- Parties to the commitment must include the same terminology used in the Law.
- The future tense should be used in sentences containing commitments.
- Signature and stamp of the signatories of the commitment must be placed at the end of the commitment and its annex(es) and each page must be initialed by the signatories.
- Name, surname, address, and signature of the person(s) authorised to represent and bind the parties of the commitment together with the documents proving their signature authority (e.g. original or certified copy of the signature circular) must be attached. In applications to be made by a proxy, the original or certified copy of the power of attorney must be submitted.
- Any supporting documents (e.g. signature circulars, power of attorney) issued abroad must be notarised and legalised in the relevant country (i.e. must be apostilled if it is issued in a country party to the 1961 Hague Convention Abolishing the Requirement of Legalization for Foreign Public Documents or must be legalised by following the process for the documents to be legally valid in Turkey).
- Notarised Turkish translation of all documents prepared in a foreign language must be submitted.
Commitment is an important mechanism for the transfer of personal data outside of Turkey; however, it could not be used effectively until now since clarification of the application and evaluation processes related to commitments took a long time. On the other hand, since the procedures and requirements requested by the Board have become clearer now, the use of the commitment mechanism is expected to increase in the coming days. However, it must be noted that until the approval is granted by the Board, personal data must be transferred in line with the Law, meaning that explicit consent can stay on the agenda of the data controllers for some more time or at least until approval is obtained. To be able to conclude the approval process effectively, data controllers must pay utmost attention to comply with the requirements and procedures regulated by the commitment templates and announcements of the Board. As submission of global data transfer agreements with a Turkish translation will not work, the parties must comply with the Board's instructions and procedural steps in this respect.
As a separate note, recently it has been announced in the new Economic Reform Package in Turkey that necessary amendments will be made to the Law concerning the transfer of personal data abroad, taking into account the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') until the end of March 2022. Although the extent of the amendments to be made is currently unknown, certain amendments may be expected to facilitate the transfer of personal data abroad through the commitment mechanism as well.
First published by OneTrust DataGuidance, on 09.07.2021