Sensitive and non-sensitive personal data can be transferred abroad with the data subject’s explicit consent.
Other legal grounds also apply to transferring personal data to a foreign country. The destination country must have “sufficient protection” to conclude the transfer abroad based on legal grounds other than explicit consent. The Board is expected to determine a list of jurisdictions that provide sufficient protection. The Board has confirmed that they have been working on the list of safe countries regarding the data transfer abroad, yet since the referred list is prepared based on reciprocity, for now, no foreign country has been announced to be safe by the Board.
According to the Law, if sufficient protection in the destination country for the realisation of the data transfer does not exist, both:
- The data controller in Turkey and the foreign country must provide a written commitment stating that sufficient data protection will be provided; and
- Authorisation must be obtained from the Board to transfer data to the relevant foreign country.
However, we have seen that obtaining a permit from the Board upon submitting a written commitment is not a transparent process, and there is no predictable timeline either as to when the parties may receive such a permit from the Board. Thus, making an application to the Board through the submission of commitments in and of itself, or submitting intercompany transfer agreements cannot be considered a sure way of securing data transfers to foreign countries. It would also be appropriate to note that a only a limited number of business enterprises have succeded in obtaining a permit to transfer data abroad.
As an alternative method for transferring data between multinational group companies where there is insufficient protection in the destination country, the Board introduced the concept of Binding Corporate Rules (“BCR”). Accordingly, Binding Corporate Rules may be submitted to the Board, and the Board’s approval may be obtained to transfer personal data legally between multinational group companies where explicit consent is not relied on (i.e. in cases where the processing of personal data may be made based on legal grounds other than explicit consent, i.e. execution of the agreement, the exercise of legal rights, or fulfilling legal requirements, etc.).
The fact that there is currently no quick solution for the transfer of personal data abroad except for obtaining explicit consent and that other common legal instruments, such as standard contractual clauses, alone are not adequate for the transfer of personal data abroad, reveals that an amendment to the Law is needed. Concrete steps are expected in the short term due to the effect this inexpediency has on commercial relations. Within this scope, it is seen that certain amendments to Article 9 on the transfer of personal data abroad are planned as a part of the proposed amendments to the Data Protection Law which the Board has shared with stakeholders in the sector.
The amendment in question proposes a three-step assessment system for transferring data abroad. Firstly, whether or not an adequacy decision has been issued specifically to the sector will be evaluated. In the absence of an adequacy decision held by the Board, personal data will only be transferred if one of the appropriate guarantees has been given. The Board may also ask for other undertakings. In the absence of an adequacy decision and the provision of relevant by the data controller, personal data can be transferred abroad solely in the exceptional cases listed below, within the scope of the proposed amendment.
(i) Adequacy Decision
In the presence of the legal grounds outlined in Articles 5 and 6 of the Data Protection Law and upon issuance of an adequacy decision relating to the country, sector, or international organisation within the country where the data is to be transferred (including onward transfers), personal data may be transferred abroad. The Board will grant an adequacy decision based on the reciprocity rule and other aspects.
(ii) Appropriate Undertakings
- (i) In the absence of an adequacy decision issued by the Board, personal data can be transferred abroad provided that one of the following undertakings is provided by the data controller:
- Notification to the Board with a standard undertaking, which the Board has also published,
- Submission of a written agreement to the Board, including protective measures that will be applicable and obtaining the Board’s permission,
- Presence of binding corporate rules and approval of the BCRs by the Board,
- Presence of provisions on the protection of personal data in agreements to be executed between the public entities and bodies in Turkey and the corresponding public entities and bodies in the foreign country where the personal data is to be transferred and obtaining the Board’s permission.
Finally, in cases where an adequacy decision has not been issued or the data controller does not provide the necessary undertakings, the data transfer may only be made in exceptional cases based on the following conditions:
- (i) Upon explicit consent of the data subject after informing him/her about the potential risks originating from the absence of appropriate undertakings,
- (ii) transfer of personal data of the contracting parties is obligatory provided that such transfer is directly related to the establishment or performance of the contract,
- (iii) conclusion or performance of a contract that is executed for the benefit of this party data subject, under which transfer of the contracting parties’ personal data is obligatory,
- (iv) data transfer is mandatory for the protection of the life or bodily integrity of a person who is incapable of giving consent or whose consent is not legally valid or of another person,
- (v) data transfer is obligatory for the establishment, exercise or protection of a legal right, and
- (vi) solely as a temporary case, transfer of personal data is obligatory to perform duties and powers of public bodies and organisations or professional institutions with public duties, as outlined in the relevant regulations.
The above amendments are yet to proposed and enacted. However, it is a meaningful development in that the deficiency we pointed out has also been accepted by the Board, and that they have been working to remedy it.