According to Article 9 of the Data Protection Law, personal data may be transferred abroad solely (i) on the condition that explicit consent of the data subject has been obtained or (ii) provided that one of the conditions outlined in the second paragraph of Article 5 and the third paragraph of Article 6 of the Data Protection Law exists (other than explicit consent) and sufficient protection is provided in the foreign country where the data is to be transferred. As the DPA has not yet issued a safe country list, the latter’s application is not possible.
The amendment in question proposes a three-step assessment system for transferring data abroad. Within this scope, it will first be evaluated whether an adequacy decision has been issued specifically to the sector. In the absence of an adequacy decision issued by the DPA, personal data will be transferred if one of the appropriate guarantees has been given. Also, the Board may ask for other undertakings. In the absence of an adequacy decision and relevant undertakings provided by the data controller, personal data can be transferred abroad solely in the exceptional cases listed below, within the scope of the proposed amendment.
(i) Adequacy Decision
In the presence of the legal grounds outlined in Articles 5 and 6 of the Data Protection Law and upon issuance of an adequacy decision relating to the country, sector or international organisation within the country where the data is to be transferred (including onward transfers), personal data may be transferred abroad. The Board will grant an adequacy decision based on the reciprocity rule and consider other aspects.
(ii) Appropriate Undertakings
In the absence of an adequacy decision issued by the Board, personal data can be transferred abroad provided that one of the following appropriate undertakings is granted by the data controller:
- Notification to the Board with a standard undertaking, which the Board has also published,
- Submission of a written agreement to the Board, including protective measures that will be applicable and obtaining the Board’s permission,
- Presence of binding corporate rules and approval of the BCRs by the Board,
- Presence of provisions on the protection of personal data in agreements to be executed between the public entities and bodies in Turkey and the corresponding public entities and bodies in the foreign country where the personal data is to be transferred and obtaining the Board’s permission.
Finally, in cases where an adequacy decision has not been issued, or the data controller does not provide related undertakings, it is proposed that data transfer will be made in the exceptional cases based on the following conditions:
- Upon explicit consent of the data subject after informing him/her about the potential risks originating from absence of appropriate undertakings,
- transfer of personal data of the contracting parties is obligatory provided that such transfer is directly related to establishment or performance of the contract,
- conclusion or performance of a contract that is executed for the benefit of this party data subject, under which transfer of the contracting parties’ personal data is obligatory,
- data transfer is mandatory for protection of the life or bodily integrity of a person, who is incapable of giving consent or whose consent is not legally valid, or of another person,
- data transfer is obligatory for establishment, exercise or protection of a legal right, and
- solely as a temporary case, transfer of personal data is obligatory for the performance of duties and powers of public bodies and organisations or professional institutions with public duties, as outlined in the relevant regulations.