Turkey: Decision of the Turkish Data Protection Board sheds light on cross-border data transfers without explicit consent


On 4 September 2020, the Turkish Data Protection Authority ("DPA") published a summary of the Turkish Data Protection Board’s ("Board") decision number 2020/559 of 22 July 2020 on cross-border data transfers carried out without explicit consent. The Board's decision has significant implications as it clarifies that signing the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Convention 108") does not necessarily guarantee "adequate protection in the foreign state concerned" in the case of cross-border data transfers.

The case concerns a complaint by a data subject alleging that a data processor transferred her personal data abroad without obtaining her explicit consent. Upon review, the Board found that the data processor had failed to obtain informed, freely given consent specifically for the purpose of transferring the personal data abroad.

The data processor argued that it nonetheless had a lawful basis for the cross-border transfer of data without explicit consent because, according to the Turkish Data Protection Law, (i) it was "necessary for its legitimate interests", (ii) "the fundamental rights and freedoms of the data subject were not prejudiced", and (iii) there were "sufficient protections in the foreign country concerned" as both the sending and receiving entities were located in jurisdictions that had ratified Convention 108.

The law defines certain legal bases on which personal data may be transferred abroad without explicit consent. However, if a transfer is made without consent, one of the following conditions must be met for a proper transfer of personal data:

  1. There is adequate protection of personal data in the said jurisdiction and the transfer is based on a legal basis other than consent (e.g. legitimate interest); or
  2. If there is no sufficient protection in the recipient country, the Turkish and the foreign data controller undertake to ensure adequate protection of the personal data and the data protection authority allows the transfer.

In this case, the Board assessed that the data processor did not have a sufficient legal basis because it failed to explain its legitimate interests and to balance them against the fundamental rights and freedoms of the data subject.

With regard to the argument that there was sufficient protection of personal data in the foreign jurisdiction in question, the Board held that the signing of Convention 108 was merely a positive factor that it would take into account in its assessment of whether there was sufficient protection of personal data in the jurisdiction where the recipient was established, and that the mere signing of Convention 108 did not automatically qualify a jurisdiction as one with sufficient protection of personal data.

Therefore, the authority finally decided that this cross-border data transfer without consent as a legal basis violated the law and imposed a fine of TRY 900,000.00 (EUR 94,690.00) on the data controller for this violation of the Turkish Data Protection Law.

For more information on how the DPA's decision on cross-border data transfers affects your business, please contact your regular CMS advisor or CMS local experts: Dr. Döne Yalçın or Sinan Abra.