Türkiye adopts new legal framework for cross-border transfer of personal data


On 12 March 2024, Türkiye adopted significant changes to its Data Protection Law (DPL) concerning conditions for processing special categories of personal data, conditions for transferring personal data abroad, and legal remedies for aligning with the EU's General Data Protection Regulation (GDPR).

The changes regarding the cross-border transfer of personal data were also detailed in the Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad. This article provides a comprehensive overview of these legal changes, highlighting the new mechanisms and frameworks established for cross-border data transfers, including adequacy decisions, appropriate safeguards, standard contractual clauses, and binding corporate rules.

Key changes in the legislation

The emphasis on obtaining clear consent for the cross-border transfer of personal data has been discarded. Instead, these amendments establish specific requirements that data controllers and processors must meet in order to carry out such transfers. Under these amendments, there are three different alternatives for the transfer of personal data abroad:

  1. A transfer based on an adequacy decision when at least one of the conditions for processing personal data or the special categories of personal data exists;
  2. A transfer based on appropriate safeguards when at least one of the conditions for processing personal data or special categories of personal data exists, provided that the data subject has the opportunity to exercise his or her rights and apply for effective legal remedies in the country where the transfer will be made; and
  3. A transfer based on exceptional circumstances.

The conditions for processing personal data, at least one of which must exist for the first two alternatives listed above to apply to the cross-border transfer of personal data, are listed below:

  • It is expressly provided for by law;
  • It is necessary for the protection of life or physical integrity of the individual, or of any other person who is unable to express consent due to physical disability or whose consent is not deemed legally valid;
  • It is necessary to process the personal data of the parties of a contract, provided that the data processing is directly related to the establishment or performance of the contract;
  • It is necessary for compliance with a legal obligation the data controller is subject to;
  • The data subject made the personal data public;
  • Data processing is necessary for the establishment, exercise or protection of any right; and
  • Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing does not violate the fundamental rights and freedoms of the data subject.

In addition to the conditions listed above, the following three additional conditions must be met for the cross-border transfer of special categories of personal data. Note that special categories of personal data relate to race; ethnic origin; political opinion; philosophical beliefs; other beliefs; religion; association with a religious sect; appearance; membership with associations, foundations or trade-unions; health; sexual activity; criminal convictions; security measures; and biometric and genetic data.

  • The processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, as well as planning, management and financing of health services by persons under the obligation to keep information confidential or by authorised institutions and organisations;
  • The processing is mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance; and
  • The processing applies to current or former members of foundations, associations and other non-profit organisations or formations established for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organisations and formations, provided that they comply with the legislation to which they are subject and their purposes are limited to their fields of activity and are not disclosed to third parties.

I. Adequacy Decisions

Similar to the eighth paragraph of Article 45 of the GDPR entitled “Transfers based on an adequacy decision”, under the new legal framework the Data Protection Board may issue adequacy decisions for countries, international organisations and sectors within the country. In addition, cross-border data transfer may be carried out in accordance with any relevant Board decision. Unlike the former version of the provision, it is now possible to issue an adequacy decision for a sector within a third country or for an international organisation, instead of the entire country. While issuing the adequacy decision, the Board will continue to consider the following criteria:

  • The reciprocity status regarding the transfer of personal data between Türkiye and the country, sectors within the country or international organisations to which personal data will be transferred;
  • The data protection laws and practices in the receiving country, and the rules governing the international organisation to which personal data will be transferred;
  • The presence of independent and effective data protection authorities and administrative and judicial remedies in the receiving country;
  • The status of the country or international organisation to which personal data will be transferred as a party to international conventions on the protection of personal data or as a member of international organisations;
  • The membership status of the country or international organisation to which personal data will be transferred to global or regional organisations of which Türkiye is a member; and
  • The international conventions to which Türkiye is a party.

Adequacy decisions are reviewed at least every four years, and any changes or suspensions to these decisions will be published in the Official Gazette and on the Data Protection Authority’s website.

II. Appropriate Safeguards

In the absence of an adequacy decision, personal data can be transferred abroad if appropriate safeguards are in place, provided that data subjects can exercise their rights and access effective legal remedies in the receiving country. The Regulation details the following mechanisms for providing these safeguards:

  1. Non-International Agreements: The Regulation states that appropriate safeguards for personal data transfers can be established through non-international agreements. These agreements pertain to data transfers between public institutions and public organisations or professional organisations with public institution status in Türkiye, and public institutions and organisations or international organisations abroad. The Board must be consulted during the negotiation process of the agreement. The agreement must bear the minimum elements set out in the Regulation, and the Board must approve the personal data transfer process.
     
  2. Binding Corporate Rules (BCRs): Companies within the relevant enterprise engaged in joint economic activities (i.e. affiliates in a group of companies, such as multinational companies) can implement BCRs to ensure data protection within their corporate group. The BCRs must bear the minimum elements set out in the Regulation, and the Board must approve the personal data transfer process. Necessary documents, if they are in a foreign language, must be submitted with notarised Turkish translations. If the BCRs are drafted in a foreign language, the Turkish versions will prevail.

    Additionally, the Authority released two types of application forms for BCRs for intra-group transfers of data controllers and processors, along with supplementary guidelines consistent with the GDPR's documents.
     
  3. Standard Contractual Clauses (SCCs): The most significant amendment for data controllers and data processors is the acceptance of a mechanism similar to the "Standard Contractual Clauses" as per the GDPR. If SCCs published by the Authority on 10 July 2024 are, without modification, signed between the parties involved in cross-border transfers of personal data, personal data may be transferred abroad without explicit consent. Unlike under the EU's GDPR, however, the relevant contracts must be reported to the Authority within five business days following the completion of the signing phase through the methods specified in the Regulation. If the SCCs are drafted in a foreign language, the Turkish versions will prevail. In the event of a subsequent amendment or termination of the SCCs reviewed by the Board, the Authority must be notified again within five business days through the methods specified in the Regulation. Anyone failing to fulfil the notification obligation will be subject to an administrative fine from TRY 50,000 to TRY 1 million (approximately EUR 1,500 to EUR 30,000).

    Furthermore, consistent with the GDPR, the Authority has issued four types of SCCs for data transfers: controller to controller, controller to processor, processor to processor, and processor to controller. While SCCs from the Authority are largely similar to those under the GDPR, they may differ in the case of specific legal requirements, such as data breach notifications and transparency exceptions. Unlike the GDPR, SCCs from the Authority only permit agreements between a single data exporter and a single data importer, and do not include provisions for multiple parties.
     
  4. Undertaking Letters: Undertaking letters must bear the minimum elements set out in the Regulation, and the Board must approve the personal data transfer process.

III. Exceptional Transfers

The Regulation also defines specific circumstances under which personal data can be transferred abroad, in the absence of an adequacy decision and if appropriate safeguards cannot be ensured, provided these transfers are incidental and infrequent and not part of regular business operations. These exceptional transfers are permissible when:

  • The data subjects give explicit consent to the transfer after being informed about potential risks;
  • The transfer is necessary for the required performance of a contract between the data subject and the data controller, or for the implementation of preliminary actions to be taken upon the data subject's request before execution of a contract;
  • The transfer is required for establishment or performance of a contract between the data controller and another individual or legal entity for the benefit of the relevant data subject;
  • The transfer is necessary for an overriding public interest where the transfer is required for establishment, use and protection of a right;
  • The transfer is mandatory for the establishment, exercise or protection of a right;
  • The transfer is necessary to protect the life or physical integrity of the data subject or another person who is unable to give consent due to physical limitations or whose consent is not legally valid; and
  • The transfer is made from a publicly available register intended for access by the public or persons having a legitimate interest, provided that the conditions laid down by law for access are met and the persons having a legitimate interest request access to the relevant data.

Conclusion

Although the relevant provisions amending the DPL entered into force on 1 June 2024, a transition period was introduced for cross-border transfer of personal data. Consequently, explicit consents obtained for cross-border transfer of personal data will remain valid until 1 September 2024. Data controllers and data processors, however, must review their cross-border transfer procedures in accordance with the amended DPL and the Regulation, determine the appropriate transfer mechanisms, and complete their compliance processes by the given deadline.

For more information on the new legal framework of cross-border transfer of personal data and its impact on your company or business, contact your CMS client partner or CMS experts.