Procedures and Principles regarding the Transfer of Personal Data Abroad Regulated
Pursuant to the Law No. 7499 published in the Official Gazette dated 12.03.2024, important amendments were introduced to the Personal Data Protection Law (“Law”) regarding the processing of special categories of personal data and the transfer of personal data abroad. The amendments regarding the transfer of personal data abroad will enter into force on 01.09.2024. Further details regarding the aforementioned amendment can be found here.
The Personal Data Protection Authority (“Authority”) had prepared a draft regulation in order to regulate the procedures and principles regarding the transfer of personal data abroad and opened the draft for public opinion and assessment. The draft regulation, largely unchanged, has entered into force through its publication in the Official Gazette dated 02.07.2024 by the Authority under the title of Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”).
In parallel with the Law, pursuant to the Regulation, transferring personal data abroad is permitted without explicit consent, provided that one of the conditions for processing general data or special categories of personal data is met, and one of the additional conditions gradually explained below is fulfilled.
1. Firstly, it will be required that the Personal Data Protection Board (“Board”) has issued an adequacy decision on the third country, international organisation, or a specified sector within that third country. The Board will take into account criteria such as reciprocity, rules and protection mechanisms in the place of transfer, and international conventions when making an adequacy decision. Adequacy decisions shall be reviewed at least every four years. Where the Board deems it necessary, it may determine a shorter review period, or it may review the adequacy decision at any time, regardless of this period, and may amend, suspend or repeal the decision without retroactive effect. Adequacy decisions and the decisions to amend, suspend or repeal the adequacy decisions shall be published in the Official Gazette and on the website of the Authority.
2. In the absence of an adequacy decision made by the Board, the controller or processor will be required to provide appropriate safeguards such as agreements that are not international conventions, binding corporate rules, standard data protection clauses, commitment, etc., provided that enforceable data subject rights and effective legal remedies for data subjects are available in the country where the personal data are to be transferred.
i. An appropriate safeguard can be provided by concluding an agreement, which is not an international convention, between public institutions and organisations or professional organisations with the status of public institution in Türkiye and public institutions and organisations or international organisations in a foreign country. The agreement shall include the provisions that aim to protect personal data, which are listed in the Regulation. The agreement and related information and documents require the Board’s approval, after which data transfer may commence.
ii. An appropriate safeguard can also be provided by employing binding corporate rules aiming to protect personal data, which the companies within the group of enterprises engaged in joint economic activity are obliged to comply with. The binding corporate rules require the Board’s approval. Application forms for binding corporate rules for data controllers and data processors were published on the website of the Authority on 10.07.2024. The application form contains a commitment that the binding corporate rules are legally binding and enforceable for the parties and their employees, that the rights of the data subject can be exercised where the data are to be transferred, the structure of the group of undertakings, the safeguards and details of the data flow.
iii. An appropriate safeguard can also be provided by signing standard contractual clauses containing data categories, purposes of data transfer, the recipient and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data. The standard contractual clauses to be used in data transfers between data controllers and data processors were published on the website of the Authority on 10.07.2024. These contracts shall be signed without any changes and the Authority shall be notified of the signature of the contract. Unlike the other methods, signing the standard contractual clauses and notifying the Board is sufficient to provide an appropriate safeguard for data transfer. However, in case the clauses are amended, the Board will treat the amended contractual clauses as the commitment detailed below and will review them for approval.
In addition, the obligation to notify the Authority of standard contractual clauses regulated in the Law has been extended by the Regulation. Pursuant to the Law, parties shall notify the Authority of standard contractual clauses within five days, whereas the Regulation stipulates that any changes in the parties or the content of the clauses or the termination of the standard contractual clauses must also be notified to the Authority. This amendment may face criticism as the Regulation expands the scope of an obligation that imposes an administrative fine stipulated by the Law.
iv. Lastly, an appropriate safeguard can be provided by employing a commitment to be signed between the parties of the data transfer. The commitment shall include the provisions aiming to protect the personal data, which are listed in the Regulation. The commitment requires the Board’s approval, after which data transfer may commence.
3. Finally, in the absence of an adequacy decision, or of appropriate safeguards, transfer may be made on an incidental basis. Incidental transfer may take place only if the transfers are not regular, occur once or a few times, are not repetitive and are not in the ordinary course of business. However, it should be noted that this provision permits transfers to be made under certain compulsory conditions listed in the Law, such as the informed explicit consent of the data subject, performance of the contract, superior public interest.
Should you have any inquiries, please do not hesitate to contact us.
Yaşar Law Office