For further information,
please contact:

Senior Associate

Senior Associate

Legal Alerts

New Era in Cross-Border Data Transfers

Legal Alerts
Intellectual Property and Technology
General

Recent Developments 

With the amendments to the Law No. 6698 on the Protection of Personal Data (“Law“) adopted on 12 March 2024 (“Amendments“), the existing regime regarding the cross-border transfer was amended and new mechanisms -including, in particular, standard contractual clauses- were introduced. The Regulation on the Procedures and Principles Regarding the Cross-Border Transfer of Personal Data (“Regulation“) by the Turkish Data Protection Authority (“Authority“) was published in the Official Gazette dated 10 July 2024 and numbered 32598, regulating the cross-border data transfer regime. Following the publication of the Regulation, on the same day, the final versions of newly introduced standard contractual clauses and documents regarding binding corporate rules (“Final Texts“) were also published on the website of the Authority.

You can access the Regulation here (in Turkish) and the Final Texts here (in Turkish). For further information on the Amendments, you can visit our legal bulletin dated 12 March  2024 here.

What’s new with the Regulation?

The Regulation, which includes the procedures and principles regarding the transfer of personal data abroad, regulates the following issues in brief:

  • Transfers Based on Adequacy Decision: The Regulation stipulates that the Authority may decide that a country, one or more sectors within the country or an international organization provides an adequate level of protection for the cross-border transfer of personal data and specifies the issues to be taken into account while making this decision. In addition, it is regulated that an adequacy decision will be re-evaluated every four years at the latest.
  • Transfers Based on Appropriate Safeguards: In the absence of an adequacy decision, personal data may be transferred if one of the appropriate safeguards is ensured, provided that one of the conditions specified in Article 5 and 6 of the Law exists and the data subject has the opportunity to exercise their rights and to apply for effective legal remedies in the recipient country. The provisions introduced by the Regulation regarding these appropriate safeguards are as follows:
    • Provision of Appropriate Safeguards through Non-International Agreement: The Regulation indicates that appropriate safeguards can be provided through a non-international agreement on the protection of personal data, in terms of personal data transfers between public institutions and organizations abroad or international organizations, and public institutions and organizations or professional association with public entity status in Türkiye. The Regulation also lists issues that shall be included in such agreement.
    • Provision of Appropriate Safeguards through Binding Corporate Rules: In parallel with the Amendments, the Regulation stipulates data controllers and data processors must apply to the Authority for approval in order to transfer personal data abroad relying on binding corporate rules,  and the transfer of personal data may commence following the Authority’s approval. In addition, under Article 13, the Regulation sets out the information that must be included under binding corporate rules.
    • Provision of Appropriate Safeguards through Standard Contractual Clauses: Pursuant to the Amendments, standard contractual clauses must be notified to the Authority within five business days from the date of execution. The Regulation stipulates that the parties of the transfer may determine who will fulfil the notification obligation within the standard contract. Otherwise, the relevant notification must be made by the data exporter. The Regulation also indicates that the Authority must be notified (i) in the event of a change in the parties of the standard contract, or (ii) in the information and explanations provided by the parties under the standard contract, or (iii) in the event of termination of the standard contract.
    • Provision of Appropriate Safeguards through Undertaking Letter: For transferring personal data abroad relying on an undertaking letter, the data exporter must apply to the Authority for permission, as was the case prior to the Amendments. Article 15 of the Regulation set forth the clauses regarding protection of personal data that must be included in the undertaking letter.
  • Occasional Cases: With the Amendments, data controllers may transfer personal data abroad relying on explicit consent only until 1 September 2024, and transfers after this date can only rely on explicit consent if they are “occasional”. In this regard, the term “occasional” is defined in the Regulation as “transfers that are not regular, occur only once or a few times, are not continuous and are not in the ordinary course of business”. The Regulation also repeats the occasional transfer cases listed in the Amendments.

The Regulation entered into force on the date of publication.

What about the Standard Contractual Clauses and Binding Corporate Rules?

The Authority has published 4 types of standard contractual clauses (“SCCs“) for transfers from (i) controller to controller, (ii) controller to processor, (iii) processor to processor, and (iv) processor to controller in line with the European Union General Data Protection Regulation (“GDPR“). Although the SCCs published by the Authority and the SCCs published under the GDPR are mostly parallel, the SCCs published by the Authority differ from the ones published under the GDPR, mostly due to the differences between the current version of the Law and the GDPR (e.g. data breach notifications to the relevant data protection authority, the exceptions recognized in terms of transparency obligations, etc.). In addition to this, unlike the GDPR, one noteworthy point in the SCCs published by the Authority is that the standard contractual clauses can only be concluded between one data exporter and one data importer, and there are no provisions that allow more than one data exporter and/or data importer to be party to the contract.

Similarly, the Authority has published two types of application forms for binding corporate rules (“BCR“) regarding intra-group transfers of data controllers and data processors, as well as supplementary guidelines on the main issues to be addressed in the BCRs, and these documents are also mostly in line with the documents published under the GDPR.

Conclusion

Although the Amendments entered into force as of 1 June 2024, it is possible for data controllers to continue their cross-border transfer activities relying on explicit consent regulated under Article 9(1) of the Law until 1 September 2024 as per the foreseen transition period. However, data controllers and data processors are required to review their cross-border transfer processes in accordance with the published Regulation and Final Texts and determine the appropriate transfer mechanism to finalize their compliance processes by the specified date.