Within the Scope of Law No. 6698 on the Protection of Personal Data Transfer of Personal Data Abroad

Within the Scope of Law No. 6698 on the Protection of Personal Data Transfer of Personal Data Abroad

Introduction

Law No. 6698 on the Protection of Personal Data (LPPD) aims to secure the fundamental rights and freedoms of individuals by determining the principles regarding the processing and protection of personal data. Article 9 of the Law titled “Transfer of personal data abroad” regulates the procedures and principles regarding the transfer of personal data abroad.

With the Law No. 7499 published in the Official Gazette dated March 12, 2024, significant amendments were made to the said Article 9 of the LPPD, new regulations were introduced in data transfer processes, and the Regulation on the said regulation was subsequently published. Finally, the Personal Data Protection Authority published the “Guidelines on the Transfer of Personal Data Abroad” and provided detailed explanations on the implementation of these amendments. In this study, these legal amendments, the implementation principles stipulated by the Guidelines and data transfer methods will be discussed.

In order to transfer personal data abroad, at least one of the following conditions must be met.

1. Regulations on the Transfer of Personal Data Abroad in International Conventions or Laws:

Bilateral or multilateral international agreements to which Türkiye is a party may contain special provisions regarding the transfer of personal data abroad. Such international regulations, even if sometimes contrary to the provisions of the LPPD, validate the contractual regulations of the state parties.

For example, special agreements on data transfer between the European Union and Türkiye or international trade agreements may include provisions that facilitate the transfer of personal data. Even if such regulations are contrary to the general framework of the LPPD, the provisions of these agreements shall prevail due to the supremacy of international agreements.

Another situation is when there is a contrary regulation in the Laws. If there is a legal regulation on the transfer of personal data abroad and this regulation imposes a different provision from the restrictions imposed by the LPPD, personal data may also be transferred abroad. For example, pursuant to Article 40/6 of the Turkish Civil Aviation Law, the personal data of airline passengers may be shared with official institutions such as border police abroad to facilitate their travel and for security reasons, within the opinion of the Ministry of Interior .

2. Transfers Based on Adequacy Decision

According to the new regulation of Article 9 of the LPPD, an adequacy decision issued by the Personal Data Protection Board is required before personal data can be transferred abroad. An adequacy decision is only issued for countries where there are adequate legislation, audit mechanisms and data protection practices for the security of the data to be transferred. This decision ensures that data transfers are carried out in a secure manner. Accordingly,

• Qualification decisions can be made not only on a country-by-country basis, but also on the basis of international organizations or specific sectors.
• The Board shall take into account the country’s legislation on the protection of personal data and independent audit mechanisms when making the adequacy decision.
• For an adequacy decision to be made, the country of transfer must have a high level of data security and strong data protection laws.

Although a similar arrangement for qualification decisions existed before this amendment, no qualification decision has been taken for any country so far.

3. Transfers Based on Appropriate Safeguards

If an adequacy decision cannot be taken or adequate protection cannot be provided for the country of transfer, the following appropriate safeguard mechanisms may be used for the transfer of personal data abroad, provided that the data subject has the opportunity to exercise his or her rights and to seek effective remedies in the country of transfer.

1. Binding Corporate Rules (BCR)

Binding Corporate Rules are internal policies established to ensure that multinational corporate groups securely transfer personal data internally. Requirements for this mechanism:

• Determination of data security measures and audit processes,
• Fulfillment of transparency obligations towards data
• Approval by the Board

1. Standard Contracts (SCC)

Standard contracts must comply with the texts set by the Board for the transfer of personal data abroad. Four types of SCCs have been identified by the Board. These are the controller-to-data controller, controller-to-processor, processor-to-data controller and finally processor-to-processor versions. These contracts aim to ensure security measures and the rights of data subjects during data transfer.

The requirements for SCCs are:

• Notifying the Board within five business days of the completion of the signatures,
• Filling in the blank sections in the SCC where the details regarding data security and data transfer are determined and
• The notification shall be accompanied by documents certifying that the signatories of the standard contract are authorized and a notarized translation of each document in a foreign

1. Commitments:

It is possible to ensure the secure transfer of personal data abroad with the undertakings to be signed between the parties to the transfer.

In order to transfer personal data abroad based on the commitment letter, the data transferor shall apply to the Board for permission. Within the scope of the application to be made, the text of the commitment letter and other information and documents required for the evaluation to be made by the Board are submitted to the Board. The transfer of personal data shall commence after the Board grants permission.

Due to the long approval process, it does not find much place in practice. The SCC method mentioned above appears to be the method that will find the most application.

1. Providing appropriate safeguards by agreement that is not an international convention

By means of the provisions on the protection of personal data to be included in the agreement, which is not an international agreement, appropriate assurance can be provided in terms of personal data transfers between public institutions and organizations in Turkey and professional organizations in the nature of public institutions and public institutions and organizations in foreign countries or international organizations. The agreement shall be concluded between the parties regarding the personal data transfer.

4. Exceptional Circumstances and Occasional Condition

If an adequacy decision on data transfer cannot be taken or appropriate safeguards cannot be provided, data transfer abroad may be possible in exceptional circumstances. These are,

• Explicit consent of the person concerned
• Protection of vital interests
• Data transfer is required for the conclusion or performance of a contract
• The transfer is necessary for the establishment or protection of a right; and
• Protection of the legitimate interests of the data

In such exceptional cases, the requirement of “occasional” is also taken into account. Occasionally means that the transfer must only be temporary and one-off. This exception does not apply to continuous data transfers.

Conclusion

Under Law No. 6698 on the Protection of Personal Data, the transfer of personal data abroad is possible under certain conditions. Adequacy decisions, appropriate safeguards and exceptional circumstances are the main elements that constitute the legal basis of this process. Data controllers and data processors are under the obligation to act in compliance with the legal regulations regarding the transfer of personal data abroad. Any contrary practice will be subject to administrative fines.