04 Feb, 2025

The Regulation on the Transfer of Personal Data Abroad (“Regulation”) was published in the Official Gazette dated July 10, 2024, and has come into effect. The Regulation has been prepared to regulate the procedures and principles for the transfer of personal data abroad.

Personal data can only be transferred abroad by the data controller and data processor in accordance with the procedures and principles set out in the Law on the Protection of Personal Data No. 6698 and the Regulation. The transfer of personal data may only occur if one of the conditions mentioned in Articles 5 and 6 of the Law on the Protection of Personal Data and one of the conditions listed below in the Regulation is met:

  • An adequacy decision exists for the country to which the transfer will be made, for sectors within that country, or for the international organization concerned.
  • If there is no adequacy decision, the transfer may occur if the data subject is able to exercise their rights and access effective legal remedies in the country to which the transfer is made, provided that the parties supply one of the appropriate safeguards mentioned in Article 10.

According to this Regulation, the adequacy decision will be reviewed at least every four years; the periods for re-evaluation will be clearly determined, and if the Personal Data Protection Board (“Board”) determines that the relevant country, one or more sectors within the country, or an international organization does not provide an adequate level of protection, it will change, suspend, or revoke its decision with prospective effect. Decisions on changes, suspensions, or revocations of adequacy decisions will be published in the Official Gazette and on the institution’s website.

Transfers Based on Adequacy Decisions

The Board may decide that a country, one or more sectors within the country, or an international organization provides an adequate level of protection regarding the transfer of personal data abroad. Adequacy decisions issued by the Board will be published in the Official Gazette and on the institution’s website.

When making an adequacy decision, the following factors will be considered:

  • The status of reciprocity between Turkey and the country, sectors within the country, or international organizations to which personal data will be transferred.
  • The relevant legislation and practices of the country to which the data will be transferred and the rules governing the international organization to which the personal data will be transferred.
  • The existence of an independent and effective data protection authority in the country to which personal data will be transferred or the international organization, and the availability of administrative and judicial remedies.
  • The country or international organization’s membership in international conventions or international organizations related to the protection of personal data.
  • The membership of the country or international organization in global or regional organizations of which Turkey is a member.
  • The international treaties to which Turkey is a party.

Transfers Based on Appropriate Safeguards

In the absence of an adequacy decision, personal data may be transferred abroad only if one of the conditions mentioned in Articles 5 and 6 of the Law is met, the data subject is able to exercise their rights and access effective legal remedies in the country to which the transfer is made, and one of the appropriate safeguards listed below is provided by the parties:

  • The existence of an agreement that is not an international treaty between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations of public institutions in Turkey, together with the Board’s permission for the transfer.
  • The existence of binding corporate rules containing provisions related to personal data protection that the companies within a group engaged in common economic activities are obliged to comply with, and which have been approved by the Board.
  • The existence of a standard contract announced by the Board, covering issues such as data categories, purposes of data transfer, the obligations of the parties, details of the transfer, and technical and administrative measures to be taken for special categories of personal data.
  • The existence of a written commitment containing provisions ensuring adequate protection, and the Board’s permission for the transfer.

Non-International Treaty Agreements

According to the provisions in Article 11 of the Regulation, personal data can be transferred under agreements that are not international treaties between public institutions and organizations in Turkey and foreign countries or international organizations, ensuring adequate protection through provisions related to the protection of personal data.

To transfer personal data based on a non-international treaty agreement, the Board’s opinion must first be sought during the negotiation process. Once the agreement is finalized, the data controller must submit a request for the Board’s approval along with other necessary information and documents, and data transfer will begin after the Board grants permission.

Binding Corporate Rules

The Personal Data Protection Board has provided a legal framework for the possibility of ensuring adequate safeguards through Binding Corporate Rules, which companies within an economic group are obligated to comply with. Detailed application forms have been prepared for both Data Controllers and Data Processors. The forms must clearly outline the nature of the personal data to be transferred, the data categories, the purposes of the data processing and transfer, and the affected data subject categories.

Standard Contracts

The Personal Data Protection Board has prepared draft standard contracts for the transfer of personal data abroad, which will be used for transfers from one data controller to another, from a data controller to a data processor, from a data processor to another data processor, and from a data processor to a data controller. These contracts include details such as data categories, purposes of data transfer, the parties’ obligations, transfer details, and the technical and administrative measures to be taken for special categories of personal data. Additionally, it is stated that the standard contracts should be used without any changes, and in case of a foreign language contract, the Turkish version will prevail.

Commitment

If the country to which the personal data will be transferred does not provide adequate protection, the transfer can only occur if the data controllers in both Turkey and the foreign country provide written commitments ensuring adequate protection and submit them to the Board for approval.

Exceptional Transfers

With the change in the law, personal data can be transferred abroad, even if no adequacy decision exists and none of the appropriate safeguards are provided, under exceptional transfer conditions, as long as it is temporary and not continuous. Such exceptional transfer situations are outlined both in the Law and the Regulation.

It is important to note that the Regulation has removed the previous requirement for explicit consent for data transfers. Explicit consent is now only required in exceptional cases, and the general rule is to comply with the regulations for data transfers abroad.

Esenyel Partners | Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad