The Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) came into force upon its promulgation in the Official Gazette dated 10 July 2024. On the same day, the Turkish Data Protection Authority (“KVKK”) published on its website the standard contract templates, application forms for the binding corporate rules (“BCR”) and supplementary guidelines regarding the essential elements that must be included in the BCR (“Supplementary Guidelines”).
As is known, the requirements under the Law No. 6698 on the Protection of Personal Data (“Law”) for data transfers abroad have been recently amended. As from 1 September 2024, to transfer personal data abroad, either (i) there must be an adequacy decision rendered by the KVKK regarding the country to which data will be transferred or the relevant industry, or, if there is no adequacy decision, (ii) one of the safeguards set out in the Law must have been implemented by the data controller or data processor conducting the transfer.
Adequacy decisions for data transfer abroad
The Regulation reiterates the provisions of the Law regarding the factors that will be considered by the KVKK when issuing adequacy decisions and the review of such decisions. Moreover, it provides that the adequacy decisions and the decisions regarding the modification, suspension, or revocation of the same will be published in the Official Gazette and on the KVKK’s website. As of now, no adequacy decision has been issued by the KVKK.
The Regulation also provides detailed requirements for the safeguards that must be adopted by the data controllers or processors that will transfer data abroad in cases where no adequacy decision exists. In this article, we will focus only on those necessary for data transfers between parties other than public institutions.
BCR for data transfers among group companies
Data transfers to group companies located outside Türkiye can be carried out based on BCR, encompassing rules for data protection applicable to the companies involved in the transfer.
Mandatory content and form of the BCR
The Regulation outlines in detail the minimum mandatory content for the BCR. The KVKK is authorized to require that the BCR covers additional items. If the BCR is prepared in bilingual form, the Turkish version prevails.
According to the Supplementary Guidelines: (i) the data controller BCR is for the transfers to another data controller or processor within the same corporate group by the transferring data controller, and (ii) the data processor BCR is for the data that is processed by a corporate group member by transferring such data to another data processor or sub-processor located abroad on behalf of a data controller located in Türkiye and who is not a member of the same corporate group as the data processor.
Approval application to the KVKK
The BCR is subject to the KVKK’s approval. Below documents must be submitted to the KVKK:
The KVKK is authorized to request additional information and/or documents from the applicant. A notarized translation must be provided for every document submitted in foreign language.
According to the BCR application forms published by the KVKK, if the group’s headquarters is in Türkiye, the approval application must be filed by the headquarters, or another member located in Türkiye to which data protection responsibilities have been transferred. In the latter case, the group must provide a justification for designating this other group member as the applicant in lieu of the headquarters. If the group’s headquarters is located outside Türkiye, the group must designate a group company located in Türkiye as the “authorized group member” to whom the data protection responsibilities will be delegated. The approval application must be submitted to the KVKK by this authorized member on behalf of the group.
Assessment by the KVKK
The KVKK takes into consideration the following when reviewing the respective BCR:
Personal data can be transferred abroad only after the BCR is approved by the KVKK.
Execution of the standard contract published by the KVKK
As there is no provision under the Law to the contrary, this method can be used for transferring personal data abroad to a third party, as well as to a group company (as an alternative to the BCR). In the latter case, however, separate standard contracts must be executed with each recipient group company.
Mandatory content of the standard contract
The KVKK has published four different standard contracts depending on the roles of the parties involved in the transfer: from (i) data controller to data controller, (ii) data controller to data processor, (iii) data processor to data controller, (iv) data processor to data processor.
The Regulation requires that the standard contracts published by the KVKK be used by the parties without any modifications. Otherwise, the KVKK will initiate an investigation into the parties pursuant to the Law. If the standard contract is executed in a bilingual form, the Turkish version prevails.
Notification requirement instead of approval process
Unlike the BCR, the standard contract is not subject to the KVKK’s approval; however, the KVKK must be notified through submission within five business days of signing, either physically, via registered e-mail (KEP), or through other means determined by the KVKK. The parties can designate who will fulfill the notification requirement under the standard contract. In the absence of any such designation, the data transferer must notify the KVKK.
As per the Regulation, the KVKK must be notified through the same procedure in the case of a change in the parties to the standard contract, the information and explanations provided by the parties thereunder, or if the standard contract is terminated. It is important to note that the Law does not mandate this additional notification requirement. Therefore, this expansion of the scope of the notification requirement by the Regulation could spark debates regarding its being contrary to the hierarchy of norms.
Execution of the undertaking published by the KVKK
This practice existed also prior to the recent amendments to the Law. At that time, the KVKK prepared and published template undertakings to be used for transfers abroad. However, the Regulation now sets out detailed rules for transfers based on an undertaking. The new template undertakings to be prepared by the KVKK in line with the Regulation are pending.
Mandatory content of the undertaking
The Regulation outlines the minimum mandatory content for the undertaking. If the undertaking is prepared in bilingual form, the Turkish version prevails.
Permission request from the KVKK
The data controller or processor who will transfer data abroad based on an undertaking must apply to the KVKK and submit the undertaking together with other necessary documents and information to obtain permission from the KVKK. The Regulation does not specify what these additional documents are. Information on this may be published by the KVKK as part of the template undertaking expected to be issued. Personal data can be transferred abroad only after the KVKK grants its permission.
Data transfer abroad by data processors
According to the Regulation, where data is transferred abroad by the data processor, it must take all necessary technical and administrative measures to ensure an appropriate level of data security. The data processor must implement the above safeguards, as appropriate, before transferring data abroad. The Regulation does not require the data controller to follow a regulatory procedure, such as being involved in the approval or permission process for the BCR or undertaking respectively, or becoming a party to the standard contract.
Nevertheless, the transfer of personal data abroad by the data processor does not absolve the data controller of its responsibility to comply with the Law and the Regulation, including ensuring the necessary safeguards. Therefore, the data controller must ensure that the safeguards are implemented appropriately by the data processor before transferring data abroad.
Exceptional data transfers abroad
The Regulation reiterates the Law regarding the exceptional cases where data can be transferred abroad in the absence of an adequacy decision and when appropriate safeguards cannot be provided. It further notes that such transfers must only be irregular, one-time or infrequent, non-recurring, and not part of regular business activities.
Conclusion
Until 1 September 2024, data transfer abroad can continue to be conducted based on explicit consent of the data subject. However, following that date, explicit consents will be of no use. Given that the KVKK is not expected to issue an adequacy decision anytime soon, the data controllers and processors should commence necessary preparations as per the Regulation and documentation published by the KVKK, to ensure that appropriate safeguards for transferring data abroad are implemented by 1 September 2024 at the latest.
ÇAKMAK © 2024 | All rights reserved.