Melis Mert
The Turkish Personal Data Protection Law was amended in March 2024, with the new regime taking effect in June 2024. This amendment, long anticipated in line with Türkiye’s goals to harmonize with EU standards and enhance effective protection, addresses issues with cross-border personal data transfers, clarifies legal conditions for processing special personal data categories, and designates administrative courts as the appeal authority for Personal Data Protection Board decisions. We will focus on the first item.
Q1: What happened? What are the highlights?
The Turkish Personal Data Protection Law (Law) was amended in March 2024. With the new regime,
- Türkiye still has the adequacy decision option, but now such decisions can be granted for international organizations and sectors as well.
- Personal Data Protection Authority (DPA) approval will no longer be required for the standard contracts, leading to the introduction of “Turkish Standard Contractual Clauses (SCCs)” with some Türkiye-specific features.
- Contracts other than those published by the DPA can still be used but require DPA approval.
- Binding corporate rules (BCRs) are specifically regulated.
- Data processors are now within the scope of the Turkish cross-border data transfer rules.
- Onward transfers are also subject to these rules.
- Derogations for one-off transfers have been introduced for cases where there is no adequacy decision or appropriate safeguard.
Details are provided under the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (Regulation) & Public Announcement on Documents Regarding Standard Contracts and Binding Corporate Rules.
Q2: Why the change?
The previous mechanism was inefficient for several reasons:
- International agreements and other laws didn’t cover enough cases.
- Türkiye hadn’t designated any safe countries for free data transfer, making all countries inadequate.
- Ad hoc approval from the DPA was mandatory for all contract-based cases, even if the contract used was the standard one published by the DPA.
- Explicit consent from data subjects wasn’t a reliable basis.
Q3: What is the new framework for international data transfers under Turkish law?
The new framework includes the following, but only for continuous transfers. Please see Q7 to find out more about incidental transfers:
- Adequacy Decision: Adequacy decisions will be rendered by the DPA and can apply to a country, international organization, or sectors within a country. Due to Türkiye's reciprocity principle among other criteria, such decisions are not expected to be made swiftly.
- Safeguards: A transfer under safeguards is possible if (i) there is a legal basis for the transfer under the Law, and (ii) data subjects have the possibility to exercise their rights and have recourse to effective remedies in the country of transfer. Although Türkiye does not have a transfer impact assessment concept yet, this second element may require one in the future.
- Instruments: These include agreements for public institutions with DPA permission, Turkish BCRs for group companies with DPA permission, Turkish SCCs for bilateral transfers with DPA notification, and specific agreements with DPA permission.
Q4: What are the peculiarities of the Turkish SCC regime?
To ensure lawful transfer via Turkish SCCs:
- The executed documents must be submitted to the DPA within 5 business days.
- Turkish SCCs lack a docking clause and cannot be incorporated into other contracts by the parties.
- They must be used and signed verbatim.
- They can be bilingual, but the Turkish text will prevail.
- There should be an initial notification once the Turkish SCC is executed, notifications for any changes in the annexes (data type, purpose, onward transfer, etc.), and notification upon termination.
After the submission of a duly prepared Turkish SCC, the transfer becomes lawful immediately (i.e., there is no waiting period).
Q5: What is required for agreements other than Turkish SCCs?
Specific agreements, such as intra-group data transfer agreements or Turkish BCRs, require DPA approval. BCRs have their own mandatory content, forms, guidelines, and secondary legislation. Specific agreements offer a relatively more relaxed structure but still need to ensure appropriate security. If the SCC text is not used as-is, the DPA will initiate an investigation. Therefore, any changes to the Turkish SCCs should be submitted for approval and not as SCCs. The downside is the waiting period for the DPA's decision and the inability to transfer data until approval is granted.
Q6: What are the requirements for onward transfers under the new regime?
For onward transfers, the recipient must in turn put one of the safeguards in place (i.e., another SCC execution and notification), unless one of the following conditions applies:
- Establishment, exercise, or defense of legal claims in the context of specific administrative or judicial proceedings.
- Vital interests or physical integrity of the data subject or another person if the data subject is unable to express consent due to a physical impossibility or if the data subject’s consent is not deemed legally valid.
For sub-processors, the Turkish SCCs have a separate regime, mostly in line with the EU’s SCCs.
Q7: What are the available derogations for incidental data transfers?
The available derogations for incidental (“not regular, occurs only once or a few times, is not continuous and is not in the ordinary course of business”) transfers are as follows:
- Explicit consent where data subjects are informed of the possible risks (as a basis for continuous transfers, explicit consent remains valid only until September 2024).
- Necessity for the performance of the contract between the data controller and the data subject or for the implementation of pre-contractual measures taken at the data subject’s request.
- Necessity for the establishment or performance of a contract between the data controller and another person for the benefit of the data subject.
- Necessity for an outstanding public interest.
- Necessity for the establishment, exercise, or defense of legal claims.
- Necessity for the protection of the vital interests of the data subject or of other persons where the data subject is physically or legally incapable of giving consent.
- Where the transfer is made from a register that is open to the public or to persons with a legitimate interest, provided that the conditions for accessing the register under the relevant legislation are met and the person with a legitimate interest requests it.
Q8: What are the responsibilities of data processors when transferring personal data abroad?
Previously, data processor transfers were not regulated, and the old cross-border data transfer article only mentioned Turkish data controllers transferring data outside of Türkiye. Now, data processors are explicitly within the scope:
- There are “processor to processor” and “processor to controller” Turkish SCCs.
- There are “binding corporate rules for data processors”.
- There is a new administrative fine for processors (also for controllers, where applicable) for not making the Turkish SCC notification to the DPA.
Generally speaking, data processors must act on behalf of the data controller and in accordance with its instructions. They must take all necessary technical and administrative measures to ensure appropriate security levels, to prevent unlawful processing and access, and to ensure the protection of personal data. Importantly, the data controller retains responsibility for ensuring compliance with the Law and the Regulation and for ensuring that adequate safeguards are provided.
Q9: How does the new regime treat direct collection cases?
The new international data transfer rules do not specifically mention direct collection cases. However, the wording of the new article and secondary legislation suggests that direct collection is not considered a data transfer, aligning with the European Data Protection Board’s Guidelines 05/2021. The DPA’s interpretation should be monitored.
Q10: What are the penalties for non-compliance with the new data transfer rules?
In cases of non-compliance, the DPA may issue an instruction decision, impose an administrative fine of up to TRY 9,463,213, or fine the controller or processor up to TRY 1,000,000 for failing to notify the DPA about Turkish SCCs. The DPA may also publish penalty decisions on its official website, potentially creating reputational risk, and/or order that transfers abroad cease where they could lead to irreparable harm or are clearly unlawful, though this is a rare penalty. (The monetary fines are for the year 2024.)
Q11: What proactive steps should companies take to ensure compliance with the new regime?
Companies that transfer personal data of those residing in Türkiye to entities located abroad (and, to the extent this concerns the lawfulness of the data collected by the foreign recipient, the recipient) should:
- Define the specifics of the data being transferred from Türkiye.
- Select the appropriate data transfer instrument based on the relationship between the Turkish entity and the recipient entity (e.g., Turkish SCCs, BCRs, or specific agreements such as intra-group data transfer agreements).
- Carefully evaluate the pros and cons of these mechanisms, especially for continuous transfers between group companies, JV structures, licensor-licensee relationships, etc.
- Obtain DPA permission for transfers involving BCRs and specific agreements.
- Manage timeframes effectively for DPA notifications when using Turkish SCCs, and re-notify the DPA of any updates or terminations when using Turkish SCCs.
- For those with a Data Controllers’ Registry (VERBIS) account, ensure that the declarations there are aligned with those submitted to the DPA.
- Inform and train employees on the new requirements, update privacy-related documents and monitor ongoing data transfers for compliance.