Public Announcement on the Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad

On 09.05.2024, the Turkish Personal Data Protection Authority (Authority) published the Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (Draft) and opened the Draft for public opinion and assessment. In this context, opinions and suggestions regarding the Draft can be shared with the Authority until 20.05.2024.

The Draft includes principles and procedures related to innovations brought to the provision of Law No. 6698 on the Protection of Personal Data (PDPL) on the cross-border transfer of personal data by Law No. 7499 on Amendments to the Code of Criminal Procedure and Certain Laws. Accordingly, personal data can be transferred abroad under the following conditions: (i) the existence of an adequacy decision regarding the country of transfer, sectors within the country or international organizations, (ii) in the absence of an adequacy decision, provision by the parties of one of the appropriate safeguards, on the condition that the data subject also can exercise his or her rights and to have recourse to effective remedies in the country of transfer, and (iii) in the absence of an adequacy decision and if one of the appropriate safeguards cannot be provided by the parties, the existence of one of the exceptional circumstances specified in Article 16 of the Draft.

Chapter Three of the Draft provides comprehensive explanations of transfers based on an adequacy decision. Accordingly, the Board may decide that a country, one or more sectors within a country, or an international organization provides an adequate level of protection for the transfer of personal data abroad. The adequacy decision shall be reassessed at the latest every four years.

Chapter Four of the Draft contains a detailed description of transfers based on appropriate safeguards. Appropriate safeguards for cross-border transfers can be summarized as (i) Agreements that are not international conventions, (ii) Binding company rules, (iii) Standard contracts, and (iv) Commitments.

The key issues in the Draft regarding standard contracts, which are not included in the current PDPL and are among the most notable innovations, are as follows: 

• Standard contract, that includes data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data shall be determined and announced by the Board. 
• It is mandatory to use the standard contract without any modification. 
• The standard contract must be signed by the parties to the transfer or by persons authorized to represent and sign on behalf of the parties; it must be notified to the Authority, and the notification must include documents proving the signatories’ authorization and notarized translations of any documents in a foreign language.

Lastly, Draft Chapter Five provides for exceptional cases of transfer. Personal data may be transferred abroad in the presence of one of the exceptional circumstances of transfer, provided that it is incidental if any of the other conditions cannot be met. Transfers that are not regular, occur only once or a few times, are not continuous, and are not in the ordinary course of business are incidental. The data subject’s explicit consent is the most important exception for cross-border transfer.