With the rapid growth of international trade, investments placed in different countries around the world, and the unstoppable growth of technology, personal data transfers on a global scale have become irresistibly easy. As a consequence, countries have introduced legal measures to protect personal data, as it is a fundamental right of their citizens. In Turkey, cross-border personal data transfers are also strictly regulated under the Personal Data Protection Law numbered 6698 (the "PDPL"), which is the main piece of legislation in Turkey on personal data protection. Article 9 of the PDPL regulates personal data transfers outside of Turkey. Unlike the General Data Protection Regulation ("GDPR"), the PDPL does not rely on standard contractual clauses ("SCCs") for data transfers, which makes its cross-border transfer rules stricter than those of the GDPR. This causes several challenges in practice.

Article 9 of the PDPL sets forth the conditions for personal data transfers outside of Turkey. Accordingly, in principle, personal data cannot be transferred outside of Turkey without the data subject's explicit consent. Personal data can be transferred outside of Turkey without obtaining the data subject's explicit consent if (i) one of the legal bases set forth under the PDPL exists (e.g., legitimate interest, the performance of a contract, fulfillment of a legal obligation), and (ii) the country to which data will be transferred is listed by the Turkish Data Protection Board ("Board") as a safe country ("Safe Country"). If one of the legal bases set forth under the PDPL exists but the country where the data will be transferred is not considered a Safe Country, the parties must commit in writing that the transfer is concluded under an adequate level of protection, and must obtain the Board's approval for the transfer.

The primary challenge lies in the need for the data subject's explicit consent for the transfer. As explicit consent must be given with free will and can always be withdrawn by the data subject, relying on the data subject's explicit consent is difficult in practice over the long term. That being said, the Board has not yet announced the Safe Country list; currently, all countries are deemed not to provide an adequate level of protection. Not having any Safe Country brings certain challenges for personal data transfers outside of Turkey as well. According to Article 9, if there is a legal basis but no Safe Country, for transfers outside of Turkey the parties must commit in writing that the transfer is concluded under an adequate level of protection, and the Board must approve such transfer. There are two mechanisms to obtain the Board's approval for a transfer: (i) a written undertaking ("Undertaking"), or (ii) binding corporate rules ("BCR") (i.e., only for intra-group company transfers). The challenge with either the Undertaking or the BCR is the Board's approval process, as it is not regulated in detail under the legislation. Thus, companies that want to apply through one of these approval processes are left in the dark, without even knowing how long the approval process may take.

According to the Board decisions that are published on the Board's official website, there are few approvals given by the Board for transfers outside of Turkey. It is also worth mentioning that the Board's decisions in this regard do not contain detailed information to analyse which elements the Board considers while assessing the decision to approve and how long the process may take. Transferring personal data outside of Turkey without complying with the abovementioned rules may lead to an administrative fine.

Practice Area News

In 03/2020, the Board published on its official website the sample form of Undertaking to be executed between the transferring party and the receiving party on personal data transfers outside of Turkey. The sample form of Undertaking is substantially similar to the SCCs as set forth under Article 46 of the GDPR, which outlines the measures to ensure adequate protection for cross-border personal data transfers.

In 04/2020, the Board also published an announcement to introduce BCR for cross-border transfers of personal data between affiliates of multinational group companies. Instead of executing an Undertaking, intra-group companies should have the option to fill out the form available on the Board's official website, follow the necessary instructions and apply for the Board's approval. The Board also published a guideline in 05/2020 to clarify the application procedure for obtaining the Board's approval for the transfer. Although these publications shed some light on the procedure, it still needs several clarifications with respect to the Board's approval process (e.g., approval period).

Despite the above developments, personal data transfer outside of Turkey is still a challenging issue for businesses, as the Board's approval process is still not transparent and remains at the discretion of the Board. In 03/2021, the President of the Turkish Republic announced a new economic plan. Under this economic plan, it is stated that Article 9 of the PDPL regulating personal data transfers outside of Turkey will be amended in line with the GDPR. Accordingly, one of the expected amendments is removing the Board's approval. We believe that, if this happens, such an amendment will help businesses to ease the problems arising from complying with the cross-border personal data transfer rules of the PDPL. Although the expectation is to amend the PDPL within 2023, there is no official announcement as to when this amendment will take place. Until then, or until the approval process becomes faster and more transparent, personal data transfers outside of Turkey will continue to be challenging, especially for multinational companies.

Originally published by Legal Industry Review.

© Kolcuoğlu Demirkan Koçaklı Attorneys at Law 2020
