Public Announcement on the Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad
On 09.05.2024, the Turkish Personal Data Protection Authority (Authority) published the Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (Draft) and opened the Draft for public opinion and assessment. In this context, opinions and suggestions regarding the Draft can be shared with the Authority until 20.05.2024.
The Draft sets out the principles and procedures relating to the changes that Law No. 7499 on Amendments to the Code of Criminal Procedure and Certain Laws made to the provision of Law No. 6698 on the Protection of Personal Data (PDPL) governing the cross-border transfer of personal data. Accordingly, personal data can be transferred abroad under the following conditions: (i) the existence of an adequacy decision regarding the country of transfer, sectors within the country or international organizations, (ii) in the absence of an adequacy decision, provision by the parties of one of the appropriate safeguards, on the condition that the data subject can also exercise his or her rights and have recourse to effective remedies in the country of transfer, and (iii) in the absence of an adequacy decision and if one of the appropriate safeguards cannot be provided by the parties, the existence of one of the exceptional circumstances specified in Article 16 of the Draft.
Chapter Three of the Draft provides comprehensive explanations of transfers based on an adequacy decision. Accordingly, the Board may decide that a country, one or more sectors within a country, or an international organization provides an adequate level of protection for the transfer of personal data abroad. The adequacy decision shall be reassessed at the latest every four years.
Chapter Four of the Draft contains a detailed description of transfers based on appropriate safeguards. Appropriate safeguards for cross-border transfers can be summarized as (i) agreements that are not international conventions, (ii) binding company rules, (iii) standard contracts, and (iv) commitments.
The key issues in the Draft regarding standard contracts, which are not included in the current PDPL and are among the most notable innovations, are as follows:
- The standard contract, which includes data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data, shall be determined and announced by the Board.
- It is mandatory to use the standard contract without any modification.
- The standard contract must be signed by the parties to the transfer or by persons authorized to represent and sign on behalf of the parties; it must be notified to the Authority, and the notification must include documents proving the signatories’ authorization and notarized translations of any documents in a foreign language.
Lastly, Chapter Five of the Draft provides for exceptional cases of transfer. If the other conditions cannot be met, personal data may be transferred abroad in the presence of one of the exceptional circumstances of transfer, provided that the transfer is incidental. Transfers that are not regular, occur only once or a few times, are not continuous, and are not in the ordinary course of business are incidental. The data subject’s explicit consent is the most important exception for cross-border transfer.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.