Introduction

Transferring personal data abroad is increasingly needed in today’s globalized world, concerning many companies conducting their business internationally. Given the fact that cross-border flow of personal data has become more frequent than ever and much more sophisticated with the advent of digital technology, international companies should be vigilant in adopting the appropriate data transfer mechanisms in every jurisdiction they operate in, as non-compliance with local data protection regulations may result in large fines and reputational damage.

The aim of this article is to provide a brief summary of the international data transfer mechanisms regulated under Turkish data protection regime.

Data Transfer Mechanisms

Basically, there are three mechanisms for lawfully transferring personal data out of Turkey. As set out under Article 9 of the Personal Data Protection Law (the “Law”), a cross-border transfer may take place, if:

(i)    express consent of the data subject is obtained, or;

(ii)    the destination country ensures an adequate level of data protection, or;

(iii)    a written data transfer agreement is concluded between data exporter and data importer, subject to the approval by Turkish Personal Data Protection Board (‘the Board’). 

Furthermore, without prejudice to the rights and obligations established under international agreements, in circumstances where an international transfer of data would seriously harm the legitimate interests of the
Republic of Turkey or data subjects, such transfer can only be actualised upon the permission of the Board after obtaining an opinion from the relevant public bodies and institutions.

Adequate Countries

Countries having adequate level of protection shall be determined and announced by the Board. However, no country has been officially recognized as “adequate country” ever since the formation of the Board in January 2017.    

That being said, in its decision numbered 2019/125 and dated 02 May 2019, the Board unveiled the criteria to be taken into account when determining the adequacy status of a country. Following are the noteworthy factors to be taken into consideration in a typical assessment;

♦existence of reciprocity between Turkey and the concerning country,

♦whether the protection of personal data is a constitutional right,

♦existence of a basic law on the protection of personal data and its’ effective date,

♦secondary regulations and consistency of these regulations with the regulations implemented in Turkey,

♦personal data processing requirements and consistency of these requirements with the requirements implemented in Turkey,

♦existence of security measures for processing of sensitive personal data,

♦existence of the necessary legal guarantees ensuring effective implementation of the transparency principle in personal data processing activities,

♦existence of the obligation to take necessary technical and administrative measures to prevent unlawfully processing of and illegal access to personal data,

♦degree of implementation of the administrative and criminal sanctions against data violations and existence of other mechanisms to prevent data violations,

♦rights of the data subject,

♦existence of compensation rights of data subjects whose personal data rights have been violated,

♦existence of reference guidelines and publications,

♦exceptions to the applicability of data protection laws,

♦existence of independent data protection authority and it’s structure, the level of independency, powers and duties;

♦whether the concerning country is party to international agreements to which Turkey is a party.

Data Transfer Agreements 

In the absence of data subjects’ express consent and where the destination country is not recognized as an adequate country, cross-border data flows can be made on a contractual basis between data exporters and data importers. However, parties to a data transfer agreement should bear in mind that the agreement so concluded must be approved by TDPA before the commencement of data flow.

On 16 May 2018, Turkish Data Protection Authority (“TDPA”) published its first guidance on the required content to be included in cross-border data transfer agreements. In this framework, TDPA issued two sets of model contractual clauses, where one set is intended for data transfer from Turkish controllers to foreign controllers whilst the second set being intended for data transfers from Turkish controllers to foreign processors. 

Both sets allow the possibility of outsourcing activities to sub-controllers/sub-processors, provided that model contractual clauses in primary data transfer agreements are maintained in sub-contracts.

The model clauses are intended to provide appropriate safeguards for international data transfers. Their adoption does not prevent the parties from including them in a wider contract or from including additional safeguards or other clauses, provided that such additions/alterations are not in contravention of the model clauses or the rights of data subjects.

Conclusion

Cross-border transfer of personal data should carefully be structured as all mechanisms, policies and procedures of data controllers and data processors should be in compliance with the Law, secondary regulations and the Board’s decisions. 

Otherwise, companies and their executive officers may face severe sanctions including criminal prosecution and administrative fines. With regard to potential criminal penalties, the Law refers to the relevant provisions of the Criminal Code that detail the sanctions for the unlawful recording and/or accessing of personal data which is punishable by a 2 to 4 years of prison sentence.

In addition to criminal sanctions, the most readily identifiable breaches would be either a failure to satisfy data security requirements or a failure to implement the decisions of the Board with regards to the transfer of personal data. Such breaches can be sanctioned with administrative fines ranging from TRY 15,000 to TRY 1,000,000.