Cross-border Data Transfer Rules Under Data Protection Law

Introduction

The Data Protection Law, Turkey's first dedicated general data protection law, was published in the Official Gazette on April 7, 2016.[1] The law regulates the transfer of personal data in two categories: the transfer of personal data and the transfer of personal data abroad.

Article 8 of the law sets out the general principles for the transfer of personal data in Turkey to third parties. The law provides no exceptions for group companies. As a result, personal data cannot be transferred within groups without the explicit consent of the data subject. Secondary legislation and the Personal Data Protection Board may shed light on the matter. Article 9 sets out the general principles regarding the transfer of personal data abroad. Personal data cannot be transferred abroad without the explicit consent of the data subject. However, Articles 8 and 9 of the law establish exemptions regarding the transfer of personal data inside or outside the country.

The Data Protection Law came into force on April 7 2016 with transition periods for certain provisions, including data transfer rules which will come into force on October 7 2016. The Personal Data Protection Authority is also expected to have a significant role regarding cross-border data transfers, such as determining which countries provide adequate levels of protection in that regard.

General rule

In principle, personal data cannot be transferred abroad without the explicit consent of the data subject, except in specific circumstances.

Exemptions

Exemptions under which personal data can be transferred abroad without the explicit consent of the data subject include the following:

  • The country to which the personal data will be transferred provides an adequate level of protection; or
  • If the level of protection in the country to which personal data will be transferred is inadequate, the data controllers in Turkey and the country in question provide a written undertaking guaranteeing an adequate level of protection, which is authorised by the Personal Data Protection Authority.

Further, if data processing is required for the performance of a legal obligation by the data controller (such as providing data to government authorities for tax purposes), the data subject's explicit consent is not required. In such case, the data may also be transferred outside Turkey without obtaining the explicit consent of the data subject, provided that the relevant foreign country provides an adequate level of protection.

Personal Data Protection Authority

The Personal Data Protection Authority will determine and make public which countries have an adequate level of protection regarding personal data protection. It will make its decision based on whether the foreign country can afford an adequate level of protection and after consulting with the relevant public administrations and agencies (if necessary) and evaluating:

  • the international agreements to which Turkey is a party;
  • the reciprocity relating to data transfers between Turkey and the recipient country;
  • the category of personal data, as well as the purpose and processing period for each specific data transfer;
  • the relevant legislation and practice in the recipient country; and
  • the measures that the controller in the recipient country commits to provide.

In cases where personal data may be processed without the explicit consent of the data subject (eg, where stipulated by law or – in the case of sexual and health data – for the purpose of protecting public health), sensitive data may be transferred abroad without explicit consent, provided that:

  • the relevant foreign country has an adequate level of protection, as determined by the Personal Data Protection Authority; or
  • data controllers in Turkey make a written declaration that they have ensured an adequate level of protection in the relevant foreign country and the Personal Data Protection Authority grants permission.

If the interests of Turkey or the data subject will be seriously undermined, personal data may be transferred abroad (without prejudice to international treaties) only with the authorisation of the Personal Data Protection Board, having ascertained the opinion of the relevant public institution or authority. The provision is ambiguous and does not:

  • specify criteria to assess or determine how the transfer of data abroad may seriously harm the interests of Turkey or the relevant party;
  • precisely define a situation or instance in which the transfer of data abroad will be subject to the Personal Data Protection Authority's permission; or
  • specify who or which authority will decide whether permission is required regarding the transfer of data abroad.

The Data Protection Law does not define or determine the scope of any condition or term referred to therein.

Cross-border data transfer agreements

Turkey has no specific rules regarding data transfer agreements. Therefore, the general provisions of the Data Protection Law and the Code of Obligations apply to data transfer agreements. However, data transfer agreements may be regulated once secondary legislation has been established and the Personal Data Protection Authority has assumed its duty.

The data protection provisions found in various laws should be taken into account, along with EU legislation, when applying the general provisions of the Data Protection Law to data transfer agreements. Turkish courts take these provisions into account and data transfer agreements that do not comply with them could be deemed void by the courts. Further, it would be prudent for the parties in a data transfer agreement to act in accordance with the Data Protection Law in order to avoid disputes regarding the validity of the agreement in future.

Comment

As there are no set criteria regarding which conditions require permission from the Personal Data Protection Authority, the potential consequences of data transfer rules are unclear. For example, a data controller or processor may not be in a position to assess and determine whether a data transfer could seriously harm the interests of Turkey or the party in question and hence require permission from the Personal Data Protection Board. Therefore, this provision should be seen as an exceptional requirement for highly sensitive issues. There is also no guidance regarding how personal data will be transferred between group companies or the process that foreign companies will need to follow to prove that they provide an adequate level of protection of personal data. Even if the Data Protection Law introduces a new regime regarding cross-border data transfers, its application and details will be clearer once the Personal Data Protection Board starts to exercise its data transfer powers and relevant secondary legislation is enacted.

(First published in International Law Office on June 7, 2016)

1. For further information please see “Data Protection Law is Approved by the Turkish Grand National Assembly” and “Comparison of Turkish Data Protection Law with EU Directive 95/46/EC”.

By Gonenc Gurkaynak, Managing Partner, and Ilay Yilmaz, Partner, ELIG, Attorneys-at-Law