Publications
Transfer Of Personal Data Abroad According To The Turkish Law
According to the legislations of Turkish Republic, the transfer of personal data abroad is carried out in accordance with the conditions set out in the Personal Data Protection Law numbered 6698 (the “Law”).
The transfer of personal data abroad is a matter that should be examined separately with important details to be highlighted. context, the concepts of “Affiliate Undertaking” and “Secures Third Countries” are important.
Conditions for Transferring the Data Transfer Abroad
When transferring data abroad, the following conditions must be met according to the Law:
• Explicit consent of the data subject
• Existence of exceptions required by the Law
• Ensuring adequate protection
Commitment of Affiliate Companies and Secure Third Countries in the Process of Transferring Personal Data Abroad
The concepts of commitment of affiliate companies and secure third countries in the process of transferring personal data abroad cover topics related to data protection and privacy regulations. These topics are especially considered within the framework of the General Data Protection Regulation (GDPR) in the European Union.
Before transferring personal data abroad, a data controller must ensure that the destination country has adequate data protection regulations, and that data protection is ensured.
The commitment of affiliate companies is a mechanism that ensures that a company to which data is being transferred abroad commits to complying with data protection regulations and ensuring the security of the data. This commitment provides an important assurance for the protection of transferred data.
Secure Third Countries
According to the GDPR, countries outside the EU that do not meet EU standards in terms of data protection regulations are considered "unsecure countries." Additional measures are required for data transfers to such countries. However, countries that have been determined by the EU Commission to have adequate data protection regulations and are recognized as having "secure third country" status do not require the implementation of additional measures when transferring data. The list of secure third countries is determined and updated by the EU Commission. As of 2021 under GDPR, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Switzerland, Jersey, New Zealand, and Uruguay are considered secure third countries. Data transfers to these countries do not necessitate additional measures. However, if data is to be transferred to a country outside these secure third countries, the data controller must take supplementary precautions. As of now, Turkey does not hold the status of a secure third country. It is currently an "unsafe country", although this is expected to change in the future
Determination of Countries Providing Adequate Protection (Secure Countries)
The determination of countries providing adequate protection is achieved through an evaluation conducted by the Personal Data Protection Board of Turkey (the “Board”) as stipulated in the fourth paragraph of Article 9 of the Law. This evaluation takes into account various criteria such as international agreements to which Turkey is a party, reciprocity status regarding data transfers, legislation and practices of the country to which the transfer will be made. The Board must consider various factors when making these assessments. Mutual recognition underpins the secure country status, enabling data controllers and processors to transfer personal data securely, cost-effectively, and rapidly. The principle of reciprocity is an important criterion for data transfer and emphasizes that negotiations for mutual adequacy decisions should be pursued.
The reason for the delay in announcing secure countries by the Board is due to this principle of reciprocity. Since the EU does not define Turkey as a secure third country, Turkey is also taking slow to announce secure countries.
Regarding the implementation of the Convention for the Protection of Individuals regarding Automatic Processing of Personal Data (the “Convention 108”), efforts are being undertaken by the Personal Data Protection Authority (the “Authority”) in Turkey to determine the status of secure countries. While Convention 108 is significant, being a party to this convention alone is not sufficient for a country to be considered a secure country.
Transfer of Personal Data to Countries without Adequate Protection
According to the second paragraph of Article 9 of the Law, for the transfer of personal data to countries without adequate protection, the parties involved in the transfer must commit to providing adequate protection in writing, and the Board's approval for the transfer is required. The Board determines the minimum requirements for preparing these commitments. Furthermore, for data transfers between multinational corporate groups, Binding Corporate Rules have been designated as an alternative method to ensure adequate protection.
Conclusion
Although the Turkish Personal Data Protection Law and the EU GDPR are parallel and similar in many aspects, Turkey is not yet considered a secure third country. Due to this qualification, the Authority also refrains from disclosing the list of safe third countries based on the principle of reciprocity, making the process of transferring personal data abroad more difficult. Hopefully, this situation will change in the future, and Turkey could be included among secure third countries.
|
Nazlı OZKUL
|
Mustafa İsmail ÇAKAR
|