News
Time to Legalize Data Transfers from Turkey - Deadline: September 1, 2024.
The Turkish Data Protection Law was amended to introduce new mechanisms to transfer personal data from Turkey to other countries. One of the significant changes is that consent will not be used as a legal basis as of September 1, 2024. This deadline requires controllers and processors exporting personal data from Turkey to take action and comply with the new data transfer mechanisms by September 1, 2024.
TIME TO LEGALIZE DATA TRANSFERS FROM TURKEY – DEADLINE September 1, 2024
As we posted here last week, the Regulation on The Procedures and Principles for Cross-Border Transfers of Personal Data (“Regulation“) has been published in the Official Gazette and entered into force on July 10, 2024.
Although the Regulation underwent a lengthy public consultation process of approximately 8 weeks, the changes to the Regulation at the end of the public consultation process were minimal.
The DPA also published the four standard contracts (“SCCs“) together with the BCR application forms on 10 July 2024.
With the publication of the Regulation together with the mechanisms to be used by the DPA for data transfers on 10 July 2024, the legislative steps of the reform of the Personal Data Protection Law No. 6698 (“DPL“) are now complete.
As we have already covered the DPL reform in our previous newsletter, this article will not go into the details of the legislative changes. Instead, we will focus on what steps need to be taken for data transfers in light of the changes, and what challenges may arise in taking those steps.
New Data Transfer Methodology
As detailed in previous newsletters, the data transfer methodology under the DPL has changed significantly with the amendments published on 12 March 2024, largely in line with the GDPR.
With the amendments, the current data transfer methodology is based on 3 different main categories, which should be applied in this order:
- Adequacy Decision for Third Countries, International Organisations and Sectors (“Adequacy“)
- Appropriate safeguards such as SCCs, BCRs, data transfer undertakings, etc. in the absence of an adequacy decision (“Appropriate Safeguards“).
- Derogations for specific situations in the absence of both Adequacy and Appropriate Safeguards.
Please note that there is no adequacy decision from the Data Protection Authority (“DPA“) yet. Therefore, in this article we will discuss the appropriate safeguards and focus on SCCs as the most favoured and expected appropriate safeguards.
Appropriate Safeguards
The DPL provides that personal data may be transferred abroad by data controllers and data processors if one of the data processing conditions (i.e. the legal basis set out in Art. 5 or 6 of the DPL, such as contract, legitimate interest, etc.) is met and one of the appropriate safeguards is provided by the parties, provided that the data subject has the opportunity to exercise his or her rights and obtain effective remedies in the country of transfer.
The appropriate safeguards that may be provided by the parties are listed in Art. 10 of the Regulation and are as follows
- Binding corporate rules, approved by the DPA, containing provisions on the protection of personal data, to be observed by the companies of the group engaged in joint economic activities.
- Standard Contractual Clauses, published by the DPA Board, which cover matters such as categories of data, purposes of data transfers, recipients and groups of recipients, technical and administrative measures to be taken by the data recipient, additional measures for special categories of personal data.
- A written commitment containing provisions to ensure adequate protection and approval of the transfer by the DPA.
- Existence of an agreement, which is not in the nature of an international contract, between public institutions and organisations or international organisations abroad and public institutions and organisations or professional organisations in the nature of a public institution in Turkey, and the Board authorises the transfer.
When the appropriate safeguard options are reviewed, the Standard Contractual Clause option is the one that stands out as it is the only option which does not require the authorisation/approval of the DPA. As such, proceeding with the Standard Contractual Clauses is the quickest of the 4 options available to controllers and processors.
Use of Standard Contractual Clauses for Data Transfers
As mentioned above, the DPA published 4 modules of SCCs on 10 July 2024. These are controller to controller, controller to processor, processor to processor and processor to controller SCCS.
The published SCCs are only available in Turkish. You can find the texts of the SCCs together with machine translations here:
Although the SCCs published by the DPA are similar to those published by the European Commission, there are major differences when it comes to the steps that need to be taken to implement the SCCs. Below, we will focus on these differences and the challenges they pose to controllers or processors who wish to use the SCCs for data transfers out of Turkey.
1. Text of the SCCs
The Regulation stipulates that the text of the SCC must be used exactly as it is and must not be changed/amended. The regulation also states that if the text of the SCC is changed, this will be grounds for an ex officio investigation by the DPA.
2. Signature
The Regulation requires the parties to the transfer or their representative to sign the SCC. Please note that this is a strict signature requirement where the parties or their representative must sign the SCC with a wet/handwritten signature or with an electronic signature provided by an authorised certificate provider in Turkey. Please note that commonly used electronic signature software (e.g. Echosign) is not a valid electronic signature under Turkish law.
The absence of a valid signature of one or both of the parties to the transfer in the SCC is a valid ground for ex officio investigation by the DPA.
As a result, the regulation does not allow the SCCs to be entered into by incorporating them into a larger DPA or IGDTA. Each SCC must be signed in order to be valid.
3. Language
The regulation stipulates that the SCC must be written in Turkish. Even if English is used together with Turkish, the Turkish version shall prevail.
4. Supplementary Documents
The Regulation stipulates that all supplementary documents that prove the authority of the signatories shall be attached to the SCC as addenda. Please also note that any documents prepared outside Turkey relating to signatory powers must be notarised and apostilled in order to be valid in Turkey under the 1961 HCCH Apostille Convention. In addition, any documents prepared in a language other than Turkish must be translated and notarised in Turkey for the SCC to be valid.
5. Notification to the DPA
The SCC shall be notified to the DPA physically or by registered electronic mail (KEP) address or other methods determined by the DPA within five business days after the completion of the signatures. The parties may determine in the SCC who will fulfill the notification obligation. If no such designation is made, the SCC will be notified to the DPA by the data exporter.
In addition, the DPA must be notified within five business days of any change in the parties to the SBC or in the information and declarations provided by the parties in the contents of the SBC, or of any termination of the SBC, either physically or by registered electronic mail or by other methods specified by the DPA.
Failing to notify to the DPA is subject to an administrative fine to be issued by the DPA
6. No Docking Clause
The SCCs published by the DPA do not provide for the possibility of adding additional parties through the use of a docking clause. If the parties to the SCC change, the SCC must be re-signed and notified to the DPA.
7. Number of Parties to the SCC
The SCCs published by the DPA appear to allow only one data exporter and one data importer to sign. Given that the Regulation strictly requires the SCC to be used as it is, the question arises as to whether additional parties can be added to the SCC by increasing the number of signature blocks and changing certain definitions in the SCC.
Given that any change to the SCCs will result in an ex officio investigation by the DPA, it is best to sign two-party SCCs at this stage.
Road Map
In light of the above and the amendments made to the DPL on 12 March 2024, the use of explicit consent will no longer be a valid legal basis for transfers outside Turkey as of 1 September 2024. As a result, controllers and processors in Turkey will need to develop and apply one of the appropriate safeguards by 1 September 2024.
As mentioned above, SCCs are the most convenient and quickest of the appropriate safeguards. As a result, the following steps must be taken to legalise data transfers outside Turkey.
- Prepare/review data mapping in light of the most recent data flows
- Decide on the relevant module and the parties to sign the SCC in light of the data flows.
- Prepare the relevant documentation for signing the SCC.
- Notify the DPA of the SCCs by 1 September 2024
Article provided by INPLP member: Burak Ozdagistanli (Ozdagistanli Ekici, Turkey)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010