10.06.2024
On 1 June 2024, the draft law including the much-awaited amendments to the Turkish Personal Data Protection Law (the “PDPL”) came into force and began to be implemented. The law draws attention, especially with the major amendments relating to the cross-border transfer of personal data.
The new amendment brings a prerequisite that there should be an adequacy decision issued by the Personal Data Protection Board (the “Board”) for data transfer abroad. Within the scope of the previous article regarding the cross-border transfer of personal data, in cases where there was no adequacy decision, explicit consent could be deemed sufficient for data transfer abroad. In fact, since the Board had not published any adequacy decision, the general method used in data transfer abroad was previously to obtain explicit consent from data subjects. With this amendment, explicit consent is no longer a general reason for cross-border transfer of personal data and it has become an exception.
According to the new amendment, the Board may issue adequacy decisions not only for countries but also for international organizations or sectors within the country, and cross-border data transfer may be carried out in accordance with the relevant decisions if any. In the absence of such a decision, the parties must provide one of the appropriate safeguards for cross-border data transfer. Otherwise, continuous cross-border data transfer will not be possible. According to the new amendment, if there is no adequacy decision, the transfer of personal data abroad will be possible if one of the conditions specified in article 5 or article 6 of PDPL conditions of data for processing of personal data or sensitive personal data is met and the data subject has the right to exercise its rights and apply to legal remedies in the relevant country, and if one of the following conditions applies:
– if an agreement (that is not qualified as an international treaty) is signed between foreign public institutions or organizations, or international organizations on the one hand, and public institutions or professional organizations qualified as public institutions in Turkey on the other hand, and the transfer is approved by the Board,
– for multinational companies, where binding corporate rules with which all the undertakings are obliged to comply has been approved by the Board,
– if the standard contract published by the Board and containing the purposes of the personal data transfer, the transferred data categories, transferees and transferee groups, the technical and administrative measures to be taken by the transferee, and additional measures for sensitive personal data, is used; or
– if the data controller in Türkiye and in the relevant foreign country undertake to provide adequate protection in writing and the transfer is approved by the Board.
On 9 May 2024, the Personal Data Protection Authority published a draft regulation on procedures and principles for the transfer of personal data abroad for public consultation which includes details related to this amendment and on 17 May 2024, it published draft application forms and guideline for “Binding Corporate Rules” applications for both data controllers and data processors.
Practitioners are waiting for the final versions of these documents and the adequacy decision to fully determine the implementation of the new amendment. Please note that cross-border transfer of personal data based on explicit consent as permitted under the previous legislation will be applicable until 1 September 2024. 10.06.2024
Commentaires