A New Era in Cross-Border Data Transfers in Turkey
Contents
- Amendments to the Conditions for Processing of Special Categories of Personal Data
- Amendments to the Cross-Border Data Transfer Regimes
- Adequacy Decision for Third Countries, International Organizations and Sectors
- Appropriate Safeguards for Cross-Border Data Transfers
- a. Standard Contractual Clauses
- b. Corporate Binding Rules
- c. Signing of an Undertaking and Obtaining the Approval of the Authority
- d. Agreements of Public Institutions
- Derogations for Specific Situations
- Amendments to the Sanctions
- Transition Periods
The Law Proposal Amending the Code of Criminal Procedure and Certain Laws and Decree Law No. 659 (“Law Proposal”), which embodies significant changes to the Law No. 6698 on the Protection of Personal Data (“DPL”), was submitted to the Turkish Grand National Assembly (“Assembly”) on February 16, 2024. The Law Proposal mainly amends the DPL with respect to (i) the processing conditions for special categories of personal data, (ii) the rules governing cross-border data transfers and (iii) the appeal process and venue for challenging decisions of the Data Protection Authority (“Authority”).
The Law Proposal, and specifically its provisions on cross-border data transfers, has been eagerly anticipated by the relevant stakeholders, as it provides a smoother mechanism for data transfers abroad that is also aligned with the European Union’s General Data Protection Regulation (“GDPR”). By adopting rules and principles similar to those of the GDPR, the Law Proposal aims to foster international compatibility and to ensure consistency with established international norms. This alignment not only facilitates compliance for entities operating in multiple jurisdictions but also enhances the coherence and effectiveness of global data governance frameworks.
Once adopted by the Assembly, the Law Proposal is expected to enter into force in the upcoming weeks.
Amendments to the Conditions for Processing of Special Categories of Personal Data
Currently, the DPL provides that special categories of personal data may only be processed on the basis of (i) the explicit consent of the data subject or (ii) an explicit stipulation by law, the latter not being available for data concerning health and sexual life. Data concerning health and sexual life may only be processed without the explicit consent of the data subject where this is necessary for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services, and only by persons under an obligation of secrecy or by authorized institutions and organizations.
As practice over the past several years has revealed the need to process health data in the fields of health insurance, employment and social services, and with the purpose of alignment with the GDPR, the Law Proposal abolishes the separate processing conditions for different types of special categories of personal data and introduces additional conditions applicable to all special categories of personal data.
Accordingly, the Law Proposal forbids processing special categories of personal data, unless:
- Explicit consent of the data subject is obtained,
- It is explicitly stipulated by law,
- Processing is necessary to protect the life or bodily integrity of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent,
- Processing relates to personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
- Processing is necessary for the establishment, exercise or protection of a right,
- Processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation of secrecy or authorized institutions and organizations,
- Processing is necessary for carrying out legal obligations in the field of employment, occupational health and safety, social security, social services and social assistance,
- Processing is carried out for current or former members of, or for persons in regular contact with, foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that it is in accordance with the legislation to which they are subject and their purposes, is limited to their fields of activity and the data is not disclosed to third parties.
While these amendments appear to meet needs that have arisen in practice, e.g. sharing blood type information in emergencies or enabling people with disabilities to benefit from government policies, the processing condition relating to employment stands out as one of the most significant changes under the Law Proposal. It will correct the flawed but unavoidable practice that developed in Turkey, under which employers had to process various special categories of personal data of employees (e.g. criminal records, health data, disability status) on the basis of the employees’ explicit consent, even though the free-will element of that consent was questionable.
Another important impact will be felt in the health insurance sector. Because of shortcomings in the current law, health insurance providers had no legal basis to process the health data of their customers, which was required in order to pay treatment costs. As a result, another absurd but unavoidable practice had to be created, under which health insurance providers had to ask for explicit consent whenever an insured customer requested payment of their treatment costs. The free-will element of such consent was of course questionable, but this was the only workable method. With the changes, this practice will no longer be necessary.
Amendments to the Cross-Border Data Transfer Regimes
The existing cross-border data transfer mechanisms under the DPL have been criticized as burdensome and not business-friendly. In addition, the current mechanisms effectively prevent the use of cloud-based software and applications whose servers are located abroad, although these are widely used by almost all companies and individuals doing business; the mechanisms are also considered an obstacle to potential foreign investment.
Currently, the DPL provides that personal data may only be transferred from Turkey to third countries if one of the following criteria is met:
- Explicit consent of the data subject is obtained, provided that such consent is freely given, specific and informed,
- The Personal Data Protection Authority (“Authority”) determines that the recipient country provides an adequate level of protection of personal data,
- Both the data controller and the data processor, parties to the cross-border data transfer, sign an agreement (an undertaking or binding corporate rules) ensuring adequate protection of personal data and the Authority approves such transfer.
In response to these criticisms, the Law Proposal introduces new appropriate safeguards and derogations for specific situations, and allows international organizations or sectors, in addition to countries, to be the subject of adequacy decisions. Moreover, explicit consent is no longer a stand-alone basis for cross-border data transfers and may only be relied upon within the framework of the derogations for specific situations, as explained below.
The Law Proposal further regulates that these novel mechanisms shall apply to the onward transfers of the personal data; and that where the interests of Turkey or the data subject would be seriously harmed, personal data shall only be transferred abroad with the permission of the Authority, along with the opinion of the relevant public institution or organization.
The Authority is expected to prepare secondary regulations for the procedures and principles regarding the implementation of the cross-border data transfer mechanisms.
Adequacy Decision for Third Countries, International Organizations and Sectors
Even though one of the existing conditions for cross-border data transfers is a transfer to a recipient country determined by the Authority to provide an adequate level of protection, the Authority has not designated any country as safe since the DPL entered into force.
The Law Proposal does not abolish the safe country condition for cross-border data transfers; however, it extends the scope of the adequacy decision to also cover (i) international organizations and (ii) sectors within a country.
Furthermore, the Law Proposal sets forth the following criteria to be taken into consideration while the Authority renders an adequacy decision:
- The reciprocity status regarding the transfer of personal data between Turkey and the recipient country, sectors within the country or international organizations.
- The relevant legislation and practice of the recipient country and the rules governing the recipient international organization.
- The existence of an independent and effective data protection authority in the recipient country or to which the recipient international organization is subject and the existence of administrative and judicial remedies.
- The status of the recipient country or international organization as a party to international conventions on the protection of personal data or as a member of international organizations.
- The membership status of the recipient country or international organization to global or regional organizations of which Turkey is a member.
- International conventions to which Turkey is a party.
With the amendment, the Authority’s adequacy decisions will be published in the Official Gazette and will be reviewed by the Authority at least every four years. As a result of such review, or in other cases where it deems necessary, the Authority may amend, suspend or revoke an adequacy decision with future effect.
Appropriate Safeguards for Cross-Border Data Transfers
Where there is no adequacy decision, the Law Proposal also introduces appropriate safeguard mechanisms for cross-border data transfers. Provided that the data subject is able to exercise their rights and to apply for effective legal remedies in the country to which the data is transferred, data controllers and data processors will be able to transfer personal data abroad if the parties provide any of the following safeguards:
a. Standard Contractual Clauses
Standard contractual clauses (“SCCs”) will finally be introduced as a safeguard by the Law Proposal. The clauses enabling cross-border data transfers will be announced by the Authority and will contain:
- data categories,
- purposes of data transfer,
- recipients and recipient groups,
- technical and administrative measures to be taken by the data recipient,
- additional measures taken for special categories of personal data.
However, unlike under the GDPR, standard contractual clauses under the DPL must be notified to the Authority by the data controller or data processor within 5 business days following their signature.
b. Corporate Binding Rules
Although binding corporate rules (“BCR”) are already used by data controllers in practice for cross-border data transfers, the Law Proposal expressly sets forth BCRs as an appropriate safeguard. Accordingly, where BCRs approved by the Authority are in place, containing provisions on the protection of personal data with which the companies in the same group of undertakings are obliged to comply, personal data can be transferred between these companies without obtaining separate authorization from the Authority.
Thus, it is (and will continue to be) possible to transfer personal data from a company of a group of undertakings in Turkey that has BCRs approved by the Authority to a company of the same group in a foreign country without obtaining a separate authorization from the Board.
On the other hand, the details of BCRs are not yet determined, and the Authority’s secondary regulations are expected to establish the procedures and principles governing BCRs.
c. Signing of an Undertaking and Obtaining the Approval of the Authority
The existing condition for cross-border data transfers, under which the parties sign an undertaking containing provisions ensuring adequate protection and obtain the Authority’s authorization for the transfer, remains as a safeguard under the Law Proposal. Unlike the current practice, where the Authority publishes model clauses, the parties may have more freedom as to the content of the undertaking. That said, considering that the Authority has authorized only a handful of applications so far and that SCCs will be available, this option may become obsolete in the near future.
d. Agreements of Public Institutions
An agreement that is not in the nature of an international agreement, concluded between (i) public institutions and organizations or international organizations abroad and (ii) public institutions and organizations, or professional organizations having the status of a public institution, in Turkey, will enable cross-border data transfers, provided that the Authority grants permission for such transfers.
Derogations for Specific Situations
The Law Proposal introduces several new and exceptional conditions for cross-border data transfers that are occasional and not repetitive. These exceptional conditions correspond to the derogations for specific situations under Article 49 of the GDPR.
Accordingly, in the absence of an adequacy decision and appropriate safeguards, data controllers and data processors will be able to transfer personal data abroad only in one of the following cases:
- The data subject gives explicit consent to the transfer and is informed about the possible risks of the cross-border data transfer,
- The transfer is necessary for:
  - the performance of a contract between the data subject and the data controller, or the implementation of pre-contractual measures taken upon the request of the data subject; or
  - the establishment or performance of a contract between the data controller and another party for the benefit of the data subject.
- The transfer is necessary for an overriding public interest.
- The transfer is necessary for the establishment, exercise or protection of a right.
- The transfer is necessary to protect the life or bodily integrity of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
- The transfer is made from a registry open to the public or to persons with a legitimate interest, provided that the conditions for accessing the registry under the relevant legislation are met and the person with a legitimate interest requests the transfer.
Another important point we must make here is that, while these changes are positive, we evaluate that the direct collection of personal data by a foreign controller remains questionable. This is not due to the legislation but due to the Authority’s interpretation of the legislation.
Contrary to the EDPB’s opinion on direct collection in Guidelines 05/2021, the Authority’s decision on WhatsApp (numbered 2021/891 and dated September 3, 2021) underlines that, after the initial collection of personal data, all kinds of processing activities conducted on servers located outside Turkey constitute a cross-border transfer. If the Authority does not align its interpretation with the EDPB’s, this will continue to be a problem for many foreign controllers that directly collect personal data from data subjects, since there will be no data exporter in Turkey to operate the mechanisms (SCCs, undertaking, BCR etc.) provided in the legislation.
Therefore, we hope that the Authority will reconsider its interpretation of what a transfer is and will clarify that direct collection scenarios, where there is no exporter of personal data, do not constitute a data transfer.
Amendments to the Sanctions
The Law Proposal adds a sanction for the newly introduced notification obligation, under which the data controller or data processor must notify the standard contractual clauses to the Authority within 5 business days following their signature; failure to comply will result in an administrative fine of 50.000 to 1.000.000 Turkish Liras (approx. EUR 1,500 to 30,000).
Unlike the other sanctions under the DPL, this new sanction applies not only to data controllers but also to data processors.
Lastly, with the amendments, the Authority’s administrative fines may be challenged before the administrative courts instead of the magistrate courts.
Transition Periods
Taking into account the disruptions that may occur after the amendments enter into force, the Law Proposal provides that:
- the cross-border data transfers with data subjects’ explicit consents shall remain applicable until September 1, 2024; and
- the proceedings pending before the magistrate courts as of 1/6/2024 shall continue to be heard by these courts.