Regulation on Cross-Border Data Transfer Mechanisms is in Force

The Regulation on the Procedures and Principles on the Cross-Border Personal Data Transfers (“Regulation”) was published on the Official Gazette and entered into force today, on July 10, 2024. The Regulation was originally opened for public consultation by the Personal Data Protection Authority (“DPA”) some 8 weeks ago, however despite such a long process, the changes to the Regulation between the draft and the final version are minimal.

The DPA further announced the final texts of the standard contractual clauses (“SCCs”) and the application forms for the binding corporate rules, which are the novel cross-border data transfer mechanisms newly introduced to the Personal Data Protection Law No. 6698 (“DPL”) on March 12, 2024.

By way of background, the amendments to the DPL introduced significant changes, in particular the novel mechanisms for cross-border data transfers, with the aim of alignment with European Union’s General Data Protection Regulation. With these amendments, the current cross-border data transfer mechanisms under the DPL consist of:

i. Adequacy decision for third countries, international organizations and sectors

ii. Appropriate safeguards

— SCCs

— Binding corporate rules

— Undertakings approved by the DPA

— Agreements of public institutions

iii. Derogations for specific situations.

With slight amendments, the Regulation reflects its draft, detailing the procedures and principles of the cross-border data transfer mechanisms. Most notably, the Regulation details the procedures and principles for the SCCs. Accordingly, the Article 14 of the Regulation determines (i) the principles, (ii) the content and (ii) the notification procedures of the SCCs.

Principles for the SCCs

The SCCs must be executed between the data importer and the data exporter, by using the texts announced by the DPA, without making any modifications. The DPA is authorized to conduct an examination in the event that the SCCs are modified or does not contain valid signature. In addition, in the event that the SCCs are executed in a foreign language, the Turkish text will be taken as a basis.

Content of the SCCs

The SCCs will have to include provisions on (i) the data categories, (ii) the purposes of the data transfer, (iii) the recipients and recipient groups, (iv) the technical and administrative measures to be taken by the data importer and (v) the additional measures taken for special categories of personal data.

Notification of the SCCs

The SCCs must be notified to the DPA, physically or by registered electronic mail address (KEP) or other methods to be determined by the DPA, within 5 days of its signing. The party that will fulfil the notification obligation may be determined by the parties within the SCCs. If not determined, the data exporter will be the liable party. Accordingly, the notification must include documents supporting the authority of the signatories, with the notarized translation of any foreign documents.

Additionally, in the event of (i) any changes in the parties to the SCCs or in the information and explanations provided by the parties in the content of the SCCs or (ii) termination of the SCCs, an additional notification must be made to the DPA, by following the same procedure.