Saying Goodbye to Consent in Data Transfers: What is Next?

13.03.2024

The Turkish Data Protection Law Has Been Amended. What Has Changed in Cross-Border Transfers?

This morning, the highly anticipated amendments in the Law on Protection of Personal Data w. no. 6698 (“DPL”) has been published in the Official Gazette. These changes mentioned below will enter into force in June 1, 2024. You may find our article about the changes here:

With the so called “Small DPL Reform” amendments that published in the Official Gazette, three important provision of the DPL has changed, two of which were creating deadlocks on the daily operation of businesses. The amendments were related to:

Art. 6 of the DPL related to conditions for processing sensitive (special categories) personal data
Art. 9 of the DPL related to transfer of personal data out of Turkey and
Art. 18 of the DPL related to misdemeanors

In addition to the above, a provisional article (Prov. Art. 3) was introduced.

So, now that the changes have been published and are in force, what is the next step for compliance with the revised provisions for data controllers?

1- The Problem: Gridlock

Since the enactment of the DPL in 2016, the transfer of personal data outside Turkey has always been a problem for data controllers. Originally, Art. 9 of the DPL required explicit consent from the individual whose data is being transferred, as per the article’s initial clause.

Other alternatives were:
– signing the standart undertaking by importer and exporter and seeking approval of the Data Protection Authority (“Authority”),
– BCRs, and
– Transfer to an importer located within an adequate country.

To date the Authority has not published any adequacy decisions. Also, it could also be argued that BCR was stillborn due to complexities of the legislation and practice. Lastly the Authority has approved only a handful of written undertakings despite numerous applications.

Therefore, since its inception in 2016, the framework for data transfers outside Turkey has faced challenges and this led to creation of a risk based approach to be taken by controllers with the following options:

• sign the undertaking and apply to the Authority for approval (least desireable option due to low number of approvals by the Authority and approval may put the controller in Authority’s radar)
• force data subjects to provide explicit consent (risk the consent being invalid due to lack of free-will but prepare a defense as explicit consent is the last and only resort) or,
• have IGDTA or a similar mechanism signed between the importer and exporter and wait for a sensible reform to fix the broken mechanism
And now, after almost 8 years of waiting, we are happy to announce that the mechanism has been fixed in a sensible way with the reform.

2- The Solution: Goodbye Consent, Welcome SCCs

Art. 9 of the DPL is rewritten to amend the whole cross-border transfer mechanism. With the change, a threefold system is introduced that covers: i- adequacy decision, ii- appropriate safeguards and iii- incidental transfers. Before diving in to details, with the changes:

– explicit consent can no longer be basis for data transfers abroad (except for incidental cases).
– a mechanism similar to SCCs is introduced where importer and exporter can simply sign the SCC and notify the Authority within 5 days to transfer personal data.

Here is how the threefold mechanism will work:

i- Adequacy Decision

As explained above, the previous version of the provision only allowed the Authority to give adequacy decisions about third countries and required the Authority to take into consideration of the reciprocity. This prevented the Authority from giving and adequacy decisions.

With the changes, data transfer is possible if an adequacy decision is given about the country, international organization or sector within the country where the transfer will be made. This way with the addition of international organization or sector specific adequacy options, the Authority may be more flexible in deciding for adequacy.

As a result, if there is an adequacy decision given, provided that there is legal basis for data processing exists (i.e. Art. 5 or 6 of the DPL), it will be possible to transfer personal data.

It should be noted that any adequacy decision must be reviewed and renewed by the Authority every 4 years at the latest. Also, the following are the criteria that will be taken into account by the Authority while making the adequacy decision:

• The mutual agreement on data privacy regulations regarding the movement of personal information from Turkey to any foreign nations, specific sectors within those nations, or global organizations.
• The applicable laws and customary practices of the nation receiving the personal data, along with the policies that the international organization receiving the personal data adheres to.
• The presence of an autonomous and competent authority dedicated to data protection in the destination country or organization, along with available administrative and legal measures for recourse.
• The engagement level of the receiving country or international organization with international treaties focused on personal data protection, or their participation in relevant global bodies.
• The affiliation of the receiving country or organization with worldwide or regional groups that Turkey is also a part of.
• International agreements that Turkey is a signatory to.

ii- Appropriate Safeguards

In the absence of an adequacy decision, any of the newly introduced appropriate safeguards shown below can be used to facilitate transfers, provided that one of the conditions specified in Art. 5 and 6 is present in the absence of an adequacy decision, the data subject has the opportunity to exercise his rights and to apply for effective legal remedies in the target country:

• The existence of SCCs to be published by the Authority, which will include data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the recipient and additional measures taken for special categories of personal data,

• The existence of a written undertaking with provisions to ensure adequate protection and approval of the transfer by the Board,

• Existence of BCRs approved by the Authority, containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with, or

• Existence of an agreement that is not in the nature of an international agreement between public institutions and organisations or international organisations abroad and public institutions and organisations or professional organisations in the nature of a public institution in Turkey and the Authority’s approval of the transfer.

It is important to note here that when SCCs are signed, there is no requirement to seek the approval of the Authority, however the SCCs must be notified to the Authority within 5 days signing.

iii- Incidental Transfers

In the absence of an adequacy decision and in the absence of any of the appropriate safeguards personal data may be transferred abroad only in one of the following cases, provided that it is incidental

• The data subject’s explicit consent to the transfer, provided that he/she is informed about the possible risks.

• The transfer is necessary for the performance of a contract between the data subject and the data controller or for the mandatory for the implementation of pre-contractual measures taken at the request of the person is in favour of the data subject.

• The transfer is made between the data controller and another natural or legal person for the benefit of the data subject is mandatory for the establishment or performance of a contract to be concluded between the parties.

• The transfer is mandatory for a superior public interest.

• The transfer of personal data is mandatory for the establishment, exercise or protection of a right.

• The transfer of personal data is mandatory for the protection of the life or physical integrity of the person himself/herself or of another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.

• Transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.

3- Next Steps For Controllers: Compliance

As mentioned above, the data controllers can be divided to three groups when it comes to what actions they have taken for data transfers: i- those that had to force data subjects to provide explicit consent for data transfers, ii- those that signed IGDTAs and applied a wait and see approach, and iii- those who applied to the Authority for approval of their data transfer undertaking. The actions that the data controller must take for compliance depends on this grouping.

i- Those That Relied on Consent
As mentioned above, consent can now be used only for incidental transfers. Therefore, controllers that (rightfully due to restrictons of the legislation) built all their data transfer operations on consent must now adopt any of the other mechanism that is being introduced. The provisional article 3 of the DPL provides a grace period until September 1, 2024 for these controllers and the consents obtained for transfers will be valid until this date.
As a result, the controllers in this category may wait for adequacy decision and in the meantime start making preparations for applying any of the appropriate safeguards (i.e SCCs) to comply with the new provision.

ii- Those That Signed IGDTAs and Applied a Wait & See Approach
Controller within this group do not rely on any legal basis to transfer personal data and with the new reform, it is now time to select any of the appropriate safeguards and legalize the transfers. Please note that there is no grace period for controllers in this group.

iii- Those That Applied to the Authority for Approval of Their Data Transfer Undertaking
The fate of the approved undertakings is not clear under the new mechanism, however since a similar approval mechanism is introduced, controllers that got approval from the Authority for their data transfer undertaking can wait until the announcement of secondary legislation by the Authority.
Controllers that have applied for approval however could not get approval from the Authority must immediately start preparations to apply any of the new safeguards to legalize transfers.

FAQ

1- We are a foreign data controller with no establishment in Turkey. We collect data directly from data subjects. What is our position?

The amendments do not solve this issue since this question is related to the interpretation of the Authority rather than the legislation. As you may know, contrary to EDPBs direct collection opinion in Guidelines 05/2021, the Authority’s decision on WhatsApp (numbered 2021/891 and dated September 3, 2021) underlines that, after the initial collection of personal data, all kinds of processing activities conducted in servers located outside Turkey constitutes a cross-border transfer. If the Authority does not align its interpretation with the EDPB, this will continue to be a problem for many foreign controllers that directly collect personal data from data subjects since there will be no data exporters in Turkey to run the mechanisms (SCCs, undertaking, BCR etc.) in the legislation.
Therefore, we hope that the Authority will reconsider the interpretation of what a transfer is and will clarify that direct collection scenarios where there is no exporter of personal data is not a data transfer.

2- We are a group company with approved BCR from an authority in the EU. Can we rely on such BCR for the transfer from Turkey?

No, transfers from Turkey is subject to the DPL and pursuant to the DPL, BCRs must be approved by the Authority in Turkey.

3- We have signed EUs standard SCCs for transfers, can we rely on such for transfers from Turkey?

No, the SCCs mentioned above is the version that will be published by the Authority in Turkey. Therefore, unless the SCCs published by the Authority is exactly same with the EU version, separate SCCs published by the Authority must be signed.

4- We have signed a intra group data transfer agreement, can we rely on such mechanism for transfers from Turkey?

No, however if such agreement ensures adequate protections, it would be possible to apply to the Authority for approval with such IGDTAs. The secondary legislation, when published by the Authority, will provide a more clear response.

5- We are located in an EU country, can EU countries automatically be considered as adequate for transfers from Turkey?

No, in order for a country to be accepted as adequate, it must be published by the Authority.

6- What constitutes as incidental transfer?

The reasoning of the amendments explains the incidental as follows: Single or several times and in a non-continuous manner. For example; a company in Turkey sharing information about its employees who will be in contact with the addressee company in terms of the commercial activity that it intends to carry out with a company abroad on an incidental basis.

This website is available “as is.” Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

SPK’dan e-Başvuru Zorunluluğu

CMB Deploys Electronic System for Submissions

Sermaye Piyasası Kurulu Tarafından Payların İlk Halka Arzı Öncesi Uyulacak Ön Şartlardaki Tutarların İndirimine İlişkin Kurul İlke Kararı Yayımlandı

Recent Changes Regarding the Determination of Companies Subject to Independent Auditing

Call Option Agreement on Shares of a Joint Stock Company

Bağımsız Denetime Tabi Şirketlerin Belirlenmesine Dair Karar

The Constitutional Court Decision on Legal Professional Privilege

Two-minute Recap of Recent Developments in Turkish Competition Law - March 2024

Two-minute Recap of Competition Law Matters Around the Globe – March 2024

Türkiye’s Green Transition Journey and Effects on Construction Sector

“Reasonable” Remedy Period

An Overview of FIDIC 2022 Reprint

Veri Koruması İçin Yöntemler: Anonimleştirme ve Psödönimleştirme Hakkında Bir İnceleme

Safeguarding Data: A Review of Anonymization and Pseudonymization

ÇSY Kapsamında Kişisel Verilerin Korunması Hukukunun Önemi

Anayasa Mahkemesi’nden 6325 Sayılı Hukuk Uyuşmazlıklarında Arabuluculuk Kanunu’nun Bazı Hükümlerinin İptaline İlişkin Yeni Karar

New Decision by the Constitutional Court on the Annulment of Certain Provisions of the Mediation in Civil Disputes Law No. 6325

Esin Litigation Quarterly | Issue 4 | March 2024

2024 Yılı İtibarıyla Perakende Ticaret Mevzuatında Neler Değişti?

Sadakat Programlarına İndirimli Satış Reklamı Yasağı!

Obligations under the Distance Contracts Regulation are Postponed

Kamu İhale Sözleşmelerinde Düşük Karbon Emisyonuna Sahip Yeşil Çimento Kullanımının Yaygınlaştırılmasına İlişkin Tebliğ Yayımlandı

Communiqué on the Promotion of the Use of Green Cement with Low Carbon Emission in Public Procurement Contracts has been Published

Şarj Hizmeti Ağlarında Konsolidasyon: Lisans İptalleri

Kurumsal Sürdürülebilirlik Özen Yükümlülüğü Direktifi (CSDDD) Onaylandı

Corporate Sustainability Due Diligence Directive (CSDDD) Approved

Yeşil Dönüşüm Yolunda: Çevre Etiketi Sistemi

Ödeme ve Elektronik Para Kuruluşlarının Asgari Özkaynak Miktarlarında Değişiklikler

Amendments Regarding Minimum Equity Amounts for Payment and Electronic Money Institutions

Dijital Türk Lirası’nda Faz-2 Çalışmalarına Başlandı

Technology Disruption in the Insurance Industry

Cyber Insurance

İklim Değişikliğinin Sigorta Sektörü Üzerindeki Etkisi

Türkiye's Geopolitical and Strategic Importance Regarding Counterfeiting Activities

Design Registration Application in Turkey: Things to Consider

Turkish PTO Will Handle Non-Use Cancellation Actions as of January 10, 2024

İşçinin Ölümü Halinde Kıdem Tazminatı ve Ölüm Tazminatı Taleplerinin Karşılaştırmalı Olarak Değerlendirilmesi

Non-competition Obligation - Intervention of the Judge

İş Sözleşmelerinde Rekabet Etme Yasağı

Türkiye İlaç ve Tıbbi Cihaz Kurumu Tıbbi Cihaz Sektör Belgesi Yayınlandı

Turkish Medicines and Medical Devices Agency Published the Industry Report on Medical Devices

Spor Müsabakalarına Dayalı Bahis ve Şans Oyunları

Remarkable Topics of Recent Times: Betting and Games of Chance on Sports Competitions

Advertising Board Published the Report on Supplementary Food Advertisements!

Convertible Investments in Türkiye

Türkiye’de Pay Opsiyon Planları ve Birleşme Devralmalara Etkileri

Employee Stock Option Plans and Effects on M&A Practices in Türkiye

Yayımlanan Yönetmelik ile Konutların Turizm Amaçlı Kiralanması

Konutların Turizm Amaçlı Kiralanması

Konut Kira Bedeli Artışlarında Azami Sınır

Anonim Şirketlerde Önemli Miktardaki Varlığın Satışı ve İlgili Tartışmalı Konular

Sale of Significant Assets in Joint Stock Companies and Related Contentious Issues

Adi Konkordatoda Alacaklılar Toplantısı

Türkiye’de Çalışan Pay Opsiyon Planları ve Yatırım Sürecindeki Etkileri

Yatırım ve Pay Devri İşlemlerinde Ara Dönem ve Kapanış Şartları

What is Convertible Debt as a Method of Quick Access to Finance?

Damga Vergisi Kanun Genel Tebliği (Seri No: 69) Hakkında Bilgi Notu

Information Note Regarding the General Communiqué on the Stamp Duty Law (Serial No: 69)

Anayasa Mahkemesi’nden Enflasyon Düzeltmesine İlişkin Önemli Karar

The AI Act: The World's First Comprehensive Laws to Regulate AI

AB’den Devrim Niteliğinde Düzenleme: Yapay Zekâ Yasası Onaylandı

Revolutionary Regulation from EU: AI Act is Approved

Regulation on Preventing Collision at Sea

Türkiye’de Deniz Kirliliği Cezalarına İlişkin Yeni Düzenleme

Current Pollution Administrative Fines

Şirket Yöneticilerinin Cezai Sorumluluğu

An Overview of Occupational Fraud 2024: A Report to the Nations by ACFE

Güneş Balçıkla Sıvanmaz!

Saying Goodbye to Consent in Data Transfers: What is Next?

Popular Articles on Data Protection & Privacy

Latest Insights from Özdağıstanli Ekici Attorney Partnership

Subscribe to our newsletter