The New Draft Regulation On Cross-Border Data Transfers



On 9 May 2024, the New Regulation Draft on the Procedures and Principles Regarding the Cross-Border Transfer of Personal Data ("Draft Regulation") was published by the Turkish Data Protection Authority ("DPA"). Interested parties may now submit opinions on the Draft Regulation.

It will enter into force on 1 June 2024; however, there is a three-month grace period during which the existing regime will co-exist.

The Draft Regulation introduces a new regulatory framework governing cross-border data transfers.

What is new in Cross-Border Transfers?

Subsequent to the amendments introduced to the relevant law ("KVKK") two months ago in March 2024, the Draft Regulation attempts to respond to common problems encountered in practice, to adapt to the innovations brought by developing technology, and to reflect new approaches adopted on international platforms.

With the new system, data controllers and data processors will follow a gradual approach when transferring personal data abroad. Where personal data is transferred by the data processor, it is obligatory to comply with the instructions of the data controller.

According to the new system, the DPA can issue an 'Adequacy Decision' for recipient countries, specific industries, or international organizations. With an adequacy decision for the destination country or industry, controllers may transfer personal data on the legal bases in Article 5 or 6 of the KVKK.

In the absence of an adequacy decision, data controllers can transfer personal data abroad by implementing 'Safeguards'. These safeguards require that data subjects can exercise their rights and seek legal remedies in the destination country, and the transfer must comply with the legal bases in Article 5 or 6 of the KVKK. These safeguards are: a) an agreement between the public authorities and organizations; b) the existence of binding corporate rules ("BCRs"); c) the existence of the "Standard Contract" ("Turkish SCCs") signed between the parties, with notification to the DPA within five (5) business days of signing; d) the existence of the Data Transfer Commitment published by the DPA and approved by the DPA.

If the aforementioned conditions are not met, data controllers may transfer personal data abroad provided that the transfer is not regular, occurs only once or a few times, is not continuous and is not in the ordinary activity flow, and if one of the following conditions is satisfied:

o   Obtaining the explicit consent of the data subject after informing him/her about the potential risks.

o   Necessity for fulfilling a contract or pre-contractual measures at the data subject's request.

o   Requirement for a contract between the data controller and another party for the data subject's benefit.

o   Vital public interest, defense of rights, or protection of life or physical integrity of the data subject or another person unable to give consent.

o   Transfer from a registry open to the public or persons with a legitimate interest, on condition that the requirements for accessing the registry in the relevant legislation are met and the person with a legitimate interest requests it.

What are the important points in the Draft Regulation?

This Draft Regulation will enter into force on 1 June 2024; however, there is a three-month grace period during which the existing regime will co-exist. In other words, one of the legal bases for the transfer of personal data abroad, 'the explicit consent of the data subject to the transfer', will continue to apply until 1 September 2024 along with the amended version of the article and the Draft Regulation.

The Draft Regulation specifies the procedures for transferring personal data abroad and provides specific instructions and details for each data transfer method.

The Draft Regulation will apply to data controllers and data processors who transfer personal data abroad. However, the transfer of personal data abroad by the data processor will not eliminate the responsibility of the data controller. Thus, the data processor who transfers personal data abroad shall comply with the instructions of the data controller.

In order to use Binding Corporate Rules as one of the Safeguards, the Binding Corporate Rules and other necessary information will be submitted to the DPA for approval. The matters to be included in the Binding Corporate Rules are specified in the Draft Regulation.

The most important method in practice for data transfers will be the Standard Contract. The Standard Contract, which is one of the safeguards, will be determined and announced by the Board. It will be mandatory to use the standard contract without any modification. The Standard Contract will be concluded between the parties to the personal data transfer.

The data controller or data processor shall notify the DPA of the Standard Contract within five business days, either physically, via a registered electronic mail address, or by other methods determined by the DPA. In the Standard Contract, the parties may determine who will fulfill the notification obligation. If no determination is made, the notification will be made by the data exporter. If the data processor is obliged to notify the Standard Contract, the data processor shall fulfill the notification obligation without the instruction of the data controller.

The notification regarding the Standard Contract shall be accompanied by documents showing that the signatories of the Standard Contract are authorized.

The amended provisions of the KVKK contain no definition of exceptional and temporary situations for data transfers. The Draft Regulation defines them as transfers that are not regular, occur only once or a few times, are not continuous and are not in the ordinary activity flow. This can be considered the equivalent of the derogations for specific situations in Article 49 of the GDPR. However, it will be shaped by practice and the DPA's guidelines.

Last but not least, the Draft Regulation states that the DPA will be authorized to resolve any doubts that may arise during its implementation.

First published in Mondaq on May 16, 2024.