Time to Legalize Data Transfers from Turkey - Deadline: September 1, 2024

As we posted here last week, the Regulation on The Procedures and Principles for Cross-Border Transfers of Personal Data (“Regulation“) has been published in the Official Gazette and entered into force on July 10, 2024.

Although the Regulation underwent a lengthy public consultation process of approximately 8 weeks, the changes to the Regulation at the end of the public consultation process were minimal.

The DPA also published the four standard contracts (“SCCs“) together with the BCR application forms on 10 July 2024.

With the publication of the Regulation together with the mechanisms to be used by the DPA for data transfers on 10 July 2024, the legislative steps of the reform of the Personal Data Protection Law No. 6698 (“DPL“) are now complete.

As we have already covered the DPL reform in our previous newsletter, this article will not go into the details of the legislative changes. Instead, we will focus on what steps need to be taken for data transfers in light of the changes, and what challenges may arise in taking those steps.

New Data Transfer Methodology

As detailed in previous newsletters, the data transfer methodology under the DPL has changed significantly with the amendments published on 12 March 2024, largely in line with the GDPR.

With the amendments, the current data transfer methodology is based on 3 different main categories, which should be applied in this order:

1- Adequacy Decision for Third Countries, International Organisations and Sectors (“Adequacy“)

2- Appropriate safeguards such as SCCs, BCRs, data transfer undertakings, etc. in the absence of an adequacy decision (“Appropriate Safeguards“).

3- Derogations for specific situations in the absence of both Adequacy and Appropriate Safeguards.

Please note that there is no adequacy decision from the Data Protection Authority (“DPA“) yet. Therefore, in this article we will discuss the appropriate safeguards and focus on SCCs as the most favoured and expected appropriate safeguards.

Appropriate Safeguards

The DPL provides that personal data may be transferred abroad by data controllers and data processors if one of the data processing conditions (i.e. the legal basis set out in Art. 5 or 6 of the DPL, such as contract, legitimate interest, etc.) is met and one of the appropriate safeguards is provided by the parties, provided that the data subject has the opportunity to exercise his or her rights and obtain effective remedies in the country of transfer.

The appropriate safeguards that may be provided by the parties are listed in Art. 10 of the Regulation and are as follows

— Binding corporate rules, approved by the DPA, containing provisions on the protection of personal data, to be observed by the companies of the group engaged in joint economic activities.

— Standard Contractual Clauses, published by the DPA Board, which cover matters such as categories of data, purposes of data transfers, recipients and groups of recipients, technical and administrative measures to be taken by the data recipient, additional measures for special categories of personal data.

— A written commitment containing provisions to ensure adequate protection and approval of the transfer by the DPA.

— Existence of an agreement, which is not in the nature of an international contract, between public institutions and organisations or international organisations abroad and public institutions and organisations or professional organisations in the nature of a public institution in Turkey, and the Board authorises the transfer.

When the appropriate safeguard options are reviewed, the Standard Contractual Clause option is the one that stands out as it is the only option which does not require the authorisation/approval of the DPA. As such, proceeding with the Standard Contractual Clauses is the quickest of the 4 options available to controllers and processors.

Use of Standard Contractual Clauses for Data Transfers

As mentioned above, the DPA published 4 modules of SCCs on 10 July 2024. These are controller to controller, controller to processor, processor to processor and processor to controller SCCS.

The published SCCs are only available in Turkish. You can find the texts of the SCCs together with machine translations here:

Although the SCCs published by the DPA are similar to those published by the European Commission, there are major differences when it comes to the steps that need to be taken to implement the SCCs. Below, we will focus on these differences and the challenges they pose to controllers or processors who wish to use the SCCs for data transfers out of Turkey.

·       Text of the SCCs

The Regulation stipulates that the text of the SCC must be used exactly as it is and must not be changed/amended. The regulation also states that if the text of the SCC is changed, this will be grounds for an ex officio investigation by the DPA.

·       Signature

The Regulation requires the parties to the transfer or their representative to sign the SCC. Please note that this is a strict signature requirement where the parties or their representative must sign the SCC with a wet/handwritten signature or with an electronic signature provided by an authorised certificate provider in Turkey. Please note that commonly used electronic signature software (e.g. Echosign) is not a valid electronic signature under Turkish law.

The absence of a valid signature of one or both of the parties to the transfer in the SCC is a valid ground for ex officio investigation by the DPA.

As a result, the regulation does not allow the SCCs to be entered into by incorporating them into a larger DPA or IGDTA. Each SCC must be signed in order to be valid.

·       Language

The regulation stipulates that the SCC must be written in Turkish. Even if English is used together with Turkish, the Turkish version shall prevail.

·       Supplementary Documents

The Regulation stipulates that all supplementary documents that prove the authority of the signatories shall be attached to the SCC as addenda. Please also note that any documents prepared outside Turkey relating to signatory powers must be notarised and apostilled in order to be valid in Turkey under the 1961 HCCH Apostille Convention. In addition, any documents prepared in a language other than Turkish must be translated and notarised in Turkey for the SCC to be valid.

·       Notification to the DPA

The SCC shall be notified to the DPA physically or by registered electronic mail (KEP) address or other methods determined by the DPA within five business days after the completion of the signatures. The parties may determine in the SCC who will fulfill the notification obligation. If no such designation is made, the SCC will be notified to the DPA by the data exporter.

In addition, the DPA must be notified within five business days of any change in the parties to the SBC or in the information and declarations provided by the parties in the contents of the SBC, or of any termination of the SBC, either physically or by registered electronic mail or by other methods specified by the DPA.

Failing to notify to the DPA is subject to an administrative fine to be issued by the DPA

·       No Docking Clause

The SCCs published by the DPA do not provide for the possibility of adding additional parties through the use of a docking clause. If the parties to the SCC change, the SCC must be re-signed and notified to the DPA.

·       Number of Parties to the SCC

The SCCs published by the DPA appear to allow only one data exporter and one data importer to sign. Given that the Regulation strictly requires the SCC to be used as it is, the question arises as to whether additional parties can be added to the SCC by increasing the number of signature blocks and changing certain definitions in the SCC.

Given that any change to the SCCs will result in an ex officio investigation by the DPA, it is best to sign two-party SCCs at this stage.

Road Map

In light of the above and the amendments made to the DPL on 12 March 2024, the use of explicit consent will no longer be a valid legal basis for transfers outside Turkey as of 1 September 2024. As a result, controllers and processors in Turkey will need to develop and apply one of the appropriate safeguards by 1 September 2024.

As mentioned above, SCCs are the most convenient and quickest of the appropriate safeguards. As a result, the following steps must be taken to legalise data transfers outside Turkey.

1- Prepare/review data mapping in light of the most recent data flows

2- Decide on the relevant module and the parties to sign the SCC in light of the data flows.

3- Prepare the relevant documentation for signing the SCC.

4- Notify the DPA of the SCCs by 1 September 2024.