Turkiye - ENG (Machine Translation) - Regulation on Data Transfer Abroad
Contents
- CHAPTER ONE Preliminary Provisions
- CHAPTER TWO General Provisions
- CHAPTER THREE Transfers Based on Adequacy Decision
- CHAPTER FOUR Transfers Based on Appropriate Safeguards
- CHAPTER FIVE Exceptional Transfers
- CHAPTER SIX Miscellaneous and Final Provisions
CHAPTER ONE
Preliminary Provisions
Purpose
ARTICLE 1- (1) The purpose of this Regulation is to establish the procedures and principles regarding the implementation of Article 9 of the Personal Data Protection Law No. 6698, dated March 24, 2016, which regulates the transfer of personal data abroad.
Scope
ARTICLE 2- (1) The provisions of this Regulation apply to data controllers and data processors who are parties to the transfer of personal data abroad pursuant to Article 9 of Law No. 6698.
Basis
ARTICLE 3- (1) This Regulation is prepared based on the eleventh paragraph of Article 9 and subparagraph (e) of the first paragraph of Article 22 of Law No. 6698.
Definitions
ARTICLE 4- (1) In the implementation of this Regulation:
a) President: Refers to the President of the Personal Data Protection Authority,
b) Data Subject: Refers to the natural person whose personal data is processed,
c) Law: Refers to the Personal Data Protection Law No. 6698, dated March 24, 2016,
ç) Personal Data: Refers to any information relating to an identified or identifiable natural person,
d) Processing of Personal Data: Refers to all kinds of operations performed on personal data such as obtaining, recording, storage, retention, alteration, rearrangement, disclosure, transfer, retrieval, making available, classification, or preventing the use of personal data by fully or partially automatic means; or by non-automatic means provided that it is part of any data recording system,
e) Transfer of Personal Data Abroad: Refers to the transmission of personal data by a data controller or data processor within the scope of Law No. 6698 to a data controller or data processor abroad or making it accessible by any other means, f) Board: Refers to the Personal Data Protection Board,
g) Authority: Refers to the Personal Data Protection Authority,
ğ) Data Exporter: Refers to the data controller or data processor transferring personal data abroad,
h) Data Importer: Refers to the data controller or data processor located abroad receiving personal data from the data exporter,
ı) Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller,
i) Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
(2) For definitions not included in this Regulation, the definitions in the Law and relevant legislation shall apply.
CHAPTER TWO
General Provisions
Transfer of Personal Data Abroad
ARTICLE 5- (1) Personal data may be transferred abroad by data controllers and data processors only in accordance with the procedures and principles stipulated in the Law and this Regulation. In cases where personal data is transferred by data processors, compliance with the instructions of the data controller is mandatory.
(2) The provisions of the first paragraph apply to onward transfers of personal data transferred abroad and to transfers to international organizations.
(3) Provisions of other laws regarding the transfer of personal data abroad shall be reserved.
Procedures for the Transfer of Personal Data Abroad
ARTICLE 6- (1) Personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 of the Law is met and one of the following conditions is fulfilled:
a) There is an adequacy decision regarding the country, the sectors within the country, or international organizations to which the data will be transferred.
b) In the absence of an adequacy decision, provided that the data subject has the possibility to exercise their rights and seek effective legal remedies in the country to which the data will be transferred, one of the appropriate safeguards specified in Article 10 is provided by the parties.
(2) In the absence of an adequacy decision and if one of the appropriate safeguards specified in Article 10 cannot be provided by the parties, personal data may be transferred abroad by data controllers and data processors only if one of the derogations specified in Article 16 existsand provided that the transfer is occasional. (3) Without prejudice to the provisions of international agreements, in cases where the interests of Turkey or the data subject would be seriously harmed, personal data may be transferred abroad only with the permission of the Board, upon consultation with the relevant public institution or organization.
Transfer of Personal Data Abroad by Data Processors
ARTICLE 7- (1) In cases where personal data is transferred abroad by data processors, the data processor shall act within the purposes and scope determined by the data controller, on behalf of the data controller, and in accordance with the instructions given by the data controller. The data processor shall take all necessary technical and administrative measures to ensure an appropriate level of security to prevent unlawful processing of personal data, prevent unlawful access to personal data, and safeguard personal data.
(2) The transfer of personal data abroad by data processors does not relieve the data controller of its responsibility to comply with the procedures and principles stipulated in the Law and this Regulation and to ensure the provision of safeguards. The data controller is obligated to ensure that the technical and administrative measures specified in the first paragraph are taken by the data processor.
(3) In cases where the data processor is obligated to notify the standard contract pursuant to the fifth paragraph of Article 14, the data processor shall fulfill the notification obligation without requiring the instruction of the data controller.
CHAPTER THREE
Transfers Based on Adequacy Decision
Adequacy Decision
ARTICLE 8- (1) The Board may decide that a country, one or more sectors within a country, or an international organization ensures an adequate level of protection for the transfer of personal data abroad. In making an adequacy decision, the following factors shall be primarily considered:
a) The reciprocity regarding the transfer of personal data between Turkey and the country, sectors within the country, or international organizations to which personal data will be transferred.
b) The relevant legislation and practices of the country to which personal data will be transferred, along with the rules applicable to any international organization involved in the transfer.
c) The existence of an independent and effective data protection authority in the country or international organization to which the personal data will be transferred, and the availability of administrative and judicial remedies.
ç) Whether the country to which personal data will be transferred or the international organization is a party to international agreements or a member of international organizations related to personal data protection.
d) Whether the country to which personal data will be transferred or the international organization is a member of global or regional organizations to which Turkey is also a member. e) International agreements to which Turkey is a party.
(2) The Board is authorized to determine additional factors beyond those specified in the first paragraph.
(3) The Board shall take the opinion of the relevant institutions and organisations, if necessary, in its assessment of the adequacy decision.
(4) Adequacy decisions made by the Board are published in the Official Gazette and on the Authority’s website.
Review of Adequacy Decisions
ARTICLE 9- (1) The adequacy decision is reassessed at least every four years. The review periods are explicitly specified in the relevant adequacy decision. If the Board determines that the country, one or more sectors within the country, or the international organization no longer ensures an adequate level of protection, it may amend, suspend, or revoke the decision with prospective effect.
(2) The Board may review the adequacy decision and amend, suspend, or revoke it with prospective effect if deemed necessary, without being bound by the review period specified in the first paragraph.
(3) The Board may consult with the competent authorities of the relevant country or international organization to rectify the situation that led to the amendment, suspension, or revocation of the adequacy decision under the first or second paragraph.
(4) Decisions regarding the amendment, suspension, or revocation of an adequacy decision are published in the Official Gazette and on the Authority’s website.
CHAPTER FOUR
Transfers Based on Appropriate Safeguards
Means of Providing Appropriate Safeguards
ARTICLE 10- (1) In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 of the Law is met, and provided that the data subject has the possibility to exercise their rights and seek effective legal remedies in the country to which the data will be transferred, but only if one of the following appropriate safeguards is provided by the parties:
a) The existence of an agreement that is not of an international treaty nature between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations having the status of public institutions in Turkey, and the transfer is authorized by the Board.
b) The existence of binding corporate rules approved by the Board, which include provisions related to the protection of personal data, that companies within a group of undertakings engaged in joint economic activity are required to comply with.
c) The existence of a standard contract announced by the Board, which includes matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data importer, and additional measures taken for special categories of personal data.
ç) The existence of a written undertaking containing provisions ensuring adequate protection and the transfer is authorized by the Board.
Providing Appropriate Safeguards through Non-International Agreements
ARTICLE 11- (1) Appropriate safeguards can be provided for personal data transfers between public institutions and organizations or professional organizations having the status of public institutions in Turkey and public institutions and organizations or international organizations in foreign countries through the provisions related to the protection of personal data in a noninternational treaty agreement. The agreement is concluded between the parties to the personal data transfer.
(2) During the negotiation process of the agreement, the opinion of the Board is sought.
(3) The provisions related to the protection of personal data to be included in the agreement shall particularly cover the following:
a) The purpose, scope, nature, and legal basis of the personal data transfer.
b) Definitions of fundamental concepts in accordance with the Law and relevant legislation.
c) Commitment to comply with the general principles specified in Article 4 of the Law.
ç) Procedures and principles for informing data subjects about the agreement and the personal data transfer to be made under the agreement.
d) Commitment to ensure the exercise of the rights of data subjects whose personal data is transferred, as specified in Article 11 of the Law, and the procedures and principles for making applications to exercise these rights.
e) Commitment to take all necessary technical and administrative measures to ensure an appropriate level of data security.
f) Commitment to take adequate measures determined by the Board in the case of transferring special categories of personal data.
g) Restrictions on onward transfers of personal data.
ğ) Remedies available to the data subject in the event of a violation of the provisions related to the protection of personal data in the agreement.
h) Supervisory mechanism for the implementation of the provisions related to the protection of personal data in the agreement.
ı) Provision that grants the data exporter the right to suspend data transfers and terminate the agreement if the data importer fails to comply with the provisions related to the protection of personal data in the agreement.
i) Commitment by the data importer to either return the personal data along with any copies to the data exporter or to completely destroy the personal data if the agreement is terminated or its validity period expires, at the discretion of the data exporter.
(4) In order to transfer personal data abroad based on the agreement, the data exporter shall apply to the Board for permission. The final version of the agreement and other necessary information and documents required for the Board’s evaluation shall be submitted with the application. The transfer of personal data can only commence after the Board grants permission.
Providing Appropriate Safeguards through Binding Corporate Rules
ARTICLE 12- (1) Appropriate safeguards can be provided through binding corporate rules that companies within a group of undertakings engaged in joint economic activity are required to comply with for the protection of personal data. To transfer personal data abroad based on binding corporate rules, an application for approval must be submitted to the Board.
(2) The application must include the text of the binding corporate rules and other necessary information and documents required for the Board’s evaluation. Notarized translations of all documents in foreign languages submitted with the application must be included. In cases where the binding corporate rules are also prepared in a foreign language, the Turkish version prevails.
(3) When approving binding corporate rules, the Board particularly considers the following:
a) The legal binding and enforceability of the binding corporate rules for each member of the group of undertakings engaged in joint economic activity, including employees.
b) Commitment in the binding corporate rules to ensure the exercise of data subject rights.
c) The inclusion of at least the matters specified in Article 13 in the binding corporate rules.
(4) The transfer of personal data can only commence after the binding corporate rules are approved by the Board.
Mandatory Aspects of Binding Corporate Rules
ARTICLE 13- (1) Binding corporate rules shall, at a minimum, include the following matters:
a) The organizational structure and contact details of each member within the group of undertakings engaged in joint economic activity.
b) The categories of personal data, processing activities, and purposes, the group or groups of data subjects, and the country or countries to which the transfers will be made, as well as other matters related to transfers within the scope of the binding corporate rules.
c) Commitment that the binding corporate rules are legally binding within both internal relations of the group of undertakings engaged in joint economic activity and in other legal relations.
ç) Data protection measures such as compliance with the general principles specified in Article 4 of the Law, conditions for processing personal data, conditions for processing special categories of personal data, technical and administrative measures to ensure data security, sufficient measures for processing special categories of personal data, and restrictions on onward transfers of personal data.
d) Commitment to ensure that data subjects whose personal data is transferred can exercise their rights specified in Article 11 of the Law and the right to file a complaint with the Board in accordance with the procedures and principles specified in Article 14 of the Law, and the procedures and principles for exercising these rights.
e) Commitment that a data controller and/or data processor based in Turkey will assume responsibility for violations of the binding corporate rules by any member not based in Turkey.
f) Explanations on how data subjects will be informed about the matters specified in (ç), (d), and (e) and other matters related to the binding corporate rules, in addition to the information provided under the obligation to inform pursuant to Article 10 of the Law.
g) Explanations regarding the training to be provided to employees on the protection of personal data.
ğ) The duties of the persons or units responsible for monitoring compliance with the binding corporate rules within the group of undertakings, including the activities related to responding to data subject applications.
h) Mechanisms for monitoring and verifying compliance with the binding corporate rules within the group of undertakings, including data protection audits and methods for ensuring corrective actions to protect data subjects' rights, and a commitment that the results of these activities will be submitted to the person or unit specified in (ğ), the board of directors of the parent company within the group of undertakings, and to the Board upon the Board’s request.
ı) Mechanisms for reporting and recording changes to the binding corporate rules and notifying the Board of these changes.
i) Obligation to co-operate with the Authority to ensure compliance with binding corporate rules by the members of the group of undertakings, , in particular the submission of the results of the audit and verification activity specified in (h).
j) With respect to personal data to be transferred under binding corporate rules, commitment by the members of the group of undertakings that there are no national regulations contrary to the safeguards provided by the binding corporate rules in the country or countries where the transfer will take place, and mechanisms to notify the Board in the event of a legislative change that is likely to have a negative impact on such safeguards.
k) Commitment to provide appropriate data protection training to personnel who have continuous or regular access to personal data.
(2) The Board is authorized to determine additional matters beyond those specified in the first paragraph. The documents to be used for the application of binding corporate rules are determined by the Board.
Providing Appropriate Safeguards through Standard Contracts
ARTICLE 14- (1) Appropriate safeguards shall be provided through standard contracts, which include matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data importer, and additional measures for special categories of personal data.
(2) The standard contracts shall be determined and announced by the Board.
(3) The text of the standard contract is required to be used without any amendments. If the standard contract is executed in a foreign language as well, the Turkish text shall prevail.
(4) The standard contract shall be executed between the parties to the personal data transfer. The standard contract must be signed by the parties or by individuals authorized to represent and sign on behalf of these parties.
(5) The standard contract must be notified to the Authority within five business days of the completion of signatures, either physically or via registered electronic mail (KEP) address or other methods determined by the Board. The parties to the transfer may determine in the standard contract who will fulfill the notification obligation. If no determination is made, the standard contract shall be notified to the Authority by the data exporter.
(6) The notification shall include documents proving the authority of the signatories of the standard contract and notarized translations of all documents in foreign languages.
(7) If changes are made to the text of the standard contract announced by the Board or if the standard contract lacks a valid signature of one or both parties to the transfer, the Board will conduct an examination pursuant to Article 15 of the Law.
(8) If there is a change in the parties to the standard contract or in the information and explanations provided by the parties in the standard contract, or if the standard contract is terminated, the Authority must be notified in accordance with the procedure specified in the fifth paragraph.
Appropriate Safeguards Through Written Undertaking
ARTICLE 15- (1) Appropriate safeguards may be provided through a written undertaking containing provisions on data protection concluded between the parties to the transfer.
(2) The provisions on data protection included in the written undertaking particularly cover the following:
a) The purpose, scope, nature, and legal basis of the personal data transfer.
b) Definitions of basic concepts in accordance with the Law and relevant legislation.
c) Commitment to comply with the general principles specified in Article 4 of the Law.
ç) Procedures and principles for informing data subjects about the undertaking and the personal data transfer under the undertaking.
d) Commitment to ensuring that data subjects can exercise their rights specified in Article 11 of the Law and procedures and principles for handling applications made for this purpose.
e) Commitment to take all necessary technical and administrative measures to ensure an appropriate level of data security.
f) Commitment to take adequate measures specified by the Board when transferring special categories of personal data.
g) Restrictions on onward transfers of personal data.
ğ) Remedies available to the data subject in case of violation of the provisions on data protection included in the undertaking.
h) Commitment by the data importer to comply with the decisions and opinions of the Board regarding the processing of personal data.
ı) A provision stating that the data importer commits there are no national regulations that would prevent compliance with the undertaking and will notify the data exporter as soon as possible of any potential legislative changes that may lead to non-compliance, in which case the data exporter will have the right to suspend data transfers and terminate the undertaking .
i) A provision stating that the data exporter will have the right to suspend data transfers and terminate the undertaking if the data importer is unable to comply with the undertaking.
j) Commitment to return or completely destroy the personal data, along with any backups, to the data exporter upon termination or expiry of the written undertaking, at the discretion of the data exporter.
k) Arrangement stating that the data importer acknowledges and accepts the jurisdiction of Turkish courts and commits to comply with Turkish law, and that the data exporter has the right to suspend data transfers and terminate the agreement if the data importer fails to comply with the provisions on data protection included in the written undertaking.
(3) The data exporter must apply to the Board for permission to transfer personal data abroad based on the written undertaking. The written undertaking text and other necessary information and documents for the Board's evaluation are submitted to the Board as part of the application. If the written undertaking is prepared in a foreign language, the Turkish text prevails. The transfer of personal data begins only after the Board grants permission.
CHAPTER FIVE
Exceptional Transfers
Exceptional Transfer Circumstances
ARTICLE 16- (1) Personal data may only be transferred abroad, provided it is occasional, in the absence of an adequacy decision and appropriate safeguards specified in Article 10, if one of the exceptional transfer circumstances specified in the second paragraph exists. Transfers that are not regular, occur only once or a few times, are not continuous, and are not part of the normal course of business activities are considered occasional.
(2) Exceptional transfer circumstances are as follows:
a) The data subject has given explicit consent to the transfer after being informed of the potential risks.
b) The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject's request.
c) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person.
ç) The transfer is necessary for an overriding public interest.
d) The transfer is necessary for the establishment, exercise, or defense of a legal claim.
e) The transfer is necessary to protect the life or physical integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not legally valid.
f) The transfer is made from a register that is open to the public or that is open to persons who have legitimate interest, provided that the conditions for accessing the register specified in the relevant legislation are met and the person requesting the transfer has a legitimate interest. (3) Transfers made under subparagraph (f) of the second paragraph must comply with the following procedures and principles:
a) The transfer cannot include all personal data or personal data categories in the registers.
b) Transfers from registers open to individuals with legitimate interest are performed only to these individuals or upon these individual’s request.
(4) Subparagraphs (a), (b), and (c) of the second paragraph do not apply to activities of public institutions and organizations subject to public law.
CHAPTER SIX
Miscellaneous and Final Provisions
Resolution of Doubts
ARTICLE 17- (1) The Board is authorized to resolve any doubts arising during the implementation of this Regulation and to make decisions on matters not covered in this Regulation within the framework of the relevant legislation.
Enforcement
ARTICLE 18- (1) This Regulation enters into force on the date of its publication.
Execution
ARTICLE 19- (1) The provisions of this Regulation are executed by the President of the Personal Data Protection Authority.