Personal Data Protection Law No. 6698 (“PDPL”) has entered into force in order to regulate the processing, storage, and protection of personal data, and the PDPL aims to keep personal data safe and to control the processing of personal data.
Nowadays, it is becoming increasingly impossible, especially for global companies, to store the personal data they process as data controllers on servers in Turkey, and companies prefer to process personal data by transferring them abroad. At this point, the control and security of the data transferred abroad is important.
In this article, after briefly discussing the transfer of personal data abroad within the scope of Article 9 of the LPPD, the current decision of the Personal Data Protection Board (“Board”) in this context will be evaluated, as well as how commitment letters and commitment letter applications, which are regulated under Article 9/2-b of the PDPL and are one of the cases of data transfer abroad, provide assurance for both data controllers and data subjects and contribute to the legal realisation of data transfer.
B. Transfer of Personal Data Abroad within the Scope of PDPL
Although it is possible to transfer personal data to natural or legal persons residing in Turkey or abroad, it is preferred to regulate the issue of data transfer abroad with a separate provision in the LPPD, since the data leaving the border of the country where the national legislation is valid causes certain difficulties in terms of reducing the control of the relevant person’ data and ensuring security. As a matter of fact, within the scope of Article 9 of the PDPL titled “transfer of personal data abroad” regarding the transfer of data abroad, important responsibilities are imposed on how personal data will be processed internationally.
In this context, in order for personal data to be transferred abroad, as a rule, the explicit consent of the data subject is required in accordance with Article 9 of the PDPL.
However, it may be possible to transfer personal data abroad without the explicit consent of the data subject, provided that one of the processing conditions specified in paragraph 2 of Article 5 of the PDPL regulating the processing conditions of personal data of non-special nature or paragraph 3 of Article 6 of the PDPL regulating the processing conditions of personal data of special nature exists and the and the following conditions exist:
- there is adequate protection in the foreign country to which the personal data will be transferred,
- in the absence of adequate protection in the foreign country to which the personal data will be transferred, upon the existence of commitment for adequate protection in writing by the data controllers in Turkey and in the relevant foreign country and authorisation of the Personal Data Protection Board (“Board”),
Although it is regulated in paragraph 3 of Article 9 of the PDPL that the countries with adequate protection will be determined by the Board, since the list of safe countries with adequate protection has not yet been determined by the Board, the way personal data can be transferred abroad without seeking explicit consent depends on the commitment of adequate protection by the data controllers and the application for the permission of the Board.
Lastly, it should be added that, considering the regulation in Article 4 of the PDPL that personal data can only be processed in accordance with the procedures and principles stipulated in the PDPL and other laws, and the regulation in paragraph 6 of Article 9 of the PDPL stating that “The provisions of other laws regarding the transfer of personal data abroad are reserved.”, as stated by the Personal Data Protection Authority (“Authority”) in its public announcement dated 26th October, 2020, since international treaties duly put into force within the scope of Article 90 of the Constitution have the force of law, if an international treaty included in our domestic law contains a provision regarding the transfer of data abroad, it will be necessary to act according to this regulation.
C. The Concept of Commitment Letters and Board Authorisation in Data Transfer Abroad
As stated above, pursuant to Article 9/2-b of the PDPL, in the event that there is no adequate protection in the foreign country where personal data is planned to be transferred, it is possible to transfer personal data abroad without obtaining the explicit consent of the data subject, provided that the data controllers in Turkey and the data controllers/data processors in the relevant foreign country commit in writing adequate protection in writing and obtain the permission of the Board. In the transfer of personal data by the data controller resident in Turkey to the data controller and/or data processor resident in countries that do not have adequate data protection, the method that allows the relevant parties to commit in writing to adequate protection is determined as “Commitment Letter”.
At this point, it should be noted that personal data transfers abroad based on the explicit consent condition cannot be subject to the commitment letter. Because, as stated above, if personal data is transferred with explicit consent within the scope of paragraph 1 of Article 9 of the PDPL, this situation will not be the subject of the commitment letter, and the matters regulated in subparagraph (b) of paragraph 2 of Article 9 of the PDPL are within the scope of the commitment letter.
In this context, it is possible to transfer data abroad after the Board approves the commitment letters prepared by the data controller in Turkey. In other words, the preparation of a commitment letter is not sufficient for the transfer of data abroad, and the Board’s authorisation in this regard must be awaited.
The commitment letters are regulated in two forms: transfer from the data controller to the data controller and transfer from the data controller to the data processor, and examples of commitment letters are available on the official website of the Authority. As a matter of fact, the procedures, and principles regarding the issuance of commitment letters are also announced on the official website of the Authority.
In addition, in these commitment letter, which determine the commitments of data controllers and data processors in case personal data are transferred abroad; data controllers must clearly and understandably inform data subjects that the data will be transferred abroad and prove that this transfer has a legal basis. The Board decides whether to authorise the commitments regarding the transfer of data abroad by considering the criteria specified in paragraph 4 of Article 9 of the PDPL.
D. Evaluation of the Board’s Recent Decision on Data Transfer Abroad within the Scope of the PDPL
According to the announcement on the official website of the Authority, the application of Google Reklamcılık ve Pazarlama Limited Şirketi (“Google”) for a commitment letter regarding the transfer of personal data abroad was evaluated by the Board within the scope of Article 9/2-b of the LPPD and the Board authorised the said data transfer on 17th August, 2023.
As it is known, Google is a global company and it is not possible in practice for Google to completely stop the transfer of data abroad or to obtain explicit consent from the data subjects for all personal data to be transferred. In this context, Google has applied to the Board with a commitment letter, preferring to commit to adequate protection regarding the transfer of data abroad in accordance with Article 9/2-b of the PDPL. As a result of the evaluations regarding the application made by Google, the Board authorised the transfer of personal data abroad without obtaining explicit consent from the data subjects. Thus, by obtaining the Board’s authorisation through a commitment letter application, Google has obtained the opportunity to transfer data abroad without the explicit consent of the data subjects.
The commitments made by Google in order to obtain the Board’s authorisation reinforce the aim of protecting the privacy and security of personal data and after the permission obtained from the Board, Google will not be able to disclose the personal data it processes to others in violation of the provisions of the PDPL, nor will it be able to use the data for purposes other than processing. In addition, Google will be required to comply with the principles set out in paragraph 2 of Article 4 of the PDPL as (i) complying with the law and good faith (ii) being accurate and, where necessary, up-to-date (iii) being processed for specific, explicit and legitimate purposes (iv) being relevant, limited and proportionate to the purpose for which they are processed (v) being retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
In this context, in the event that the transferred personal data is obtained by others through unlawful means, this situation will be notified to the Authority by Google as soon as possible, and the data transfer permission in question may be suspended in case of violation of the commitments specified in the commitment letter.
Finally, we would like to emphasise that the permission granted by the Board belongs to Google as the data controller and that data controllers using Google’s servers can provide data transfer in accordance with the provision regulated in Article 9 of the PDPL within the scope of data transfer abroad.
E. In Conclusion
The PDPL aims to protect the rights of individuals in processes such as the processing, storage and transfer of personal data, and the transfer of personal data abroad is a process that may increase the risk of violation of these rights. As a matter of fact, the importance of data transfers abroad and the necessity to regulate this issue in detail are increasing day by day. For this reason, the transfer of personal data abroad should be strictly regulated by the PDPL, and it is of great importance at this point that the Personal Data Protection Authority tightens its inspections in order to ensure that the data transfer procedure abroad is carried out in accordance with the legislation and quickly concludes the applications regarding the transfer of data abroad, such as the decision regarding the Google. In this context, the Board’s approval of Google’s application for the transfer of personal data abroad is of great importance in terms of protecting the rights of companies and/or individuals whose personal data will be processed. Indeed, Google will continue to provide its services by adhering to its commitments regarding the security and confidentiality of personal data.
Author: Eren Can Ersoy and Aleyna Kekeva