Turkish DPA’s Announcement on Cross-Border Data Transfers

ELIG Gürkaynak Attorneys-at-Law | View firm profile

Turkish Data Protection Authority (“DPA”) published an announcement in October 26, 2020 regarding cross-border data transfers. The purpose of the announcement seems to be providing a general response and the Turkish DPA’s views to the criticism and feedback received from private sector and academic institutions regarding the difficulties in cross-border data transfers.

DPA begins by stating it has made the effort to provide conveniences to actors involved in processing activities in order to ensure effective compliance with Law No. 6698 on Protection of Personal Data (“Law”). DPA also states that it is also trying to assist relevant actors such as taking recommendations and views of the stakeholders, giving extension of the VERBIS deadline thrice, as an example.

DPA addresses these criticisms by dividing its response to several categories:

Regulation Stipulated in the Law on the Cross-Border Data Transfers

The announcement mentions procedural requirements on cross-border data transfers by specifying the regulations stipulated in the Law and states that the relevant provisions do not aim to prevent the cross-border transfers that occur at an ever-increasing amount as a result of globalization and technological developments; but it aims to establish a predictable and transparent transfer regime based on the protection of fundamental rights and freedoms.

Determining the Countries with Adequate Protection

According to the announcement, evaluation on determining the countries with adequate protection, shortly, the adequacy assessment, can be divided into four sections: (i) assessment on whether adequate protection is available in the relevant country, (ii) the importance of reciprocal adequacy, (iii) adequacy determination operations conducted by DPA and (iv) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Treaty No. 108”).

(i) Assessment on Whether Adequate Protection is Available in The Relevant Country

DPA refers to Turkish Data Protection Board (“Board”) decision dated 05.02.2019 and numbered 2019/125, which includes a form created to be used in the determination of countries with adequate protection. According to the relevant form, in determining the countries with adequate protection; it is stated that criteria such as follows, will be taken into account: reciprocity condition, legislation of the relevant country regarding the processing of personal data and its implementation, existence of an independent data protection authority, party status to international agreements on the protection of personal data,  membership status to international organizations, and membership status to global and regional organizations that Turkey is a party to, and the volume of trade with the relevant country. The announcement, by making reference to several EU documents, further states that determination of the countries with adequate protection is a dynamic process that necessitates comprehensive and multi-dimensional evaluations including establishment of dialogue mechanisms and close cooperation with the relevant country, and the continuity of the protection level provided.

(ii) The Importance of Reciprocal Adequacy

DPA refers to the sub-paragraph (b) of Article 9/4 of the Law, which stipulates that when DPA makes an adequacy evaluation on the foreign country, it will consider its reciprocity status with Turkey regarding data transfers. According to DPA, the fact that Ministry of Foreign Affairs is an important factor on the adequacy and the Ministry regards the reciprocity condition greatly. The announcement defends the focus on reciprocity by stating that a reciprocal adequacy with the country subject to evaluation will be essential for the data controllers and data processors operating in our Country to benefit from a safe, cost-free and accelerated transfer of personal data equally, to have economic benefits and in this sense and not to be at disadvantage due to the asymmetry that a single-party adequacy would create.

(iii) Adequacy Determination Operations Conducted by Turkish DPA

DPA states that their operations regarding the determination of countries with adequate protection are carried out in close cooperation with the Ministry of Justice, the Ministry of Foreign Affairs and the Ministry of Trade and negotiations. Within this scope, meetings are held with various countries regarding adequacy and updating of Turkey’s personal data legislation in accordance with EU legislation. The announcement further states that DPA, in coordination with other relevant public institutions and organizations, has taken all necessary measures in order to conduct reciprocal adequacy negotiations with the European Commission.

(iv) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Treaty No. 108)

DPA addresses that the current legislative framework of international transfers is in line with the Treaty No. 108. DPA claims that the Treaty No. 108 does not eliminate the possibility of making the data flow between the Contracting States subject to notification or does not prohibit making regulations in their domestic law regarding domestic or cross-border transfers in certain cases, by making references to the Treaty and its Explanatory Note.

Furthermore, DPA, by making reference to EU legislation, emphasizes that being a party to the Treaty No. 108 is not the only condition to determine the adequacy. DPA indicates that it follows a similar approach to EU, which makes further assessments to determine adequacy. DPA states that it is a misconception that they are making international transfer impossible since they allow international transfers in case of a written undertaking in line with Article 9 of the Law, by referring to Board decision of July 22, 2020 with number 2020/559 regarding “cross-border transfer of personal data based on Treaty with number 108”.

Personal Data Transfer to the Countries without Adequate Protection

In terms of personal data transfer to the countries without adequate protection, the announcement indicates the requirement for parties to undertake adequate protection in written form and obtain Board’s approval, as per (b) subparagraph of second paragraph of Article 9 of the Law, by also taking into account the Board’s instructions. Following that, the announcement also refers DPA’s announcement on Binding Corporate Rules as an adequate protection mechanism for intra-group transfers to be made between multinational group companies.

Provisions Included in Other Laws

The announcement refers to provisions included in other laws regarding cross-border transfer of personal data by stating paragraph of Article 4 of the Law and sixth paragraph of Article 9 of Law and states that legal provisions that personal data processing operations are subject to in different areas are applied with the Law and therefore, the requirements arising out of the distinctive nature of these operations should also be fulfilled. The announcement refers to paragraph 6 of Article 9 of the Law, which stipulates that international transfer provisions in other laws are reserved and to paragraph 5 of Article 90 of the Constitution, which stipulates that “International agreements duly put into effect have the force of law” to emphasize that if there is a provision regarding cross-border transfer of personal data in the laws and international treaties which are duly put into effect, that provision will be followed.

DPA’s Conclusion

As a conclusion, DPA refers to the provisions regulated under third paragraph of Article 20 of the Constitution regarding the right to request protection of personal data and mainly suggests that DPA serves for the protection of a fundamental right and freedom. DPA further states it aims to benefit Turkey from the results of the opportunities arising out of technological developments, by following the relevant developments and to establish practices compliant with personal data protections laws.

DPA finalizes the announcement by stating that the process requiring the Board’s approval for cross-border data transfer which is seen as a problem by the public, is a consequence of the provision being regulated in a mandatory manner under Article 9 of the Law.

Authors: Gönenç Gürkaynak Esq., Ceren Yıldız, Batuhan Aytaç and Kübra Keskin, ELIG Gürkaynak Attorneys-at-Law

(First published by Mondaq on November 4, 2020)

More from ELIG Gürkaynak Attorneys-at-Law