The Regulation On The Procedures and Principles Regarding the Transfer Of Personal Data Abroad Has Been Published

7/11/2024

All News
  • Home Page
  • |
  • News
  • |
  • The Regulation On The Procedures and Principles Regarding the Transfer Of Personal Data Abroad Has Been Published
Long-awaited amendments to the Law No. 6698 on the Protection of Personal Data (“Personal Data Protection Law”) have been implemented through the Law No. 7499 on the Amendment of the Criminal Procedure Code and Some Other Laws . Although the provisions amending the Personal Data Protection Law came into force on June 1, 2024, the secondary regulations that will determine the details regarding the transfer of personal data abroad have not been published during this process, delaying the steps to comply with the new rules.
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”), which is expected to determine the details of the transfer abroad, was published in the Official Gazette on July 10, 2024. The Regulation details the new rules regarding the transfer of data abroad as stipulated in the Personal Data Protection Law.

Additionally, on the same day as the Regulation, the Personal Data Protection Authority (“Authority”) published standard contract templates, binding corporate rules application forms, and guidance documents on the essential elements that should be included in binding corporate rules on its website for use in the transfer of personal data abroad:

  1. Standard Contract for the Transfer of Personal Data Abroad-1 (From Data Controller to Data Controller)
  2. Standard Contract for the Transfer of Personal Data Abroad -2 (From Data Controller to Data Processor)
  3. Standard Contract for the Transfer of Personal Data Abroad - 3 (From Data Processor to Data Processor)
  4. Standard Contract for the Transfer of Personal Data Abroad - 4 (From Data Processor to Data Controller)
  5. Binding Corporate Rules Application Form for Data Controllers
  6. Essential Elements that Should be Included in Binding Corporate Rules for Data Controllers – Guidance Document
  7. Binding Corporate Rules Application Form for Data Processors
  8. Essential Elements that Should be Included in Binding Corporate Rules for Data Processors – Guidance Document

New Era Rules for Data Transfer Abroad

With the amendment to the Law, the approach prioritizing explicit consent for the transfer of personal data abroad has been changed. Under the amendment, both data controllers and processors must ensure compliance with the requirements specified in Article 9 of the Personal Data Protection Law for transfers of personal data abroad.

Accordingly, before initiating the transfer, the parties involved in the transfer should evaluate the following conditions in sequence:
  1. Existence of adequacy decision regarding the country, sectors within the country, or international organizations to which the transfer will be made,
  2. 2. Ensuring adequate safeguards by the parties involved in the transfer,
  3. 3. Assessing the existence of the conditions regarding occasional data transfers.

1- Transfers Based on Adequacy Decisions

The Personal Data Protection Board (“Board”) may decide that a country, one or more sectors within a country, or an international organization ensures an adequate level of protection for the transfer of personal data abroad. Adequacy decisions issued by the Board will be published in the Official Gazette and on the Authority's website.

The Regulation lists the factors to be considered during the adequacy decision-making process in accordance with the provisions of the Personal Data Protection Law. Additionally, it specifies that the Board is authorized to determine additional factors for evaluation. If necessary, the Board may seek the opinion of relevant institutions and organizations in its assessment related to the adequacy decision.

2- Transfers Based on Adequate Safeguards

If there is no adequacy decision for the country, sectors within the country, or international organizations to which transfer will be made, personal data may be transferred only if the following conditions are met and provided that the parties involved in the transfer provide adequate safeguards:

  • Existence of one of the conditions stated in Article 5 and Article 6 of the Personal Data Protection Law,
  • The data subject having the alternative to exercise their rights and access effective legal remedies in the country to which the transfer will be made.

In this case, the parties to the data transfer should consider ensuring adequate safeguards through the following alternatives, depending on the identities of the parties and the nature of the transfer activity:

Method of Adequate Safeguards Scope of Application
The existence of an agreement that is not considered an international treaty and permission granted by the Board for the transfer The transfer of personal data between public institutions and organizations, professional organizations with public entity status in Turkey, and foreign public institutions and organizations or international organizations
The existence of binding corporate rules approved by the Board containing provisions on the protection of personal data Transfers between companies within a group of enterprises engaged in joint economic activities
Existence of a standard contract (+notification to the Authority within five business days) Regular data transfers
The existence of a written undertaking and permission granted by the Board for the transfer Regular data transfers


The Regulation provides detailed guidelines on the procedures and content of each safeguard to be implemented.

In the new era, the standard contract method is expected to be frequently used due to its suitability as a transfer safeguard, both for not requiring approval/permission processes and for being widely preferred in the European Union.

3- Key Considerations for Transfers Based on the Existence of Standard Contracts:

  • Standard contract templates must be used as published by the Board without any modifications.
  • The Turkish version of the standard contract must always be prioritized.
  • The standard contract must be executed between the parties involved in the transfer of personal data and signed by individuals authorized to represent and sign on behalf of the parties.
  • The standard contract must be notified to the Authority within five business days following the completion of signatures, either physically or through registered electronic mail (REM / KEP) address or other methods specified by the Authority.
  • The parties to the standard contract may determine themselves who will fulfil the notification obligation as mentioned above, but if not specified, the notification should be made by the data transferor.
  • In the notification to the Authority, documents verifying the authorities of the signatories of the standard contract and notarized translations of documents in foreign languages must also be submitted.
  • If modifications are made to the standard contract text published by the Board or if it is determined that the signatories of the standard contract do not have authority, the Board may conduct an examination under Article 15 of the Personal Data Protection Law.
  • In case of any change in the information and explanations provided by the parties in the standard contract or in the content of the standard contract, or in the event of termination of the standard contract, notification must be made to the Authority within five business days.

4- Occasional Data Transfers:

The Regulation defines the exceptional cases of data transfer that may lead to occasional data transfers. Accordingly, irregular, one-time or exceptional cases of data transfers that do not constitute a continuous part of routine business operations are considered occasional.

If adequacy decisions are not applicable for transferring data abroad and adequate safeguards cannot be ensured, personal data may be transferred abroad on an ad hoc/occasional basis within the limited exceptional circumstances specified in the Regulation.

Examples of these exceptions include the explicit consent of the data subject, the necessity of the transfer for the performance of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures taken at the request of the data subject.

Final Remarks

The implementation of the new rules for data transfers abroad, introduced with the amendments to the Personal Data Protection Law, has been specified in the Regulation and the texts to be used by the parties for ensuring adequate safeguards have been published by the Authority. In this regard, as of September 1, 2024, explicit consent alone will not be considered valid for non-occasional transfers, Therefore, considering the challenges in declaration adequacy decisions by the Board within this short period of time, data controllers are required to assess their cross border data transfers to ensure adequate safeguards.


For the Regulation, please see:(in Turkish)

For the announcement regarding the decision of the Personal Data Protection Board dated June 4, 2024, numbered 2024/959, and for guidance on standard contract templates, application forms for binding corporate rules, and guidance documents outlining essential elements for binding corporate rules, please see:(in Turkish)


Selen Akgün, Associate


Other News
10/16/2024
Significant Amendments Made Regarding Work Permit Evaluation Criteria
In accordance with the annex to the Regulation on the Implementation of the International Workforce Law (“Regulation”) published in the Official Gazette dated 02.02.2022 and numbered 31738, the “Work Permit Evaluation Criteria” used by the Ministry of Labor and Social Security (“Ministry”) during the evaluation process of work permit applications have been updated pursuant to Article 22 of the Regulation.
News| Legal Updates
10/15/2024
Amendments Have Been Made to the Regulation on Business Opening and Operating Licenses
The Regulation Amending the Regulation on Business Opening and Operating Licenses (“Amendment Regulation”), which was published in the Official Gazette No. 32688 dated October 10, 2024, and came into effect on the same date, has introduced several changes to the relevant provisions of the Regulation on Business Opening and Operating Licenses (“Regulation”).
News| Legal Updates
10/9/2024
Amendment to the Communiqué on the Protection of the Value of the Turkish Currency No. 32
Communiqué (Communiqué No: 2024-32/70) Amending the Communiqué on the Decree No: 32686 on the Protection of the Value of Turkish Currency (Communiqué No: 32686) published in the Official Gazette dated 08.10.2024 and numbered 2024-32/70), which entered into force on the date of its publication.
News| Legal Updates
8/8/2024
Important Amendments to the Animal Protection Law and Our Opinions
The Law on Amendments to the Animal Protection Law (“Law Amendment”), which involves changes to the Animal Protection Law No. 5199 (“Law”), was published in the Official Gazette on August 2, 2024, and came into effect on the same date.

This article has been prepared to summarize and comment on the significant changes.
News| Legal Updates
8/7/2024
Amendments to Customs Law No. 4458
The Decision Concerning the Amendment to the Decision on the Implementation of Certain Articles of the Customs Law No. 4458 ("Decision Amendment") was published in the Official Gazette, and the changes brought by the Decision Amendment will come into force as of August 21, 2024.
News| Legal Updates
7/31/2024
Enforced Collection of Social Security Institution’s Receivables
News| Legal Updates
7/22/2024
Recent Important Decisions by the Board of Advertisement
Advertisements must comply with the principles determined by the Board of Advertisement (“Board”) operating under the General Directorate of Consumer Protection and Market Surveillance of the Ministry of Trade, and must be appropriate to general morality, public order, personal rights, and must be truthful and honest.
News| Legal Updates
7/11/2024
Effective Regulations Have Been Introduced Regarding Crypto Assets
With the Law on Amendments to the Capital Markets Law, accepted on 26.06.2024 and published in the Resmi Gazete on 02.07.2024, the following definitions have been added to Article 3 of the Capital Markets Law No. 6362:
News| Legal Updates
6/26/2024
Significant Amendments for the Transformation of Risky Buildings
With the Regulation amending the Regulation on the implementation of Law No. 6306 (“Regulation”) entered into force after being published in the Official Gazette on 21.05.2024, a number of significant changes have been made in urban transformation practices.
News| Legal Updates
6/3/2024
The Amendments Introduced by Law No. 7511 To The Act On The Protection Of Competition
Amendments have been made to the Turkish Commercial Code, the Act No. 4054 on the Protection of Competition (“Act”) and other legislation with the Law No. 7511, which has been under preparation for some time.
With Law No. 7511, the right to the first written defense granted to parties in investigations initiated by the Competition Board ("Board") was abolished, and amendments were made to Articles 34, 43, and 45 of the Act.
News| Legal Updates
5/24/2024
Similarity Assessment Between Trademarks : Critieria Determined by the Decision of the General Assembly of the Court of Civil Chambers
General Assembly of Civil Chambers ("GACC") has issued a guiding decision dated 24.01.2024 with the file number 2023/588 E. – 2024/22 K., concerning the scope of similarity between brands, criteria for distinctiveness, and the concept of entirety.
News| Legal Updates
5/23/2024
Recent Alterations in Legal Interest and Delay Hike Rates
Presidential decrees regarding the alterations to the legal interest and delay hike on the Public Receivables, rates were published in the Official Gazette dated May 21, 2024.
News| Legal Updates
Expertise
Sectors
Insights & News
Insights
Covid-19 Legal Guide
Corporate
Contact Us
Subscribe to our Newsletters
All Rights Reserved. © 2020