Guideline On The Transfer Of Personal Data Abroad Has Been Published


A.  INTRODUCTION

On March 12, 2024, Article 9 of the Personal Data Protection Law No. 6698 ("PDP Law") regulating the transfer of personal data abroad was amended by Law No. 7499. The procedures and principles regarding transferring personal data abroad were regulated by the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad ("Regulation")[1]. The Guideline on the Transfer of Personal Data Abroad ("Guideline"), prepared to eliminate the question marks that may be encountered in practice after the amendment and to provide guidance on the safeguards expected by the Personal Data Protection Board ("Board"), was published on the website of the Personal Data Protection Authority ("Authority") on January 2, 2025.[2] This Guideline provides essential information on the methods used in data transfer abroad, especially standard contracts.

B.   DEFINITION OF TRANSFER ABROAD

          The Guideline provides detailed explanations of the territorial applicability of the PDP Law. The Guideline states that the principle of territoriality is insufficient to ensure effective data protection when determining the transfer abroad. Therefore, the principle of effect should be considered when determining the territorial scope of the Law.[3] In addition, the Guideline defines data transfer abroad as the activity of "transmitting and making accessible," and examples of these activities are creating an account, granting access to an existing account, viewing personal data through remote access from a third country, and storing personal data in a cloud located abroad. It is also stated that if personal data is obtained directly from the data subject (direct collection), this will not constitute data transfer abroad.

          Some of the examples recognized in the Guideline as constituting data transfer abroad are as follows:

•   The data controller residing abroad transmits the data obtained directly from the data subjects in Turkey to a data processor abroad, and the personal data are processed by the data processor on its behalf,

•    A data processor residing in Turkey transfers the data processed on behalf of a data controller abroad to this data controller,

•    A company residing in Turkey transfers employee data to a parent company located abroad for storage in a centralized HR database. 

C.  STANDARD CONTRACTS

          Pursuant to Article 9(4)(c) of the PDP Law, the existence of a standard contract announced by the Board is listed as one of the appropriate safeguards accepted for transfer abroad. Standard agreements are the most frequently used method of transferring data abroad, as data can be transferred abroad using the standard agreement announced by the Board without obtaining any other permission or pre-approval.

          Article 9/8 of the PDP Law stipulates that the conditions stipulated in the PDP Law must also be met in onward transfers. In practice, the question of whether the agreements signed with the data processors should be notified to the Authority to provide appropriate safeguards for such onward transfers is frequently raised. Since the Guideline does not provide sufficient explanations on this issue, this uncertainty continues.

          The Guideline clearly states that standard contracts may be drafted in Turkish and English in two columns, as is often done in practice. The Guideline also states that all official documents, including documents showing that the contracting parties are authorized to sign the agreements, must have a Turkish translation and an apostille annotation if issued by a country party to the Convention Abolishing the Requirement of Legalisation for Foreign Public Documents.

D.  BINDING CORPORATE RULES

          The Guideline provides detailed explanations of the binding corporate rules stipulated in Article 13 of the PDP Law. According to the PDP Law, corporations may apply to the Authority for binding corporate rules, and applications are subject to Board approval. The application may be based on the "Binding Corporate Rules for Data Processors" and "Binding Corporate Rules for Data Controllers" published by the Board. The Guideline states that applications will be made separately in cases where there is a transfer to both the data controller and the data processor within the same group company. It is also noted that the contact person or unit related to the application should be specified, and it is recommended that this person/unit be present in Turkey. The Guideline also provides statistical information that three binding corporate rules applications were filed before Law No. 7499, but these applications were rejected due to procedural deficiencies.

E.  OCCASIONAL TRANSFER 

          In the Guideline, an occasional transfer is defined as a transfer that occurs once or more than once, is not regular, does not show continuity, and is not in the regular course of business. This definition clarifies that occasional transfers are not restricted to data transfers that occur just once. Instead, transfers can still be deemed occasional even if they happen multiple times, provided they do not occur continuously and are not part of the regular course of business.

          The Guideline gives examples of occasional transfers, such as an employer's transfer of the personal data of a sales manager who travels to visit customers abroad for the performance of an employment contract, made to organize meetings with these customers, and the transfer of personal data by a Turkish company to another company abroad to fulfill a customer's payment request, provided that other conditions are met. As for the transfers to be made by a tourism company of its customers' reservation information, it is stated that these transfers are not occasional as they are carried out within the ordinary course of business of the company, although it is not known in advance when these transfers will be made.

          The Guideline offers examples of occasional transfers, illustrating various contexts in which these transfers may occur. For instance, a sales manager's personal data may be transferred by their employer when the manager travels abroad to meet clients as part of their employment contract. Similarly, a Turkish company might transfer personal data to a foreign company to facilitate a customer's payment request, provided other conditions are met. In contrast, the Guideline specifies that data transfers related to customer reservation information by a tourism company cannot be classified as occasional. Despite the unpredictable timing of these transfers, they are considered part of the company's regular course of business operations. This distinction highlights the importance of context in determining whether a data transfer is deemed occasional.

F.  CONCLUSION

          The Guideline has been observed to include important explanations, especially regarding standard contracts and occasional transfers. However, answers to some questions in practice, particularly those regarding subsequent transfers, are not clearly provided. Future Board decisions and implementations are expected to provide guidance. 

          The Guideline provides comprehensive guidance on the procedures for transferring personal data abroad, offering practical examples to shed light on key aspects for practitioners. Notably, it offers detailed explanations and concrete examples related to standard contracts and occasional transfers, which are crucial for understanding the scope of data transfer requirements. Nevertheless, the Guideline falls short in providing clear answers to certain practical questions, particularly those related to subsequent transfers. Clarity on these issues is anticipated through future decisions and implementations from the Board.

For further information and support, please contact us at info@lbfpartners.com

LBF Partners Law Firm
 
[1] The Regulation entered into force on July 10, 2024, and the information note we prepared on the subject can be found here.
[2] For the guide, see https://kvkk.gov.tr/SharedFolderServer/CMSFiles/13711235-abb6-4b17-9a6b-0a68c1ad86c5.pdf (Date of Access: 24.01.2025)
[3] In the same direction, see the Board's Decision dated 24.01.2019 and numbered 2019/10 on the Procedures and Principles of Personal Data Breach Notification.
February 5, 2025