Navigating GDPR & KVKK with New SCC

Living in a period where data flows across borders as never before, ensuring the protection of personal data has become a real puzzle. Businesses that trade with customers in the European Union need to learn how to transfer data internationally in accordance with the General Data Protection Regulation. Recent updates to the Standard Contractual Clauses give businesses a timely reason to review their data transfer mechanisms. This article discusses these changes and how they interact with Turkish data protection law.

What Is a Standard Contractual Clause (SCC)?

Standard Contractual Clauses, or SCCs, are model contractual terms approved by the European Commission that enable organizations to transfer personal data from the European Economic Area to third countries not recognised as providing an adequate level of data protection. SCCs are, in essence, safeguards: they ensure that personal data transferred abroad receives protection comparable to that guaranteed within the European Union.

Indeed, many businesses had relied on the EU-U.S. Privacy Shield framework for transfers of data to the United States before the rise of SCCs. However, in July 2020, the CJEU invalidated the Privacy Shield because U.S. government surveillance was not subject to sufficient checks and balances. This decision was the catalyst that made firms seek other legal mechanisms and made SCCs, by default, the primary tool for lawful data transfers outside the EU.

The New SCCs: What’s Changed?

Following the CJEU ruling and the changing digital landscape, the European Commission adopted new SCCs in June 2021. These changes are tailored to modern data processing practices and the realities of international transfers; the main updates are set out below.

1. Update: A Modular Design

One of the most important novelties introduced by the new SCCs is their modular structure. Modularity gives businesses flexibility: they can select only the clauses that correspond to their data transfer scenario. In their current form, the SCCs cover the following types of transfer:

  • Controller-to-Controller: The purpose and means of data processing are determined by both parties (for example, when a company shares customer data with a business partner).
  • Controller-to-Processor: The data exporter determines the purpose of processing, while the data importer acts on behalf of the exporter (for example, a company outsourcing the processing of data to a cloud provider).
  • Processor-to-Processor: Both parties are processors acting on behalf of a third-party controller (for example, a subcontractor hired by a cloud provider).
  • Controller-to-Processor: A controller transfers data down to a processor (for example, the company's transfer of raw data to a cloud provider).

This flexibility in the text of the SCCs allows companies to adapt the clauses to unusual scenarios in their data flows while remaining compliant with the principles of the GDPR.

2. Supplementary Measures

The new SCCs stress the importance of considering the legal environment of the recipient third country. Organizations are now expected to conduct a Transfer Impact Assessment to verify whether the country of receipt provides data protection standards at least equivalent to those of the European Union. If it does not, additional supplementary measures, such as encryption or anonymization, are required for the data.

In practice, this means that a European company outsourcing data to a U.S.-based cloud computing provider would have to assess whether U.S. surveillance legislation compromises the security of the data; if it does, the company would have to encrypt the data before sending it to the cloud in order to address the risk.

3. Third-Party Beneficiaries

Another key change is the explicit acknowledgement of data subjects, that is, the individuals whose personal data is being transferred, as third-party beneficiaries under the SCCs. This means that individuals can directly invoke certain clauses of the SCCs against both the data exporter and the data importer. Thus, if a foreign service provider mishandles data belonging to a European customer, that customer may be entitled to claim remedies under the SCCs.

4. Increased Transparency

Transparency is one of the mainstays of the GDPR, and in this respect the new SCCs place an additional burden on businesses with regard to the transparency of data transfers. Businesses must inform data subjects about the transfers: where the data is being transferred, on what legal basis, and what safeguards are in place for the transfer.


How does this relate to Turkish data protection law?

Turkey has its own data protection framework, the KVKK (Law on Protection of Personal Data), enacted in 2016. The KVKK has much in common with the GDPR, such as the requirement of a legal basis for processing data and the obligation to keep data secure. Yet there is a striking difference that businesses must deal with when it comes to data transfers between the EU and Turkey.

Limitation of Data Transfer

Like the GDPR, the KVKK limits the transfer of personal data to third countries outside Turkey. For personal data to be transferred outside Turkey, the relevant Turkish authority, the KVKK Board, must consider the third country to provide an adequate level of protection. No adequacy list exists, and supplementary guarantees of protection are required for almost all transfers.

To legally transfer data from Turkey to a country not recognised as adequate (which includes EU member states), organizations must obtain the explicit consent of the data subject or conclude a written agreement with the recipient of the data that provides appropriate guarantees. The new SCCs may be incorporated into such agreements so as to satisfy two different legislations at once, the GDPR and the KVKK, a dual compliance that companies operating in both regions must achieve.

For instance, a Turkish e-commerce company that processes EU customer data will have to adopt the new SCCs in its contracts with EU partners as the means of lawfully transferring data under the GDPR, while also ensuring compliance with the KVKK requirements.

  • Scenario 1: A company based in Turkey outsourcing its data processing to a U.S.-based cloud service provider needs to evaluate the legal framework in the U.S. and add extra layers of safeguards, such as encryption, to meet the standards of both the GDPR and the KVKK.
  • Scenario 2: An EU company sharing customer data with a partner in Turkey must incorporate the appropriate SCCs into the data-sharing agreement and ensure that the cross-border transfer is also KVKK compliant.


What Should Businesses Do Now?

Since these reforms have now been adopted and confirmed, businesses engaged in international data transfers, particularly from the EU to Turkey, should take the following actions as soon as possible.

1. Evaluate Existing Data Transfers

First, map all personal data flows from the EU to third countries, including Turkey. Establish which legal mechanisms are currently used and assess whether they meet the requirements of the new SCCs. If they do not, determine what must be done to bring them into compliance.

2. Update Agreements

Replace old SCCs with the new versions before the deadline set by the European Commission. Ensure that all contracts involving data transfers include the relevant safeguards under the GDPR, and under the KVKK where it also applies.

3. Transfer Impact Assessments

Conduct a Transfer Impact Assessment (TIA) of the recipient country's legal environment. Identify the potential risks to data protection and the further measures needed to mitigate them, such as encryption or binding contractual obligations on the parties controlling the data.

4. Compliance with KVKK

Remember that any data transfer into or out of Turkey must adhere to the requirements of both the GDPR and the KVKK. This means obtaining the explicit consent of data subjects, drawing up robust data transfer agreements, or incorporating the new SCCs into existing contracts.

Conclusion

The updated SCCs amount to a sea change in the data transfer regime under the GDPR, bringing more flexibility for businesses and dispelling doubts about international data flows. Staying compliant in a diversified world economy, which includes countries like Turkey, requires due diligence and attention to detail. By remaining informed, conducting thorough assessments, and properly updating the language of their contractual agreements, businesses can navigate these waters without losing the trust of their customers while safeguarding personal data.
