While shopping every day, we increasingly see phrases such as “personal data, express consent, transfer of data abroad”. The Law on the Protection of Personal Data (“Law”), which entered into force in 2016, brought many innovations and greater awareness to our lives in terms of the protection of our data. Although 5 years have passed since the Law came into force, there are still some problems in implementation. One of the problems within the scope of the Law is the “transfer of personal data abroad” regulated in Article 9 of the Law. Where are my data? Data transfer methods abroad.
According to the relevant article, “Personal data shall not be transferred abroad without explicit consent of the data subject.”
ARTICLE 9 – (1) Personal data shall not be transferred abroad without explicit consent of the data subject.
(2) Personal data may be transferred abroad without explicit consent of data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;
(a) Adequate protection is provided.
(b) Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Turkey and in the relevant foreign country and authorization of the Board.
(3) The Board determines and announces the countries with adequate protection.
(4) The Board shall decide whether there is adequate protection in the foreign country and whether such transfer is permitted under the sub-paragraph (b) of the second paragraph, by evaluating the followings and by receiving the opinions of relevant institutions and organizations, where necessary:
a) the international conventions to which Turkey is a party,
b) the state of reciprocity relating to data transfer between the requesting country and Turkey,
c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,
ç) the relevant legislation and its implementation in the country to which the personal data are to be transferred,
d) the measures committed by the data controller in the country to which the personal data are to be transferred,
(5) Without prejudice to the provisions of international agreements, in cases where the interest of Turkey or the data subject will seriously get harmed, personal data may only be transferred abroad upon the authorization to be given by the Board after receiving the opinions of relevant public institutions and organizations.
(6) The Provisions of other laws relating to the transfer of personal data abroad are reserved.
The article specifies various methods for the transfer of data abroad. These methods are obtaining explicit consent, a written commitment for the transfer of data abroad, and transfer to countries where adequate protection is available.
Since “countries with adequate protection” have not been announced by the Personal Data Protection Board (“Board”), this method is not applicable for data transfer. Commitment Letters, which are specified as another method in the Law, are used in bilateral data transfer and are insufficient in practice within multinational companies. For this reason, Binding Corporate Rules were presented as a new alternative for the transfer of data abroad with the “Announcement on the Binding Company Rules” published by the Board on 10.04.2020.
Data Transfer Methods Abroad
Since data is commonly transferred abroad in the daily workflow of companies, it would be useful to talk about what the methods within the scope of the Law are and how they should be implemented.
The first method specified in the scope of the Law is “explicit consent”. Pursuant to Article 9 of the Law, “Personal data shall not be transferred abroad without explicit consent of the data subject.” The difficulty here is that explicit consent must be obtained from every real person whose personal data will be transferred abroad within the company and/or institution. Since the explicit consent given by individuals can be withdrawn at any time, the data controller will not be able to transfer the data abroad once consent is withdrawn. To transfer data abroad based on explicit consent, the consent must be prepared in a way that includes the details of the scope of the transfer abroad.
Binding Corporate Rules (“BCR”)
The BCR were accepted by the Board because the existing data transfer methods were insufficient for multinational corporations. Under the BCR, the application to the Board should be made by the group's head office if it is located in Turkey or, if the group does not have a head office located in Turkey, by a group member residing in Turkey that is designated as the “Authorized Group Member” and authorized to protect personal data. The legal risk and drawback of the BCR is that applications made by companies are evaluated and finalized by the Board within 1 year from the official application date. No BCRs have been published by the Board from the date of the announcement until today.
Within the scope of the Law, in order to transfer data abroad based on processing conditions other than explicit consent, adequate protection must be provided in addition to the data processing conditions.
For adequate protection to exist, the country to which data will be transferred must be one of the countries declared by the Board to have adequate protection. Alternatively, adequate protection must be committed to in writing by the data controller in Turkey and the data controller abroad who is the recipient of the data transfer.
The data controller or data processor in Turkey must undertake to provide adequate protection by signing a written undertaking, apply to the Board with this Commitment Letter, and obtain permission for data transfer abroad. The data transfer Commitment Letter of TEB Arval Araç Kiralama A.Ş., approved by the Board on February 9, 2021, is the first international data transfer undertaking approved since the Law came into force. A possible risk with the Commitment method is the lack of adequate justification in the Commitment Letter published by the Board so far.
Considering that personal data is in every aspect of our lives, companies or institutions continue to transfer our personal data abroad every day. Even when we use Gmail or Outlook during the day and/or use a cloud service whose server is located abroad, our personal data is transferred abroad. At this point, the best approach for us as a company and/or institution is to evaluate and implement one of the conditions listed in the Law for data transfer.