Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad


BY-LAW ON THE PROCEDURES AND PRINCIPLES FOR THE TRANSFER OF PERSONAL DATA ABROAD

PART I

Introductory Provisions

Purpose

ARTICLE 1- (1) The purpose of this By-Law is to establish the procedures and principles regarding the implementation of Article 9 of the Personal Data Protection Law No. 6698 dated 24/03/2016, which regulates the transfer of personal data abroad.

Scope

ARTICLE 2- (1) The provisions of this By-Law shall apply to data controllers and data processors involved in the transfer of personal data abroad in accordance with Article 9 of the Law No. 6698.

Basis

ARTICLE 3- (1) This By-Law is issued pursuant to Article 9(11) and Article 22(1)(e) of the Law No. 6698.

Definitions

ARTICLE 4- (1) For the purposes of this By-Law, the following definitions shall apply:

  1. a) President: The President of the Personal Data Protection Authority;
  2. b) Data subject: A natural person whose personal data is processed;
  3. c) Law: The Personal Data Protection Law No. 6698 dated 24/3/2016;
  4. ç) Personal data: Any information relating to an identified or identifiable natural person;
  5. d) Processing of personal data: Any operation which is performed on personal data, wholly or partially, by automated means, or by non-automated means provided that it forms part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof;
  6. e) Transfer of personal data abroad: The transmission of personal data from a data controller or data processor under the Law No. 6698 to a data controller or data processor established abroad, or making such data accessible to them by any other means;
  7. f) Board: The Personal Data Protection Board;
  8. g) Authority: The Personal Data Protection Authority;
  9. ğ) Data exporter: A data controller or data processor transferring personal data abroad;
  10. h) Data importer: A data controller or data processor in a foreign country receiving personal data from the data exporter;
  11. ı) Data processor: A natural or legal person who processes personal data on behalf of the data controller upon its authorisation;
  12. i) Data controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

(2) For the definitions not covered in this By-Law, the definitions provided in the Law and relevant legislation shall apply.

PART II

General Provisions

Transfer of Personal Data Abroad

ARTICLE 5- (1) Personal data may only be transferred abroad by the controller and the processor in accordance with the procedures and principles set forth in the Law and this By-Law. In cases where personal data is transferred by the processor, the instructions from the controller shall also be complied with.

(2) The provision of the first paragraph shall also apply to onward transfers of personal data that has been transferred abroad, and transfers to international organisations.

(3) The provisions of other laws concerning the transfer of personal data abroad are reserved.

Procedures for transferring personal data abroad

ARTICLE 6- (1) Personal data may be transferred abroad by controllers and processors under one of the conditions specified in Article 5 and Article 6 of the Law, and in the event of the following circumstances:

  1. a) An adequacy decision has been issued regarding the country, sectors within that country, or international organisations to which the transfer is to be made;
  2. b) In the absence of an adequacy decision, one of the appropriate safeguards specified in Article 10 is provided by the parties, on the condition that data subject rights and effective legal remedies for data subjects are also available in the country receiving the transfer.

(2) In the absence of an adequacy decision and where the parties cannot provide one of the appropriate safeguards specified in Article 10, personal data may be transferred abroad by controllers and processors only under one of the exceptional circumstances specified in Article 16, provided that such transfer is incidental.

(3) Without prejudice to the provisions of international conventions, personal data may only be transferred abroad with the permission of the Board by obtaining the opinion of the relevant public institution or organisation, in cases where the interests of Türkiye or the data subject would be seriously harmed.

Transfer of personal data abroad by the processor

ARTICLE 7- (1) In cases where personal data is transferred abroad by the processor, the processor shall act within the purpose and scope established by the controller, on behalf of the controller, and in accordance with the controller’s instructions. The processor shall implement all necessary technical and organisational measures to ensure an appropriate level of security, corresponding to the nature of personal data, in order to prevent unlawful processing of personal data, unlawful access to personal data, and to ensure protection of personal data.

(2) The transfer of personal data abroad by the processor shall not relieve the controller of its responsibility to comply with the procedures and principles, and to ensure the necessary safeguards stipulated in the Law and this By-Law. The controller shall be obliged to ensure that the technical and organisational measures specified in the first paragraph are implemented by the processor.

(3) If the processor is obliged to notify the standard contract pursuant to Article 14(5), the processor shall fulfil this notification obligation independently of any instructions from the controller.

PART III

Transfers Based on Adequacy Decision

Adequacy Decision

ARTICLE 8- (1) The Board may decide that a country, one or more sectors within that country, or an international organisation offers an adequate level of protection with respect to the transfer of personal data abroad. When assessing the adequacy of the level of protection, the following elements shall be taken into account:

  1. a) The reciprocity status concerning the transfer of personal data between Türkiye and the country, sectors within that country, or international organisations to which the data will be transferred;
  2. b) The relevant legislation and practices of the country receiving the data transfer, and the rules governing the international organisation receiving the data transfer;
  3. c) The existence of an independent and effective data protection authority in the country or to which an international organisation is subject, as well as the availability of administrative and judicial redress for the data subjects;
  4. ç) The status of being a party to relevant international conventions on personal data protection or membership in international organisations by the country or international organisation to which the personal data will be transferred;
  5. d) The membership status of the country or international organisation receiving the data transfer in global or regional organisations that Türkiye is a member of;
  6. e) The international conventions to which Türkiye is a party.

(2) The Board shall be authorised to determine additional factors beyond those specified in the first paragraph.

(3) If the Board deems it necessary in its assessment regarding the adequacy decision, it may seek the opinions of relevant institutions and organisations.

(4) Adequacy decisions issued by the Board shall be published in the Official Gazette and on the Authority’s website.

Review of the adequacy decision

ARTICLE 9- (1) The adequacy decision shall be re-evaluated at least every four years. The adequacy decision in question shall explicitly specify the re-evaluation periods. If, following the re-evaluation, the Board determines that the relevant country, one or more sectors within the country, or the international organisation no longer provides an adequate level of protection, it may amend, suspend, or revoke its decision with prospective effect.

(2) The Board may, without being restricted by the re-evaluation period specified in the first paragraph, review the adequacy decision at any time if it deems it necessary and may amend, suspend, or revoke the decision with prospective effect.

(3) The Board may consult with the competent authorities of the relevant country or international organisation to remedy the circumstances that led to the amendment, suspension, or revocation of the adequacy decision pursuant to the first and second paragraphs.

(4) The decisions concerning the amendment, suspension, or revocation of the adequacy decision shall be published in the Official Gazette and on the Authority’s website.

PART IV

Transfers Based on Appropriate Safeguards

Means of providing safeguards

ARTICLE 10- (1) In the absence of an adequacy decision, personal data may be transferred abroad on the condition that one of the conditions specified in Article 5 and Article 6 of the Law exists, and that data subject rights and effective legal remedies for data subjects are also available in the country receiving the transfer, but only where one of the following appropriate safeguards is provided by the parties involved in the transfer:

  1. a) The existence of an agreement, which is not classified as an international convention, between public institutions and organisations, or professional organisations with public institution status in Türkiye and public institutions, organisations, or international organisations abroad, along with approval for the transfer by the Board;
  2. b) The existence of binding corporate rules, containing provisions on personal data protection, which the companies within a group of undertakings engaged in joint economic activities are required to comply with, and which have been approved by the Board;
  3. c) The existence of a standard contract which is published by the Board, containing information such as data categories, purposes of the data transfer, recipients and recipient groups, technical and organisational measures to be implemented by the data importer, and additional measures for sensitive personal data;
  4. ç) The existence of a written commitment containing provisions to ensure adequate protections, and approval for the transfer by the Board.

Providing appropriate safeguards with non-international agreements

ARTICLE 11- (1) Appropriate safeguards may be provided by provisions to be inserted into agreements, not classified as an international convention, for the transfer of personal data between public institutions and organisations, or professional organisations with public institution status in Türkiye, and public institutions, organisations, or international organisations abroad. The agreement shall be concluded between the parties to the personal data transfer.

(2) The Board’s opinion shall be sought during the negotiation process of the agreement.

(3) The provisions on personal data protection included in the agreement shall specifically address the following:

  1. a) The purpose, scope, nature, and legal basis of the personal data transfer;
  2. b) Definitions of key concepts in accordance with the Law and relevant legislation;
  3. c) A commitment to comply with the general principles outlined in Article 4 of the Law;
  4. ç) Procedures and principles for providing information to data subjects about the agreement and the personal data transfer to be carried out under that agreement;
  5. d) A commitment to ensure that data subjects whose personal data has been transferred can exercise their rights as specified in Article 11 of the Law, and procedures and principles regarding the requests to be made for the use of these rights;
  6. e) A commitment to implement all necessary technical and organisational measures to ensure an appropriate level of security;
  7. f) A commitment to implement adequate measures as determined by the Board for the transfer of sensitive data;
  8. g) Restrictions on the onward transfer of personal data;
  9. ğ) A redress mechanism available to data subjects in the event of a breach of the data protection provisions to be included in the agreement;
  10. h) An auditing mechanism to ensure compliance with the data protection provisions to be included in the agreement;
  11. ı) A provision granting the data exporter the right to suspend the data transfer and terminate the agreement if the data importer cannot comply with the data protection provisions to be included in the agreement;
  12. i) A commitment from the data importer, upon termination or expiration of the agreement, to either return the personal data transferred, including all backups, to the data exporter or to completely destroy such data, at the choice of the data exporter.

(4) To transfer the personal data abroad based on the agreement, the data exporter shall apply to the Board for permission. As part of the application, the final version of the agreement text and any other information and documents necessary for the Board’s evaluation shall be submitted to the Board. The transfer of personal data may only commence after the Board has granted the permission.

Providing appropriate safeguards with binding corporate rules

ARTICLE 12- (1) Appropriate safeguards may be provided through binding corporate rules for the protection of personal data, which the companies within the group of undertakings engaged in joint economic activity are obliged to comply with. To transfer personal data abroad based on binding corporate rules, an application for approval shall be submitted to the Board.

(2) As part of the application, the text of the binding corporate rules and any other information and documents necessary for the Board’s evaluation shall be submitted to the Board. If any document submitted for the application is in a foreign language, a notarised translation shall be attached to the application. If the binding corporate rules are also prepared in a foreign language, the Turkish text shall prevail.

(3) In approving the binding corporate rules, the Board shall consider the following:

  1. a) The binding corporate rules are legally binding and enforceable for each relevant member within the group of undertakings engaged in joint economic activity, including their employees;
  2. b) The binding corporate rules include a commitment to ensure enforceable data subject rights;
  3. c) The binding corporate rules contain at least the elements specified in Article 13.

(4) The transfer of personal data may only commence after the Board has approved the binding corporate rules.

Elements to be found in binding corporate rules

ARTICLE 13- (1) Binding corporate rules shall include at least the following elements:

  1. a) The organisational structure and contact details for each member of the group of undertakings engaged in a joint economic activity;
  2. b) Information regarding the data transfers under binding corporate rules, in particular the categories of personal data, processing activity and its purposes, data subject group or groups, and identification of country or countries receiving data transfer;
  3. c) A commitment confirming that binding corporate rules are legally binding both within the internal relations and external legal interactions of the group of undertakings engaged in a joint economic activity;
  4. ç) Data protection measures such as compliance with the general principles outlined in Article 4 of the Law, conditions for processing personal data, sensitive personal data, technical and organisational measures for ensuring data security, adequate measures for processing sensitive personal data, and restrictions on onward data transfers;
  5. d) A commitment to ensure that data subjects whose personal data is transferred can exercise their rights specified in Article 11 of the Law and their right to lodge a complaint with the Board in accordance with the procedures and principles outlined in Article 14 of the Law, along with the existence of the procedures and principles for the exercise of these rights;
  6. e) A commitment that, in the event of a breach of the binding corporate rules by any member not established in Türkiye, a controller and/or processor established in Türkiye will assume liability for the breach;
  7. f) Explanations on how the data subjects will be informed about matters related to the binding corporate rules, in particular on the provisions referred to in subparagraphs (ç), (d) and (e), as well as the information provided to the data subjects within the scope of the obligation to inform under Article 10 of the Law;
  8. g) Explanations on the training to be provided to employees on the protection of personal data;
  9. ğ) The tasks of the persons or entities in charge of monitoring compliance with the binding corporate rules within the group of undertakings, including their role in responding to the requests of the data subjects;
  10. h) The mechanisms for auditing and verifying compliance with the binding corporate rules within the group of undertakings, in particular data protection audits and methods for ensuring corrective actions to protect the rights of the data subjects, and a commitment that such results will be communicated to the person or entity referred to in subparagraph (ğ) and to the board of the controlling company within the relevant group of undertakings, and to the Board upon request;
  11. ı) The mechanisms for reporting and recording changes to the binding corporate rules and reporting those changes to the Board;
  12. i) The obligation to cooperate with the Authority to ensure compliance with the binding corporate rules by the members of the group of undertakings, in particular the submission of the results from the audit and verification activities referred to in subparagraph (h);
  13. j) With respect to personal data to be transferred under the binding corporate rules, a commitment by the members of the group of undertakings that there is no national regulation in the country or countries receiving the data transfer that contradicts the guarantees provided by the binding corporate rules, and mechanisms to notify the Board in case of a legislative change which is likely to have a substantial adverse effect on these guarantees;
  14. k) A commitment to provide appropriate data protection training to personnel having permanent or regular access to personal data.

(2) The Board shall be authorised to determine additional requirements beyond those specified in the first paragraph. The documents required for the application of binding corporate rules shall be determined by the Board.

Providing appropriate safeguards with standard contract

ARTICLE 14- (1) Appropriate safeguards may be provided through a standard contract, which includes elements such as data categories, purposes of data transfer, recipient and recipient groups, technical and organisational measures to be implemented by the data importer, additional measures, and additional measures for sensitive personal data.

(2) The standard contract shall be determined and announced by the Board.

(3) The standard contract text shall be used without any modifications. In the event the standard contract is also concluded in a foreign language, the Turkish text shall prevail.

(4) The standard contract shall be concluded between the parties involved in the personal data transfer. It shall be signed by the parties to the transfer, or by persons authorised to represent and sign on behalf of the parties.

(5) The standard contract, after finalisation of the signatures, shall be notified to the Authority within five business days, either physically, through a registered electronic mail (KEP) address, or via other methods specified by the Board. The parties to the transfer may designate in the standard contract which party will fulfil the notification obligation. If no such agreement is made, the data exporter shall be responsible for notifying the Board.

(6) The notification shall include documents certifying that the signatories are authorised, along with notarised translations of any foreign language documents.

(7) If the standard contract text announced by the Board is modified, or if one or both parties to the transfer lack valid signatures in the standard contract, the Board shall conduct an examination in accordance with Article 15 of the Law.

(8) In the event of any change to the parties involved in the standard contract, or modifications to the information and explanations it contains, or if the standard contract is expired, the Board shall be notified in accordance with the procedure outlined in paragraph five.

Providing appropriate safeguards with a commitment letter

ARTICLE 15- (1) Appropriate safeguards for the protection of personal data may be provided through provisions included in a written commitment letter to be concluded between the parties involved in the transfer.

(2) The provisions related to the protection of personal data in the commitment letter shall specifically include the following:

  1. a) The purpose, scope, nature, and legal basis of the personal data transfer;
  2. b) Definitions of key concepts in accordance with the Law and relevant legislation;
  3. c) A commitment to comply with the general principles specified in Article 4 of the Law;
  4. ç) Procedures and principles for informing data subjects about the commitment letter and the personal data transfer to be made under its scope;
  5. d) A commitment to ensure that data subjects whose personal data has been transferred can exercise their rights as specified in Article 11 of the Law, and procedures and principles regarding the requests to be made for the use of these rights;
  6. e) A commitment to implement all necessary technical and organisational measures to ensure an appropriate level of security;
  7. f) A commitment to implement adequate measures as determined by the Board for the transfer of sensitive data;
  8. g) Restrictions on the onward transfers of personal data;
  9. ğ) A redress mechanism available to data subjects in the event of a breach of the commitment letter;
  10. h) A commitment by the data importer to comply with the Board’s decisions and opinions regarding the processing of personal data subject to the transfer;
  11. ı) A provision stating that there is no national regulation that will cause the data importer to fail to comply with the commitment letter, and a commitment to notify the data exporter as soon as possible of any potential legislative changes that may lead to such a failure, and in such a case the data exporter shall have the right to suspend the data transfer and terminate the commitment letter;
  12. i) A provision confirming that if the data importer fails to ensure compliance with the commitment letter, the data exporter shall have the right to suspend the data transfer and terminate the commitment letter;
  13. j) A commitment that if the commitment letter is terminated or its term expires, the data importer shall, at the choice of the data exporter, either return the personal data with its backups to the data exporter or completely destroy the personal data;
  14. k) A commitment confirming that the commitment letter is subject to Turkish law and, in case of a dispute, Turkish courts shall have jurisdiction, and that the data importer agrees to recognise the jurisdiction of Turkish courts.

(3) To transfer personal data abroad based on the commitment letter, the data exporter shall apply to the Board for permission. As part of the application, the commitment text and any other information and documents necessary for the Board’s evaluation shall be submitted to the Board. If the commitment is also concluded in a foreign language, the Turkish text shall prevail. The transfer of personal data may only commence after the Board has granted permission.

PART V

Exceptional Transfers

Exceptional transfer cases

ARTICLE 16- (1) In the absence of an adequacy decision and where the parties cannot provide one of the appropriate safeguards specified in Article 10, personal data may be transferred abroad only under one of the exceptional circumstances specified in the second paragraph, provided that such transfer is incidental. Transfers that are not regular, occur only once or a few times, do not have a continuous nature, and are not part of the ordinary course of business shall be considered incidental.

(2) Exceptional cases for the transfer of personal data are as follows:

  1. a) The data subject has given explicit consent to the transfer, provided that he/she has been informed of the potential risks involved;
  2. b) The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures implemented at the data subject's request;
  3. c) The transfer is necessary for the establishment or performance of a contract between the controller and another natural or legal person, carried out in the interest of the data subject;
  4. ç) The transfer is necessary for a substantial public interest;
  5. d) The transfer of personal data is necessary for the establishment, exercise, or protection of any right;
  6. e) Transfer of personal data is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to express his/her consent due to physical disability or whose consent is not deemed legally valid;
  7. f) The transfer is made from a registry that is open to the public or accessible to persons with legitimate interest, provided that the conditions for accessing the registry under relevant legislation are fulfilled, and that the person with a legitimate interest has requested the transfer.

(3) For transfers under subparagraph (f) of the second paragraph, the following procedures and principles shall be observed:

  1. a) The transfer shall not include all personal data or categories of personal data contained within the registries;
  2. b) Transfers from registries accessible to persons with legitimate interests shall only be made to those persons or upon their request.

(4) The provisions in subparagraphs (a), (b), and (c) of the second paragraph shall not apply to the public law activities of public institutions and organisations.

PART VI

Miscellaneous and Final Provisions

Resolution of Doubts

ARTICLE 17- (1) The Board shall be authorised to resolve any ambiguities that may arise in the implementation of this By-Law and to make decisions on matters not specifically addressed herein, in accordance with the relevant legislation.

Entry into Force

ARTICLE 18- (1) This By-Law shall enter into force on the date of its publication.

Enforcement

ARTICLE 19- (1) The President of the Personal Data Protection Authority shall be responsible for executing the provisions of this By-Law.