The Undertaking regarding transfer of personal data outside Turkey has been evaluated by the Personal Data Protection Board (“Board”) within the scope of subparagraph (b) of paragraph 2 of Article 9 of the Personal Data Protection Law No. 6698 and the said data transfer has been approved by the Board on 09.02.2021.
With this precedent decision, instead of obtaining explicit consent from each data owner for transfer of personal data outside Turkey; undertake to be signed between data controllers and data receiver groups, and which the Board will evaluate and give its permission to transfer data abroad, the way has been paved for a more practical transfer.
What were the conditions for data transfer abroad?
The conditions for transfer of personal data outside Turkey are specified with three basic alternatives in the Law on Protection of Personal Data No.6698 (“Law”). According to Article 9 of the Law, which is the article on transfer of personal data outside Turkey, personal data can be transferred abroad if the following conditions are provide. These conditions are as follows; (i) obtaining explicit consent from the person concerned for transfer abroad, (ii) the country which the data will be transferred must be considered by the Board as one of the countries with adequate protection, or (iii) in the absence of adequate protection, data controllers in Turkey and in the relevant foreign country must undertake adequate protection in writing and have the permission of the board regarding data transfer.
Since the date which the law came into force in 2016, the Board has not considered any country as a “country with adequate protection” and kept its silence on applications regarding undertakes or binding company rules which allows data transfer to foreign countries that did not have adequate protection. Although there are alternative regulations in addition to the option of obtaining explicit consent from the data owner for the transfer abroad in the Law, these alternatives could not find a field of application until the decision of the Board on 09.02.2021 for permission to transfer abroad. Considering that even the simplest CRM software that is frequently used in any institution has overseas servers and in this way, almost every company transfers data abroad on a large scale; it is obvious that obtaining explicit consent from each person concerned is not applicable.
However, with the aforementioned decision of the Board, the application for a undertaking for the transfer of personal data abroad by a Vehicle Fleet Rental Company was evaluated and the data transfer abroad was allowed with the undertaking. This situation indicates that a new era will be entered in the transfer of personal data abroad.
With this decision, it seems that the method of obtaining explicit consent from each concerned person, which is the only method that finds a field in practice for data transfer abroad, will be replaced by the transfer of data via the Undertakings to be signed between data transferor and data receiver and binding company rules applications.
What Does the Board Say About Permission to Data Transfer Abroad?
For the permissions to be obtained for the transfer of personal data abroad, it is necessary to pay attention to the use of the guide texts and explanations, especially on the official website of the Institution. In this context, it will be of great importance to include the provisions included in the examples of the undertaking texts which is on the official website, in the undertakings to be prepared. While the application is made, in addition to the name, surname, address and signature of the person authorized to represent and bind the data controller (the person authorized to apply), documents indicating that he is authorized to sign the Undertaking must be attached to the application. And also, a notarized Turkish translation of every document in a foreign language will also be required.
One of the most important points in the application is the clear and detailed indicate of which personal data is transferred to which recipient groups, for what purpose and for what legal reasons. Especially in the data category sections, ambiguous expressions should be avoided and the data types to be transferred under the category should be specified in detail(For example, under the identity data category: specifying subcategories such as name, surname, TR Identity Number). It is also very important to include clear detailed explanations on the legal status of the parties and to confirm the relationship between the Parties, if any, with documents.
The evaluation of the Letter of Undertaking application by the Board and the permission to transfer data abroad with Undertaking for the first time is a great progression for institutions whose commercial and operational activities are very intensive to transfer data abroad. With the accepted undertaking, the way for foreign data transfer permit applications has been opened. In this respect, we recommend that all institutions transferring personal data abroad start the necessary work for permit applications.
Ekim Bayram, Attorney At Law