Legal AlertThe Regulation on The Procedures and Principles Regarding the Transfer of Personal Data Abroad Has Been Published in the Official Gazette.

10 July 2024

The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation“) was published in the Official Gazette dated July 10, 2024, and has thus come into force. The Regulation has been prepared in order to regulate the procedures and principles regarding the transfer of personal data abroad.

It may be recalled that the Personal Data Protection Authority (“Authority“) officially announced on its website on 9 May 2024 the initiation of the public consultation process for the “Draft Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad” (“Draft Regulation“). Subsequent to the collection and thorough evaluation of public feedback, the Regulation has been finalized.

Although there are no significant distinctions between the Draft Regulation and the final Regulation, a critical difference emerges in the provisions related to standard contracts. Article 14 of the Draft Regulation required that the standard contract be reported to the Authority within five business days following its execution. The final Regulation extends this requirement, mandating that any modifications to the parties of the standard contract, its content, or in the event of the contract’s termination, must also be reported to the Authority. This modification introduces an obligation to notify the Authority of any changes concerning the standard contract.

Furthermore, the Regulation introduces the definitions of data transmitter and data receiver for the first time in our legislative framework. The Regulation is prepared to apply to data controllers and data processors who are parties to the transfer of personal data abroad, and in case personal data is transferred by the data processor, it is also stipulated that the data processor must comply with the instructions of the data controller. This obligation is also envisaged to be applied in terms of onward transfers of personal data transferred abroad and transfers to international organizations.

The Regulation details the issues to be taken into consideration by the Board when making an Adequacy Decision for data transfer abroad and the issues regarding the review of the Adequacy Decision. Accordingly, the adequacy decision will be re-evaluated at the latest every four years. The re-evaluation periods will be clearly defined, and the Board will modify, suspend or revoke its decision with prospective effect if, as a result of the re-evaluation, it finds that the relevant country, one or more sectors within the country or international organisation does not provide an adequate level of protection. The Regulation stipulates that the decisions regarding the amendment, suspension or revocation of the qualification decision shall be published in the Official Gazette and on the website of the Authority.

Under the Regulation, among the transfer mechanisms to be based on Appropriate Safeguards, the minimum terms that should be included in the agreement that is not an international agreement, Binding Corporate Rules and Undertaking Letter, and the issues regarding how to transfer personal data based on these mechanisms are specified. It is also regulated that the Standard Contract will be determined and announced by the Board.

The ‘incidental’ phrase included in the new version of Article 9 of the Law, for the transfers in the absence of an Adequacy Decision or Appropriate Safeguards is included in the Regulation under the exceptional transfer cases as transfers that are not regular, occur only once or a few times, are not continuous and are not in the ordinary course of business. In the event that a transfer is made from a registry that is open to the public or to persons with legitimate interests, which is one of the cases of incidental transfer, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it, the transfer may be made. It is stipulated that the transfer cannot encompass the entirety of the personal data or personal data categories present within the registries. Furthermore, transfers from registries accessible to individuals with legitimate interests can only be made to these individuals or upon their request.

The Board is empowered to address any ambiguities that may arise during the implementation of the Regulation and to determine matters not explicitly addressed by the Regulation in accordance with the relevant legislation.

Please find the complete text of the Regulation, via the following link:

https://www.resmigazete.gov.tr/eskiler/2024/07/20240710-2.htm

 

This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in the Information Note do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Information Note. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Information Note.