Articles

12.07.2024

New Regulations on Transfer of Personal Data Abroad and Standard Contracts

In line with the amendments to the Turkish Law on the Protection of Personal Data (“KVKK”), new provisions regarding the transfer of personal data abroad have been introduced. Additionally, it was noted that the details concerning the methods of data transfer abroad would be regulated through a specific regulation.

On July 10, 2024, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) was published.

The Regulation defines the activity of transferring personal data abroad. Accordingly, if personal data is transmitted to or made accessible by any means to a data controller or data processor abroad by a data controller or data processor within the scope of KVKK, it will be considered a data transfer abroad.

The transfer of personal data abroad, which largely depended on explicit consent in practice, is now allowed to be carried out without explicit consent. The Regulation elaborates on three different transfer methods specified in the Law:

• Adequacy decision regarding the country, international organization, or sectors within the country where the transfer will take place
• Appropriate safeguards, including the Board’s approval, binding corporate rules, and standard contracts. To utilize this method, as mentioned in the Law, the data subject must have the opportunity to exercise their rights and seek effective legal remedies in the country to which the transfer is being made. Therefore, this method will also require data transfer impact assessments, as is the case with the GDPR
• Occasional data transfers

Among these, standard contracts will be the most commonly used transfer method for data controllers. The Regulation stipulates the obligation to notify the Personal Data Protection Authority within 5 business days after signing the standard contracts. Additionally, even if the standard contracts are drawn up in a foreign language, the Turkish version will prevail. It is also specified that the notification must include documents verifying the authorization of the signatories of the standard contract and a notarized translation of any foreign-language document.

Examples of these contracts have been published in four sets in Turkish by the Authority. Upon review, it is evident that the published contracts bear significant similarities to the standard contracts prepared by the European Commission, although there are some differences. For instance, the published standard contracts do not include a docking clause as found in the GDPR. Therefore, an entity that is not a party to these clauses may not accede to them at any time.

The Regulation also stipulates notification to the Authority in the event of any changes in the information and explanations included in the standard contract or the termination of the standard contract. Failure to fulfill the notification obligation will result in an administrative fine ranging from TRY 50,000 to TRY 1,000,000,000.

The transfer of personal data abroad based on explicit consent will continue to be applied until 1.9.2024 and afterwards this method will be an exceptional method for abroad transfers.