Eryürekli | A New Era for Transfer of Personal Data Abroad: GDPR-Based Amendments to Data Protection Rules Eryürekli | A New Era for Transfer of Personal Data Abroad: GDPR-Based Amendments to Data Protection Rules
Eryürekli | A New Era for Transfer of Personal Data Abroad: GDPR-Based Amendments to Data Protection Rules

14 Mar 2024 Legal Alert
Data Protection General

A New Era for Transfer of Personal Data Abroad: GDPR-Based Amendments to Data Protection Rules

Eryürekli | A New Era for Transfer of Personal Data Abroad: GDPR-Based Amendments to Data Protection Rules

Download PDF

Share

  • Yazdır

Turkish data protection rules governing the transfer of personal data abroad were amended with the Law on Amendments to The Criminal Procedure Law and Certain Other Laws No. 7499 (“Amendment Law”), together with conditions for processing special categories of personal data, penalties and remedies.

A. Introduction

Law on the Protection of Personal Data No. 6698 (“PPDL”), based on Directive 95/46/EC, was adopted in Türkiye in 2016. After the General Data Protection Regulation (“GDPR”) was adopted and proved its well-established jurisprudence and practice; Türkiye announced its objective to amend PPDL (i) based on EU standards, (ii) based on provisions of GDPR regarding the transfer of personal data abroad, and (iii) to bring a judicial remedy against Personal Data Protection Board (“Board”) decisions by the Human Rights Action Plan and Economic Reforms Action Plan declared in 2021.

Legislative activities were accelerated by the Twelfth Development Plan and the Presidential Annual Program for 2024, aiming to complete the GDPR amendments based on the impacts on the goods and services export and by prioritizing the matters that have urgency for direct investments. The Amendment Law was adopted on 2 March 2024 and published in the Official Gazette on 12 March 2024 and set forth structural changes to transfers of personal data abroad and processing conditions of special categories of personal data, along with penalties and remedies. The entry into force date of PPDL provisions is 1 June 2024.

B. Amendments on the Transfer of Personal Data Abroad

The new amendment brings three alternatives gradually and respectively applicable to transfers of personal data abroad; namely, transfers based on (i) adequacy decisions, (ii) appropriate safeguards, and (iii) exceptions for specific situations.

(i) Adequacy Decisions

The data controllers and processors can transfer personal data abroad in the existence of a condition of legal grounds indicated in Articles 5 and 6 of the PPDL for processing personal data or specific categories of the same; and the existence of the adequacy decision granted by the Board regarding the country, sectors in a country or international organizations in the new transfer regime.

Adequacy decisions will be based on regulations of the country or organization that the personal data be transferred such as having independent and effective data protection authority, having judicial administrative remedy, being a signatory/member of international conventions on data protection and reciprocity principles.

(ii) Appropriate Safeguards

In the absence of an adequacy decision, the data controllers and processors can transfer personal data abroad if appropriate safeguards are established. However, there are two prerequisites to transfer personal data based on appropriate safeguards: (a) the existence of a condition of legal grounds indicated in Articles 5 and 6 of the PPDL for processing personal data and (b) the ability of data subjects to exercise their rights and apply to effective remedies in the country that personal data is transferred to. Provided that the prerequisites are fulfilled, the data controllers and processors can transfer personal data abroad based on one of the following appropriate safeguards:

    • Agreements: The existence of an agreement (not an international convention) between the public/international institutions with Turkish public institutions and/or public professional organizations and the Board’s permission to data transfer.
    • Binding Corporate Rules: The existence of binding corporate rules of group companies, containing provisions on the protection of personal data and the Board’s approval of the binding corporate rules.
    • Standard Contacts: The existence of a standard contract including data categories, purposes of data transfer, the recipient(s), technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data, based on the template to be announced by the Board. Additionally, the contract shall be notified to the Personal Data Protection Authority (“Authority”) within 5 business days following its execution.
    • Letter of Undertaking: The existence of a written undertaking with provisions to ensure adequate protection and the Board’s permission to data transfer.

(iii) Exceptions for Specific Situations

In the absence of an adequacy decision and appropriate safeguards, the data controllers and processors can transfer personal data abroad only in the following circumstances:

    • Explicit consent of the data subject, provided that the data subject is informed accordingly regarding the risks that may arise from personal data transfer.
    • In case the transfer is mandatory;
      • to establish or perform a contract between the data controller and data subject or implementation of pre-contractual measures taken at the request of the data subject,
      • to establish or perform a contract between the data controller and third person(s) on behalf of the data subject,
      • for an overriding public interest,
      • for establishment, exercise, or protection of a right,
      • to protect the life or physical integrity of the person who is unable to grant consent due to actual impossibility or due to the consent being not legally valid.
    • Transfer from a public registry accessible to the public or to persons with a legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests transfer.

C. Amendments on the Processing Special Categories of Personal Data

Processing special categories of personal data under the PPDL was strictly dependent on obtaining explicit consent before the amendment. However, the hierarchy between explicit consent and other legal grounds was removed by the Amendment Law and new legal grounds are adopted in line with Article 9 of the GDPR, allowing processing special categories of personal data becomes applicable without explicit consent under Turkish law.

The new legal grounds for the processing of special categories of personal data include, in addition to explicit consent, explicit provisions in laws, the necessity for protection of life and physical integrity in case of legally invalid consent or inability of granting consent, data being made public, the necessity for the establishment, exercise, or protection of a right, legal obligations in the field of employment, occupational health and safety, labor and social security or social services and social assistance and special processing grounds for foundations, associations, or other non-profit organizations or entities established for political, philosophical, religious, or trade union purposes.

D. Amendments on the Penalties and Remedies

In addition to the major changes above, please find below the updates to penalties and remedies:

  1. With the Amendment Law, data controllers and data processors who transfer personal data abroad using standard contracts will be subject to an administrative fine of up to 1,000,000 Turkish liras if they do not notify the Authority within 5 business days of signing the standard contracts.
  2. Prior to the amendment, there was a dual review procedure against the Board’s decisions. Administrative fines imposed by the Board could be appealed to the criminal court of peace, while other decisions could be appealed to the administrative judiciary. Since resolutions of the criminal judgeship of peace did not turn into case law, it led to a lack of case law that would shed light on the implementation of the PPDL. By the Amendment Law, it is regulated that administrative fines imposed by the Board are also appealable before administrative courts.

Relevant Expert Insights

Data Protection
General
Eryürekli | Transfer of Personal Data Abroad: Data Protection Authority Clarifies the Details
10 Jul 2024 Legal Alert EN

Transfer of Personal Data Abroad: Data Protection Authority Clarifies the Details

Data Protection
General
Eryürekli | Kişisel Verilerin Yurt Dışına Aktarılması: Kişisel Verileri Koruma Kurumu Ayrıntıları Açıkladı
10 Jul 2024 Legal Alert TR

Kişisel Verilerin Yurt Dışına Aktarılması: Kişisel Verileri Koruma Kurumu Ayrıntıları Açıkladı

Publication Subscription Privacy Notice

Thank you for your interest in our Firm.

As Eryürekli Law Firm (“Eryürekli”), we attach great importance to the protection of your personal data and to the processing of such data in compliance with the Law No. 6698 on the Protection of Personal Data (“Law”) and other applicable legislation.

If you subscribe to our newsletter and other publications through the “Newsletter” section by visiting our office website, we collect and process your personal data in our capacity as the data controller.

By providing your explicit consent in the “Newsletter” section and filling out the form on our website and/or the relevant directed page, we automatically collect and process your name, surname, e-mail address, and language preference in an electronic environment for the purposes of managing your subscription and delivering our publications to you.

Within the framework of the data processing activities mentioned above, our publications are sent to the e-mail address you have shared. Since the servers of the service infrastructure we use for these transmissions are located abroad, your personal data shared through the form will be transferred to servers located abroad based on your explicit consent.

Your personal data will be destroyed in the event that you unsubscribe from our publications.

We would like to inform you that, pursuant to Article 11 of the Law, you hold the following rights regarding your personal data processed by Eryürekli:

  • To learn whether your personal data is being processed,
  • To request information if your personal data has been processed,
  • To learn the purpose of the processing of your personal data and whether such data are used in accordance with that purpose,
  • To learn the identity of third parties to whom your personal data are transferred, whether domestically or abroad,
  • To request the correction of personal data if it is incomplete or inaccurately processed,
  • To request the deletion or destruction of your personal data if the reasons requiring their processing cease to exist,
  • To request that the correction, deletion, or destruction of your personal data be notified to third parties to whom such data have been transferred,
  • To object to any outcome detrimental to you resulting from the analysis of your data exclusively through automated systems,
  • To claim compensation for damages incurred due to the unlawful processing of your personal data.

You may contact us regarding your requests via [email protected].

Yayın Aboneliği Aydınlatma Metni

Büromuza göstermiş olduğunuz ilgi için teşekkür ederiz.

Eryürekli Hukuk Bürosu (“Eryürekli”) olarak kişisel verilerinizin korunmasını ve 6698 sayılı Kişisel Verilerin Korunması Kanunu (“Kanun”) ve sair mevzuata uygun olarak işlenmesini önemsiyoruz.

Ofis web sitemizi ziyaret ederek “Newsletter” bölümünden bültenimize ve diğer yayınlarımıza abone olmanız durumunda kişisel verilerinizi veri sorumlusu sıfatıyla topluyor ve işliyoruz.

“Newsletter” bölümününde açık rızanızı vermek suretiyle web sitemiz ve/veya yönlendirildiğiniz ilgili sayfada yer alan formu doldurmanız ve yayınlarımıza abone olmanız halinde, adınız ve soyadınızı, elektronik posta adresinizi ve dil tercihinizi, aboneliğinizin gerçekleştirilmesi ve yayınlarımızın size iletilmesi amacıyla elektronik ortamda otomatik olarak toplamakta ve işlemekteyiz.

Yayınlarımız, yukarıdaki veri işleme faaliyetleri çerçevesinde, paylaşmış olduğunuz elektronik posta adresine gönderilmekte olup; gönderilerde kullandığımız servis altyapısı sunucularının yurt dışında olması sebebiyle, form aracılığıyla paylaştığınız kişisel verileriniz, açık rızanıza istinaden yurt dışında bulunan sunuculara aktarılacaktır.

Kişisel verileriniz, yayınlarımıza abonelikten çıkmanız halinde imha edilir.

Eryürekli bünyesinde işlenmekte olan kişisel verilerinize ilişkin olarak Kanun’un 11.maddesi uyarınca aşağıda sayılan haklarınızın bulunduğunu belirtmek isteriz:

  • Kişisel verilerinizin işlenip işlenmediğini öğrenme,
  • Kişisel verileriniz işleniyorsa bunlara ilişkin bilgi edinme,
  • Kişisel verilerinizin işlenme amacının ne olduğu ve kişisel verilerinizin amacına uygun olarak kullanılıp kullanılmadığını öğrenme,
  • Varsa yurt içinde veya yurt dışında kişisel verilerinizin aktarıldığı üçüncü kişilerin kimler olduğunu öğrenme,
  • İşlenen kişisel verilerinizin eksik veya yanlış olması halinde bunların düzeltilmesini isteme,
  • Kişisel verilerinizin işlenmesini gerektiren sebeplerin ortadan kalkması halinde, işlenmiş olunan kişisel verilerinizin silinmesini veya yok edilmesini isteme,
  • Kişisel verilerinizin düzeltilmesi, silinmesi ya da yok edilmesi halinde bu işlemlerin kişisel verilerinizin aktarıldığı üçüncü kişilere bildirilmesini isteme,
  • İşlenen kişisel verilerinizin münhasıran otomatik sistemler vasıtasıyla analiz edilmesi suretiyle aleyhinize bir sonucun ortaya çıkmasına itiraz etme,
  • Kişisel verilerinizin kanuna aykırı olarak işlenmesi sebebiyle zarara uğramanız halinde zararın giderilmesini talep etme.

Talepleriniz için bizimle [email protected] adresimiz aracılığıyla iletişime geçebilirsiniz.

Career Privacy Notice

Thank you for your interest in our Firm.

As Eryürekli Law Firm (“Eryürekli”), we attach great importance to the protection of your personal data and to the processing of such data in compliance with the Law No. 6698 on the Protection of Personal Data (“Law”) and other applicable legislation.

If you apply for a position through our career page, we collect and process your personal data in our capacity as the data controller.

By filling out the form on our career page and providing your explicit consent to apply for a position, we automatically collect and process your name and surname, e-mail address, telephone number, and any other personal data included in your CV through electronic means. This data is processed solely for the purposes of evaluating your job application and contacting you if necessary.

The personal data you share during your job application is not transferred to third parties.

Once your application has been evaluated, your personal data stored in the electronic environment will be destroyed as soon as possible.

We would like to inform you that, pursuant to Article 11 of the Law, you hold the following rights regarding your personal data processed by Eryürekli:

  • To learn whether your personal data is being processed,
  • To request information if your personal data has been processed,
  • To learn the purpose of the processing of your personal data and whether such data are used in accordance with that purpose,
  • To learn the identity of third parties to whom your personal data are transferred, whether domestically or abroad,
  • To request the correction of personal data if it is incomplete or inaccurately processed,
  • To request the deletion or destruction of your personal data if the reasons requiring their processing cease to exist,
  • To request that the correction, deletion, or destruction of your personal data be notified to third parties to whom such data have been transferred,
  • To object to any outcome detrimental to you resulting from the analysis of your data exclusively through automated systems,
  • To claim compensation for damages incurred due to the unlawful processing of your personal data.

You may contact us regarding your requests via [email protected].

 

Kariyer Aydınlatma Metni

Büromuza göstermiş olduğunuz ilgi için teşekkür ederiz.

Eryürekli Hukuk Bürosu (“Eryürekli”) olarak kişisel verilerinizin korunmasını ve 6698 sayılı Kişisel Verilerin Korunması Kanunu (“Kanun”) ve sair mevzuata uygun olarak işlenmesini önemsiyoruz.

Kariyer sayfamızdan iş başvurusunda bulunmanız durumunda kişisel verilerinizi veri sorumlusu sıfatıyla topluyor ve işliyoruz.

Kariyer sayfamızda yer alan formu doldurmak ve açık rızanızı vermek suretiyle iş başvurusunda bulunmanız halinde, adınız ve soyadınızı, elektronik posta adresinizi, telefon numaranızı ve özgeçmişinizde yer alan diğer kişisel verilerinizi, iş başvurunuzu değerlendirmek ve gerekmesi halinde size ulaşabilmek amacıyla elektronik ortamda otomatik olarak toplamakta ve işlemekteyiz.

İş başvurusu esnasında paylaşmış olduğunuz kişisel verileriniz üçüncü taraflara aktarılmamaktadır.

İş başvurunuzun en kısa sürede değerlendirilmesi üzerine kişisel verileriniz kayıtlı bulunduğu elektronik ortamda imha edilmektedir.

Eryürekli bünyesinde işlenmekte olan kişisel verilerinize ilişkin olarak Kanun’un 11.maddesi uyarınca aşağıda sayılan haklarınızın bulunduğunu belirtmek isteriz:

  • Kişisel verilerinizin işlenip işlenmediğini öğrenme,
  • Kişisel verileriniz işleniyorsa bunlara ilişkin bilgi edinme,
  • Kişisel verilerinizin işlenme amacının ne olduğu ve kişisel verilerinizin amacına uygun olarak kullanılıp kullanılmadığını öğrenme,
  • Varsa yurt içinde veya yurt dışında kişisel verilerinizin aktarıldığı üçüncü kişilerin kimler olduğunu öğrenme,
  • İşlenen kişisel verilerinizin eksik veya yanlış olması halinde bunların düzeltilmesini isteme,
  • Kişisel verilerinizin işlenmesini gerektiren sebeplerin ortadan kalkması halinde, işlenmiş olunan kişisel verilerinizin silinmesini veya yok edilmesini isteme,
  • Kişisel verilerinizin düzeltilmesi, silinmesi ya da yok edilmesi halinde bu işlemlerin kişisel verilerinizin aktarıldığı üçüncü kişilere bildirilmesini isteme,
  • İşlenen kişisel verilerinizin münhasıran otomatik sistemler vasıtasıyla analiz edilmesi suretiyle aleyhinize bir sonucun ortaya çıkmasına itiraz etme,
  • Kişisel verilerinizin kanuna aykırı olarak işlenmesi sebebiyle zarara uğramanız halinde zararın giderilmesini talep etme.

Talepleriniz için bizimle [email protected] adresimiz aracılığıyla iletişime geçebilirsiniz.

Kayıt Formu / Subscription Form

* indicates required
Your e-mail address
Your First name
Your Last Name
Gönderi Dili / Publication Language
Herhangi birisi veya her ikisi / Either any or both
Cookie Settings
This website uses third party analytic cookies “_ga_*” and “_ga” of Google Analytics for statistical analysis/measurements, which are stored for 1 year and 1 month. You may refer to https://policies.google.com/privacy for details on the use of cookies and further information.