Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (the “Regulation”) by Data Protection Authority (the “DPA”) has been entered into force via being published at the Official Gazette on 10 July 2024.

The implementation details of the data transfer regime, which was explained in our previous Legal Alert, is further clarified by the Regulation. The Regulation affects data controllers and/or processors who are parties to the transfer of personal data abroad in accordance with Article 9 of the Law on the Protection of Personal Data No. 6698 (“PPDL”).

Under the three-step data transfer regime, namely, adequacy decisions, appropriate safeguards, and exceptional transfer conditions , the Regulation underlines that DPA’s permission shall be mandatory to start personal data transfer through appropriate safeguards except standard contracts. The Regulation expands the details of appropriate safeguard methods, i.e. agreements, binding corporate rules, standard contracts and letters of undertaking and provides minimum content requirements such as mandatory provisions, commitments, measures, etc. Please find below some key points set forth with the Regulation which establish new clarifications to the framework of the new data transfer regime:

• The opinion of the DPA shall be consulted during the negotiation process of the agreements.
• The content of the standard contracts cannot be altered.
• Regarding exceptional data transfer scenarios, the requirement of being incidental is clarified as cases that are not regular, that occur only once or a few times, that are not continuous and not in the ordinary course of business.

It is worth to note that previous data transfer regime shall become void in 1/9/2024, and, afterwards, only the new version of the transfer regime shall be applicable.