The Turkish Data Protection Law1 (the “Law”) regulates the transfer of personal data outside of Turkey in detail. According to the Law, as a general rule, explicit consent is required for all data transfers from Turkey to other countries.
If explicit consent cannot be obtained, transfer under the concept of “just grounds” is still possible provided that the requirements under the Law are fulfilled. In such case, the transfer must fulfill one of the just grounds found in the Law, an exhaustive list of which may be found under Articles 5(2) and 6 of the Law. Circumstances where explicit consent is not required include, among others, cases where data processing is:
- obligatory by law;
- necessary to enter into or perform a contract;
- when the data in question has already been made public by the data subject (i.e. the person); or
- when factual circumstances effectively prevent obtaining such consent (e.g. if there are pressing time concerns about the processing of data that would affect one’s life or bodily integrity).
If the necessity of the transfer meets one of the just grounds under the Law, it is also necessary to examine whether prior to undertaking the data transfer the destination country is considered a “safe country.”
If the recipient country is a “safe country,” that is, if the country is deemed to have implemented sufficient personal data protections, the transfer may proceed on the basis of just grounds without explicit consent.
If the recipient country is found not to qualify as a “safe country” from a data protection standpoint, the data controller in Turkey must execute an undertaking with the data controller or data processor in the recipient country, guaranteeing a sufficient degree of protection. This undertaking must be submitted and approved by the Data Protection Board (the “Board”). Last year, the Board published on its website two separate templates, one for transfers between two data controllers and one for transfers from a data controller to a data processor, one or both of which, depending on the nature of the specific transfer, must be used when applying for transfer approval.
As of the date of this publication, the list of safe countries has yet to be generated by the Board. On September 26, 2020, the Board announced that the list of safe countries is still in process because a review of the legal framework in place at both national and sub-national levels is being conducted. Meaning that if a country has overlapping federal and state-level data protection laws, the Board is reviewing both legal frameworks when making a determination. The Board also noted that the following criteria, all of which are also provided in the Law, are being taken into account when compiling the safe country list:
- countries with international treaties to which Turkey is a party;
- whether the recipient country considers Turkey to be a “safe country” (i.e. the principle of reciprocity); and
- the relevant legal framework in the recipient country and how it is enforced in practice.
Alluding to its earlier decision number 2019/125 dated May 2, 2019, the Board also noted that it will consider whether a destination country has:
- a data protection board and, if so, whether it is independent from political influence;
- whether the data protection board’s decisions are appealable;
- whether the destination country is a member-state of international organizations of which Turkey is also a member; and
- the extent of Turkey’s cross-border trade relations with that country.
The Board reiterated that the safe country list will be “living,” meaning it will be subject to regular update and review. Should the legal measures, as well as some of the other criteria mentioned above, in place in any of the countries on or off the list change sufficiently, a status update may be warranted.
While the Board’s work on the safe country list is ongoing, data controllers must either rely on explicit consent from data subjects, or, in the absence of explicit consent, one of the just grounds listed in the Law must be fulfilled and an undertaking executed, submitted to and approved by the Board.
1 Kişisel Verilerin Korunması Kanunu, Law no. 6698 on data protection published in the Official Gazette dated April 7, 2016, and numbered 29677.