Within the scope of development of technology, personal data has started to have a very important place in our country as well as in the world. In this context, data security and compliance process gained momentum in our country with the Law No. 6698 on Personal Data Protection (“Law”) which was published on 07.04.2016 in Official Gazette and secondary legislation has followed the Law.

In this regard, the Board’s, established to work and make inspections in the field of protection of personal data in Turkey, most recent decision on corporate e-mail services dated 31.05.2019 and numbered 2019/157 is significant.

As it is known, the use of cloud computing services is one of the most significant developments in technology and attracting attentions in recent years. Cloud computing services can be briefly defined as; the general name for Internet-based information services for computers and other devices, which can be used at any time and provides shared computer resources between the users.

Today, cloud computing services are widely used in the private sector for both communicative and infrastructural reasons. The reason of this the use of cloud computing systems is more economical and safer. However, the cloud services are mostly provided by foreign based companies. Hence the adoption of the use of such systems shall be deemed as transfer to abroad. The Board stated under its above-mentioned decision that, companies such as Google have data centers in various parts of the world and that incoming and outgoing e-mails are kept in these centers and this will be considered as transfer of data to abroad.

In addition, the Board stated that the use of servers located abroad will be deemed as date transfer to abroad and all these actions should be conducted in accordance with Article 9 of Law.

Pursuant to Article 9, which is stated by the Board as a condition of conformity, it is necessary to obtain explicit consent from the date owner, the real person. However, there are some exceptions to the explicit consent requirement which are as follows:

  • If the appropriate protection in the company from which the service is obtained, and
  • If the commitment to secure the data from such company is obtained and also permission from the Board is received.

In case of fulfillment of above conditions, it will be possible to transfer the personal date to abroad. Besides, it is also possible transfer of personal date to abroad without need of explicit consent of data owner is transferor country is accepted as safe county by Board. However, the countries that are considered as safe countries for data transfer to abroad have not been announced by the Board yet. Hence, it is not temporarily and practically preferable to receive commitment from the company which provide e-mail or server service and wait for the Board's consent in accordance with this commitment.

As a result of this resolution, it would be more appropriate for the individuals or institutions wishing to use such services to take the necessary measures to comply with Article 9 or to prefer local companies providing cloud computing services.