COMMITMENTS WITHIN THE SCOPE OF TRANSFER OF PERSONAL DATA ABROAD
The conditions for the transfer of personal data abroad are regulated within the scope of the Personal Data Protection Law No.6698 (“Law”). The presence of one of the following conditions is required for the transfer of personal data abroad in accordance with Article 9 of the Law:
- Explicit consent of the data subject,
- Existence of processing conditions for transfer to countries with adequate protection,
- In case of transfer to the countries where an adequate level of protection is not present, if the data controllers in Turkey and abroad commit to provide an adequate level of protection in writing, and the permission of the Board of Protection of Personal Data (“Board”) exists
Since the "Secure Countries List" has not been announced yet by the Board, in case explicit consent is not obtained for personal data transfer activities, the parties must undertake adequate protection in writing and the Board must authorize the transfer.
There are two methods for data controllers in Turkey and the relevant foreign country to provide a commit in writing for adequate protection. The first method that can be used is the "Commitment Letters" accepted and announced by the Board.
Commitment Letters are structured in two different ways: (i) transfers from data controller to data controller and (ii) transfers from data controller to data processor. In order to determine which letter to use, it is essential to first accurately analyze whether the transfer will take place from data controller to data controller or from data controller to data processor. This analysis will assist in deciding which of the commitment letters published on the Data Protection Authority (“DPA”)'s website to choose.
The scope of the Commitment Letter does not encompass personal data transfers abroad based on the explicit consent requirement. The subject of the Commitment Letter is personal data that can be processed without explicit consent under Article 5(2) of the Law and personal data related to health and sexual life as defined under Article 6(3). It should be ensured that the conditions for compliance with the relevant article are satisfied in terms of data relating to health and sexual life.
The suitability of the commitment mechanism for commercial activities may be doubtful, as it is uncertain that whether the commitment letters submitted will be approved by the Board or not. Currently, the number of commitment applications that were approved is 7 with the approval of the commitment application made by Google Reklamcılık ve Pazarlama Limited Şirketi on 17.08.2023.
“Binding Corporate Rules" is another method that can be used for commitment. Binding Corporate Rules are defined as "data protection rules used in the transfer of personal data for the multinational group corporation operating in countries where adequate protection is not provided and that enable the commitment of adequate protection in writing". Companies that fall within this scope are required to apply to the Board for Binding Corporate Rules by completing the relevant form and following the instructions provided.
Binding Corporate Rules can be used as a verification tool by setting the same data processing and security standards for all members, while providing transparency at a global level.
Conclusion
Practically speaking, it is not possible for companies to stop transferring data abroad or to obtain explicit consent for all personal data to be transferred. Ensuring adequate protection and obtaining Board’s permissipn, which is one of the mechanisms that allows data to be transferred abroad without requiring explicit consent, regulates this process by ensuring that the risk of data transfers is eliminated.
Enterprises generally facilitate bilateral data transfers between companies. However, they may not be sufficient for data transfers between multinational corporate communities. Thus, more comprehensive and tailored approaches, such as Binding Corporate Rules, can be used to more effectively regulate and secure international data flows. These two mechanisms play a vital role in data protection and compliance.
Given the difficult process of drafting and approving the Commitment Letters and Binding Corporate Rules in accordance with the Board's requirements, the Board's publication of a list of "Secure Countries" with adequate protection would provide a more straightforward path for cross-border data transfers.