How to compliantly transfer data abroad from Turkey

Personal data transfers to third parties, as well as transfers outside of Turkey, are regulated by the Data Protection Law. This is especially important for international and local businesses with operations that exceed Turkey’s national borders. Companies should conduct a review of their operations to determine where personal data is maintained and whether the legislative regulations will apply.

Customer data under banking law

Banking Law No. 5411 (only available in Turkish here) foresees specific rules for cross-border transfers of customer data. The Banking Law No. 5411 stipulates certain rules for cross-border consumer data transfers. Data belonging to real and legal people formed after establishing a customer relationship with banks expressly for banking activities becomes customer data, according to Article 73 of the Banking Law, and is subject to the Banking Law’s restrictions. As a result, the Banking Law’s conditions for the cross-border transfer of client data should take precedence over the Data Protection Law’s conditions.

Transfers to third parties

The Data Protection Law requires explicit consent from data subjects for the transfer of personal data to third parties. However, consent is not required if the transfer is carried out in the following circumstances:

• expressly permitted under laws;
• necessary to protect the life or physical integrity of the data subject (or another person) where the data subject is physically or legally incapable of providing their consent;
• necessary to process data of the parties to a contract, if such processing is directly related to the execution or performance of the contract;
• necessary for the data controller to fulfil its legal obligations;
• already publicised by the individuals themselves;
• necessary to establish, use or protect a right; or
• necessary for the legitimate interests of the data controller, provided that such processing does not violate fundamental rights and freedoms.

In addition, the Data Protection Law stipulates that personal data on health and sexual life may only be processed and therefore transferred from and to competent authorities under a confidentiality obligation, for the purposes of:

• protecting public health;
• operating preventive medicine;
• medical diagnosis;
• treatment and care services; or
• planning and managing health services and financing.

Transfers outside of Turkey

Explicit consent will not be required for data transfers outside of Turkey where any of the exceptions above apply, and either adequate protection exists in the transferee country (the Board has not yet announced the countries which it deems to have adequate protection, until then, data controllers should consider that no country has such protection) or, where no adequate protection exists in the transferee country, the data controller has attested sufficient data security and the Board grants permission for such transfer.

The Board specified the criteria to determine the countries with an adequate level of protection on its decision Number 2019/125 (only available in Turkish here). The decision includes a form, to be used in determining the countries with an adequate level of protection. The following considerations must be made:

• reciprocity condition;
• legislation of the relevant country regarding the processing of personal data and its implementation;
• existence of an independent data protection authority;
• party status to international agreements on the protection of personal data;
• membership status to international organisations;
• membership status to global and regional organisations that Turkey is a party to; and
• the volume of trade with the relevant country.

Since the enactment of the Data Protection Law in 2016, the Board approved only two undertakings. The Board announced its first approval to a fleet leasing company on 9 February 2021 and its second approval to e-commerce and web services company (Amazon’s subsidiaries) on 4 March 2021.

The Board reviews the applications both from the procedural perspective and from material aspects. While considering the material aspects, the most critical point is to determine whether the data transfer is from data controller to data controller or from data controller to data processor. The transfer process must be carefully analysed by the applicants. To determine the relationship between a data controller and data processor, the Board’s decision dated 30 January 2020 and numbered 2020/71 can be taken as reference (only available in Turkish here).

When granting permissions, the Board must evaluate international treaties, reciprocity of countries, measures taken by the data controller, as well as the period and purpose of the data processing.

The Board can limit data transfers to third countries if it considers that a violation of public interest or personal interests exists. It is not clear how the Board will determine the criteria for such violation yet.

Binding Corporate Rules

On 10 April 2020, KVKK announced Binding Corporate Rules (‘BCRs’) allowing intra-group data transfers among multinational companies. Binding Corporate Rules are defined as data protection rules applicable for cross-border transfers that allow multinational group companies, operating in unsafe countries, to achieve an adequate level of data protection for the intra-group data transfers.

The KVKK was expected to publish new regulations for intra-group cross-border data transfers in parallel with the approach to Binding Corporate Standards approved under the GDPR, due to challenges in implementing cross-border data transfer rules defined under the Data Protection Law. The KVKK created an alternative cross-border data transfer method unique to group companies, built after the EU’s Binding Corporate Rules approach, in response to sector-specific needs.

The KVKK proposed binding corporate rules that would allow multinational corporations to transfer personal data from Turkey to a member of the same corporate group in a country with a low degree of data protection. In such cases, binding corporate rules should be viewed as a commitment to proper data protection for intra-group cross-border data transfers.

Binding corporate rules must include all general data protection principles and adequate safeguards for protecting personal data in the corporate group. The KVKK gives a guideline on the necessary content of the binding corporate rules, as well as a standard application form on its official websites (only available in Turkish here and here).