Our member firm, KURT GÜRLER PARTNERS, shares important information about the new regulation regarding the transfer of personal data abroad. This regulation will come into force on September 1, 2024, under the Personal Data Protection Law (KVKK) numbered 6698.
There have been fundamental changes to the transfer of personal data abroad, an area whose treatment under the KVKK has so far been unclear and which, in practice, has operated through the “explicit consent” mechanism. One important consequence of these changes is that all previously obtained “explicit consents” for transfers abroad will become invalid as of September 1, 2024.
With this amendment to Article 9 of the KVKK, transferring data abroad on the basis of “explicit consent” alone will no longer be possible. Under the new regime, which brings Turkish practice closer to the EU General Data Protection Regulation (“GDPR”), two conditions must be met together: one of the legal grounds listed in Articles 5 and 6 of the KVKK must exist, and one of the lawful transfer methods set out in the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (the “Regulation”) must be selected and its requirements completed.
Before selecting the appropriate legal transfer method and completing the process, it should be determined, on the basis of your company’s data map, which types of data are transferred abroad and under which procedures and conditions. After this preparatory work, the legally recognised transfer method that suits your company’s corporate structure and security infrastructure should be selected and the compliance process completed.
Things to do during the preparation process for companies are as follows:
1. Do You Know the Channels Through Which Data Leaves the Country?
By auditing the processes through which data is transferred, determine which types of data you transfer abroad, on what legal grounds, and under which procedures and conditions.
2. Is Your Data Inventory Up to Date?
The data transfer processes included in your personal data inventory should be reviewed and updated to include the conditions for overseas data transfer.
3. What Is the Nature of Overseas Data Transfer Made by You?
The process to be followed under the KVKK and the Regulation differs depending on whether the transfer abroad is continuous or incidental. To determine the correct process, the nature of the transfer must first be established.
4. Are Your KVKK Implementation Documents Up to Date?
Existing explicit consent forms, disclosure (privacy notice) and confidentiality documents, contracts signed with employees and third parties, and the related policies and procedures need to be updated to reflect the new data transfer practice.
5. What is the Most Suitable Data Transfer Method (Appropriate Safeguard) for Your Company?
The appropriate transfer method should be determined according to your company’s relationship with its group companies or stakeholders abroad, its technical infrastructure, and the security measures in place. On this basis, the company can select the appropriate safeguard. If the chosen safeguard is Binding Corporate Rules or a Letter of Undertaking, the necessary preparations must be made and an application submitted to the Personal Data Protection Board (“Authority/Board”) for approval. If the chosen safeguard is the Standard Contract, the contract between the parties to the transfer must be signed and the related process completed. In addition, a transfer impact analysis is required for transfers of personal data abroad; it assesses the potential risks to the rights and freedoms of data subjects when data is transferred to a third country or an international organisation.
Under the KVKK, practices that breach the rules on transferring personal data abroad may be sanctioned under the provision on “failure to fulfil obligations regarding data security.” An administrative fine ranging from 141,934.00 TL to 9,463,213.00 TL may be imposed for unlawful practices. In addition, where there is a clear violation of the law and damage that would be difficult or impossible to remedy may arise, the Board may order the suspension of data processing or of the transfer abroad. Companies should therefore raise awareness without delay, make the necessary preparations, determine the appropriate method, and begin the process.
The Appropriate Methods of the Transfer of Personal Data Abroad:
Adequacy Decision:
The Board may determine that a country, one or more sectors within a country, or an international organisation provides an adequate level of protection for the transfer of personal data abroad. Where the Board has issued an Adequacy Decision under the KVKK, transfers may be carried out within the framework of that Decision without any further action. (Reg. Art. 8)
In the absence of an Adequacy Decision, a transfer may be carried out using one of the three transfer methods based on Appropriate Safeguards.
Transfer Methods Based on Appropriate Safeguards:
- Binding Corporate Rules (BCR) can provide an appropriate safeguard when applied among companies within a group engaged in joint economic activities (Reg. Art. 12).
- Data transfer abroad based on a BCR can only be carried out with the permission of the Board.
- An appropriate safeguard can be provided with a Standard Contract (Reg. Art. 14).
- The Standard Contract signed between the data exporter and the data recipient must be submitted to the Board; however, it is not subject to the Board’s approval.
- An appropriate safeguard can be provided through an Undertaking approved by the Board on the application of the parties.
- The Undertaking signed between the data exporter and the data recipient must be submitted to the Board. Data transfer abroad based on this Undertaking can only be carried out with the Board’s permission.
Exceptional Transfer Cases (“Incidental Transfer”):
In the absence of both an Adequacy Decision and Appropriate Safeguards, personal data may only be transferred abroad in the “incidental” cases listed below.
- The data subject gives explicit consent, having been informed of the possible risks.
- The transfer is necessary for the performance of a contract between the data subject and the data controller, or for measures taken prior to such a contract.
- The transfer is necessary, in the interest of the data subject, for the performance of a contract between the data controller and a third party.
- The transfer is necessary for an overriding public interest.
- The transfer is necessary for the establishment, exercise, or protection of a legal right.
- The transfer is necessary to protect the life or bodily integrity of the data subject or another person, and consent cannot be obtained.
- The transfer is made from a public registry, or from a registry accessible to persons with a legitimate interest, provided that the conditions required by the relevant legislation are met and the person with the legitimate interest requests the transfer.
A transfer under clause (f), the public-registry case above, may not cover all of the personal data or all categories of personal data held in the registry. Transfers from registries accessible to persons with a legitimate interest may only be made to those persons or upon their request.
Clauses (a), (b), and (c), the first three cases above (explicit consent and the two contract-related grounds), do not apply to the activities of public institutions and organisations that are subject to public law.