Turkish legislation on personal data protection continues to develop with the resolutions and declarations of the Turkish Data Protection Authority (“DPA”). The recent developments shed light on the transfer of personal data outside Turkey without relying on the explicit consent of the data subject and the data controllers who will be kept exempt from the obligation to register with the Data Controllers’ Registry (“Registry”).
Contractual Clauses for Cross-Border Data Transfers
As our readers will recall from our previous articles covering the Turkish Data Protection Law no. 6698, transfer of personal data outside Turkey based on processing grounds other than explicit consent is only permissible if one of the following conditions is met:
- An adequate level of protection must exist in the destination country to which personal data will be transferred (such countries are yet to be declared by the DPB); or
- If an adequate level of protection does not exist in the destination country, the transferor and the transferee must commit, in writing, to provide an adequate level of protection and the DPB’s permission must be obtained.
The DPA has recently published two sets of contractual clauses on its website, one for data transfers from controller to controller and one for those from controller to processor. The contractual clauses will enable data controllers to engage in cross-border transfers by relying on processing grounds other than the explicit consent of the data subject. This resembles the common practice in the European Union, in which the European Commission’s standard contractual clauses are utilised.
Exemptions from the Obligation to Register with the Registry
The decision-making body of the DPA, the Data Protection Board (“DPB”), has also specified the data controllers who will be exempt from the obligation to register with the Registry. According to the DPB’s decision no. 2018/32, which was published in the Official Gazette dated 2 April 2018, the following will not be obliged to register with the Registry:
- Data controllers who process data not by automatic means but by utilising any part of a filing system;
- Associations, foundations, and trade unions which process personal data solely in relation to their own employees, members and donors within the scope of their field of activities;
- Political parties;
- Public accountants and sworn-in public accountants.
The decision of the DPB simply means that almost all private companies and public institutions will be required to register with the Registry, regardless of the size of their processing operations.