In 2024, the Personal Data Protection Law No. 6698 (“LPPD”) underwent significant amendments, introducing a revised legislative framework for transferring personal data abroad, effective as of 1 September 2024. These changes, primarily aimed at aligning the updated Article 9 of the LPPD with the General Data Protection Regulation (“GDPR”), establish a tiered and alternative framework for cross-border data transfers.
Under this framework, transfers can occur based on three mechanisms:
1. Adequacy Decisions: Transfers to countries with data protection levels deemed adequate by the Personal Data Protection Board (“Board”).
2. Appropriate Safeguards: Mechanisms like standard contracts or binding corporate rules in the absence of an adequacy decision.
3. Derogations for Specific Cases: Exceptional circumstances where neither adequacy decisions nor safeguards are applicable.
To clarify the application of these amendments and the associated Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, the Board issued the Guidelines on the Transfer of Personal Data Abroad (“Guidelines”) on 2 January 2025.
These changes enhance individual rights protections while imposing structured compliance obligations on data controllers and processors, moving beyond reliance solely on explicit consent.
Mechanisms for Cross-Border Data Transfers
1. Transfers Based on Adequacy Decisions
- An adequacy decision is issued by the Board if the recipient country’s data protection standards are deemed equivalent to Türkiye’s.
- Such decisions are subject to periodic review, and the Board may modify, suspend, or revoke them based on existing circumstances.
2. Transfers Based on Appropriate Safeguards
In the absence of an adequacy decision, data transfers may occur if appropriate safeguards are in place. These safeguards include:
- Agreements Not Constituting International Treaties: Used for collaborations between Turkish and foreign public institutions or organizations, subject to Board approval.
- Binding Corporate Rules (BCRs): Drafted for data transfers within corporate groups, requiring Board approval for lawful use.
- Standard Contracts: Pre-approved templates issued by the Board. Companies must notify the Board within five business days of signing such contracts.
- Undertakings: Letters of undertaking that must receive Board approval before any transfers occur.
3. Transfers Based on Derogations
When neither adequacy decisions nor safeguards are available, transfers are permitted under exceptional circumstances, subject to the following limits:
- Derogations apply only when the transfers are irregular, unforeseeable, and outside ordinary business activities.
- Regular or ongoing transfers (e.g., granting database access) are excluded from this mechanism.
Key Highlights from the Guidelines
The Guidelines issued in January 2025 address critical practical scenarios, offering insights and solutions:
Data Collected Directly
- Personal data collected directly from individuals in Türkiye by a foreign data controller does not constitute a "transfer abroad." However, such processing activities are subject to the LPPD and the data controller must comply with it.
- If the foreign data controller shares the data with other foreign controllers or processors, this is considered a transfer abroad, and the data controller must comply with the cross-border personal data transfer rules of the LPPD.
Transfers Between Group Companies
- The Guidelines evaluate scenarios involving multinational corporations:
  - If a Turkish affiliate transfers employee data to the parent company for storage in a central database, the Turkish affiliate acts as the data controller, and the parent company is considered a data processor.
  - If the parent company uses the data for other purposes, it may also be deemed a data controller.
- Multinational companies typically use:
  - Standard contracts for data controller-to-processor transfers.
  - Separate contracts for data controller-to-controller transfers.
Ensuring Compliance with Appropriate Safeguards
- The Guidelines elaborate on using safeguards like standard contracts, emphasizing strict compliance and analysis of the specific requirements.
Avoiding Modifications to Standard Contracts
- Standard contract templates must not be altered, except for optional or alternative clauses.
- Adjusting the effective date, a common practice, is deemed inappropriate.
- Transfers without a valid standard contract after 1 September 2024 pose significant risks for data controllers.
Preparing Annexes for Standard Contracts
- Annexes must be completed in line with the Board’s instructions.
- Information provided in these annexes must align with the records in VERBIS to ensure consistency.
Exceptional Nature of Derogations
- Incidental transfers are narrowly interpreted and should only be used as a last resort.
- Such transfers must meet the following cumulative criteria:
  - Irregular and not part of routine processes.
  - Triggered by unforeseen, extraordinary circumstances.
  - Occur at irregular and undefined intervals.
Conclusion
In conclusion, the Guidelines represent a significant step toward harmonizing Türkiye’s data protection framework with the GDPR. By introducing a layered mechanism—comprising adequacy decisions, appropriate safeguards, and derogations—the amended law not only strengthens the protection of personal data but also facilitates lawful cross-border transfers.
Practitioners should take note of the new obligations imposed on data controllers and processors, particularly the importance of selecting and implementing appropriate data protection mechanisms.
Finally, while the Guidelines provide detailed instructions and examples, they must be interpreted in conjunction with the Board’s ongoing decisions and updates. As the Guidelines are subject to revision based on emerging practices and insights, data controllers and processors should remain vigilant and regularly review future amendments to ensure continued compliance.