Our Information Note on the Personal Data Protection Authority’s recent announcement as to the transfer of data abroad has been published.

1. INTRODUCTION

In its “announcement regarding issues to be considered in letters of undertaking for personal data transfers to other countries” (the “Announcement”) published on 7 May 2020, the Personal Data Protection Authority (the “Authority”) has set out the principles and procedures concerning the transfer of data to other countries.

Pursuant to Article 9 of the Personal Data Protection Law numbered 6698 (the “Law”), in circumstances where the explicit consent of data subjects for the transfer of their respective data to other countries is not obtained, such data transfer is only allowed provided that (i) the transferee country provides sufficient protection; or (ii) if this is not the case, the data controller/data processor in Turkey and the transferee country undertake to provide sufficient protection in writing and obtain the Personal Data Protection Board’s (the “Board”) approval. As the Board has not published a list of countries providing sufficient protection of personal data yet, the approval of the Board must be obtained in each case by submitting a letter of undertaking for the transfer of data to other countries unless the data subject’s explicit consent is obtained.

The Authority has published on its website templates of letters of undertaking for the transfer of data to data controllers and data processors.

2. SCOPE OF THE ANNOUNCEMENT

The Announcement contains information as to content and form requirements of letters of undertaking. The main requirements are as follows:

• Determination of Qualifications as a Data Controller or Data Processor

The first step constitutes the classification of the transferee as a data controller or a data processor as the scope and content of the letter of undertaking will depend on such qualification. Accordingly, the classification of the transferee must be determined on the basis of the processing activities carried out.

• Evaluating the Purpose of the Data Processing Activity

In accordance with the principle requiring data processing activities to be “specific, explicit and for legitimate purposes” as set out in Article 4/2 (c) of the Law, data transfers and data processing activities must be in connection with, and necessary for, the work or service provided. Further, the fact that the personal data will only be processed (including the transfer) to the extent necessary will have to be demonstrated.

• Transfer of Special Category Personal Data

Article 6 of the Law provides that special category personal data not related to health or sexual life can only be processed without the data subject’s explicit consent if required by law. However, special category personal data related to health or sexual life can be processed without the data subject’s explicit consent by health sector personnel who has a statutory confidentiality obligation or authorised institutions for the protection of public health, preventive medicine, medical diagnosis, the operation of treatment and care services, health services and the financial planning and management thereof. 

Accordingly, if a transfer of personal data not related to health or sexual life is not required by law, this will not be possible without obtaining the data subject’s explicit consent.

Any transfer of personal data related to health or sexual life without obtaining the explicit consent of the data subject is only possible if such data is processed by (i) persons working in the health sector who are under a confidentiality obligation (such as doctors, nurses or hospital officials) or (ii) entities active in the health sector (such as hospitals, insurance companies or medical companies) provided that all necessary precautions required by law are taken.

• Chain Data Transfer

If then subsequently any transferred data is again transferred by the transferee to another data controller or processor, regardless of whether such data controller or processor is in the same country or not, this will require a separate letter of undertaking and approval process.

3. BINDING COMPANY RULES

The Authority’s “Announcement on Binding Company Rules” dated 10 April 2020 is also worth mentioning. According to the established practice of the Board, access to a commonly used single database by group companies located in different countries is also considered as a transfer of data. Although the abovementioned undertaking process eases the process for bilateral data transfers, it creates additional obligations for group companies. For instance, if there are five group companies using a single database, access to the database by any of such companies is considered as a transfer and therefore subject to the aforementioned undertaking obligation.

As this creates a considerable workload for group companies, the so-called “binding company rules” provide an opportunity for group companies to apply to the Board via the so-called “binding company rules application form”. This enables group of companies to provide the necessary undertaking by submitting a single application. In order to file such application, group of companies must have prepared and submitted to the Board a document setting out their “binding company rules”.

4. CONCLUSION

The transfer of personal data to other countries involves various obligations which relate to data protection, disclosure requirements and compliance with the Board’s decisions and can trigger administrative fines. In view of the high administrative fines the Board has imposed in the past –  i.e. the Board’s latest Amazon decision – it is of great importance that this matter is prioritised by each data controller and data processor by duly implementing the Board’s decisions and announcements.