On 12 March 2024, the amendments to the Personal Data Protection Law No. 6698 ("KVKK" or "Turkish PDPL") were published in the Official Gazette.

This amendment will be followed by a regulation to be issued by the Data Protection Authority ("DPA") which will specifically govern the matter of cross-border data transfers.

The updated KVKK along with such regulation will together introduce a new regulatory framework governing the transfer of personal data across borders as an attempt to solve serious problems in practice under the current framework.

Currently, most data controllers obtain the explicit consent of data subjects, since the "safe countries" have not yet been determined by the DPA and the commitment for adequate protection to be signed between the data exporter and the data importer, which requires the approval of the Authority, is not working effectively.

What is New in Data Transfers?

The new provisions will come into effect on 1 June 2024. However, one of the legal bases for the transfer of personal data abroad, 'the explicit consent of the data subject to the transfer', will continue to apply until 1 August 2024 alongside the amended version of the article.

Under the new system, data controllers will follow a gradual approach when transferring personal data abroad.

First of all, the DPA is entitled to issue an 'Adequacy Decision' covering recipient countries, a specific industry in a recipient country, or international organizations. If there is an adequacy decision for the country or industry to which personal data will be transferred, the data controller will be able to transfer personal data based on Article 5 or 6 of the KVKK.

In the absence of an adequacy decision, data controllers may transfer personal data abroad by providing the 'Safeguards' discussed below. For the transfer to be made under the following safeguards, (a) the data subject must have the opportunity to exercise his/her rights and to apply for effective legal remedies in that country and (b) it must be based on the legal bases specified in Article 5 or 6 of the KVKK.

  • Where there is an agreement between the public authorities and organizations of the recipient country and Turkey and the transfer is permitted by the DPA.
  • The existence of binding corporate rules ("BCRs") within the group of enterprises and the approval of the DPA.
  • Where the "Standard Contract" ("Standard Contractual Clauses", "TR SCCs", "Turkish SCC") to be announced by the Turkish DPA is signed between the parties and the signing of the standard contract is notified to the DPA within five (5) business days therefrom.
  • Where the Data Transfer Commitment published by the DPA is signed and approved by the DPA.

If the aforementioned conditions are not met, data controllers may transfer personal data abroad where the transfer is incidental and not repetitive, provided that one of the following conditions is satisfied:

  • Obtaining the explicit consent of the data subject after informing him/her about the potential risks,
  • The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject,
  • The transfer is necessary for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject,
  • The transfer is necessary for an overriding public interest,
  • The transfer is necessary for the establishment, exercise or defense of a right,
  • The transfer is necessary for the protection of the life or physical integrity of the data subject or of another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
  • The transfer from a registry open to the public or persons with a legitimate interest, on condition that the requirements for accessing the registry in the relevant legislation are met and the person with a legitimate interest requests it.

What is Next in Practice?

The most important steps to complete the amendments will be the regulation to be issued by the DPA to specifically govern the matter of cross-border data transfers ("Regulation"), the determination of the safe countries or safe industries within certain countries, and the determination of the Standard Contractual Clauses.

With these subsequent regulatory actions and steps, data controllers and processors who have significant investments in Turkey will have clear compliance requisites to satisfy.

Harmonization of the KVKK with the GDPR is an explicit political objective of the government and the DPA, and we anticipate that the aforementioned secondary regulations will further enhance the GDPR-alignment of practice in Turkey.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.