Turkish Personal Data Protection Board ("Board") published a decision1 (2020/559) at the Data Protection Authority's ("DPA") website on September 4, 2020 regarding a data controller's transfer of personal data to outside of Turkey. The Board elaborates on the data controller's arguments based on the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Treaty No.108").
A data subject filed a complaint to the Board against a company in automotive industry regarding their transfer of personal data abroad without their explicit consent. The data controller claimed in their defense statement (i) that they obtained the explicit consent and fulfilled their obligation to inform, (ii) that there is a legal reason for them transferring personal data to the company in abroad since there is a legitimate interest for the transfer, (iii) that Turkey is a party to the Treaty No.108 and because of that Treaty No. 108 overrides the Law No. 6698 on the Protection of Personal Data ("Law No. 6698") and other relevant regulations, (iv) the Treaty No. 108 does not regulate a legal restriction for personal data transfer and (v) that there is a legal reason for transferring personal data abroad since there is a legitimate interest under Article 5 of Law No. 6698.
II. Board's Evaluations
In its decision of July 22, 2020 with number 2020/559, the Board stated that the data controller failed to comply with the requirements for transfer of personal data abroad and to duly inform data subjects and decided the following:
- Treaty No. 108 regulates that a party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorization cross-border flows of personal data going to the territory of another party and that the countries that are party to Treaty No. 108 cannot be automatically deemed as countries which have an adequate level of protection, without any further evaluation. The Board noted that being a party to the Treaty No. 108 might be taken into consideration as one of the criteria during the assessment of safe countries by the Board. For this reason, if the personal data will be transferred abroad without the explicit consent, then there should be one of the reasons regulated under Article 5/2 or Article 6/3 of Law No. 6698 and the parties should commit to adequate protection in writing and the transfer should be allowed by the Board.
- The articles of Law No. 6698 on the transfer of personal data is in line with the Treaty No. 108.
- If the personal data will be transferred abroad, data subjects should be duly informed and give their explicit consent to such transfer. Mentioning "a transfer of personal data to third parties" does not fulfill the obligation to inform and obtain explicit consent for data transfer,
- The obligation to inform data subjects and to obtain explicit consent should be complied with separately,
- The legal reason of obtaining personal data should be clearly stated in the obligation to inform text in detail, and that only stating that the legal reason to obtain is Article 5 and 6 of the Law No. 6698 does not fulfill this obligation,
- The information provided in the privacy notice should not be deficient, misleading and wrong. Therefore, the text should include the information if personal data will be transferred abroad and the name of the company which the relevant transfer will be made and otherwise the text will mislead the data subject and that the data subject will not know what they are giving their explicit consent for.
The Board finally decided (i) to impose an administrative fine of 900,000 Turkish Liras, (ii) erasure and destruction of personal data which were illegally transferred abroad and notification of the Board and (iii) separately fulfilling the obligation to obtain explicit consent and to duly inform data subjects.
With this decision, the Board, once again, noted that explicit consent or approval of the Board (in cases where transfer is based on other legal grounds) are currently the only grounds for data controllers for transfer of data abroad, as the Board has not yet announced the safe countries.
The arguments revolving around the Treaty No. 108 were dismissed by the Board, with the grounds that the Law No. 6698 was in fact in line with this Treaty. In practice, given the common assumption that the Board has not yet approved any undertaking letter to date, explicit consent seems to be the only practical and immediate solution for data controllers to lawfully transfer data abroad. On the other hand, as per the previous decisions of the Board, the data controllers should also be careful on obtaining explicit consent where there are other legal grounds for processing of personal data.