General overview of the Law and data transfers before the amendments       

The Law is primarily based on the Data Protection Directive (Directive No. 95/46/EC), despite the said directive being repealed with the General Data Protection Regulation (GDPR), effective as of 25 May 2018. While there are considerable differences between the Law and the GDPR, we should note that the Law is not a verbatim adaptation of Directive No. 95/46/EC either.

The fact that the Law is based on Directive No. 95/46/EC, while the GDPR superseded it in the EU, creates many challenges for companies transacting with an EU company or even with their parent companies. The Personal Data Protection Authority (KVKK) moved towards harmonizing the Law with the GDPR, and hence, a draft amending law has been submitted to the Grand National Assembly of Türkiye (the Assembly). The Law, which has been on the Assembly's agenda for about eight years, was passed and published on March 12, 2024.

Before the amendments, the Law's interpretation and the KVKK's approach to data transfers was very restrictive. As per the previous version of Article 9 of the Law, personal data could only be transferred abroad upon the satisfaction of one of the following mechanisms:

• the individual subject to the data transfer granted their explicit consent;
• the country where the data importer is located was declared by the KVKK as a country that provides adequate protection in terms of data protection; or
• the data exporter and data importer executed a data transfer agreement and undertook to provide adequate protection for the data subject to the transfer, followed by the data transferor making an application to the KVKK for approval of the planned data transfers.

In terms of the above options, the mechanism for obtaining explicit consent indicated in the first point provided for a temporary solution rather than a permanent one, as consent can be revoked by the data subject at any time, and as of the time of writing, the KVKK has not yet granted any countries with an adequacy decision as mentioned in the second point above. Therefore, in practice, the only available mechanism remaining to lawfully transfer a high volume of personal data outside of Turkey was to execute a data transfer agreement by and between the data transferor and data transferee. On the other hand, the KVKK approved a handful of applications regarding the third point. Therefore, one can argue that the transfer of personal data abroad in a legally compliant manner was nearly impossible.

The amended version of the Law and its effects on data transfers

Fundamental changes were made in Article 9 of the Law, and the only practically viable method, i.e., 'explicit consent,' has been abandoned. The amendments envisaged in the article resemble Article 46 of the GDPR. According to the amendments, a multitier structure was established for the transfer of personal data abroad:

• In case the Data Protection Board takes an adequacy decision on cross-border personal data transfers to certain states or to certain industries in certain states or to certain international organizations, personal data may be transferred provided a legal ground for processing is applicable.
• In the absence of an adequacy decision, personal data can be lawfully transferred abroad, if a legal ground for processing exists, the data subject has access to legal remedies in the destination country, and the data processor provides one of the appropriate safeguards that the Law defines,
• In the absence of an adequacy decision and failure to provide any of the appropriate assurances, the transfer can only be made provided that it is incidental, and one of the data processing conditions under the Law are applicable and on the condition that such transfer is incidental/non-repetitive.

As the KVKK has not yet declared any country or any sector as adequate and the incidental transfer exception does not benefit continuous transfers, we believe the most feasible option in many cases would be to provide one of the appropriate safeguards under the Law.

The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (the Regulation) was published in the Official Gazette dated July 10, 2024, and clarified the details regarding transfer methods and appropriate safeguards.

In the absence of an adequacy decision, the lawful method for transferring data is based on appropriate safeguards. According to Article 10 of the Regulation, there are four different options for providing appropriate safeguards:

• In case of cross-border transfer between public institutions or professional organizations, an agreement that is not an international agreement in nature and permission to transfer is granted by the Board.
• A written undertaking containing provisions to ensure adequate protection and permission to the transfer by the Board.
• The standard contract announced by the Board (it must be notified to the Board within five business days after signing).
• Binding corporate rules (BCR) approved by the Board, which companies that engage in joint economic activity within a group are obliged to comply with.

In addition to the methods listed above, it is also necessary to ensure that one of the legal grounds in Articles 5 and 6 of the Law exists and that the data subject has the ability to exercise their rights and access effective legal remedies in the country to where the data is being transferred.

Exceptional transfers

In the absence of an adequacy decision or an appropriate safeguard, personal data can be transferred abroad only if the transfer is incidental and corresponds to one of the exceptional cases listed in the Regulation. The Regulation lists the cases of exceptional transfer as follows:

• informed explicit consent;
• the transfer is made from a registry open to the public or to persons with a legitimate interest in accessing the data, provided that the conditions specified by law for accessing the data are met.
• necessary for protecting the life or physical integrity of the data subject or another person when the data subject cannot give consent due to physical incapacity; or
• necessary for the establishment, exercise, or protection of a right;
• public interest;
• necessary for a contract between the data controller and a third party for the benefit of the data subject; and
• necessary for a contract between the data controller and data subject;

In order for the transfer to be incidental, it must not be regular, it must occur only once or a few times, it must not be continuous, and it must not be in the ordinary course of business.

Conclusion

The novelty of the methods that can be used to transfer personal data abroad from Türkiye calls for further KVKK guidelines and decisions to shed light on the dos and don't's of this commonly encountered issue. However, this amendment made in order to harmonize Turkish data protection legislation with the GDPR makes available new tools in the transfer of personal data abroad, which has perhaps been the most problematic area for Turkish practitioners for many years.

Deniz Tuncel Partner
[email protected]
Hergüner Bilgen Üçer, Istanbul