Transfer of Personal Data out of Türkiye
The transfer of personal data abroad is regulated under Article 9 of the Law No. 6698 on the Protection of Personal Data [“Law”], and strict conditions and safeguards are required for the transfer. The transfer of personal data abroad includes not only the transfer of the data to a third party abroad, but also the data controller's possession of the data for which it is responsible. If a company established in Türkiye keeps a server abroad where personal data for which it is responsible is stored, this is also considered a transfer of data abroad, and it must therefore meet the necessary conditions regulated in Article 9 of the Law.
If a company rents a server in a foreign country and runs its applications through this server, or uses a foreign-based mail server when transferring personal data between different units within the company, as is quite common nowadays, a transfer abroad will again take place. These issues were also emphasized in the Personal Data Protection Board’s [the “Board”] decision numbered 2019/157, where the Board considered the use of an e-mail service infrastructure abroad to be a transfer of personal data out of the country. In essence, it is not essential for the transferred data to be processed abroad; it is sufficient for the data to physically leave Turkish territory.
Conditions of Transfer
The conditions for the transfer of personal data abroad are regulated under Article 9 of the Law. Accordingly, as a rule, personal data cannot be transferred abroad without the explicit consent of the data subjects. However, if certain conditions are met, it is possible to transfer personal data abroad without such explicit consent.
I. Explicit Consent of the Data Subject
In order for personal data to be transferred abroad with the explicit consent of data subjects, a detailed explicit consent must be received. This means that the explicit consent must at least contain the following elements: that the personal data will be transferred abroad, to which country or countries the transfer will take place, and for what purpose the transfer will be made. In the presence of the explicit consent of the data subject, no other conditions are required for the transfer of personal data abroad.
II. Lack of Explicit Consent of the Data Subject
In the absence of the explicit consent of the data subject, personal data may be transferred abroad only if one of the conditions for processing personal data without explicit consent is present and in addition to this, there is adequate protection in the country of transfer or adequate protection is warranted by the data controllers and the Board gives permission.
i. Existence of Personal Data Processing Conditions
Since data transfer abroad is a type of data processing, the Law requires the existence of one of the conditions that make it necessary to transfer data abroad in the absence of the explicit consent of the data subject. In other words, in order for personal data to be transferred abroad without the explicit consent of the data subject, at least one of the conditions for data processing without explicit consent must be met.
Non-special categories of personal data may be transferred abroad without obtaining the explicit consent of the data subject in the presence of one of the conditions stipulated in Article 5/2 of the Law, such as being mandatory for the establishment, exercise or protection of a right, being made public by the data subject or being mandatory for the data controller to fulfill its legal obligation. In order to transfer special categories of personal data such as race, political opinion, religion, association or foundation membership, data concerning health and biometric and genetic data without explicit consent, one of the conditions listed in Article 6/3 of the Law must be present. Pursuant to the aforementioned article, special categories of personal data other than health and sexual life may be transferred in cases stipulated by law, and data relating to health and sexual life may be transferred only for the protection of public health, medical diagnosis and treatment purposes and only by persons under the secrecy obligation without obtaining the explicit consent of the data subject.
The data may be transferred abroad in the presence of one of the above-mentioned conditions, without the explicit consent of the data subject, if there is adequate protection in the country where the transfer will be made or if such protection is warranted by the data controllers and the Board gives permission.
ii. Adequate Protection
In cases where there is no explicit consent of the data subject, personal data may be transferred to countries with adequate protection if one of the data processing conditions stipulated in the Law exists. It is stated in the Law that countries with adequate protection will be determined and announced by the Board. However, even though it has been seven years since the Law came into force, countries with adequate protection have not been declared by the Board yet. In 2019, only the criteria to be taken as a basis for determining the countries with adequate protection were determined and announced. Therefore, in the absence of the explicit consent of the data subject, the transfer of personal data abroad is only possible with the permission of the Board.
iii. Undertaking of Adequate Protection and Board Authorization
Since the countries with adequate protection have not yet been announced by the Board, transfer of personal data abroad without the explicit consent of the data subjects is only possible if adequate protection is warranted by the data controllers in Türkiye and in the foreign country where the data will be transferred, together with Board authorization. In other words, the relevant data controllers must sign a written undertaking to provide adequate protection, apply to the Board with this undertaking and obtain permission for the transfer. As can be seen, it is not sufficient for data controllers to file a written undertaking; it is necessary to obtain permission from the Board. So far, the applications of companies such as Amazon Türkiye and Decathlon Türkiye have been reviewed by the Board and permission has been granted to these companies to transfer data abroad.
Amazon Decision of the Board regarding the Subject
With its decision in 2020, the Board clearly set out the procedure by which data can be transferred abroad. In the application subject to the decision, the claim that amazon.com.tr ["Amazon"] had transferred personal data abroad in violation of the Law was examined.
In its response, Amazon stated that the possibility of transferring data to the EU and the USA is set out in the privacy statement on its website, that users need to approve this privacy statement while signing up to use the website, and that users therefore accept that their data may be transferred abroad by approving the privacy statement.
The Board first noted that Amazon had submitted letters of undertaking to the Board, but since the Board had not yet made a decision on this issue, data transfer abroad was only possible with explicit consent. The Board underlined that it is not sufficient for data controllers to commit to adequate protection in writing, but that the approval of the Board is mandatory, and it therefore examined whether Amazon had obtained the explicit consent of the data subjects.
In this respect, as stated by Amazon in its defense, the fact that users accepted the privacy statement when creating an account, and were reminded of that acceptance during the order, was regarded by the Board as implied consent. The Board stated that, within the framework of the Law, explicit consent means consenting to the processing of one's data, either voluntarily or upon request from the other party. It further noted that explicit consent should specify the limits, scope and duration of the data that the data subject authorizes to be processed. In the case subject to the decision, on the other hand, it was determined that users' approval of the privacy statement constituted a general consent that extended to all of Amazon's activities involving the processing of their personal data; as a result, the transfer of personal data abroad violated the Law, and an administrative fine was imposed on Amazon.
In the following period, Amazon's undertaking application was evaluated within the scope of the Law, and Amazon was permitted to transfer the data out of the country as per the Board’s decision.
Practices such as renting a server from a data center located abroad, or a company located in Türkiye sending personal data to its parent company located abroad, are becoming increasingly common, and such activities constitute the transfer of personal data abroad under Turkish law. Although it is a very difficult obligation to fulfill, especially for data controllers providing services globally, it can be said that the most appropriate method for the transfer of personal data abroad under the current conditions is to obtain the explicit consent of the data subjects, since the Board has not yet determined the countries with adequate protection.