New Era in the Transfer of Personal Data Abroad

The "Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad," published in the Official Gazette on July 10, 2024, includes regulations regarding the transfer of personal data abroad.

Procedures for Transferring Personal Data Abroad

Articles 5 and 6 of the Regulation set out the procedures for the transfer of personal data abroad. Personal data may be transferred abroad by the data controller and the data processor only in accordance with the procedures and principles stipulated in the Law and the Regulation. First of all, an adequacy decision is required for the transfer abroad. In cases where there is no adequacy decision, the data transfer can be carried out by providing appropriate safeguards, provided that the data subject can exercise his/her rights and apply for effective legal remedies.

Transfers Based on Adequacy Decisions

Articles 8 and 9 of the Regulation regulate transfers based on adequacy decisions. The Board of Protection of Personal Data can decide that the country or international organization to which personal data will be transferred ensures an adequate level of protection. This decision is re-evaluated at least every four years at the latest and can be amended, suspended, or revoked with prospective effect if necessary.

Transfers Based on Appropriate Safeguards

Article 10 of the Regulation describes transfers based on appropriate safeguards. In the absence of an adequacy decision, data may be transferred by providing appropriate safeguards through agreements that are not international conventions, binding corporate rules, standard contracts or undertakings. subjects and mechanisms for data protection audits. These safeguards aim to ensure the protection of personal data and the rights of the data subject.

Necessary elements to be included in binding corporate rules: Article 13 of the Regulation sets out the minimum requirements that must be included in binding corporate rules. These rules must be legally binding and enforceable for each member of the group of undertakings involved in a joint economic activity. They must also cover aspects such as categories of personal data, processing activities and purposes, the group or groups of persons concerned, and the country or countries to which the transfer will be made. Commitments regarding the exercise of data subjects' rights and mechanisms for data protection audits must also be included within these rules.

Provision of appropriate safeguards through standard contracts: Article 14 of the Regulation states that standard contracts can be used to provide appropriate safeguards for data transfers. These standard contracts are determined and published by the Board of Protection of Personal Data and include issues such as data categories, purposes of data transfer, recipient groups, and technical and administrative measures to be taken by the data recipient. These contracts must be used without any modification and signed by the parties or their authorized representatives.

Provision of appropriate safeguards with a letter of undertaking: Article 15 of the regulation stipulates that appropriate safeguards can be provided through a letter of undertaking. The letter of undertaking must contain provisions for the protection of personal data and the purpose, scope, nature and legal basis of the transfer must be clearly stated. It should also include commitments to take the necessary technical and administrative measures to ensure the level of data security. To carry out data transfer based on the letter of undertaking, the data exporter must apply to the Board for authorisation.

Exceptional Transfers

Article 16 of the Regulation sets out the exceptional transfer situations that may be applied in cases where an adequacy decision and appropriate safeguards cannot be provided. These cases include situations where the transfer is absolutely necessary for the benefit of the relevant person or the public interest. Exceptional transfers are defined as irregular, one-time, or infrequent transfers that do not have continuity and are not part of the usual course of business.

Conclusion

The “Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad” introduces significant obligations for data controllers and data processors in the process of transferring personal data abroad. The Regulation contains detailed provisions for the protection of personal data and the rights of data subjects. When transferring personal data abroad, compliance with the procedures and principles specified in the Regulation is of great importance in terms of data security and legal responsibilities.



Autor: Müge Şengönül