Lawyer Ayşe Hüma Lofça
General Information
»In today’s world, foreign direct investment has become a crucial component in almost every country’s economy, including Turkey. While countries invest abroad, they process personal information and as the importance of data protection increases, foreign investors are left with questions about internationally transferred data and the rules to be applied. This article will discuss the scope of personal data in Turkey which can be transferred abroad and the binding law such as the Turkish “Law on The Protection of Personal Data” dated 24/3/2016, No: 6698.
»Foreign direct investments made in Turkey must be in compliance with the data protection laws applied in Turkey. Whether investors choose to employ Turkish workers, bring in workers from their home country or from foreign countries, various kinds of personal data will be processed in Turkey, making the personal data of these workers a part of the Turkish data base. In this sense, foreign direct investors must take into consideration that processing and transferring of such data must be done according to the Turkish law on data protection.
The Law on Personal Data Protection
»Article 9 of the “Law on the Protection of Personal Data” lays out the rule for data transfer abroad. According to the first paragraph of said article, the transfer of personal data abroad is prohibited without explicit consent of the data subject. All data transfers abroad must be within the knowledge and consent of the data subject.
»The second paragraph states exceptions to the rule; personal data can be transferred abroad without explicit consent if the foreign country where the data is to be transferred provides sufficient protection or if sufficient protection is not provided, the Personal Data Protection Board must authorize the transfer based on an agreement between the controllers in Turkey and in the related foreign country.
»Furthermore, one of the conditions set forth in either Article 5-Paragraph 2 or Article 6-Paragraph 3 must be met whether the foreign country provides sufficient protection or not. The case of foreign countries with sufficient protection will be examined first.
Data Transfers from Turkey to Countries with Sufficient Protection
»The Personal Data Protection Board shall announce the countries deemed sufficiently protected. If the foreign country receiving the data transfer is listed as a sufficiently protected country, either Article 5/2 or Article 6/3 must be met for the transfer to be made. These two articles differentiate on terms of whether the data is of special nature.
Transferring Special Categories of Personal Data to Countries with Sufficient Protection
»Special categories of personal data entails “race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data” as stated in Article 6/1. Special categories of personel data cannot be processed without explicit consent from the data subject.
»The third paragraph of this article lays down the exception to the rule. Personal data, other than those related to sexual life or health may be processed without explicit consent if it is prescribed by laws.
»Personal data related to health or sexual life can be processed without explicit consent only for;
- Public health protection purposes,
- Operation of preventative medicine,
- Medical diagnosis,
- Treatment and nursing services,
- The planning and management of health-care services and their financing,
by persons or authorized institutions and organizations under a confidentiality obligation.
»Data processing is a necessary element for creating efficient databases to better serve public needs but strict regulations are needed as the data gets more personal. As seen above, very personal data subjects such as sexual life and health may only be processed without consent for matters of greater importance.
The Transferring of Data Other Than Special Categories of Personal Data to Countries with Sufficient Protection
»Other than those of special categories of personal data has a wider scope of applicability as opposed to those of special nature. According to Paragraph 2 of Article 5, this type of data can be transferred abroad without explicit consent if;
“a) It is clearly provided for by the laws.
b) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.
c) processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfillment of that contract.
ç) it is mandatory for the controller to be able to perform his legal obligations.
d) the data concerned is made available to the public by the data subject himself.
e) data processing is mandatory for the establishment, exercise or protection of any right.
f) it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.”
Data Transfers from Turkey to Countries without Sufficient Protection
»If the country in which the personal data will be transferred does not provide sufficient protection, both the controllers in Turkey and in the foreign country must guarantee sufficient protection in writing and is subject to the Board’s authorization. According to Article 9/4, the Board will authorize the written agreement on the grounds of;
“..a) The international conventions to which turkey is a party,
b) The state of reciprocity relating to data transfer between the requesting country and Turkey,
c) The nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,
ç) The relevant legislation and its implementation in the country to which the personal data are to be transferred,
d) The measures committed by the data controller in the country to which the personal data are to be transferred,
5) Without prejudice to the provisions of international agreements, in cases where interest of Turkey or the data subject will seriously get harmed, personal data, may only be transferred abroad upon the authorization to be given by the board after receiving the opinions of relevant public institutions and organizations.
6) the provisions of other laws relating to the transfer of personal data abroad are reserved.”
»In addition, one of the conditions set forth in articles 5/2 or 6/3 must apply. Only then is data transferring without explicit consent accepted.
»While transferring data from Turkey to countries without sufficient protection, according to Article 9/2, a written guarantee is mandatory and the following matters must take place in said guarantee.
Obligations of the Controller Transferring Data Regarding the Guarantee Agreement
»Personal data must be processed and transferred in accordance with the Law on the Protection of Personal Data. The controller who is transferring the data undertakes great responsibility throughout the process because while fulfilling their own obligations they must also supervise the receiving controller’s actions.
»The transferring controller must take measures to insure the prevention of unlawful processing, unlawful accessing and must provide sufficient security for any technical or administrative measures and must also make sure that the receiving controller takes said measures.
»The transferring controller will notify the receiving controller about the LPPD and other regulations about data protection. The transferring controller must notify the receiving controller that in case of personal data being obtained by third parties unlawfully, the receiving controller shall report such incident to the transferring controller immediately. The transferring controller will then notify the Board and the subject of data. The Board may announce the incident on its website or another method deemed appropriate.
»The transferring controller is obligated to notify the Board of any problems that may arise surrounding the guarantee. If the receiving controller is unable to answer queries directed by related persons or the Board despite it being agreed upon, the transferring controller is obligated to provide answers in the light of the information available to them.
»The transferring controller may suspend data transferring or terminate the contract if the receiving data controller violates the obligations. Suspensions or terminations are immediately notified to the Board.
Obligations of the Controller Receiving Data Regarding the Guarantee Agreement
»The receiving controller must take measures to insure the prevention of unlawful processing, unlawful accessing and must provide sufficient security for any technical or administrative measures.
»In case of personal data being processed on the controller’s behalf by another natural or legal person, these persons and the controller will be jointly liable. Data processors included, persons operating under the authority of the controller may only process data in accordance with their given instructions. If for any reason, compliance with the laws and the agreement is not achieved, it must be notified to the transferring controller immediately.
»The transferring controller holds the right to suspend or terminate the agreement if the receiving controller fails to fulfill any obligations related to the guarantee agreement. The receiving controller must accept and guarantee that there are no contradicting national regulations to the agreement. Furthermore, the transferring controller is authorized to supervise the actions of the receiving controller.
»If any legislation changes may affect the compliance to the agreement or if any request from a judicial authority is directed to the receiving controller, the transferring controller must be notified immediately.
»In case of the termination of the agreement or if the validity period is over, depending on the choice of the controller transferring data, the personal data being transferred including their backups will either be sent back to the controller transferring the data or the personal data will be terminated completely. If there are any statutes preventing the receiving data controller from executing this obligation, the receiving controller must accept to take any technological and administrative measures to insure confidentiality and stop the data processing activity.
»While performing the service regarding the agreement, if it is necessary for the receiving controller to transfer personal data to a subcontractor, the transferring controller must be notified in an evincive manner. Approval of the transferring controller is mandatory. The agreement between the subcontractor and the receiving controller must at a minimum, include the provisions of the agreement between the transferring controller and receiving controller.
Common Provisions Regarding the Guarantee Agreement
»Both parties cannot disclose the personal data being processed to anyone outside of the LPPD provisions and cannot use the data for purposes other than processing. This obligation is not limited to any period of time for the two parties.