One of these decisions, the decision numbered 2019/157, concerns entities using foreign-based e-mail services such as Gmail and how the use of Gmail servers should be treated under Turkish law.
The decision rules that the usage of foreign-based servers and data centers, such as Google services, shall be treated as “international data transfer” under the Turkish Personal Data Protection Law no. 6698 (“KVKK”). Even though companies using foreign-based services such as Gmail have no intention of transferring the data abroad, they are considered to be transferring the personal data abroad because the services store the data on servers located in foreign countries.
The Decision numbered 2019/157 also states that the usage of storage services (such as Google Drive) received from data controllers or processors that have their servers abroad shall be evaluated under the terms of international data transfer as well. Therefore, companies using Google applications shall also comply with the KVKK’s international data transfer regulations.
Data Transfer Under KVKK
Pursuant to article 8 of KVKK, personal data cannot be transferred without the explicit consent of the data subject. However, the conditions regulated under articles 5 and 6 of KVKK, which are the exceptions to explicit consent for data processing, may also apply to data transfers. As can be seen from the text of KVKK, these exceptions are regulated in two articles depending on whether or not the personal data in question falls within the special categories of personal data[1].
The explicit consent exceptions regulated in article 5 of KVKK shall apply if the data processing or transfer is:
- expressly permitted by any law;
- necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
- necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;
- necessary for compliance with a legal obligation which the controller is subject to;
- regarding personal data which is revealed to the public by the data subject herself/himself;
- necessary for the institution, usage, or protection of a right;
- necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
However, where the subject of data transfer or processing is special categories of personal data, the exceptions to explicit consent are regulated in article 6 of KVKK and are much more limited compared to article 5. The special categories of personal data other than personal data relating to health and sexual life can be processed without obtaining the explicit consent of the data subject if processing is permitted by any law. Due to this exception, and since KVKK is also a law in the Turkish legal system, the special categories of personal data other than personal data relating to health and sexual life shall be processed or transferred without obtaining explicit consent if the exceptions regulated under article 5 of KVKK are present.
On the other hand, personal data relating to health and sexual life can only be processed or transferred without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.
According to articles 5 and 6 of KVKK, in cases where there are specified, explicit, legitimate purposes for data transfer, yet the exceptions to explicit consent are not applicable to the data processing or transfer, data controllers have to obtain the explicit consent of the data subject to transfer or process the relevant personal data.
As a result of the abovementioned conditions, personal data can be transferred nationally if there are specified, explicit, legitimate purposes for data transfer and the requirements of article 5 or article 6 of KVKK are fulfilled.
International Data Transfer Under KVKK
In addition to the requirements of national personal data transfer, for transfers of personal data abroad it is very important whether the third country to which the data is transferred has been recognized by the Board as a country with an adequate level of data protection.
If the legal requirements for data transfer, such as having specified, explicit, and legitimate purposes for data transfer and the exceptions to the explicit consent requirements of article 5 or article 6 of KVKK, are fulfilled, the data can be transferred to countries which have an adequate level of protection.
In cases where the subject country has not been recognized as a country with an adequate level of protection, there are two different alternatives for transferring personal data. Firstly, if the legal requirements for data transfer, such as having specified, explicit, and legitimate purposes for data transfer and the exceptions to the explicit consent requirements of article 5 or article 6 of KVKK, are fulfilled and, in addition to those, the party who transfers personal data and the party who receives such data commit, in writing, to provide an adequate level of protection and the permission of the Board exists, the data transfer shall also be conducted. However, this way of transferring personal data has more requirements compared to the others.
Secondly, transfer of personal data to a third country which does not have an adequate level of protection can be made with the explicit consent of the data subject to the transfer.
As regulated under KVKK, the countries which have an adequate level of protection should have been announced by the Board. However, the Board has not announced such countries yet. Most of the international personal data transfers which companies and entities make unknowingly on a daily basis cause data breaches and unlawful transfers due to the lack of the Board’s announcement. Unless the Board announces such countries, the exceptions to explicit consent for data transfer regulated in articles 5 and 6 of KVKK cannot be applied to data transfers. As a result of this situation, international data transfers can be made only if the explicit consent of the data subject is obtained.
When the Board announces such countries, where the servers or data centers of these platforms or applications are located shall affect the process. Until the countries which have an adequate level of protection are announced by the Board, the explicit consent of the data subject is required for processing carried out through foreign-based e-mail, storage or cloud platforms. The data controllers have to obtain explicit consent regarding these kinds of data transfers to fulfill their obligations and, because of the nature of explicit consent, the data controllers should offer alternative local e-mail and storage methods to their customers or users who do not want to consent to such international data transfer through foreign-based servers.
[1] Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data.
Author: Aslı Naz Ünlü