The Turkish Data Protection Authority (“Authority”) released an announcement on its website on May 7, 2020 regarding commitments between data exporters and importers for international data transfers. Parties applying for permission for international data transfers based on commitments have to comply with the requirements of this announcement. This information note summarizes the highlights of the announcement, especially for the attention of data exporters.
Background of Commitments of International Data Transfers
On May 16, 2018, the Turkish Data Protection Board (“Board”) issued its Standard Contractual Clauses/Model Clauses, which the Board calls Commitments, for transfers between a data controller in Turkey and a data controller or processor abroad.
Such commitments are designed to provide, between the parties to the international transfer, the adequate level of data protection that is not provided by the legal system of the third country to which the data importer is subject. Since the Board has not announced the list of countries with an adequate level of data protection, such commitments play an essential role in contractual relationships that require personal data to be transferred from Turkey to third countries.
Under the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”), personal data can be transferred to a third country which does not ensure adequate protection without the data subject’s explicit consent if the parties provide an adequate level of protection through a written commitment, provided that the other data processing principles are fulfilled and the Board’s permission for the transfer exists.
These commitments include an annex that covers:
- The Categories of Data Subjects,
- The Categories of Personal Data,
- Legal Basis of the Transfer,
- The Purposes of the Transfer,
- Recipient Groups,
- Technical and Organizational Measures to be Taken by the Data Importer,
- The Categories of Recipients,
- Additional Measures for Special Categories of Personal Data,
- Information of Data Exporter in the Data Controllers Registry Information System (“VERBIS”).
Highlights of the Announcement dated May 7, 2020
Choosing the Correct Commitment Form
The Board underlines that there are two forms of commitment that may apply to transfers, and that parties have to accurately identify their roles and choose the correct commitment form for their transfers. To do so, parties have to determine their status under Law No. 6698, that is, whether they are a data controller or a data processor. In this regard, the Board gives several useful examples for identifying the status of the parties.
To identify data controllers, the Board states that the data controller is the party which solely decides on issues regarding the processing activities, such as the initiation or purposes of the processing, the personal data to be collected, or the party which will be processing the personal data. The Board also identifies the data controller as an independent and autonomous party to the relationship by stating that the data controller gives instructions and orders and has the authority to decide freely.
On the other hand, the data processor is a party which fulfils the orders of the data controller for the controller’s benefit, mostly on issues related to the technical parts of the processing. The data processor depends on its authorization by the data controller to process such data. Pursuant to such authorizations, the data controller has to check and audit the compliance of the processor’s processing activities with the instructions.
Accordingly, the Board states that the commitments made between the data controller and the data processor have to include the activities between the parties regarding the transfer and the services that will be provided by the data processor. In this regard, the Board requires a document which certifies the relationship between the data controller and the processor for approval of the commitments. Parties have to link the personal data, data subjects, purposes, and legal basis to provide a comprehensible structure.
Legal Basis and General Principles
Since personal data can be transferred abroad if the data subject provides explicit consent for the transfer, the Board indicates that commitments with explicit consent as the legal basis of the transfer cannot be submitted to the Board. If the explicit consent of the data subject is provided, such a transfer can be made without a commitment between the parties. Parties have to specify the legal basis of the transfer as stipulated under Articles 5(2) and 6 of Law No. 6698.
The Board states that the purposes specified in commitments have to be in line with the general data protection principles stipulated under Article 4(2) of Law No. 6698. In this respect, the Board addresses the scope and meaning of these principles to reinforce their application.
Specific, explicit and legitimate purposes
Pursuant to Article 4(2)(c) of Law No. 6698, the Board emphasizes that the purposes specified in the annex of the commitment should be explicit and specific enough to be understood clearly, and that the legal basis of processing should be specified. Moreover, the Board explains the meaning of being legitimate by stating that purposes which are linked to and necessary for the services of the data controller are legitimate.
Personal Data which is relevant to, limited to and proportionate to the purposes
Pursuant to Article 4(2)(ç) of Law No. 6698, the Board explains the scope of processing personal data that is relevant to, limited to and proportionate to the purposes by referring to the fair balance between the processing and the aimed purpose, and to the principle of proportionality. According to the Board, personal data that is not related to the purposes should not be processed, and personal data should not be collected for unclear future purposes. Only personal data that is enough for the purposes, in other words personal data which is necessary, should be collected and processed. According to the announcement, the Board seems to combine proportionality and necessity under the principle of proportionality.
Points Regarding Annexes of Commitments
The Board strongly stresses that parties have to use clear language that complies with Law No. 6698 in the categories of personal data and purposes sections of the commitments’ annexes. Such sections have to be answered precisely and should avoid any vague and broad descriptions.
The categories of data subjects and the personal data to be transferred have to be linked to each other to explicitly identify which personal data of which data subject category will be transferred. Moreover, the purposes and legal basis of the transfer have to be linked to the personal data categories. In this way, the Board can make its permission assessment regarding what personal data of which data subject category will be transferred, based on which legal basis and for what purposes.
Legitimate Interest of the Data Controller
In cases where the legal basis of the planned data transfer is the legitimate interest of the data controller as per Article 5(2)(f) of Law No. 6698, the Board requires a positive conclusion of a balance test conducted by the parties prior to their application for permission. The elements of the balance test were provided by the Board in its Decision No. 2019/78 dated March 25, 2019. Parties have to answer the questions listed in the balance test and conclude that the transfer will not infringe the fundamental rights and freedoms of the data subjects.
Following Transfers
Parties have to identify any following transfers to be made by the data importer for its legal obligations, as well as the recipients. However, the Board states that transfers other than the ones made for legal obligations cannot be performed based on the commitment between the data exporter and the importer. In such a case, the Board states that the data importer and the recipients of the following transfers have to sign a new commitment and apply for the permission of the Board.
The Board indicates that the technical and organizational measures to be provided by the data importer, as stipulated in the commitment by the parties, have to be demonstrated by the necessary documents and should be supported with the elements of the “Guidelines on Technical and Organizational Measures” published by the Authority. Moreover, the technical and organizational measures stipulated especially for the special categories of personal data, published with the Board’s Decision No. 2018/10 dated January 31, 2018, have to be put in place by the importer and demonstrated by the necessary documents in the application.
VERBIS and Additional Information
Parties have to specify whether the data exporter is obliged to notify any information to VERBIS; if so, the information to be provided to VERBIS has to be indicated in the related section of the commitments.
Parties have to include retention periods in the additional information section of their commitments. If such a retention period is required by law, the specific legislation has to be referenced in the related section.
Author: Aslı Naz Ünlü