The principles regarding the transfer of personal data abroad have been determined. Details are given in today’s Official Gazette.
In the Official Gazette dated July 10, 2024 and numbered 32598 The following statements were made on the subject: “Personal data can only be processed by the data controller and data processor. in the law and may be transferred abroad in accordance with the procedures and principles stipulated in the regulation. In case of transfer of personal data by the data processor, it is also mandatory to comply with the instructions of the data controller. Personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 of the Law is present and one of the following situations occurs: a) There must be a qualification decision regarding the country, sectors within the country or international organizations to which the transfer will be made. b) In the absence of an adequacy decision, the parties must provide one of the appropriate safeguards specified in Article 10, provided that the person concerned has the opportunity to exercise his or her rights and to resort to effective legal remedies in the country where the transfer will take place.
YOU MAY BE INTERESTED IN
(2) In the absence of an adequacy decision and failure of the parties to provide one of the appropriate safeguards specified in Article 10, personal data may be transferred abroad by data controllers and data processors only in the event of the existence of one of the exceptional circumstances specified in Article 16, provided that it is incidental. Personal data may be transferred abroad only with the permission of the Board after obtaining the opinion of the relevant public institution or organization, in cases where the interests of Turkey or the relevant person would be seriously harmed, without prejudice to the provisions of international agreements.
In the event that personal data is transferred abroad by the data processor, the data processor acts on behalf of the data controller and in accordance with the instructions given by the data controller, within the scope and purpose determined by the data controller. The data processor takes all necessary technical and administrative measures to ensure the appropriate level of security according to the nature of the personal data in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the preservation of personal data.
The transfer of personal data abroad by the data processor does not eliminate the data controller’s responsibility for complying with the procedures and principles stipulated in the Law and this Regulation and for providing the guarantees. The data controller is obliged to ensure that the technical and administrative measures specified in the first paragraph are taken by the data processor. In the event that the data processor is obliged to notify the standard contract in accordance with the fifth paragraph of Article 14, the data processor shall fulfill the notification obligation without the need for instructions from the data controller.”
Within the scope of the regulation, “The Board may decide that a country, one or more sectors within the country, or an international organization provides an adequate level of protection with regard to the transfer of personal data abroad.” A statement is made and it is stated that a qualification decision must be made here. It is stated that this qualification decision will be re-evaluated every four years: “The adequacy decision shall be re-evaluated at least every four years. The re-evaluation periods shall be clearly specified in the relevant adequacy decision. If, as a result of the re-evaluation, the Board determines that the relevant country, one or more sectors within the country or international organizations do not provide an adequate level of protection, it may change, suspend or revoke its decision with prospective effect.”