4 December 2023
Data Transfer within the Scope of KVKK and GDPR
The Personal Data Protection Law (KVKK) was adopted in 2016 and published in the Official Gazette. The Law aims to protect the fundamental rights and freedoms of individuals, especially the right to privacy, in the processing of personal data, and to regulate the obligations of the real and legal persons who process personal data and the procedures and principles they must follow. To that end, the Law sets out a number of distinct provisions.
Personal data must be obtained and processed in accordance with the legislation. Personal data can belong only to natural persons, whereas the data controller or data processor may be a real person or a legal entity; which of the two names applies depends on the role the person plays in relation to the purposes of data processing.
These personal data obtained in accordance with the legislation may be transferred to third parties. Data transfer is listed as one of the ways of "processing personal data" in subparagraph e of paragraph 1 of Article 3 of The Personal Data Protection Law. However, the concept of data transfer is not defined in the KVKK.
It is possible to define the concept of transfer of personal data as the transfer of personal data from the data controller to another data controller or data processor, or from the data processor to another data controller or data processor.
It should be noted here that transfers between the units of the same data controller are not within this scope. For example, data passed from the human resources unit of a company to another unit of the same company, such as legal or accounting, is not treated as a transfer in this sense.
Although data transfer is not defined in the Law, it is regulated in line with the purpose of the Law. The fact that data has been obtained and processed in accordance with the legislation does not mean that it can be transferred without further conditions.
Domestic transfer and international transfer are regulated in different articles. For this reason, they should be examined separately.
Domestic Transfer of Personal Data
Article 8, paragraph 1 of the Law stipulates that "Personal data shall not be transferred without explicit consent of the data subject." Paragraph 2 of the same article regulates the cases where personal data may be transferred to third parties without seeking explicit consent: "Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in: a) the second paragraph of Article 5, b) the third paragraph of Article 6, provided that sufficient measures are taken." The Law therefore applies the same conditions to the domestic transfer of personal data as to its processing. Where one of these conditions exists, personal data can be transferred to third parties without seeking the explicit consent of the data subject.
Article 5, Paragraph 2 of the Law lists these conditions as follows:
- "It is expressly provided for by the laws.
- It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
- Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
- It is necessary for compliance with a legal obligation to which the data controller is subject.
- Personal data have been made public by the data subject himself/herself.
- Data processing is necessary for the establishment, exercise or protection of any right.
- Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject."
Article 6 of the Law, which is referred to by Article 8, concerns the processing of special categories of personal data. Sensitive personal data are data that may cause the person concerned to be discriminated against or victimised, so far greater care is required in their protection than for other personal data. Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership of associations, foundations or trade unions, data concerning health, sexual life, criminal convictions and security measures, and biometric and genetic data are deemed to be special categories of personal data. The conditions in Article 6 of the Law are the conditions that apply to the transfer of special categories of personal data. Such data can be transferred:
- "If the explicit consent of the person concerned is obtained,
- In case it is clearly stipulated in the laws in terms of personal data of special nature other than health and sexual life,
- In terms of personal data relating to health and sexual life, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorised institutions and organisations under the obligation of confidentiality."
The provision first mentions explicit consent and then lists the situations in which special categories of personal data can be transferred without explicit consent.
Transfer of Personal Data to Abroad
The transfer of personal data abroad is also regulated by the Law. In order to transfer personal data obtained in accordance with the legislation abroad, the explicit consent of the person concerned must be obtained. This is stipulated in Article 9 of the Personal Data Protection Law: "Personal data shall not be transferred abroad without explicit consent of the data subject."
For the transfer of personal data abroad, the same conditions as for processing apply again. However, additional safeguards are required for transfers abroad.
There are cases where personal data can be transferred abroad without explicit consent. If one of the conditions in Paragraph 2 of Article 5 or Paragraph 3 of Article 6 mentioned above exists, personal data may be transferred abroad without explicit consent. However, further conditions apply in addition to these. They are listed as follows in paragraph 2 of Article 9:
- "Adequate protection is provided.
- Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Türkiye and in the relevant foreign country and authorisation of the Board.”
As per the Law, the Board shall determine and announce the countries with adequate protection. However, no country has been announced yet. The decision numbered 2019/125 taken by the Personal Data Protection Board has determined the criteria to be taken as basis in determining the countries with adequate protection. Accordingly, criteria such as reciprocity, the legislation and practice of the relevant country regarding the processing of personal data, the existence of an independent data protection authority, being a party to international agreements on the protection of personal data and being a member of international organisations, being a member of global and regional organisations of which our country is a member, and the volume of trade with the relevant country will be taken into consideration by the Personal Data Protection Board.
In the Public Announcement dated 26 October 2020 made by the Personal Data Protection Authority, it is stated that countries with adequate protection can be determined after an intensive and lengthy process that must be carried out meticulously, considering the existence of various and quite different national legal regulations, the absence of a general data protection regulation in the country subject to the assessment or the existence of regulations covering only certain areas, and the differences between states in federal states. In addition, it is stated that countries with adequate protection should be subject to periodic audits and evaluations and that such adequacy decisions may be changed, suspended or cancelled according to changing conditions. Therefore, the process of determining safe countries by the Personal Data Protection Board is a dynamic process that involves the establishment of close cooperation and dialogue mechanisms with the relevant country and requires comprehensive and multidimensional evaluations and monitoring the continuity of the level of protection provided.
The Board decides whether there is sufficient protection in the foreign country and whether to grant permission pursuant to subparagraph (b) of paragraph 2 of Article 9 by evaluating the following issues and, if necessary, by taking the opinion of the relevant institutions and organisations. These considerations are as follows:
- "International conventions to which Turkey is a party,
- The reciprocity status regarding data transfer between the country requesting personal data and Turkey,
- For each concrete personal data transfer, the nature of the personal data and the purpose and duration of processing,
- The relevant legislation and practice of the country to which the personal data will be transferred,
- Measures undertaken by the data controller in the country where the personal data will be transferred."
Personal data may be transferred abroad in cases where the interests of Turkey or the person concerned would be seriously harmed, only with the permission of the Board by obtaining the opinion of the relevant public institution or organisation. Provisions of international agreements are reserved.
In order to transfer data to a country where adequate protection does not exist without explicit consent, the data controllers in the foreign country and Turkey must undertake adequate protection in writing. Subsequently, the Personal Data Protection Board must authorise the transfer. There are two methods that can be used for this commitment.
1- Undertakings
Undertakings are the first method by which data controllers in Turkey and abroad can commit to adequate protection. Undertakings are regulated in two ways: transfer from the data controller to the data controller and transfer from the data controller to the data processor. The minimum elements to be included in the Undertakings to be prepared by the parties and submitted to the Personal Data Protection Board for approval were determined by the Personal Data Protection Board and announced on 7 May 2020.
- While preparing the Letter of Undertaking, the provisions in the Letter of Undertaking examples published on the official website of the Personal Data Protection Authority should be included as a minimum, and if additional provisions are to be included, these provisions should be included separately under the heading "Additional Provisions".
- The recipient of the personal data transfer should be correctly characterised and the sample commitment letter prepared by the Personal Data Protection Authority should be used according to the nature of the recipient.
- For transfers from the data controller to the data controller or data processor, clear and detailed explanations regarding the legal status of the parties should be included and the contract and similar documents showing the legal relationship between them should be submitted to the Personal Data Protection Authority together with the letter of undertaking.
- The data subject group and groups, data categories, purposes of data transfer, legal reason for data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data, Data Controllers Registry Information System (VERBIS) information and contact person contact information of the data transferor should be filled in completely and additional useful information, if any, should be included.
- The terms used and definitions made within the scope of the commitment letter must comply with the Personal Data Protection Law and secondary regulations.
- Which personal data of which data subject group will be transferred, for which purpose and on which legal basis, should be explained in detail and in relation to one another.
- Undertakings must be prepared in accordance with the principles of complying with the law and good faith, being accurate and up-to-date when necessary, being processed for specific, explicit and legitimate purposes, being relevant, limited and proportionate to the purpose for which they are processed, and being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
- In the applications for permission to transfer data abroad made to the Personal Data Protection Authority, issues such as the name, surname, address and signature of the person authorised to apply should be included, and documents such as signature circulars and power of attorney showing the authority of the person authorised to sign should be included with the application.
- The letter of undertaking and its annex must be signed and stamped at the end and each page must bear the initials of the signatories.
- Documents issued in a foreign language must have a notarised translation.
2- Binding Corporate Rules
The Personal Data Protection Board, taking into account that the undertakings may be insufficient to ensure the implementation practice in terms of data transfers between multinational company groups, has determined "Binding Corporate Rules" as the second method to be used in international data transfers to be carried out between the companies in question.
The Personal Data Protection Authority defines Binding Corporate Rules as "the personal data protection rules that must be complied with in personal data transfers or transfer sets to be made by a data controller resident in Turkey affiliated to a group of companies to companies, undertakings operating in one or more countries abroad affiliated to this group of companies, and data controllers engaged in a common economic activity or having a common decision mechanism regarding data processing activity".
The obligations under the Binding Corporate Rules shall apply to data controllers and data processors operating under a multinational group of companies. In relation to personal data, data controllers operating under a multinational group of companies that will transfer personal data without explicit consent to countries where there is no adequate protection of personal data, must fill out the relevant form and duly submit a Binding Corporate Rules application to the Personal Data Protection Authority. Pursuant to the Law on the Protection of Personal Data, such application shall be subject to the authorisation of the Personal Data Protection Board.
The Personal Data Protection Authority published an application form for Binding Corporate Rules on 10 April 2020. According to this form, if a group of companies has its head office in Turkey, this head office will be authorised to make the relevant application. If the group of companies does not have its head office in Turkey, a member of the group of companies resident in Turkey will be authorised for the protection of personal data and the relevant application will be made by the authorised member. During the application process, the application form, Binding Corporate Rules and other documents deemed necessary for the application shall be submitted to the Personal Data Protection Authority by hand or by post.
As an example, the announcement of the Personal Data Protection Authority dated 01.09.2023 can be cited. Google Reklamcılık ve Pazarlama Limited Company applied for a letter of undertaking regarding the transfer of personal data abroad. The Personal Data Protection Board evaluated the application within the scope of Article 9, paragraph 2, subparagraph b of the KVKK and authorised the data transfer in question on 17.08.2023. As a company operating worldwide, Google could hardly obtain explicit consent from every data subject for the transfers it makes; with this authorisation, the transfer can be made without explicit consent. The announcement was also published on the web pages of various newspapers. Its importance is better understood when one notes that it is only the 7th data transfer undertaking authorised under the KVKK. Regulations introduced to protect personal rights are gaining importance, and their use in practice is increasing day by day.
Data Transfer In Terms of GDPR
The European Union General Data Protection Regulation (GDPR) is a regulation in European Union law on data protection and privacy for individuals throughout the European Union and the European Economic Area. It was adopted in 2016 and entered into force in 2018. Companies based in countries that are not members of the European Union must also comply with the Regulation in their business dealings with member states. For this reason, the issue of data transfer should also be analysed in terms of GDPR.
First of all, it should be noted that the GDPR analyses the issue of data transfer in more detail. While transfers of personal data within the European Economic Area are regulated, transfers to countries or international organisations outside the Area are also protected under special conditions. The reason for this is to ensure that the data continues to be protected outside the Area.
The transfer of personal data abroad is regulated between Articles 44 and 50 of the GDPR. Article 44 starts by regulating the "General Transfer Principle". The following articles continue with articles such as "Transfers made on the basis of an adequacy decision", "Transfers subject to appropriate safeguards", "Binding corporate rules". Article 45 "Transfers on the basis of an adequacy decision" provides that "Where the Commission decides that a third country or a territory or one or more sectors within that third country or an international organisation provides an adequate level of protection, a transfer of personal data to that country or international organisation may take place. No specific authorisation is required for such a transfer." In assessing the adequacy of the level of protection, the Commission shall take into account such matters as the rule of law, respect for human rights and fundamental freedoms, public safety, etc., the importance of which is widely recognised. Also of great importance are international commitments or legally binding conventions or instruments entered into by the third country or international organisation concerned, as well as other obligations arising from its participation in multilateral or regional systems, in particular those relating to the protection of personal data.
In order for a restricted transfer to be possible pursuant to the GDPR, the data processing activity subject to the data transfer must be subject to the GDPR, the country to which the data will be transferred must not be subject to the GDPR, and the recipient of the data transfer must be a natural or legal person different from the sender.
In fact, it can be seen that the GDPR emphasises the existence of an adequacy decision, the existence of security measures or the existence of an exception in order for data transfers to become lawful.
On 22.05.2023, news sources reported that Meta was fined 1.2 billion euros for transferring user data to the USA. Meta's fine exceeded the GDPR fine of 746 million euros imposed on Amazon in 2021.
As can be seen, GDPR violations lead to large fines. Beyond their financial impact, such fines also damage the image of the companies concerned.
Conclusion
This evaluation shows how important the issue of data transfer is under both the KVKK and the GDPR. The GDPR is more detailed than the KVKK, as it regulates the transfer of data both within and outside the EU, and the penalties it imposes are larger.
Personal data, and its protection, are becoming more important day by day, especially as technology develops. Accordingly, it is not difficult to foresee that the rules on the transfer of personal data will also develop, that protection methods will multiply and that the amount of penalties will increase.
Should you have any queries or need further details, please contact us.