Turkey: International data transfers
In a global economy, cross-border data transfers are a highly pertinent matter in the regulatory focus of national data protection authorities and Turkey is no exception in this regard. On 7 May 2020, the Turkish Personal Data Protection Authority ('KVKK') published an announcement containing significant remarks regarding commitment letters for cross-border data transfers. Burcu Tuzcu Ersin LL.M and Burcu Güray, from Moroglu Arseven, discuss the KVKK's announcement and highlight the procedural and substantive requirements for making international transfers of data to third countries from Turkey.
As per the Law on Protection of Personal Data No. 6698 ('the Data Protection Law'), aside from obtaining the explicit consent of the data subjects, data controllers can transfer personal data to countries without data protection adequacy in scenarios where an adequate level of protection is instead provided by the parties with a commitment in writing and the Board's approval for such transfer is obtained.
The list of the countries with an adequate level of protection has yet to be published by the Board, which must then lead us to consider all countries as unsafe in terms of data transfers as it currently stands. Hence, such a commitment letter is a key process for data controllers who transfer personal data abroad in order to comply with the Data Protection Law.
The standard terms for cross-border data transfers have already been published by the Board on its website on 16 May 2018. These are the essential clauses which must be included in contracts for transferring personal data to countries which Turkey deems as not providing adequate protection. The minimum clauses include separate provisions for transfers to data controllers, compared to data processors. The minimum content envisaged by the Board is similar to that of the Standard Contractual Clauses ('SCC') in the EU.
With its latest announcement, the KVKK further expanded on the principles and procedures of the commitment letter process to guide data controllers in Turkey, taking into consideration the problems which arise in implementation.
Key remarks on procedure
The KVKK highlighted that the following points need to be taken into account by the data controller in terms of the procedure of applications for the Board's approval for cross-border data transfers:
- Data controllers must provide the KVKK with identification information for the authorised person and supporting legal documents certifying that these persons are authorised signatories of the data controllers in the application for cross-border data transfers. If the application is made via proxy, an original or certified copy of the proxy needs to be submitted as well.
- Signature and company stamp must be put at the end of the undertaking and annexes thereto. Each page must bear the initials of the signatories.
- Every document in a foreign language must be translated into Turkish and notarised.
- Commitment letters must at least include the provisions foreseen in the commitment letter templates published by the KVKK. If additional provisions are to be included in the commitment letters, these must be included under the title 'Additional Provisions.'
- All undertakings under the commitment letter must be drafted in the future tense (i.e. 'The data transferor will inform the data recipient that the transferred personal data will be processed in accordance with this commitment letter and with the Law on Protection of Personal Data No. 6698').
Key remarks on substance
Data controllers must pay attention to the following points for the substance of the commitment letters. Data transfers based on the explicit consent of the data subject will not be included in the commitment letter.
- Two different forms of commitment letter templates have been issued by the KVKK for the transfer to data controllers and data processors. In this context, the relationship between the parties as well as the roles of the parties in the data transfer must be accurately identified and the correct commitment letter template must be used. Furthermore, detailed and clear explanations regarding the legal status of the parties, and any supporting documents showing the relationship between the parties (e.g. agreement), if any, must be submitted to the KVKK along with the commitment letter.
- Terminology in the commitment letter must follow the Data Protection Law or secondary regulations.
- Parties must give clear explanations related to data transfer flows and must correlate personal data, data subjects, processing purposes, and legal basis for data transfers.
- Data controllers must comply with the general principles for personal data processing, set forth under Article 4 of the Data Protection Law, throughout the preparation of the commitment letter.
The KVKK, in its announcement, has also provided clarifications as to the explanations that parties need to make under the Annex of the commitment letter, which, briefly, indicate the details of the data transfer flow. Below is a summary of the KVKK's explanations.
- Data subject groups: data controllers must avoid using ambiguous expressions like 'such as, similar to, possible, likely' and must clearly indicate the data subject groups.
- Personal data categories: when determining the data categories to be transferred, the data controller must comply with the processing principle, and the data categories to be transferred must be relevant to, limited to, and proportionate to the transfer purposes. Data categories must also be referred to in a clear and understandable manner and no vague expressions may be employed in this respect. Data categories and the data subject groups must be linked to each other, so that it can be seen which data category of which data subject group will be transferred.
- Transfer purposes: the correlation between the transfer purposes and the data categories must be shown in the commitment letter. The transfer purpose must be specific, explicit, and legitimate. Data controllers must provide sufficient and comprehensible information to show their transfer purpose is in compliance with such principle.
- Legal grounds for the data transfer: data controllers must clearly point out the legal ground of the transfer by creating a link between the data categories, so that it can be understood which data category is transferred on which legal basis. The KVKK explicitly stated that, for cross-border data transfers to be based on legitimate interest, data controllers must perform a balancing test in compliance with the Board's Decision No. 2019/78 of 25 March 2019 to reach and to indicate, in the commitment letter, a positive conclusion to that end.
- Recipient groups: recipient groups refer to data controllers or data processors, located in the same country as the data recipient, to which the data recipient will carry out a subsequent data transfer.
Subsequent data transfers are only possible if the data would be transferred to competent institutions and organisations based on a statutory obligation of the data recipient under the applicable law. Otherwise, subsequent data transfers from the data recipient which are either to another data controller or data processor located in another company from the data recipient or which are not based on a statutory obligation cannot be conducted within the scope of the commitment letter. In such cases, a separate commitment letter must be executed.
The KVKK has also highlighted that its Personal Data Security Guidelines (Technical and Administrative Measures) must be taken into account when determining the required technical and organisational data security measures. Technical and administrative measures must be explained under separate titles and the supporting documents related to these measures must be attached to the application.
In addition, if any special categories of personal data are transferred, additional required data security measures must be obtained and identified in the commitment letter by also submitting the supporting documents, in line with the Board's Decision No. 2018/10 of 31 January 2018.
Further information to be included in the commitment letter, as highlighted by the KVKK, includes the following:
- Information on the Data Controllers' Registry ('VERBIS'): whether the data controller is obliged to register, along with the reason, and, if there is a registration obligation, VERBIS information must be included in the commitment letter.
- Additional information: retention periods and other relevant information will be provided under this section, which must be specified by including their justification, indicating at least the maximum duration. If a specific retention period is regulated under law, the applicable legislation must be noted in the commitment letter as well.
- Contact person information: information about the contact person must be included in the commitment letter.
- Specific explanations for the data transfers to data processors: detailed explanations on the activities of the data controller or the data processor, as well as the data transfer and processing activities after the data transfer, must be given under the sections titled 'Data Controller' and 'Data Processor' of the commitment letter for the data transfer from a data controller to a data processor.
Finally, under the section titled 'Data Processing Activities' of the said commitment letter, clear explanations must be given related to processing activities of transferred data in line with the transfer purposes.
Burcu Tuzcu Ersin LL.M Partner
Burcu Güray Senior Associate
Moroglu Arseven, Istanbul