Ali Gül
Hukuk Bürosu

The Transfer of Personal Data Abroad – An Evaluation Within the Scope of International Agreements

The transfer of personal data abroad has been a frequent topic of discussion in recent times. We believe that to go beyond the discussions on this subject and to reach a comprehensive understanding, it is important to evaluate the matter within the context of international agreements, in addition to the Personal Data Protection Law (“Law”) and the guidelines provided by the Personal Data Protection Board (“Board”).

Current Situation

Regarding the transfer of personal data abroad, there are three ways defined in the Law:

  • Consent of the Relevant Person

If the data subject, as defined in Article 9 of the Law, provides explicit consent for the transfer of personal data abroad, then such transfer can take place.

  • Existence of Adequate Protection

In cases where the exceptions mentioned in Articles 5 and 6 of the Law are applicable, and if there is adequate protection in the country to which the data will be transferred, personal data can be transferred without the need for explicit consent.

  • Absence of Adequate Protection

In cases where the exceptions are applicable, and if there is no adequate protection in the country to which the data will be transferred, personal data can be transferred abroad without explicit consent, provided that the data controller commits to the transfer and obtains the permission of the Board.

Countries with adequate protection will be determined and announced by the Board, as stated in Article 9/3 of the Law. The evaluation of whether adequate protection exists in a country or whether the Board will grant permission to the data controller will be made within the framework of the principles specified in Article 9/4.

The Board has not yet announced countries with adequate protection. Therefore, currently, it is generally accepted that there is no country with adequate protection, and if data transfer abroad is to be conducted based on the exception provisions, obtaining permission from the Board is required.

Other Legal Provisions

The issue of transferring personal data abroad is not regulated solely by our legislation under the Personal Data Protection Law. In fact, the last paragraph of Article 9 of the Law states, “The provisions in other laws regarding the transfer of personal data abroad are reserved.” The rationale for this paragraph is as follows:

“In the fifth paragraph of the article, it is stipulated that the provisions in relevant laws regarding the transfer of personal data abroad are reserved. Accordingly, for example, Law No. 5549 on Preventing Laundering of Crime Revenues, which grants authority to the President of the Financial Crimes Investigation Board for international information exchange in this matter, will be primarily applied.”

Although the rationale mentions that the Law on Preventing Laundering of Crime Revenues will be primarily applied, it is clear that it is not the only law whose provisions are reserved.

The Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention No. 108”) was deemed appropriate by the law published in the Official Gazette on February 18, 2016, and became binding in our domestic law through a cabinet decree published in the Official Gazette on March 17, 2016.

The Republic of Turkey is a party to Convention No. 108. According to Article 90, paragraph 4 of the Constitution, international agreements duly put into effect have the force of law. Also, according to the same paragraph, in the event of a conflict between the provisions of international agreements duly put into effect and laws regarding fundamental rights and freedoms in the same subject matter, the provisions of international agreements shall prevail.

Therefore, the provisions of Convention No. 108 have the force of law under the Constitution, and in case of a conflict with the provisions of another law, the provisions of the international agreement will prevail.

Convention No. 108

Convention No. 108 is the first internationally binding treaty on the protection of personal data. Recently, a new treaty called the 108+ Convention, which modernizes Convention No. 108, has also been opened for signature. The purpose of Convention No. 108, which was opened for signature in 1981, is to establish the fundamental principles for the protection of data and regulate cross-border data flows. Article 12 of Convention No. 108 regulates the cross-border flow of data, i.e., the transfer of data abroad. The second paragraph of Article 12 is as follows:

“A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party. “

Although the provision in the second paragraph prevents Parties from imposing a prohibition or special authorization requirement solely for the purpose of protecting privacy on cross-border data flows between them, there are two exceptions to this rule. 

According to the third paragraph of Article 12, each Party may make exceptions to the provisions of the second paragraph in the following cases:

  1. If its legislation contains specific regulations arising from the nature of certain categories of personal data or automated personal data files, provided that the regulations of the other Party do not provide for equivalent protection.
  2. In cases where such transfers are made from the territory of one Party through the territory of another Party to a territory not belonging to a Party, in order to take advantage of gaps in the legislation of the Party referred to at the beginning of this paragraph.

The two paragraphs mentioned above are in the nature of a legal provision. Accordingly, countries that are parties to the 108th Convention cannot prohibit data transfer except for the two exceptions, or subject it to special permission.

The first of these two exceptional cases is when one party has specific regulations in its legislation while the regulations in the legislation of the other party do not provide equivalent protection. The other exception is when data is prevented from being transferred from one country that is a party to another country that is not a party, in order to take advantage of the gaps in the legislation of one party.

In this context, the Republic of Turkey cannot prohibit data transfer to the countries that are parties to this convention or subject it to special permission if its legislation includes specific regulations equivalent to the legislation of these countries. Therefore, if data transfer is to be prohibited or subject to special permission from countries that are parties to the 108th Convention, it must be determined that there is “no sufficient protection” in these countries from the perspective of our legislation. In other words, it is not necessary for sufficient protection to be declared by the Board in these countries. If a special permission is to be requested by the Board, it must be determined that “there is no sufficient protection.”

Dolayısıyla 108 Sayılı Sözleşme’nin tarafı olan devletlerden herhangi birine veri aktarımı yasaklanacak veya özel bir izne tabi tutulacaksa, bu ülkede bizim mevzuatımız açısından yeterli korumanın “bulunmadığının” tespiti gerekir.  Yani bu ülkelerde yeterli korumanın “bulunduğunun” Kurul tarafından ilan edilmesine gerek yoktur. Eğer Kurul tarafından özel bir izin talep edilecekse, yeterli korumanın “bulunmadığının” tespit edilmesi gerekmektedir.

In this regard, the view that countries with sufficient protection have not been declared as such, and therefore such a country does not exist, and that permission must be obtained from the Board if data is to be transferred abroad, will be invalid for countries that are parties to the 108th Convention. Because the provision of a duly ratified international agreement will be evaluated before the provisions of the Personal Data Protection Law, and in case of any contradiction, the provision in the international agreement will prevail.

So, when transferring data to European Union member states that are parties to the 108th Convention, there is no need to obtain permission from the Board. Except for the two exceptional cases, the Board cannot prohibit data transfer to these countries or subject it to special permission. The situation of not having equivalent protection in the country where data transfer will take place cannot be applicable to European Union member states covered by the European Union Data Protection Regulation (“GDPR”). This is because our country acquired the Personal Data Protection Law from the European Union with some modifications, and it is clear that the goal in this regard is to approach GDPR standards.

Conclusion

  • The transfer of personal data abroad is not a subject regulated solely by the Personal Data Protection Law.
  • The 108th Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, to which Turkey is a party and which has been incorporated into its domestic law in accordance with the proper procedures, and the provisions in this Convention are considered as having the force of law.
  • Turkey cannot prohibit data transfer to countries that are parties to the 108th Convention or subject it to special permission. There are two exceptions in this regard. The first is when there is no equivalent level of protection in the country where data transfer will take place, compared to the special regulations in the country transferring the data. The second exception is when data is to be transferred from the country where the contract is not a party to another non-party country.
  • These two exceptions do not apply to European Union member states that are parties to the 108th Convention. Turkey cannot prohibit data transfer to European Union member states or subject it to special permission.
  • Under the 108th Convention, all European Union countries that are parties to the Convention are considered “safe countries.” In order to prohibit data transfer to these countries or subject it to special permission, the Personal Data Protection Board must determine that these countries are “unsafe countries.” Otherwise, these countries should be considered safe.