On July 10, 2024, the Turkish Official Gazette published Regulation No. 32598, titled Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad (the “Regulation”). This Regulation introduces significant changes to the transfer of personal data outside Turkey, aligning with recent amendments to the Personal Data Protection Law No. 6698 (“PDPL”).
Key Provisions:
- Adequacy Decisions: The Regulation stipulates that the transfer of personal data to a foreign country, international organization, or specific sectors within a country is permissible only if the Personal Data Protection Authority (“Authority”) has issued an adequacy decision confirming that the destination provides an adequate level of protection. These adequacy decisions will be reviewed by the Authority every four years.
- Appropriate Safeguards: In the absence of an adequacy decision, data controllers and processors must implement appropriate safeguards to ensure the protection of personal data. The Regulation outlines several mechanisms to establish these safeguards, including:
  - International Agreements: Non-international agreements between public institutions, professional organizations, or international organizations.
  - Binding Corporate Rules (BCRs): Internal policies adopted by multinational companies to allow intra-organizational transfers of personal data.
  - Standard Contractual Clauses (SCCs): Pre-approved contractual terms set by the Authority to ensure data protection during transfers.
  - Declarations: Written commitments by the data exporter to adhere to specific data protection standards.
- Exceptional Cases: The Regulation provides for exceptional cases where personal data can be transferred abroad without an adequacy decision or appropriate safeguards, including:
  - Explicit consent from the data subject, provided they are informed of the potential risks.
  - Transfers necessary for the performance of a contract between the data subject and the data controller.
  - Transfers required for the establishment, exercise, or defense of legal claims.
  - Transfers essential for the protection of vital interests of the data subject or another individual.
Implications for Organizations:
Organizations engaged in the transfer of personal data abroad must:
- Assess whether the destination country or organization has an adequacy decision.
- Implement appropriate safeguards if no adequacy decision exists.
- Ensure that any transfer made without an adequacy decision or appropriate safeguards falls within the exceptional cases outlined in the Regulation.
Non-compliance with these provisions may result in administrative sanctions, including fines.
Conclusion:
The enactment of the Regulation marks a significant development in Turkey’s data protection framework, particularly concerning the transfer of personal data abroad. Organizations must review and, if necessary, update their data transfer practices to ensure compliance with the new requirements. It is advisable for entities involved in international data transfers to consult with legal professionals to navigate the complexities of the Regulation effectively.