top of page
Image by Andrew Neel

A Brief Overview of Standard Contractual Clauses Through New Regulations in the Turkish Data Protection Legislation

Last week, the highly anticipated Regulation on the Procedures and Principles for Transferring Personal Data Abroad was finally released in the Official Gazette.


This Regulation has been issued in order to determine the procedures and principles regarding the implementation of Article 9 of the Law No. 6698 on the Protection of Personal Data (“Law no.6698”) regulating the transfer of personal data abroad. As of June 1st, 2024, the amendments to articles of the Law No.6698 regarding the processing of special categories of personal data and the transfer of personal data abroad entered into force. The former legislation stipulated that explicit consent must be obtained from each data subject for transfer to countries that do not have an adequacy decision pursuant to Article 9 of the Law No.6698. Considering that #Turkiye has not yet taken an adequacy decision for any country, this situation was challenging for every data controller who has business relations abroad. 


The relevant regulation states that in the absence of an adequacy decision, personal data may be transferred abroad if one of the appropriate safeguards is provided; of course, the processing is lawful under Protection of Personal Data Law No. 6698 and provided that the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country of transfer. One of these appropriate safeguards is the existence of a standard contract announced by the #Turkish #Data #Protection #Board (“Board”), which defines data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data. In short, this may also be referred to as Standard Contractual Clauses (SCC), as mentioned in the GDPR. 


Step-by-Step procedure to ensure appropriate safeguards in accordance with SCCs:


According to Article 14 of the Regulation: 


  1. The appropriate contract shall be selected from the standard contract templates announced by the Board on its website [e.g. controller-to-controller (C2C), controller-to-processor (C2P), processor-to-processor (P2P), and processor-to-controller (P2C)]. This contract shall be used without any revision, amendment or change. 

  2. The information regarding the details of the transfer in the annexes of the contracts shall be filled in. 

  3. The contract shall be signed by the parties or authorized persons to represent and sign the parties. 

  4. After the signature process is completed, the SCC shall be notified to the Board within five business days, either physically or via a registered electronic mail address. 

  5. Documents certifying that the signatories of the standard contract are authorized and notarized translations of each foreign language document shall be attached to the notification. 


The provision of appropriate safeguards through the standard contract shall be finalized by the fulfillment of obligation to notify the Board. The Board shall make an examination only in case that the text of the standard contract announced by the Board is amended/changed or the standard contract does not contain the valid signature of one or both of the parties to the transfer. 


The notification may be made by the party agreed to in the contract or, if not agreed to, by the party transferring the data. In the event of a change in the parties to the standard contract or in the information and explanations provided by the parties in the content of the standard contract or the termination of the standard contract, the Board shall be notified in the same procedure. 


As mentioned above, #SCC is also regulated in the #GDPR and ensures the compliance of companies with data protection laws in cases where data transfer abroad is continuous. #SCCs provide a legal framework designed to safeguard the fundamental rights and freedoms of individuals when their personal data is transferred across borders. With the adoption of new regulation, we anticipate that the legal compliance of personal data transfer processes from Turkey to abroad and from abroad to Turkey will increase. 

Comments


bottom of page