TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce and Yiğit Aktimur, YAZICIOGLU Legal
5. International Considerations 5.1 Restrictions on International Data Transfers With the DP Law Amendments, the previous system has been significantly amended. Accord - ingly, current provisions of the DP Law foresee a gradual and alternative regime for international transfers, comprising three levels based on; • adequacy decisions; • appropriate safeguards; and • occasional causes. While the DP Law does not include a definition of “data transfer abroad”, the By-Law on Data Transfers Abroad fills this gap by defining it as “the transmission of personal data by a data controller or data processor within the scope of the DP Law to a data controller or data proces - sor abroad or making it accessible by any other means”. With its Guidelines on Transfers Abroad, the DPA further clarified that, in contrast to its pre - vious position, direct collection of personal data does not constitute data transfer under the new regime. Adequacy Decisions Adequacy decisions provide a valid legal basis for transferring data abroad. The DPA has the authority to issue adequacy decisions not only for countries but also for international organisa - tions and specific sectors within third countries (referred to as the “Whitelist”). Adequacy decisions must be reviewed by the DPA at least once every four years. If the DPA determines that adequate protection is no longer ensured, these decisions may be amended, sus - pended, or revoked with prospective effect fol -
the measures data controllers must take to com - ply with the new DP Law regime. 4.4 Transfer of Personal Data in Asset Deals The DP Law does not contain specific provisions regarding the transfer of personal data in asset deals. As a result, the general principles of the DP Law apply. Legal Bases for Processing Controllers must ensure they rely on the appro - priate legal bases outlined in the DP Law when transferring personal data in asset deals (see 4.1. Use of Cookies and 4.3. Employment Pri- vacy Law ). If the transfer involves transferring personal data abroad, controllers must also comply with the specific requirements set for international data transfers (see 5.1 Restrictions on International Data Transfers ). Obligation to Inform In practice, a key challenge is the obligation to inform data subjects. While some control - lers include a general statement in their privacy notices about potential data transfers in asset deals, the DPA’s general stance is that privacy notices should not include vague references to possible transfers. Instead, if the details of the transfer (eg, what personal data will be trans - ferred, the purposes of the transfer, and the recipients) are already known, data subjects should be informed at the time of data collection. Unlike the GDPR, the DP Law does not provide an exemption from the obligation to inform in cases where personal data is not directly col - lected from data subjects. Therefore, in such cases, data subjects should be informed at the latest when their data is transferred.
488 CHAMBERS.COM
Powered by FlippingBook