TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce and Yiğit Aktimur, YAZICIOGLU Legal
lowing the review or, in any other cases, it deems necessary. However, since the DPA has not yet established a Whitelist, alternative mechanisms for transferring data abroad must be considered. Appropriate Safeguards In the absence of an adequacy decision, data transfers abroad can still occur through the implementation of appropriate safeguards. How - ever, these safeguards can only be utilised if the conditions for processing personal data are met and if it is feasible for data subjects to exercise their rights and access effective legal remedies in the third country where the data will be trans - ferred. There are four methods to deploy appropriate safeguards: • an agreement (excluding international trea - ties) between “public institutions and organi - sations or international organisations abroad” and “public institutions and organisations or public professional organisations in Türkiye” subject to the DPA’s approval; • BCR, subject to the DPA’s approval; • a written undertaking containing provisions that will provide adequate protection, subject to the DPA’s approval; and • SCCs announced by the DPA, with a require - ment for notification to the DPA within five business days from the date of execution. As of the time this note is written, only ten con - trollers have obtained approval for written under - takings, and no BCR has been approved. There - fore, due to the challenges in obtaining approval from the DPA, SCCs have been the most viable option in market practice since their recognition. The DPA published four versions of SCCs that cover data transfers from:
• controller to controller; • controller to processor; • processor to processor; and • processor to controller.
While the English-language versions are also available on the DPA’s website, the By-Law on Data Transfers Abroad clearly emphasises that if SCCs are executed in a foreign language, the Turkish version will prevail. This is further con - firmed in the Guidelines on Transfers Abroad, stating that double-column SCCs will be con - sidered valid by the DPA, provided that the Turk - ish version is properly executed. Furthermore, in an announcement on 5 February 2025, the DPA highlighted that both the data exporter’s and the data importer’s signatures must be present in the column containing the Turkish text. The SCCs published by the DPA must be exe - cuted without any modification, except where explicitly allowed within the relevant sections of the SCCs (eg, details of the transfer, tech - nical and administrative measures, etc). While various practices emerged due to uncertainties arising from the lack of guidance, the Guidelines on Transfers Abroad clarified how to complete each section of the annexes to be filled out by the parties. For instance, while many practition - ers only included the categories of personal data transferred, the guidelines clarified that both the categories and the specific data transferred should be stated. While SCCs are not subject to the DPA’s approv - al, there is still an obligation to notify the DPA about the execution of SCCs within five business days from the date of execution. The By-Law on Data Transfers Abroad states that notifications of SCCs can be made physically, via registered electronic mail (KEP), or through other methods determined by the DPA. In this context, on 17
489 CHAMBERS.COM
Powered by FlippingBook