TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce and Yiğit Aktimur, YAZICIOGLU Legal
onward transfers conducted by either controllers or processors.

Other Regulations

The DP Law states that provisions on data transfers abroad are reserved in other laws. For example, the Guidelines for Good Practices on Personal Data Protection in the Banking Sector emphasise that specific provisions outlined in the Banking Law should be considered when transferring information that constitutes client secrets abroad. Likewise, the By-Law on Measures for Preventing Money Laundering and Financing of Terrorism details the required information that must be included in an international e-transfer, adding further compliance obligations for financial institutions.

Furthermore, sectoral regulations imposing specific restrictions regarding data transfers abroad should also be considered (see 5.3 Data Localisation Requirements).

5.2 Government Notifications and Approvals

As detailed under 5.1 Restrictions on International Data Transfers, data transfers abroad can occur through the implementation of appropriate safeguards. Except for SCCs, these safeguards require the DPA’s prior approval.

Furthermore, without prejudice to the provisions of international agreements, in cases where Türkiye’s or the data subject’s interests will be seriously harmed, personal data may only be transferred abroad upon the DPA’s permission. The DPA must obtain the opinions of relevant public institutions and organisations before it grants its permission.

Sector-specific regulations may also require further notifications or approvals. For instance, under the Regulation on Geographic Data Permissions, transferring geographic data is subject to authorisation from the Ministry of Environment, Urbanisation, and Climate Change.

In the health sector, the transfer of personal health data is subject to the Ministry of Health’s evaluation in accordance with the By-Law on Personal Health Data. Similarly, in the civil aviation sector, airline operators or institutions may share passenger information with third countries upon request under the Turkish Civil Aviation Law, provided that they obtain approval from the Ministry of Interior.

5.3 Data Localisation Requirements

While no standalone legislation governing data localisation exists, certain sector-specific regulations do apply. Key sectors are as follows.

Banking and Finance Entities

The following entities must keep their primary and secondary information systems in Türkiye:

• banks;
• payment institutions and electronic money institutions;
• insurance and private pension companies (excluding services like email, teleconference, or videoconference);
• capital markets institutions; and
• financial leasing, factoring, and finance companies.

Electronic Communications Providers

In principle, electronic communications providers cannot transfer traffic and location data abroad for national security reasons. However, in certain cases, such data may be transferred abroad by obtaining the explicit consent of data subjects.
CHAMBERS.COM