TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce and Yiğit Aktimur, YAZICIOGLU Legal
abroad is relatively recent and, as such, has pre - sented a variety of practical challenges. While the By-Law on Data Transfers Abroad has clarified some aspects of the new regime, prac - titioners eagerly waited for guidance from the DPA, as many points of uncertainty remained. On 2 January 2024, the DPA published its Guide - lines on Transfers Abroad, which aimed to offer more clarity on the provisions governing interna - tional data transfers. These guidelines addressed certain issues that had sparked differing views among practitioners, particularly regarding the requirements for completing the SCCs process. Despite the DPA’s efforts to clarify some aspects, several issues remain unresolved, and the DPA has indicated that the Guidelines on Transfers Abroad will be reviewed and updated based on practical experience gained through the imple - mentation of the DP Law. On the other hand, efforts to align with the GDPR are ongoing. According to the Medium-Term Programme (2025–2027), the alignment of the DP Law with the GDPR and other EU legisla - tion is expected to be completed by the final quarter of 2025. The 12th Development Plan (2024–2028) also identifies alignment efforts as a key goal for the coming years. In practice, the new regime has introduced some challenges but has generally been well-received by practitioners. A key reason for this is that, under the previous legal framework, obtaining approval from the DPA for data transfers was a lengthy and complex process. As a result, con - trollers had practically no option but to rely on data subjects’ explicit consent for data transfers abroad, leading to practical difficulties.
The Guidelines on Transfers Abroad further con - firmed the challenges of obtaining DPA approval. They revealed that three applications for BCR had been submitted to the DPA but were reject - ed due to procedural and substantive deficien - cies. Furthermore, only ten requests for written undertakings have been approved by the DPA. Consequently, while SCCs should be notified to the DPA, they have become a more viable approach for many businesses as they do not require prior approval from the DPA. On the oth - er hand, since SCCs cannot be executed on a multiparty basis, some practitioners have argued that executing individual SCCs with each party is impractical, especially for businesses work - ing with multiple service providers or partners across borders. However, these arguments have diminished as several service providers have taken the initia - tive to prepare and implement SCCs for their clients. Yet, in sectors dominated by a few major players, controllers often find themselves in a “take it or leave it” situation, with limited room for negotiation. This imbalance in bargaining power further exacerbates the challenges faced by smaller companies.
493 CHAMBERS.COM
Powered by FlippingBook