Cybersecurity 2025

TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal

The Communiqué on Payment Services In cases where one of the parties of the payment transaction is located abroad, the institution may share the required data with the relevant third parties abroad. However, the following condi - tions must be satisfied: • data must be stored domestically; • data must be limited to the extent necessary for the performance; and • the principle of proportionality must be respected. General DP Law Regime on International Personal Data Transfers If data transferred is personal data, the DP Law also applies. Provisions on international personal data trans - fers under the DP Law have been significantly amended on 12 March 2024, effective from 1 September 2024. The purpose of the amend - ment was to align the DP Law with the General Data Protection Regulation. The new regime allows personal data to be transferred abroad or to international organisa - tions under the following conditions. • Existence of one of the applicable legal bases under the DP Law and an adequacy decision for the country, international organisation or the sectors therein to which the data will be transferred (note that, as of the date of this publication, the DPA has not issued any adequacy decision yet). • In the absence of an adequacy decision – the existence of one of the applicable legal bases under the DP Law and enforceable data subject rights and effective legal remedies for data subjects and provision of one of the fol - lowing appropriate safeguards:

(a) a legally binding and enforceable instru - ment between public authorities or bod - ies; (b) binding corporate rules; (c) standard contractual clauses; or (d) a written letter of commitment, together with the approval of the transfer by the Board. • In the absence of an adequacy decision and where appropriate safeguards cannot be provided – the existence of derogations for specific situations outlined in the DP Law, where the transfer is “occasional” . Although the DPA published the By-Law on Pro - cedures for the Transfer of Personal Data Abroad and a guideline, there are many ongoing discus - sions on interpreting the provisions therein. Besides the amendments, there is an unaltered provision under the DP Law, which provides a reservation for provisions under other laws applying to personal data transfers abroad. In the Banking Sector Best Practices Guide on the Protection of Personal Data, the DPA states that where such a specific provision is applicable, it will override the transfer regime under the DP Law. The provisions explicitly mentioned in the Bank - ing Guide are those on “consumer secrets” under the Banking Law and related secondary regulations. Although not explicitly mentioned, Article 24 under the By-Law on Measures for Preventing Money Laundering and Financing of Terrorism, which provides the minimum informa - tion to be included in an international e-transfer, will also apply in a preceding manner. International Treaties International treaties to which Türkiye is a par - ty may allow or require banks to transfer data

311 CHAMBERS.COM

Powered by