Personal Data Protection Law no. 6698 (“Law”) stipulates that personal data transfer occurs when any personal data is transferred by a data controller or data processor to another data controller or data processor. Articles 8 and 9 in the Law prescribe how to transfer personal data within a country and abroad. Accordingly, the Law’s relevant requirements must be fulfilled.
A. Domestic Transfer of Personal Data
Pursuant to Article 8 in the Law, domestic transfer of personal data is subject to certain terms. However, lawful processing of personal data within a country does not suffice to transfer that data since the transfer also requires the fulfillment of conditions in Articles 5 and 6 in the Law[1]. Thus, personal data may be transferred if: i) the data subject has given express consent; ii) the Law clearly requires it; iii) the transfer is necessary to protect the life or bodily integrity of a data subject or another person when a data subject is unable to express their consent due to circumstances, or their consent has no legal validity; iv) the processing of personal data belonging to parties to an agreement is necessary provided that the procedure is directly related to the conclusion or performance of that agreement; v) it is necessary for the data controller to fulfill their obligations; vi) the data subject has already published their personal data; vii) data processing is required for the establishment, exercise or defense of a right; viii) data processing is necessary for the data controller’s legitimate interests, provided that the processing does not harm the fundamental rights and liberties of the data subject.
B. International Transfer of Personal Data
Article 9 in the Law regulates the international transfer of personal data. Accordingly, if the data subject does not give their express consent, it is illegal to transfer their personal data abroad unless the exceptions in Articles 5 and 6 of the Law are present. In this context, the data protection regulations in the country to which personal data will be transferred must be considered as well, including whether a country offers an adequate level of data protection:
- In case of personal data transfer to countries with adequate level of data protection (e. countries determined to be safe by the Board), the conditions specified in the Law (in paragraph 2 of article 5 and paragraph 3 of article 6) must be fulfilled.
- In case of personal data transfer to countries without adequate level of data protection, the fulfillment of conditions specified in the Law (in paragraph 2 of article 5 and paragraph 3 of article 6) is sufficient only if the data controllers in Türkiye and the relevant foreign country provide a written guarantee for adequate protection, and the Board permits the transfer.
The Board published its criteria for countries with adequate protection in decision no. 2019/125 of 02.05.2019. We can find the requirements for determining whether a country may offer data security in the criteria contained in the decision’s form.
In countries with adequate protection, only authorized institutions & organizations, or individuals bound by confidentiality may transfer a data subject’s personal data regarding their health and sexual life abroad without the subject’s express consent in order to protect public health, offer preventive medicine, medical diagnosis, treatment, and care services, and plan, finance, and manage healthcare services.[2]
In conclusion, domestic or international transfer of personal data requires paying attention to the fulfillment of conditions in the Law, as well as the Board’s decisions, and other factors mentioned in the Board’s guidelines.
[1]https://www.kvkk.gov.tr/Icerik/2052/Yurtici-Aktarim
[2]https://kvkk.gov.tr/yayinlar/K%C4%B0%C5%9E%C4%B0SEL%20VER%C4%B0LER%C4%B0N%20YURTDI%C5%9EINA%20AKTARILMASI.pdf
