Turkish Data Protection Authority’s Decision on the Transfer of Personal Data Abroad Based on the Convention 108

The Turkish Personal Data Protection Authority (“Authority”) has published a very important decision regarding data transfer abroad. A data controller claimed that “The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (Convention 108) was adopted into domestic law, that Turkey is also a party to this convention, and that it therefore carried out the data transfer abroad on the basis of this convention. In response to this claim, the Authority evaluated the provisions of Law No. 6698 (“Law”) and Convention 108 together.

The decision of the Authority on the subject is summarised as follows: 

Taking into account the article on reciprocity with the country to which the data will be transferred, found in the explanatory report on Convention 108, together with the regulation in Article 9 of the Law, the Authority stated that the personal data transfer regulation stipulated in the Law is compatible with Convention 108.

According to the evaluation made in the decision, similar to the EU practice, being a party to Convention 108 is not sufficient on its own for a country to be determined as having an adequate level of protection (a “safe country”). After evaluating the data controller’s data transfer abroad, the Authority stated that the data controller’s transfer of personal data abroad on the basis of Convention 108 was not carried out in accordance with the provisions of Article 9 of the Law.

For this reason, the Authority stated that, within the scope of the data security obligations under the Law, “the obligation to prevent the unlawful processing of personal data” was not fulfilled, and an administrative fine of TRY 900,000 was imposed on the data controller.

Additionally, the data controller was ordered to delete/destroy the personal data in question, which was unlawfully transferred abroad, and to inform the Authority regarding the execution of this order.

As a result, since no country has yet been declared a safe country by the Authority, it is necessary to (i) obtain explicit consent or (ii) commit in writing to provide an adequate level of protection and submit the commitment to the Turkish Personal Data Protection Board for its permission. Otherwise, considering the current legislation and practice, it is not possible to transfer data abroad in accordance with the law.
