69 MAY 2022 | WWW.LAWYER-MONTHLY.COM EXPERT INSIGHT comply with the Law. However, several areas remain as perplexing for data controllers and data processors in Turkey. Among these problems, the most problematic issue relates to transfer of personal data abroad. According to the DP Law, personal data of data subjects in Turkey can be transferred abroad only on three conditions: 1) if the data subject provided their explicit consent for the transfer of their personal data; 2) if the transfer is made to a country which was deemed “safe” by the Turkish Personal Data Protection Authority because they provide an adequate level of data protection; 3) if the data controller in Turkey and the data controller/ processor abroad sign the standard contractual clauses published by the Turkish Authority or prepare binding corporate rules, and get the Authority’s approval for the transfer. Currently, all three options remain as challenging for data controllers in Turkey. Because explicit consent must be freely given, data controllers cannot compel data subjects to give their consent for the transfer of their personal data abroad. This means that data controllers must create alternative methods to store personal data of data subjects who do not wish for their data to be transferred abroad, locally. Also, since the Turkish Data Protection Authority has not yet published the list of safe countries that provide an adequate level of data protection, the second option does not work in practice either. This leaves the third option, signing the standard contractual clauses of the Authority and getting their permission, as the only viable option to transfer personal data abroad. However, the strict examination of the Authority and the vast amount of additional information that is required to be submitted with the agreement, such as information security policies and procedures, meant that only a few data controllers were able to receive this permission as of now. Turkey currently plans to change the DP Law to conform with the GDPR. I hope that after this change, data controllers in Turkey will have more options for transferring data abroad, such as codes of conduct, certification, performance of a contract, or even compelling legitimate interests of the data controller in certain limited situations. How have these challenges differed for domestic and foreign corporations? While one of the biggest challenges for Turkish corporations was the lack of knowhow and awareness during the early days of the DP Law, foreign corporations, especially European companies, were familiar with privacy regulations due to the decades-old privacy regulations such as the 95/46/ EC Directive and the related national laws. However, most of these foreign corporations were not aware of the overarching framework of the DP Law. The DP Law does not have specific articles on the territorial scope of the I hope that after this change, data controllers in Turkey will have more options for transferring data abroad
RkJQdWJsaXNoZXIy Mjk3Mzkz