Within the scope of the trainings conducted by the Union of Turkish Bar Associations, the following points stand out from Assoc. Dr. Murat Volkan Dülger's training on Transferring Personal Data Abroad and Cookie Use Policies.
Article 8 of the Law on the Protection of Personal Data – Transfer of Personal Data
(1) Personal data cannot be transferred without explicit consent of the data subject.
(2) Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in:
a) the second paragraph of Article 5,
b) the third paragraph of Article 6, provided that sufficient measures are taken.
(3) Provisions of other laws concerning transfer of personal data are reserved.
Article 9 of the Law on the Protection of Personal Data – Transfer of Personal Data Abroad
(1) Personal data cannot be transferred abroad without explicit consent of the data subject.
(2) Personal data may be transferred abroad without explicit consent of the data subject provided that one of the conditions set forth in the second paragraph of Article 5 and the third paragraph of Article 6 exists and that:
(a) sufficient protection is provided in the foreign country where the data is to be transferred,
(b) the controllers in Turkey and in the related foreign country guarantee a sufficient protection in writing and the Board has authorized such transfer, where sufficient protection is not provided.
(3) The Board determines and announces the countries where sufficient level of protection is provided.
Article 5/2 — (2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:
a) it is clearly provided for by the laws.
b) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.
c) processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the conclusion or fulfilment of that contract.
ç) it is mandatory for the controller to be able to perform his legal obligations.
d) the data concerned is made available to the public by the data subject himself.
e) data processing is mandatory for the establishment, exercise or protection of any right.
f) it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
Article 6/3 — (3) Personal data, excluding those relating to health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any person or authorised public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
Regarding the transfer of personal data, Article 8 of the Law regulates domestic transfers and Article 9 regulates transfers abroad.
For transferring personal data abroad, the explicit consent of the data subject should be obtained in accordance with Article 9 of the LPPD. However, the second paragraph of the Article provides that a transfer can be made without explicit consent if one of the conditions set forth in the second paragraph of Article 5 or the third paragraph of Article 6 exists and, in addition, either sufficient protection is provided in the foreign country where the data is to be transferred or, where sufficient protection is not provided, the controllers in Turkey and in the related foreign country guarantee sufficient protection in writing and the Board has authorized the transfer. Whether and under what conditions data may be transferred abroad is at the discretion of each country, and the regulations on this matter differ from country to country. The Board has not yet announced the countries with sufficient protection. For this reason, the methods that currently make it possible to transfer data abroad are the following: obtaining explicit consent, or the data controller giving a letter of undertaking and the Board approving that undertaking.
In his training, Assoc. Dr. Murat Volkan Dülger stated that counting reciprocity and the volume of trade carried out with the relevant country among the criteria listed in the "Board Decision on the Form Issued for Use in the Determination of the Countries with Sufficient Protection", published on 2 May 2019 with decision number 2019/125, may cause problems.
The announcement regarding the procedures and principles of the commitments was published on the Authority's website on 7 May 2020. Besides the procedures and principles of the commitments, this announcement explained concepts such as data controller and data processor with examples and specified the documents and other items required when submitting a letter of undertaking, in accordance with the domestic legal system. Examining the announced principles and procedures shows that obtaining approval for letters of undertaking is a significant workload and process. In terms of substance, the letter must clearly state whether the data will be sent from data controller to data controller or from data controller to data processor; at this point, determining who the data controller and the data processor are is of great importance. The terminology used in the letter of undertaking must comply with the Law and other regulations; the purpose and legal basis of the data transfer must be clearly stated and specified one by one; the letter of undertaking and its annexes must comply with the general principles stated in Article 4 of the LPPD; and if the data is processed on one of the grounds in Article 5/2 or 6/3 of the LPPD, that ground must be clearly stated and connected to the data concerned. If the transfer is to be made on the basis of explicit consent, it cannot be the subject of an undertaking. For the transfers to be made, the balance test specified in the decision numbered 2019/78 and dated 25.03.2019 should be evaluated, applied and included in the letter of undertaking without impairing the fundamental rights and freedoms of the data subject.
Assoc. Dr. Murat Volkan Dülger stated in his training that the recipients and recipient groups, the measures to be taken by the data recipient, the measures to be taken for personal data of special nature and the VERBİS (Data Controllers' Registry Information System) information should be specified in the letter of undertaking; the retention periods and other relevant information should also be included under the heading of additional useful information. Dülger also noted that, where the announcement refers to the retention period, it is not clear whether it means the period regulated in Turkey or in the country to which the data is transferred; he stated that he interprets this reference as the periods in Turkish legislation. Where the period is not regulated in legislation, he stated that, for transfers made for the data controller's purposes, the retention period in transfers from data controller to data processor will be determined by the data controller in Turkey, and that in transfers from data controller to data controller a reasonable period should be agreed between the parties.
In another announcement, the Authority aimed to ease data transfers for multinational group companies in countries without sufficient protection, provided that the Board accepts the application of binding corporate rules, stating: "These letters of undertaking generally facilitate bilateral data transfers between companies, but they are unable to provide implementation practice in terms of data transfers between multinational company communities. Therefore 'Binding Corporate Rules' have been determined by the Board as another method to be used in international data transfers between the relevant companies." Dülger stated that binding corporate rules are also regulated in the EU General Data Protection Regulation. Given the continuous circulation of data between European Union countries, and in order to provide practicality in practice, it has been made possible to establish binding corporate rules, obtain approval from the data protection authority and use them once approved. However, establishing binding corporate rules requires a serious investment, and in this respect it is very difficult for small companies to bear the cost. Indeed, Dülger states that the number of companies able to apply binding corporate rules is no more than forty, although the mechanism has been in place in the EU for 20 years. Dülger stated that implementing these rules in Turkey is quite difficult even though the Authority has announced them, drawing attention to the questions of which data authority the rules will be presented to for approval and how many subsidiaries established under the TCC (Turkish Commercial Code) produce the same product.
Cookies are traces collected from every site that a person visits with the device they use, so that the site can be accessed quickly whenever the person returns to it. This information is stored on the device used by the person. Considering that a person's preferences on various topics and their world view can be inferred from the sites they have visited through cookies, it is clear that these data are personal data. Therefore, explicit consent is required for the processing of these data. Dülger stated that in America personal data is treated as property that may be the subject of a property right and, as a rule, data collection and processing are free except in certain areas, whereas the perspective of the EU is quite different. He also mentioned that, although cookies are kept on the computer, the possibility of accessing the data in the IT sense is treated as a transfer.
Dülger also mentioned the Amazon decision and the administrative fine imposed, and stated that fines imposed under the GDPR are proportional to the companies' annual turnover, so that although the amount imposed is high by Turkish standards, it cannot be considered too high for a company such as Amazon. He also stated that many problems have arisen within the scope of the decision.
In response to the questions asked, he stated the following. Where accepting cookies is mandatory in order to navigate the site, this does not constitute a violation of the law if the reasons for this are reasonably explained and approval to continue is obtained together with the privacy notice on entering the site; a violation occurs, however, if the service itself is made conditional on that approval. The form of the statement by which cookies are accepted does not matter; what matters is giving the opportunity to refuse, and the privacy notice should be given at the outset. No separate consent is needed for the transfer abroad: consent can be obtained in a single document after matters such as the explicit notice and the purpose of the transfer have been stated. Since explicit consent is quite easy to withdraw, it would be beneficial to rely on it only as the last option. Apart from law enforcement forces and intelligence services, the law provides no exception to the requirement of explicit consent; exceptions exist within the scope of administrative fines, but these do not prevent a disciplinary investigation. Finally, where data is transferred to a data processor abroad, Article 9 of the LPPD applies as if the transfer were made to a data controller.