Your Partner
in Legal Success
| Reading Time: 9 Minutes
Incidental Circumstances Regulation For The Transfer of Personal Data Abroad With The PDPL Reform in Türkiye
With the adoption of the 8th Judicial Package by the Grand National Assembly of Turkey, significant amendments have been made to the Personal Data Protection Law (“PDPL”) regarding the transfer of personal data abroad. One of these amendments includes, in addition to the regulations related to continuous transfer, provisions concerning transfers that do not involve a continuous transfer of data abroad and are made on an incidental basis. According to the new regulation, if one of the guarantees accepted for continuous transfer mentioned in the fourth paragraph of Article 9 cannot be provided and the processing conditions specified below are met, then transfer of data abroad through this method may be possible.
The examination of the “Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679” (hereafter referred to as ‘the Guide’), will illuminate the situations listed under the section concerning incidental transfers.
Primarily, the incidental transfer of data abroad is a situation that may be considered when there is no adequacy decision regarding the country to which the data is being transferred and when the guarantees listed in the fourth paragraph of Article 9 of the KVKK cannot be provided. This constitutes an exceptional type of data processing and, as such, should be interpreted narrowly. The changes made specify the following conditions for incidental circumstances in the relevant provision:
- The data subject has given explicit consent to the transfer, after being informed of the potential risks,
- The transfer is necessary for the performance of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures taken at the request of the data subject,
- The transfer is necessary for the conclusion or performance of a contract in favour of the data subject between the data controller and another natural or legal person,
- The transfer is necessary for reasons of significant public interest,
- The transfer is necessary for the establishment, exercise, or defence of legal claims,
- The transfer is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent,
- The transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, provided the conditions for accessing the register specified in the relevant legislation are met and upon request by the person with a legitimate interest.
The judicial package is prepared based on General Data Protection Regulation (GDPR) for the incidental cases intended to be applied in Turkish law; therefore, the articles will be exactly the same as those to be applied in Turkey, except for subparagraph (g). The change is that a guide, in line with the one mentioned above, has not yet entered into force in our law. The relevant guide emphasizes the regulations more clearly by presenting to the public how the articles organized under GDPR will be applied, their definitions, their scopes, and examples. In this regard, we also find it important to examine such a guide for a better understanding of the incidental circumstances that will soon be implemented.
DETAILS OF INCIDENTAL CIRCUMSTANCES WITHIN THE FRAMEWORK OF THE GUIDE
In accordance with the provisions delineated in the guide [1] prepared for the elucidation and application of the GDPR, incidental data transfers must inherently possess the characteristics outlined below:
- The occurrence should be “occasional” and should not be continuous or of a repetitive nature.
(For instance, it cannot be claimed that an incidental circumstance has arisen on behalf of the individuals transferring and receiving data within a regular relationship.)
- There must be a necessity arisen for the utilization of the exception.
- “A situation must arise where there is no adequacy decision and one of the required safeguards for continuous data transfer has not been provided.
- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate [2]
The data controller may proceed with the proposed transfer in cases where, due to the absence of an adequacy decision and appropriate safeguards, such transfers are explicitly consented to by the data subject after being informed about the risks involved. The guidance specifies that there must be explicit consent. The guidance specifies that;
- Consent must be explicit.
- Consent must have been given for the specific transfer constituting an incidental transfer.
For example, if a company obtains consent from data subjects for the purpose of delivery, and several years later, when the company is sold and it becomes necessary to transfer the data abroad, this explicit consent cannot be used. Consent must be specifically obtained at the time the situation arises.
- The data subject must be informed about potential risks.
It is necessary that the data subject is appropriately informed in advance about the specific conditions of the transfer (the identity of the data controller, the purpose of the transfer, the type of data, the existence of the right to withdraw consent, the identity or categories of recipients). In addition to this situation, information is provided regarding the lack of sufficient safeguard, the absence of adequacy decision in the country to which the data is transferred, and that the consent is a legal requirement.
The amendment is one of the notable regulations of the KVKK (Personal Data Protection Law) reform. The concept of explicit consent in Article 9 has been redefined. With the amendment, an additional obligation has been introduced to the responsibilities of data controllers regarding the transfer of data abroad, beyond obtaining explicit consent. This obligation is the duty to inform the data subject about the risks. This is a specific and independent obligation of clarification.Formun Üstü
When informing the data subject about the data processing activity, the data controller must also convey the information determined by the guideline[4] on the obligation of clarification published by the Personal Data Protection Authority (“Authority”), along with the risks related to the incidental transfer. Those who fail to comply with this obligation incorporated into the law text will be subject to administrative fines.
With the revised provision of Article 9, which regulates transfers abroad, the institution of explicit consent has been limited to incidental transfers. As a result of this limitation, which practitioners and data controllers need to heed, new clarification declarations will need to be prepared for transfers abroad that fall within the definition of incidental transfers.
In the transitional provisions of the reform, the transfer of data abroad based on explicit consent will end on September 1, 2024. Until this date, it will be necessary to differentiate between incidental and continuous transfers for transfers abroad, and for incidental transfers based on explicit consent, the obligation of clarification must be carried out in accordance with the new regulation.
- Transfer necessary for the performance of a contract between the data subject and the controller or for the implementation of precontractual measures taken at the data subject’s request.[5]
As an example of this situation; A travel agency making a preliminary reservation at a hotel in a third country on behalf of a customer can be given as an example of this transfer. In this example, an incidental relationship is established with the hotel in the said country. The request of the data subject is also sought for the application of pre-contractual measures.[6]
- Transfer necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.[7]
In this case, the party to the contract will not be the data subject but between the data controller and the third natural or legal person. Data transmitted during travel and accommodation activities for the benefit of the data subject can be considered within this scope.
- The transfer must be necessary for a superior public interest. [8]
The country to which the transfer is made must have a superior public interest. Distinguishing from the public interest definition, the concept of superior public interest has been accepted. It is possible to consider transfers related to competition, taxation, social security institutions, epidemic diseases, money laundering, combating match-fixing, etc., under this condition.
The guideline clarifies that there is no distinction between whether the data transmitter or the recipient is a public entity or a natural person.
Furthermore, the guide specifically recommends that public institutions continue transfers with provided safeguards, as opposed to incidental situations.
- Transfer is necessary for the establishment, exercise or defense of legal claims.[9]
According to the guideline, this incidental case can be applied even if it pertains to a judicial, administrative, or extrajudicial procedure. This exception can also be applied to activities conducted by public authorities using public powers. Procedures within the scope of a third country are also included in this exception. However, it is required that the transfer actually occurs in reality; a transfer remaining theoretical will not provide a legal basis for this exception.Formun Üstü
In the event of such a situation, attention should be paid to whether there are any legal regulations in the third country that might prevent the transfer. The guideline specifies that individuals transferring data in such instances must consider the principle of data minimization under GDPR.
For instance, this exception can be applicable in situations where the parent company of a corporate group based in a third country is required to transfer data for evidentiary purposes after being sued by a temporary employee of one of its subsidiaries. This scenario illustrates the permissible reliance on this exception for the transfer of data under specified circumstances. [10]
- Transfer necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.[11]
The guideline provides a justification for this situation, stating, “If an individual loses consciousness while outside the EU and requires emergency medical care, it should be legally possible for certain personal data, including data (e.g., individual’s regular doctor) to be provided by an exporter established in an EU Member State.
In this context, this exception cannot be used to justify the transfer of personal medical data outside the EU unless it is specifically for treating the situation of the data subject or another person’s condition; for instance, it cannot be used for conducting general medical research that will yield results in the future. Being subject to legal interdiction is also included in this context.
As indicated in the guideline, search and rescue operations following natural disasters are among the prime examples of this situation.
Formun Üstü
It is possible to resort to this incidental transfer case when a patient’s medical data needs to be transferred to a third country for treatment purposes in an emergency. However, the important consideration here is that there must be a serious threat to the individual’s life and physical integrity. It is not permissible to transfer general health data based on this reason. [12]
- Transfer made from a public register [13]
This incidental circumstance is the first circumstance that shows a difference between the new Turkish regulation and the GDPR regulation. In the regulation to be applied in Turkish law, the transfer of data from public registers is conditioned upon the establishment of a legitimate interest and the fulfilment of the criteria for access to the register as stipulated in the legislation.
The register should provide the opportunity to disclose information either to the public at large or to any individual who can demonstrate a legitimate interest. Private registers cannot be included in this exception. If examples are needed for this exception; company registers, associations registers, criminal conviction registers, (property registers, or public vehicle registers could be mentioned.
The transfer cannot encompass all categories and can only be made to the individual who conveys the request, with the interests of the data subjects being considered.
The final detail to mention is that the reform has introduced restrictions on incidental transfers in the activities of public institutions subject to public law into Turkish law. In this context, public institutions cannot base their actions on the circumstances for incidental transfers detailed in the relevant article, which include (a) the data subject giving explicit consent to the transfer after being informed about potential risks, (b) the transfer being necessary for the performance of a contract between the data subject and the data controller, or for pre-contractual measures taken at the data subject’s request, and (c) the transfer being necessary for the conclusion or performance of a contract in the interest of the data subject between the data controller and another natural or legal person.
THERE IS A NEED FOR THE AUTHORITY TO ISSUE GUIDES AND GUIDELINES TO UNDERSTAND INCIDENTAL CIRCUMSTANCES.
It is evident that the new regulations in Turkish law specifically require certain situations to be regulated considering extraordinary conditions. It is also clear that these regulations may bring scenarios that make the transfer of personal data abroad inevitable. In this context, the existence of a regulation like the guideline evaluated above under the (GDPR) is an inevitable necessity for the Personal Data Protection Law (PDPL). This necessity requires the provision of detailed rules and guidance for the protection of personal data and the regulation of international transfers, in accordance with the specific needs and conditions of the PDPL. Such guidance should be particularly instructive for data controllers and data subjects, providing clarity on the conditions under which incidental transfers can be conducted and how.
[1] European Data Protection Board (EDPB) (2018) Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf
[2] EDBP (2018) age, p.6
[3] Kaya, Mehmet Bedii (2024) KVKK Reformu: 2024 Değişiklikleri, p.46
(Dijital Baskı 1.0), https://mbkaya.com/hukuk/kvkk-reformu.pdf
[4] https://kvkk.gov.tr/Icerik/5443/AYDINLATMA-YUKUMLULUGUNUN-YERINE-GETIRILMESINDE-UYULACAK-USUL-VE-ESASLAR-HAKKINDA-TEBLIG
[5] EDBP (2018) Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, p.8
[6] Kaya, Mehmet Bedii (2024) age, p.48
[7] EDBP (2018) Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, p.9
[8] EDBP (2018) age, p.10
[9] EDBP (2018) age, p.11
[10] Kaya, Mehmet Bedii (2024) age, p.,49
[11] EDBP (2018) age, p.12
[12] Kaya, Mehmet Bedii (2024) age, p. 50
[13] EDBP (2018) age, p.13