Turkey transfer of personal data abroad | cross border data transfers

Turkey has unveiled a game-changing regulation for businesses handling personal data. On 10 July 2024, the Personal Data Protection Authority (KVKK) introduced the “Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad No. 32598.” This regulation significantly impacts how companies manage transfers of personal data out of Turkey. Let’s dive into the key points you need to know.

How Turkey’s transfer of personal data rules affect your Business

The new regulation clarifies Article 9 of Turkey’s Personal Data Protection Law, focusing on international data transfers. It applies to all data controllers and processors involved in moving personal data out of Turkey. Here’s what you must do:

  • Follow existing laws. Ensure your data transfers comply with both the Personal Data Protection Law and this new regulation.
  • Monitor data processors. If you use data processors, make sure they follow your instructions when transferring data.

New procedures to follow

The regulation allows for personal data transfers abroad under these conditions.

  • Adequacy decision. The Personal Data Protection Board deems the recipient country, sector, or international organisation to provide adequate data protection.
  • Implement safeguards. Without an adequacy decision, you must use one of these:
    • An agreement between public institutions or organisations
    • Board-approved binding corporate rules
    • A Board-declared standard contract
    • A Board-approved written commitment with protection provisions
  • Exceptional circumstances. In limited cases, data may be transferred without the above safeguards if:
    • It’s incidental (not regular or continuous)
    • One of the specific exceptions listed in the regulation applies (e.g., explicit consent, contract performance, vital interests)

How the Board shapes international data transfers

The Personal Data Protection Board (Kişisel Verileri Koruma Kurulu or KVKK Board in Turkish) is an entity in Turkey’s data protection landscape. Established under the Personal Data Protection Law, this independent body is responsible for enforcing data protection regulations in Turkey.

In the context of the new regulation on transfers of personal data out of Turkey, the Board wields significant power.

  • It decides which countries, sectors, or organisations provide adequate protection.
  • It can review and revoke adequacy decisions.
  • It approves safeguards like binding corporate rules.
  • It determines standard contracts for data transfers.

Steps to comply with Turkey’s new data transfer rules

  1. Audit your practices. Examine your current data transfer processes for compliance gaps.
  2. Establish safeguards. Implement appropriate safeguards for your data transfers.
  3. Keep detailed records. Document all personal data transfers leaving Turkey.
  4. Stay alert. Monitor the Board’s decisions on adequate countries or sectors.
  5. Train your team. Educate your staff on the new requirements for international data transfers.

Prepare for Turkey’s stricter data transfer landscape

This regulation marks a pivotal shift in Turkey’s approach to data protection. It offers clearer guidelines for international data transfers but also introduces new compliance challenges. If you operate in Turkey or handle data of Turkish residents, you must act now. Review this regulation carefully and adapt your data transfer practices to avoid penalties and maintain trust with your Turkish customers and partners.

Actions to take next

  • Ensure that your organisation has the necessary safeguards in place by asking Michalsons to conduct a data protection health check and updating your privacy policies.
  • Empower yourself with the necessary knowledge for data protection compliance by joining our data protection programme.
  • Determine the impact the updated notification rule has on your organisation by asking Michalsons to conduct an impact assessment for you.

July 12th, 2024 | Categories: POPI and Data Protection