On May 7, 2020, the Personal Data Protection Authority (“DPA“) issued an announcement regarding commitment letters for cross-border personal data transfers. The DPA provided explanations on the principles and procedures, as well as the relevant information and documentation required, for cross-border data transfer approval applications. The DPA’s announcement is available online here (in Turkish).
According to the Law on the Protection of Personal Data (“Law“), data controllers may transfer personal data without obtaining the data subjects’ explicit consent to countries that do not provide an adequate level of data protection by executing an undertaking letter with the recipient entities and obtaining the Personal Data Protection Board’s approval.
Accordingly, data controllers applying for cross-border data transfer approval must provide the DPA with information on the persons authorized to file the application and any other documentation certifying that these persons are authorized signatories. All documents in foreign language must be translated into Turkish and certified by a notary public. Data controllers must prepare their commitment letters using the commitment letter templates published on the DPA’s website and ensure that all requirements in the templates are included in the commitment letter. In addition, undertakings under the commitment letter must be drafted in the future tense (e.g. “The party transferring personal data shall/will inform the data recipient that the transferred personal data will be processed in accordance with the Law No. 6698 and the provisions of this commitment letter.”)
The applicant data controllers must identify the relationship between the parties to the transfer and use the relevant commitment letter template published by the DPA. In this regard, data controllers provide sufficient explanation about the legal status of the parties to the transfer, and submit to the DPA any document that certifies the relationship between the parties along with the commitment letter (e.g. agreement), if any. Data controllers must take into consideration the general principles under the Law when preparing the commitment letter and any other document annexed to the application file. Data transfers based on the data subject’s explicit consent will not be included in the commitment letter.
In relation to the explanations under the Annex of the DPA’s commitment letter template, data controllers must avoid using vague terms like “such as, similar to, possible, likely” and must clearly indicate the data subject groups. In this respect, data controllers must explain in detail which personal data of the data subject groups will be subject to the transfer and the purposes of the transfer, and the legal grounds for the transfer by establishing a connection between the relevant sections in the Annex.
According to the DPA, subsequent data transfers from the recipient to any other data controller or data processor do not fall within the scope of the commitment letter. If the applicant wishes to carry out subsequent data transfers, it must execute the commitment letter with the data recipient and the relevant data controllers/processors together, or execute a separate commitment letter with these parties. Subsequent data transfers will only be allowed if the data is transferred to the competent institutions and organizations according to the data recipient’s legal obligations under the relevant applicable law.
The DPA continues to provide guidance to data controllers regarding cross-border personal data transfers. In this respect, data controllers applying for the DPA’s cross-border transfer approval must follow the DPA’s instructions and prepare their commitment letters accordingly.
Please stay up to date with further developments through the Esin Attorney Partnership Coronavirus Helpdesk.