Cross-Border Data Transfers: Commitment Letters
IT & Communications
Click the button to listen to our legal alert now!
On 24 March 2021, the Data Protection Authority (DPA) discussed the commitment letters for cross-border personal data transfers and touched upon the procedures and principles to be followed for applications in its Wednesday Seminar. As is known, the Law on the Protection of Personal Data (“Law”), sets forth certain rules on cross-border transfer of personal data. Preparing a commitment letter between the transferor and the transferee and obtaining the DPA’s approval appears as one of those mechanisms. Two template forms are published on the DPA’s website for this purpose: one is for transfers from data controller to data controller, and another for transfers from data controller to data processor. You may access these templates (in Turkish) here. After the Law came into effect in 2016, the DPA announced its first approval of a commitment letter on 9 February 2021 and its second approval on 4 March 2021.
What was Discussed During the Seminar?
Procedural and material aspects of commitment letter applications were discussed separately in the seminar.
As for procedural issues, the following matters were highlighted:
- Applications for real person data controllers must specify the applicant’s name, surname, address and signature and include the document attesting to the signatory authorities (such as a signature circular) in the cover letter. The signature circular must be submitted with applications for legal entities as well. For applications made by proxy, a notarized copy of the power of attorney must be submitted. The DPA may not accept a copy of the power of attorney unless it is notarized.
- For foreign companies, an apostilled and notarized copy of the document attesting to the signatory authorities (such as a trade registry certificate obtained from the authority in the relevant country or a signature circular) must be submitted.
- The last pages of the commitment letter and Annex 1 must be signed and stamped, and other pages must be initialized by each signatory.
- Notarized Turkish translations of all documents in foreign languages (including the documents setting out technical and organizational measures) must be submitted.
- One of the template commitment letters published on the DPA’s website must be used to the extent applicable for a related application, and its content must be kept as is without removing any subject. That being said, additional information can be included in the commitment letter. Note that templates published on the DPA’s website, which are prepared in accordance with the Law, must be used and submitted, rather than templates prepared pursuant to the General Data Protection Regulation or the California Consumer Privacy Act.
The DPA first reviews the applications from the procedural perspective and then moves forward with review of material aspects. During the seminar with regard to the material aspects of applications, the following issues were highlighted:
- Course of transfer must be carefully analyzed (whether from data controller to data controller or from data controller to data processor) to duly select the applicable commitment letter template as published on the DPA’s website. The DPA’s decision dated 30 January 2020 and numbered 2020/71 can be taken as reference for determining the relationship between a data controller and data processor. The relevant decision is available here.
- The terminology set out by the Law must be used in the commitment letters. For instance, the term “data subject” must be used instead of “data owner.”
- Transfers based on explicit consent must not be included in the commitment letters.
- Annex 1 of the commitment letter template for cross-border transfers from data controller to data controller sets out four sections to be filled: (i) data subject groups (whose data is to be transferred); (ii) categories of data to be transferred (such as communication data and finance data); (iii) legal basis (set out under Articles 5(2) and 6(3) of the Law); and (iv) the purpose of data transfer (such as use of information technologies infrastructure). These sections, except for the section titled “Purpose of the Transfer,” are also included in Annex 1 of the commitment letter template for cross-border transfers from data controller to data processor. The relationship between these sections must be established and all required information must be submitted correctly. For this purpose, the DPA has suggested that applicants submit these sections in a table.
- According to the principle set forth in Article 4(2) of the Law, which requires that data processing activities must be in line with the purpose of processing, be limited, and be proportionate, applicants must avoid using vague, indefinite terms such as “etc.” or “future employees.” Submissions must also include clear and distinct information. To ensure understanding, the DPA has suggested using “Sub-category (name of the personal data)” formula when referring to the personal data being transferred.
- The purpose of data processing must not be mistaken for the legal basis. Related legal bases, such as those stated in Articles 5(2) and 6(3) of the Law, must be included in the submission. Note that with respect to the data relating to health and sexual life, the conditions under Article 6(3) of the Law must be met to be able to rely upon as a legal basis.
- The Law prohibits onward transfer (i.e., transfer of personal data to other data controllers by the transferee located in a foreign country) except for transfers to governmental and judicial authorities due to legal requirements. Accordingly, if the data will be subject to onward transfer to governmental authorities that are currently identifiable (for instance, the competition authority or telecommunications authority), the name of the authority must be specified under the “Recipient and recipient groups” section of the submission.
- The DPA’s relevant guidelines regarding technical and organizational measures must also be considered. With respect to sensitive personal data, the measures set out in the DPA’s decision dated 31 January 2018 and numbered 2018/10, in addition to those stated in the guideline, must be considered and included in the submission accordingly. The guideline is available here and the decision is available here.
- Retention periods must be specified under the section titled “Additional Helpful Information.” If the retention period is determined based on a legal requirement, the relevant law and article must be clearly referred to in the submission.
- Data processing activities to be carried out after the transfer must be specified under the section titled “Processing Activity” and must be in line with the definitions (such as storage and retention) set out in Article 3(1) of the Law. The purpose of processing must not be mistaken as a processing activity.
- As for the section on the Data Controllers Registry System (tr. VERBIS), if the applicant is exempt from the registration obligation, then the grounds of exemption must be clearly specified with reference to the relevant decision of the DPA. If the applicant is not exempt from such obligation, VERBIS registration information, such as the application registration number, must be included in the submission.
- The DPA’s announcement dated 7 May 2020 (available here) must be reviewed carefully when preparing the commitment letters.
Applications for commitment letters, which are one of the mechanisms in place enabling cross-border data transfer without explicit consent, are becoming more important. And in 2021, the DPA has started approving commitment letters that were previously submitted for approval. The information set out by the DPA during the seminar will enlighten data controllers wishing to proceed with the commitment letter mechanism.