Introduction
Procedural issues
Material issues
Matters to be considered in explanations under headings in Annex 1
The Data Protection Law (DPL) (6698) regulates the conditions for transferring personal data abroad. One such condition is that where one of the conditions for processing data stated in the DPL exists and the country to which the personal data is to be transferred does not provide adequate protection, data controllers in Turkey and the relevant foreign country must sign a commitment letter outlining adequate protection and get the approval of the data protection authority (DPA). On 9 February 2021 and 4 March 2021 the DPA announced the approval of the first two commitment letters since it started operating.
On 7 May 2020 the DPA published an announcement regarding the approval of commitment letters – Matters to Be Considered in the Commitment Letter to Be Prepared in the Transfer of Personal Data Abroad. On 24 March 2021 the issue was discussed in the DPA's Wednesday seminar. The procedural and material issues of commitment letter applications were thereby determined by the DPA.
The procedural issues relating to commitment letter applications include the following:
- The name, surname, address, signature and a document certifying the signature authorisation of the authorised person to file an application must be included for data controllers who are natural persons. In this respect, applications of legal entities must be made by persons who have the authority to represent and be bound by the documents certifying the applicant's authority. If the application is filed by proxy, the original power of attorney or its notarised or attorney-certified copy must be included.
- The last pages of the commitment letter and Annex 1 must be signed and stamped, and each signatory must initialise each page.
- To show the authorisation of the signatories, the signatory circular's original or certified copy must be annexed for companies located in Turkey. For transferring companies located in other countries that are party to the Lahey Convention 1961, the original or certified copy of the apostilled document stating the signatory's authorisation must be included. Each document prepared by the official authorities of countries that are party to the Lahey Convention must be apostilled.
- A notarised translation of each document must be included where it is in a foreign language.
- While the commitment letter is being prepared, the required provisions stipulated in the templates published on the DPA's website must be added. If additional provisions are to be added, they must be presented under the title "additional provisions".
- Commitment letter applications must be prepared in line with the DPL instead of the EU General Data Protection Regulation.
- The sentences of the commitment must use the future tense.
After the DPA reviews applications from a procedural perspective, they are examined with regard to their material issues.
The material issues of commitment letter applications include the following:
- The relationship between the parties of the transfer must be determined properly. The correct commitment letter template, determined by the characteristics of the transferee party, must be used. Such templates are published on the DPA's website.
- Detailed and clear explanations regarding the legal status of parties must be provided and documents – such as the agreement and the protocol that stipulates the relation between the parties – must be sent with the commitment letter application.
- The terminology of the DPL must be followed and the definitions must be in accordance with the DPL and secondary legislation.
- The interrelated issues must be presented together with sufficient explanations.
- Transfers of personal data abroad that are based on explicit consent cannot be the subject of the commitment.
- The general principles stipulated in the DPL should be observed when issuing the commitment letter and its annexes.
Matters to be considered in explanations under headings in Annex 1
The matters to be considered in the explanations under the headings of Annex 1 are as follows.
Data subject group and groups
The data subject group or groups must be specified clearly with no ambiguous expressions.
Data categories
While specifying the data categories, the principle of "being relevant, limited and proportionate to the purposes for which they are processed" must be observed. When expressing data categories, ambiguous and broad expressions should not be used, and the data categories must be presented in clear detail.
The personal data to be transferred must correlate with the heading "data subject group and groups" and clearly state which data categories belong to which data subject groups. Further, ambiguous expressions must not be included.
Purposes of transfer
The purposes of the transfer must be explained in correlation with the heading "data categories". Further, the limits of the purpose of processing personal data in the relevant section should be explained in specific and clearly understandable detail under the principle that it is being processed for specific, explicit and legitimate purposes.
Legal basis of transfer
The legal basis of the personal data transfer that is subject to the commitment letter must be set out separately in justified and clear detail by establishing a correlation with the heading "data categories". In this respect, the legal basis stipulated in the DPL must be shown.
Recipient and recipient groups
The DPL does not permit "onward transfers" (ie, data transfers from the transferee to any other data controller or data processor located in a foreign country). However, onward transfers to governmental authorities are accepted under the scope of the transferee's legal obligations. Therefore, if the governmental authorities can be identified, they must be specified.
Technical and organisational measures that receivers will take
While preparing this section, the DPA's Guideline on Technical and Organisational Measures must be considered. The technical and organisational measures to which the receiver is committed must be set out separately and the certifying documents must be included.
Additional measures taken for special categories of personal data
The compulsory technical and organisational measures stipulated in DPA Resolution 2018/10, Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data (31 January 2018), must be included in this section and the certifying documents must be included.
VERBIS information of data controllers
If the data controller is not obliged to register with the Data Controllers Registry Information System (VERBIS), the reason for this must be explained. Otherwise, the VERBIS information of the data controller must be specified.
Additional useful information
Retention periods and other information which is not included under any other heading is included in this section. The processing retention must be specified with information about at least the maximum period and the reason therefor. If legislation determines the retention period, the legislation and the related provisions must be specified.
Contact person's contact details
Contact details must be provided.
Other headings
"Data controller" and "data processor"
The titles of "data controller" and "data processor" are stipulated in the commitment letter template for "transfers to data processor from data controller".
In these sections, the data controller's and data processor's fields of activity must be explained. Explanations regarding the data transfer of the data controller and the processing activities to be performed by the data processor after the transfer must be presented in clear detail.
"Processing activities"
The title "processing activities" is stipulated in the commitment letter template for "transfers to data processor from data controller".
The processing activities of the transferee should be set out in clear detail.
For further information on this topic please contact Burak Özdağıstanli, Bensu Özdemir or Sümeyye Uçar at Özdağıstanli Ekici Attorney Partnership by telephone (+90 216 230 07 48) or email ([email protected], [email protected] or [email protected]). The Özdağıstanli Ekici Attorney Partnership website can be accessed at www.ozdagistanliekici.com/.