The Turkish Personal Data Protection Board (“Board”), in its decision numbered 2020/559 dated July 22, 2020 (“Decision No. 2020/559”), evaluated the cross-border data transfer rules of the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”) and the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data numbered 108 dated January 28, 1981 (“Convention No. 108”). In particular, the Decision No. 2020/559 highlighted that relying on the Convention No. 108 for cross-border data transfers is unlawful in terms of the requirements of the Law No. 6698.
Background on Complaint
A data subject filed a complaint with the Board against the data controller, a company operating in the automotive sector, regarding its cross-border data transfers, which were taking place within the scope of marketing activities without the explicit consent of the data subject. As per the Decision No. 2020/559, the data controller was transferring its customers’ personal data abroad for the purpose of sending e-mails and messages to them via its web-based digital marketing software, which requires customers’ data to be transferred to a cloud-based server in a member state of the European Union.
Data Controller’s Response
In response to the complaint, the data controller claimed that (i) the explicit consent of the data subjects whose personal data had been transferred abroad was obtained, (ii) the transfer of personal data via its web-based digital marketing software to its data processor was necessary for its legitimate interests, (iii) pursuant to Article 12 of the Convention No. 108, to which Turkey is a party, cross-border data transfers may not be prohibited or subjected to special authorization without meeting the exceptions listed under Article 12(3)(a)(b), and there were no legal restrictions in this regard in Turkey, and (iv) pursuant to Article 2 of Additional Protocol No. 181 to the Convention No. 108, the assessment of whether a country ensures an adequate level of protection may only be carried out on non-signatory countries. Therefore, in the data controller’s view, the cross-border data transfer made to its data processor in the European Union was lawful and based on its legitimate interests as well as the Convention No. 108.
International Data Transfer Rules and Legitimate Interest
Pursuant to Article 9 of the Law No. 6698, a cross-border data transfer may take place if the data subject’s explicit consent is provided. However, personal data may be transferred abroad without the explicit consent of the data subject under several circumstances:
- If one of the conditions referred to under Article 5(2) or Article 6(3) of the Law No. 6698 applies to the cross-border data transfer in question and the country to which the personal data are to be transferred provides an adequate level of data protection, as recognized by the Board. The countries with an adequate level of data protection shall be determined and announced by the Board. However, the Board has not announced such countries yet.
- In case the country to which personal data are to be transferred does not provide an adequate level of data protection, if the adequate level of data protection is provided with a written commitment between the data exporter and the data importer, or binding corporate rules, that are approved by the Board.
Article 5 of the Law No. 6698 stipulates that personal data shall not be processed without the explicit consent of the data subject. However, personal data may be processed without the explicit consent of the data subject if it is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not violated.
Pursuant to the Board’s decision numbered 2019/78 and dated March 25, 2019, when relying on legitimate interests, data controllers have to identify their specific legitimate interest which applies to that specific situation and conduct a balance test between the fundamental rights and freedoms of data subjects and the legitimate interest in order to assess whether any fundamental right or freedom is violated.
The Board’s Perspective
In response to the data controller’s claim that explicit consents had been obtained where necessary, the Board replied that neither the privacy notice nor the explicit consent form provided by the data controller included any information stating that personal data would be transferred abroad if data subjects consented to receiving e-mails and messages for marketing purposes.
Furthermore, the Board underlined that if a data processing activity requires obtaining explicit consent for more than one category of personal data, explicit consent requests have to specify which categories of personal data are to be processed for which specific purpose. Moreover, data controllers must also obtain explicit consent for their further processing activities, such as data transfer abroad, to be carried out after their primary use of the data.
In the Decision No. 2020/559, it is stated that the data controller had not provided any information either on what its legitimate interest for such transfer is or on whether a balance test took place in this regard. Therefore, the Board concluded that there was no valid legitimate interest for the cross-border transfer in question, since the data controller did not clarify its legitimate interest.
Article 12 of the Convention No. 108
In the Decision No. 2020/559, the Board stated that the purpose of Article 12 of the Convention No. 108 is to facilitate the data flow among the signatory countries based on the preliminary acceptance of sufficient safeguards in terms of protection of personal data in such countries.
The Board further mentioned that Article 12 of the Convention No. 108 does not prevent countries from making regulations in their domestic law to prohibit domestic and cross-border data transfers in certain situations. Therefore, the Board concluded that, regardless of the fact that being a party to the Convention No. 108 may be considered as one of the criteria during the evaluation of the adequate level of protection, signatory countries cannot automatically be deemed countries which ensure such a level of protection. In this context, the Board underlined that the data controller should have signed a written commitment and submitted it to the Board for approval in order to rely on its legitimate interests to transfer data abroad. However, it is also stated in the Decision No. 2020/559 that the data controller did not follow any procedures regarding written commitments.
For these reasons, the Board concluded that:
- The data controller failed to fulfill the requirements of cross-border transfer of personal data and the obligation to “prevent unlawful processing of personal data” stipulated under Article 12(a) of the Law No. 6698, accordingly,
- An administrative fine worth TRY 900,000 pursuant to Article 18 of the Law No. 6698 shall be imposed on the data controller,
- The erasure and destruction of personal data which were unlawfully transferred abroad shall be conducted by the data controller in accordance with Article 7 of the Law No. 6698 and that the Board will be notified thereof, and
- The obligation to inform data subjects and to obtain explicit consent shall be fulfilled separately and lawfully.