

Quick Read: Data Protection Law Updates in Turkey – May 2024

June 2024 – In May, the Turkish Data Protection Authority (“DPA”) shared two draft regulations, approved two applications for cross-border data transfers, and announced 13 data breach notifications.

Reminder: Bells ring for compliance with new scope of DP Law

Amendments to the Turkish Personal Data Protection Law (“DP Law”) came into force as of 1 June 2024. Data controllers are now obliged to comply with the new scope of provisions. You can learn what will change from our information note here.

Dive into May updates

Draft regulation on cross-border personal data transfers is published

With the amendments to the DP Law, the rules relating to the transfer of personal data abroad have changed. The details and procedure related to these new provisions were anticipated, and on 9 May 2024, the DPA published a draft regulation on this matter.

The draft regulation addresses the following issues:

  • procedures for the transfer of personal data abroad;
  • transfers of personal data abroad by data processors;
  • transfers of personal data on the basis of an adequacy decision;
  • transfers of personal data on the basis of appropriate safeguards; and
  • exceptional circumstances for the transfer of personal data abroad.

The draft regulation has been made available to the public and opinions can be submitted to the DPA until 20 May. The DPA is expected to evaluate the opinions received and finalise the regulation.

Draft versions of standard contract clauses and binding corporate rules are published

After the new scope for cross-border data transfers under the DP Law was outlined, cross-border data transfers based on appropriate safeguards were introduced. Accordingly, where a legal basis exists, cross-border data transfers may be carried out on the basis of Standard Contract Clauses ("SCC") or Binding Corporate Rules ("BCR"), among other methods.

On 17 May 2014, the DPA published draft versions of documents (e.g., templates, guidance notes, application form) relating to these two methods. Data controllers and data processors will have to use the documents published by the DPA if they prefer to carry out cross-border data transfers on the basis of SCC or BCR.

The draft documents were made available to the public for their opinions until 27 May. The DPA is expected to finalise the documents by evaluating the opinions.

Two new written undertaking letter approvals are announced

On 2 May and 28 May, the DPA announced the approval of the written undertaking applications submitted by Bosch Termoteknik and Huawei Telekomünikasyon, respectively. In this regard, the aforementioned data controllers may now carry out cross-border data transfers on the basis of a written undertaking letter approved by the DPA.

Public announcement on data breach notification – T-Soft data breach

Under Article 12(5) of the DP Law, data controllers must promptly report any unlawful acquisition of personal data to the affected data subjects and the DPA. Following assessments of breach notifications submitted by various data controllers to the DPA, it has been determined that:

  • T-Soft's data breach occurred through unauthorised access to its management panel;
  • the breach led to the acquisition of data belonging to other users;
  • the breach involved a total of 25 affected data controllers that were utilizing T-Soft's e-commerce infrastructure services;
  • breach detection varied but generally occurred after 20 April 2024; and
  • affected data subjects include employees, users, subscribers, and customers, varying for each data controller, with customers being the common affected group.