July 2024 – The agenda of the Turkish Personal Data Protection Authority (“DPA”) for July included the anticipated regulation on the transfer of personal data abroad and the implementation of new standard contract clauses. Also in July, the DPA published the second issue of its KVKK Journal and the fourth edition of its Bulletin.
Dive into July updates
1. Regulation on cross-border personal data transfer is published
Following the recent amendments to the Turkish Personal Data Protection Law (“DP Law”), the DPA published the "Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad" on 10 July 2024. This regulation is a significant component of the changes to the DP Law. Key aspects include:
Adequacy decisions: the amendments authorise the Board to designate specific countries, sectors, or international organisations as having adequate data protection levels. However, no countries have yet been granted this status.
Appropriate safeguards: When there is no adequacy decision, data can still be transferred internationally under certain conditions, including:
- binding corporate rules: multinational corporations can transfer data within their group using these rules, subject to the Board’s approval;
- standard contractual clauses: these clauses specify the conditions and obligations for data transfer and require only notification, not pre-approval by the Board;
- written commitments: organisations can provide a written commitment on adequate protection, which the Board must approve.
Temporary data transfers: temporary data transfers are allowed without adequacy decisions or safeguards under specific conditions, such as explicit consent of data subjects.
2. Essential documents for cross-border personal data transfer released
The DPA has released the final versions of essential documents for cross-border data transfers, previously opened for public opinion. These documents include:
- standard contract clauses: texts that outline the requirements for using standard contracts in data transfers;
- binding corporate rules: application forms and guidelines for implementing binding corporate rules within corporate groups.
These documents are now available on the DPA's website. Data controllers and processors planning to transfer personal data abroad using BCRs or standard contract clauses must use these official documents. They are required to notify the Board within five business days after executing these agreements.
3. New issue of KVKK Journal
On 2 July 2024, the DPA published the second issue of the KVKK Journal, a peer-reviewed, scientific-academic publication that is released biannually. The new issue features articles on topics such as AI-supported video interview applications used in recruitment, ChatGPT and personal data protection, and the protection of personal data in blockchain technology.
4. Frequent mistakes in complaints and notifications
A brochure on common mistakes in the complaint and notification procedure to the DPA has been published on the DPA's website. Below is a summary of these common mistakes and recommendations for ensuring compliance:
Exhaustion of remedies with the data controller: data subjects must first address requests to the data controller before filing a complaint with the DPA. Direct complaints without this step are rejected.
Stamp duty for attorney submissions: Complaints submitted through an attorney must include the appropriate stamp duty on the power of attorney. Submissions without this stamp are not accepted.
Evidence of applications: complaints should attach evidence, such as receipts or confirmation emails, of prior applications to the data controller.
Correct communication channels: data subjects can use previously registered electronic methods for data controller applications.
Timeliness: Complainants should file their complaints within 30 days of a response or 60 days without one.
Clear documentation: Complainants should ensure all documents are legible and complete with dates.
Identification: Complaints must include the complainant's full name, signature, and contact information.
Authorised representation: Only data subjects or authorised representatives can file complaints.
Complaints about deceased individuals: Such complaints must involve identifiable data of living persons.
Data breach notifications
- Following a data leak from the systems of Adnan Özen İnşaat, a data breach occurred and the personal data of customers were affected.
- Following an attack on the systems of Creditwest Faktoring, a data breach occurred and the personal data of employees and customers were affected.
- A data breach at Uber Technologies, the source of which is not yet known, affected the personal data of users and drivers.
- After a cyber-attack occurred at Güneş Express Havacılık, the personal data of employees and customers were affected.
- After a cyber-attack occurred at Ann & Robert H. Lurie Children's Hospital of Chicago, the personal data of employees, patients and family members were affected.