Hello, dear readers,
In this post, we will cover the new regulations on the transfer of personal data abroad, and their importance for businesses, through a dialogue text in the context of Legal English. As of 2025, the updates made under the Personal Data Protection Law and the published guidelines provide a clearer framework for how data transfers are to be carried out. In this post, we will examine in detail the points that all relevant parties, data controllers first and foremost, need to pay attention to. A vocabulary list and a topic test are also included at the end of the post.
We wish you enjoyable studying …
Dialogue
Attorney Ali BİLGİ: Good morning, Mr. Girişken. How can I assist you with your legal matters today?
Entrepreneur Murat GİRİŞKEN: Good morning, Mr. Bilgi. I’ve been reviewing the regulations on cross-border data transfers, but I still have some questions. Could you help clarify some points for me?
Attorney Ali BİLGİ: Of course, I’d be happy to assist. Are you familiar with the recent updates regarding cross-border transfers of personal data under the Personal Data Protection Law?
Entrepreneur Murat GİRİŞKEN: I’ve read about the guidelines, but I’m not entirely clear on the details. Could you explain the main changes that have been implemented?
Attorney Ali BİLGİ: Certainly. As of 2024, significant amendments were made to the Personal Data Protection Law to provide clearer guidelines on the cross-border transfer of personal data. A transition period of three months was also introduced. The new guidelines offer detailed explanations, including examples, to address ambiguities in the law’s implementation.
Entrepreneur Murat GİRİŞKEN: So, there’s a difference between cross-border data transfer and directly collecting data from individuals in Turkey, right?
Attorney Ali BİLGİ: Yes, that’s correct. If a foreign data controller directly collects personal data from data subjects in Turkey, it does not automatically count as a cross-border transfer. However, the processing of this data still needs to comply with the Law. If the foreign data controller shares the data with other controllers or processors abroad, that would be considered a cross-border transfer.
Entrepreneur Murat GİRİŞKEN: Understood. What about data transfers between group companies?
Attorney Ali BİLGİ: When it comes to group companies, the guidelines offer some clarity but not as much as expected. For example, if a Turkish subsidiary of a multinational company transfers employee data to its parent company abroad for storage, the Turkish subsidiary acts as the data controller. The parent company, in this case, could be considered a data processor. However, if the parent company processes this data for purposes beyond storage, it could also be considered a data controller.
Entrepreneur Murat GİRİŞKEN: I see. So, for multinational companies, would the use of standard contracts still apply?
Attorney Ali BİLGİ: Yes, exactly. Multinational companies typically rely on standard contractual clauses for data transfers between data controllers and processors. In cases where both the parent company and foreign subsidiaries are data controllers, data controller-to-data controller contracts are generally used.
Entrepreneur Murat GİRİŞKEN: What about the safeguards when there’s no adequacy decision for the country receiving the data?
Attorney Ali BİLGİ: The guidelines outline how to proceed in such cases, focusing on the use of appropriate safeguards. If there’s no adequacy decision for the recipient country, transfers must be based on standard contractual clauses or other safeguards to ensure data protection.
Entrepreneur Murat GİRİŞKEN: Can the standard contracts be modified?
Attorney Ali BİLGİ: No, it’s crucial that the standard contracts remain unchanged except for optional clauses provided by the Authority. Modifying the contracts could be seen as circumventing the law, especially if companies attempt to set an arbitrary effective date, such as September 1, 2024.
Entrepreneur Murat GİRİŞKEN: What about the annexes to these contracts? Are there any specific guidelines on how to fill them out?
Attorney Ali BİLGİ: Yes, the guidelines provide clear instructions for filling out the annexes. It’s essential that the information provided in the annexes aligns with the data controller’s registration in the VERBIS system. Ensuring consistency between the contract and VERBIS records is vital for compliance.
Entrepreneur Murat GİRİŞKEN: One last thing, what is the status of cross-border data transfers as of 2024?
Attorney Ali BİLGİ: The guidelines show that, prior to the amendments, there was limited compliance with cross-border data transfers, with only a small number of applications approved. Since the amendments, the situation has improved, but there are still gaps in data controllers’ compliance efforts. However, standard contractual clauses remain the most commonly used safeguard for data transfers, and companies must update their VERBIS records accordingly to stay compliant.
Entrepreneur Murat GİRİŞKEN: Thank you, Mr. Bilgi. This clarifies a lot for me.
Attorney Ali BİLGİ: You’re welcome, Mr. Girişken. If you have any further questions, feel free to reach out.
Vocabulary List
- cross-border data transfer – sınır ötesi veri transferi
- data controller – veri denetleyicisi
- data processor – veri işleyicisi
- adequacy decision – yeterlilik kararı
- standard contractual clauses – standart sözleşme hükümleri
- personal data protection – kişisel veri koruma
- regulations – düzenlemeler
- amendments – değişiklikler
- data subjects – veri sahipleri
- compliance – uyum
- safeguards – koruma önlemleri
- binding corporate rules – bağlayıcı kurumsal kurallar
- data transfer agreement – veri transferi anlaşması
- data privacy – veri gizliliği
- verbal agreement – sözlü anlaşma
- to comply with – uymak
- to circumvent the law – yasayı dolanmak
- unforeseen circumstances – öngörülemeyen durumlar
- to ensure consistency – tutarlılığı sağlamak
- to act as a data controller – veri denetleyicisi olarak hareket etmek
- to process data – veri işlemek
- data transfer mechanisms – veri transferi mekanizmaları
- legal requirements – yasal gereklilikler
- data protection authority – veri koruma otoritesi
- data protection law – veri koruma yasası
Test on Cross-Border Data Transfers
1. Which of the following is true about cross-border data transfer under the Personal Data Protection Law?
   - a) It is always necessary to obtain explicit consent from data subjects.
   - b) Directly collecting personal data from data subjects in Turkey constitutes a cross-border transfer.
   - c) A cross-border data transfer occurs when data is shared with other controllers or processors abroad.
   - d) The law does not regulate cross-border data transfers.
2. What is the role of a data controller in cross-border data transfers?
   - a) A data controller ensures data is securely stored within the same country.
   - b) A data controller determines the purposes and means of processing personal data.
   - c) A data controller merely processes data on behalf of other parties.
   - d) A data controller is responsible for implementing safeguards for data processors.
3. What happens if a foreign data controller collects personal data directly from data subjects in Turkey?
   - a) It constitutes a cross-border transfer.
   - b) It is not considered a cross-border transfer but must comply with the Personal Data Protection Law.
   - c) The data must immediately be transferred to third parties abroad.
   - d) The foreign data controller is exempt from following the law.
4. What are binding corporate rules?
   - a) Regulations for data protection in domestic transfers.
   - b) Internal policies of a company regarding employee data.
   - c) A mechanism for multinational companies to transfer data across borders.
   - d) A type of legal contract for processing personal data.
5. Which of the following best describes the relationship between data controllers and data processors?
   - a) Data controllers process data on behalf of data processors.
   - b) Data processors determine the purpose of processing data.
   - c) Data controllers determine the purposes and means of processing personal data.
   - d) Data processors are responsible for setting data protection standards.
6. What is the primary safeguard for cross-border data transfers according to the guidelines?
   - a) Using verbal agreements between parties.
   - b) Applying standard contractual clauses.
   - c) Relying on the consent of the data subject.
   - d) Creating binding corporate rules for the company.
7. What is the requirement for standard contractual clauses in cross-border data transfers?
   - a) They must be signed only if the data is transferred for marketing purposes.
   - b) They should be modified to suit the specific needs of the parties.
   - c) They cannot be modified except for optional clauses provided by the Authority.
   - d) They are not required if both parties are based in the same country.
8. What should be ensured when filling in the annexes of standard contracts?
   - a) The information must be aligned with the data protection policies of the parent company.
   - b) The information provided should be consistent with the VERBIS records of the data controller.
   - c) The data should only relate to the employee’s personal details.
   - d) The annexes should contain information unrelated to the data controller’s registration.
9. What are the key criteria for determining if a data transfer is an “exceptional transfer”?
   - a) The transfer should be regular and continuous.
   - b) The transfer should take place under unforeseen circumstances and not as part of the normal course of actions.
   - c) The transfer must occur only once and must involve sensitive data.
   - d) The transfer should only occur if the recipient country is within the EU.
10. Which of the following statements is true about the current status of cross-border data transfers in 2024?
   - a) All cross-border data transfers have been approved with no outstanding applications.
   - b) The DPA has approved several binding corporate rules applications for cross-border transfers.
   - c) There are still gaps in compliance, but standard contractual clauses remain the most common safeguard.
   - d) Data controllers no longer need to submit any data transfer agreements for approval.
Answers:
1. c
2. b
3. b
4. c
5. c
6. b
7. c
8. b
9. b
10. c

WE HOPE YOU FIND THIS USEFUL
YOU CAN WRITE YOUR CONTRIBUTIONS, OPINIONS, CRITICISMS AND QUESTIONS TO US AS COMMENTS.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
