Time to Legalize Data Transfers from Turkey - Deadline: September 1, 2024.
As we posted here last week, the Regulation on The Procedures and Principles for Cross-Border Transfers of Personal Data ("Regulation") has been published in the Official Gazette and entered into force on July 10, 2024.
Although the Regulation underwent a lengthy public consultation process of approximately 8 weeks, the changes to the Regulation at the end of the public consultation process were minimal.
The DPA also published the four standard contracts ("SCCs") together with the BCR application forms on 10 July 2024.
With the publication of the Regulation together with the mechanisms to be used by the DPA for data transfers on 10 July 2024, the legislative steps of the reform of the Personal Data Protection Law No. 6698 ("DPL") are now complete.
As we have already covered the DPL reform in our previous newsletter, this article will not go into the details of the legislative changes. Instead, we will focus on what steps need to be taken for data transfers in light of the changes, and what challenges may arise in taking those steps.
New Data Transfer Methodology
As detailed in previous newsletters, the data transfer methodology under the DPL has changed significantly with the amendments published on 12 March 2024, largely in line with the GDPR.
With the amendments, the current data transfer methodology is based on 3 different main categories, which should be applied in this order:
1- Adequacy Decision for Third Countries, International Organisations and Sectors ("Adequacy")
2- Appropriate safeguards such as SCCs, BCRs, data transfer undertakings, etc. in the absence of an adequacy decision ("Appropriate Safeguards").
3- Derogations for specific situations in the absence of both Adequacy and Appropriate Safeguards.
Please note that there is no adequacy decision from the Data Protection Authority ("DPA") yet. Therefore, in this article we will discuss the appropriate safeguards and focus on SCCs as the most favoured and expected appropriate safeguards.
Appropriate Safeguards
The DPL provides that personal data may be transferred abroad by data controllers and data processors if one of the data processing conditions (i.e. the legal basis set out in Art. 5 or 6 of the DPL, such as contract, legitimate interest, etc.) is met and one of the appropriate safeguards is provided by the parties, provided that the data subject has the opportunity to exercise his or her rights and obtain effective remedies in the country of transfer.
The appropriate safeguards that may be provided by the parties are listed in Art. 10 of the Regulation and are as follows:
- Binding corporate rules, approved by the DPA, containing provisions on the protection of personal data, to be observed by the companies of the group engaged in joint economic activities.
- Standard Contractual Clauses, published by the DPA Board, which cover matters such as categories of data, purposes of data transfers, recipients and groups of recipients, technical and administrative measures to be taken by the data recipient, additional measures for special categories of personal data.
- A written commitment containing provisions to ensure adequate protection and approval of the transfer by the DPA.
- Existence of an agreement, which is not in the nature of an international contract, between public institutions and organisations or international organisations abroad and public institutions and organisations or professional organisations in the nature of a public institution in Turkey, and the Board authorises the transfer.
When the appropriate safeguard options are reviewed, the Standard Contractual Clause option is the one that stands out as it is the only option which does not require the authorisation/approval of the DPA. As such, proceeding with the Standard Contractual Clauses is the quickest of the 4 options available to controllers and processors.
Use of Standard Contractual Clauses for Data Transfers
As mentioned above, the DPA published 4 modules of SCCs on 10 July 2024. These are controller to controller, controller to processor, processor to processor and processor to controller SCCs.
The published SCCs are only available in Turkish. You can find the texts of the SCCs together with machine translations here:
Although the SCCs published by the DPA are similar to those published by the European Commission, there are major differences when it comes to the steps that need to be taken to implement the SCCs. Below, we will focus on these differences and the challenges they pose to controllers or processors who wish to use the SCCs for data transfers out of Turkey.
- Text of the SCCs
The Regulation stipulates that the text of the SCC must be used exactly as it is and must not be changed/amended. The Regulation also states that if the text of the SCC is changed, this will be grounds for an ex officio investigation by the DPA.
- Signature
The Regulation requires the parties to the transfer or their representative to sign the SCC. Please note that this is a strict signature requirement where the parties or their representative must sign the SCC with a wet/handwritten signature or with an electronic signature provided by an authorised certificate provider in Turkey. Please note that commonly used electronic signature software (e.g. Echosign) is not a valid electronic signature under Turkish law.
The absence of a valid signature of one or both of the parties to the transfer in the SCC is a valid ground for ex officio investigation by the DPA.
As a result, the Regulation does not allow the SCCs to be entered into by incorporating them into a larger data processing agreement or intra-group data transfer agreement (IGDTA). Each SCC must be signed in order to be valid.
- Language
The Regulation stipulates that the SCC must be written in Turkish. Even if English is used together with Turkish, the Turkish version shall prevail.
- Supplementary Documents
The Regulation stipulates that all supplementary documents that prove the authority of the signatories shall be attached to the SCC as addenda. Please also note that any documents prepared outside Turkey relating to signatory powers must be notarised and apostilled in order to be valid in Turkey under the 1961 HCCH Apostille Convention. In addition, any documents prepared in a language other than Turkish must be translated and notarised in Turkey for the SCC to be valid.
- Notification to the DPA
The SCC shall be notified to the DPA physically or by registered electronic mail (KEP) address or other methods determined by the DPA within five business days after the completion of the signatures. The parties may determine in the SCC who will fulfill the notification obligation. If no such designation is made, the SCC will be notified to the DPA by the data exporter.
In addition, the DPA must be notified within five business days of any change in the parties to the SCC or in the information and declarations provided by the parties in the contents of the SCC, or of any termination of the SCC, either physically or by registered electronic mail or by other methods specified by the DPA.
Failure to notify the DPA is subject to an administrative fine to be issued by the DPA.
- No Docking Clause
The SCCs published by the DPA do not provide for the possibility of adding additional parties through the use of a docking clause. If the parties to the SCC change, the SCC must be re-signed and notified to the DPA.
- Number of Parties to the SCC
The SCCs published by the DPA appear to allow only one data exporter and one data importer to sign. Given that the Regulation strictly requires the SCC to be used as it is, the question arises as to whether additional parties can be added to the SCC by increasing the number of signature blocks and changing certain definitions in the SCC.
Given that any change to the SCCs will result in an ex officio investigation by the DPA, it is best to sign two-party SCCs at this stage.
Road Map
In light of the above and the amendments made to the DPL on 12 March 2024, the use of explicit consent will no longer be a valid legal basis for transfers outside Turkey as of 1 September 2024. As a result, controllers and processors in Turkey will need to develop and apply one of the appropriate safeguards by 1 September 2024.
As mentioned above, SCCs are the most convenient and quickest of the appropriate safeguards. As a result, the following steps must be taken to legalise data transfers outside Turkey.
1- Prepare/review data mapping in light of the most recent data flows
2- Decide on the relevant module and the parties to sign the SCC in light of the data flows.
3- Prepare the relevant documentation for signing the SCC.
4- Notify the DPA of the SCCs by 1 September 2024.
Saying Goodbye to Consent in Data Transfers: What is Next?
The Turkish Data Protection Law Has Been Amended. What Has Changed in Cross-Border Transfers?
This morning, the highly anticipated amendments to the Law on Protection of Personal Data w. no. 6698 (“DPL”) have been published in the Official Gazette. The changes mentioned below will enter into force on June 1, 2024. You may find our article about the changes here:
With the so-called “Small DPL Reform” amendments published in the Official Gazette, three important provisions of the DPL have changed, two of which were creating deadlocks in the daily operation of businesses. The amendments were related to:
- Art. 6 of the DPL related to conditions for processing sensitive (special categories) personal data
- Art. 9 of the DPL related to transfer of personal data out of Turkey and
- Art. 18 of the DPL related to misdemeanors
In addition to the above, a provisional article (Prov. Art. 3) was introduced.
So, now that the changes have been published and are in force, what is the next step for compliance with the revised provisions for data controllers?
1- The Problem: Gridlock
Since the enactment of the DPL in 2016, the transfer of personal data outside Turkey has always been a problem for data controllers. Originally, Art. 9 of the DPL required explicit consent from the individual whose data is being transferred, as per the article's initial clause.
Other alternatives were:
- signing the standard undertaking by importer and exporter and seeking approval of the Data Protection Authority (“Authority”),
- BCRs, and
- Transfer to an importer located within an adequate country.
To date, the Authority has not published any adequacy decisions. It could also be argued that BCR was stillborn due to the complexities of the legislation and practice. Lastly, the Authority has approved only a handful of written undertakings despite numerous applications.
Therefore, since its inception in 2016, the framework for data transfers outside Turkey has faced challenges, and this led to the creation of a risk-based approach to be taken by controllers with the following options:
• sign the undertaking and apply to the Authority for approval (least desirable option due to the low number of approvals by the Authority, and because approval may put the controller on the Authority’s radar)
• force data subjects to provide explicit consent (risk the consent being invalid due to lack of free-will but prepare a defense as explicit consent is the last and only resort) or,
• have IGDTA or a similar mechanism signed between the importer and exporter and wait for a sensible reform to fix the broken mechanism
And now, after almost 8 years of waiting, we are happy to announce that the mechanism has been fixed in a sensible way with the reform.
2- The Solution: Goodbye Consent, Welcome SCCs
Art. 9 of the DPL is rewritten to amend the whole cross-border transfer mechanism. With the change, a threefold system is introduced that covers: i- adequacy decision, ii- appropriate safeguards and iii- incidental transfers. Before diving into the details, with the changes:
- explicit consent can no longer be a basis for data transfers abroad (except for incidental cases).
- a mechanism similar to SCCs is introduced where importer and exporter can simply sign the SCC and notify the Authority within 5 days to transfer personal data.
Here is how the threefold mechanism will work:
i- Adequacy Decision
As explained above, the previous version of the provision only allowed the Authority to give adequacy decisions about third countries and required the Authority to take reciprocity into consideration. This prevented the Authority from giving any adequacy decisions.
With the changes, data transfer is possible if an adequacy decision is given about the country, international organization or sector within the country where the transfer will be made. This way, with the addition of international organization or sector-specific adequacy options, the Authority may be more flexible in deciding on adequacy.
As a result, if an adequacy decision has been given, and provided that a legal basis for data processing exists (i.e. Art. 5 or 6 of the DPL), it will be possible to transfer personal data.
It should be noted that any adequacy decision must be reviewed and renewed by the Authority every 4 years at the latest. Also, the following are the criteria that will be taken into account by the Authority while making the adequacy decision:
• The mutual agreement on data privacy regulations regarding the movement of personal information from Turkey to any foreign nations, specific sectors within those nations, or global organizations.
• The applicable laws and customary practices of the nation receiving the personal data, along with the policies that the international organization receiving the personal data adheres to.
• The presence of an autonomous and competent authority dedicated to data protection in the destination country or organization, along with available administrative and legal measures for recourse.
• The engagement level of the receiving country or international organization with international treaties focused on personal data protection, or their participation in relevant global bodies.
• The affiliation of the receiving country or organization with worldwide or regional groups that Turkey is also a part of.
• International agreements that Turkey is a signatory to.
ii- Appropriate Safeguards
In the absence of an adequacy decision, any of the newly introduced appropriate safeguards shown below can be used to facilitate transfers, provided that one of the conditions specified in Art. 5 and 6 is present and the data subject has the opportunity to exercise his rights and to apply for effective legal remedies in the target country:
• The existence of SCCs to be published by the Authority, which will include data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the recipient and additional measures taken for special categories of personal data,
• The existence of a written undertaking with provisions to ensure adequate protection and approval of the transfer by the Board,
• Existence of BCRs approved by the Authority, containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with, or
• Existence of an agreement that is not in the nature of an international agreement between public institutions and organisations or international organisations abroad and public institutions and organisations or professional organisations in the nature of a public institution in Turkey and the Authority’s approval of the transfer.
It is important to note here that when SCCs are signed, there is no requirement to seek the approval of the Authority; however, the SCCs must be notified to the Authority within 5 days of signing.
iii- Incidental Transfers
In the absence of an adequacy decision and in the absence of any of the appropriate safeguards, personal data may be transferred abroad only in one of the following cases, provided that it is incidental:
• The data subject's explicit consent to the transfer, provided that he/she is informed about the possible risks.
• The transfer is necessary for the performance of a contract between the data subject and the data controller or mandatory for the implementation of pre-contractual measures taken at the request of the data subject.
• The transfer is mandatory for the establishment or performance of a contract to be concluded between the data controller and another natural or legal person for the benefit of the data subject.
• The transfer is mandatory for a superior public interest.
• The transfer of personal data is mandatory for the establishment, exercise or protection of a right.
• The transfer of personal data is mandatory for the protection of the life or physical integrity of the person himself/herself or of another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
• Transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.
3- Next Steps For Controllers: Compliance
As mentioned above, data controllers can be divided into three groups when it comes to what actions they have taken for data transfers: i- those that had to force data subjects to provide explicit consent for data transfers, ii- those that signed IGDTAs and applied a wait and see approach, and iii- those who applied to the Authority for approval of their data transfer undertaking. The actions that the data controller must take for compliance depend on this grouping.
i- Those That Relied on Consent
As mentioned above, consent can now be used only for incidental transfers. Therefore, controllers that (rightfully, due to restrictions of the legislation) built all their data transfer operations on consent must now adopt one of the other mechanisms being introduced. The provisional article 3 of the DPL provides a grace period until September 1, 2024 for these controllers, and the consents obtained for transfers will be valid until this date.
As a result, the controllers in this category may wait for an adequacy decision and in the meantime start making preparations for applying any of the appropriate safeguards (i.e. SCCs) to comply with the new provision.
ii- Those That Signed IGDTAs and Applied a Wait & See Approach
Controllers within this group do not rely on any legal basis to transfer personal data and, with the new reform, it is now time to select any of the appropriate safeguards and legalize the transfers. Please note that there is no grace period for controllers in this group.
iii- Those That Applied to the Authority for Approval of Their Data Transfer Undertaking
The fate of the approved undertakings is not clear under the new mechanism; however, since a similar approval mechanism is introduced, controllers that got approval from the Authority for their data transfer undertaking can wait until the announcement of secondary legislation by the Authority.
Controllers that have applied for approval but could not get approval from the Authority must immediately start preparations to apply any of the new safeguards to legalize transfers.
FAQ
1- We are a foreign data controller with no establishment in Turkey. We collect data directly from data subjects. What is our position?
The amendments do not solve this issue since this question is related to the interpretation of the Authority rather than the legislation. As you may know, contrary to the EDPB's direct collection opinion in Guidelines 05/2021, the Authority’s decision on WhatsApp (numbered 2021/891 and dated September 3, 2021) underlines that, after the initial collection of personal data, all kinds of processing activities conducted in servers located outside Turkey constitute a cross-border transfer. If the Authority does not align its interpretation with the EDPB, this will continue to be a problem for many foreign controllers that directly collect personal data from data subjects since there will be no data exporters in Turkey to run the mechanisms (SCCs, undertaking, BCR etc.) in the legislation.
Therefore, we hope that the Authority will reconsider the interpretation of what a transfer is and will clarify that direct collection scenarios where there is no exporter of personal data are not data transfers.
2- We are a group company with approved BCR from an authority in the EU. Can we rely on such BCR for the transfer from Turkey?
No, transfers from Turkey are subject to the DPL and, pursuant to the DPL, BCRs must be approved by the Authority in Turkey.
3- We have signed the EU's standard SCCs for transfers, can we rely on such for transfers from Turkey?
No, the SCCs mentioned above are the version that will be published by the Authority in Turkey. Therefore, unless the SCCs published by the Authority are exactly the same as the EU version, separate SCCs published by the Authority must be signed.
4- We have signed an intra-group data transfer agreement, can we rely on such mechanism for transfers from Turkey?
No, however if such agreement ensures adequate protections, it would be possible to apply to the Authority for approval with such IGDTAs. The secondary legislation, when published by the Authority, will provide a clearer response.
5- We are located in an EU country, can EU countries automatically be considered as adequate for transfers from Turkey?
No, in order for a country to be accepted as adequate, it must be published by the Authority.
6- What constitutes an incidental transfer?
The reasoning of the amendments explains "incidental" as follows: single or several times and in a non-continuous manner. For example, a company in Turkey sharing, on an incidental basis, information about its employees who will be in contact with a company abroad in terms of the commercial activity that it intends to carry out with that company.
Telehealth Services Q&A Guide - Turkey
Our firm's Q&A Guide on Telehealth Services in Turkey can be accessed here.
Data Subject Requests Under Turkish Data Protection Law
The Law on Protection of Personal Data w. no. 6698 (“DPL”) contains data subject rights that are similar to those that can be found in the General Data Protection Regulation. The data subject rights are stipulated under Art. 11 of the DPL and the rights available to data subjects are:
- to learn whether their personal data are processed or not,
- to demand information if their personal data have been processed,
- to learn the purpose of the processing of their personal data and whether these personal data are used in compliance with the purpose,
- to know the third parties to whom their personal data is transferred in country or abroad,
- to request the rectification of the incomplete or inaccurate data, if any,
- to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
- to request reporting of the rectification, erasure and destruction operations carried out to third parties to whom their personal data have been transferred,
- to object against the results that may have occurred solely by analyzing the data through automated systems,
- to claim compensation for the damage arising from the unlawful processing of his/her personal data.
While certain rights are common, the exercise of the right under the DPL is subject to certain different requirements.
Conditions and Content for a Valid Data Subject Request
Under the Communiqué on The Procedures and Principles of Application to Data Controller dated March 10, 2018 (“Communiqué”), the rules related to exercise of data subject rights are determined.
Pursuant to the Communiqué prepared by the Turkish Data Protection Authority (“DPA”), all persons are entitled to apply to the controller to exercise their rights under the DPL, provided that the application to the controller is in the Turkish language.
Further, the Communiqué requires the following information to be present in data subject requests:
- Name, surname (and signature if the application is made physically, i.e. in writing),
- For Turkish Citizens, TC identity number; for foreigners, nationality, passport number or identity number if available,
- Residential or business address which is available for the Data Controller to send a response to,
- E-mail address or telephone or fax number,
- The request itself.
Valid Methods to send a Data Subject Request
The Communiqué determines several methods for the data subject requests to be sent to the data controller. Therefore, data subject requests must be sent using any of the following methods to be valid:
- In writing (via notary public),
- KEP address (KEP is a registered e-mail system which allows id verification),
- Secure electronic signature or mobile signature,
- Via e-mail only if the e-mail address is already registered in the Data Controller’s system, or
- A system designed to receive data subject requests (i.e. data access portal).
The data subject is free to choose whichever method he/she wants to use, and it is not possible to force the data subject to use a specific method.
Consequences of an Invalid Data Subject Request
If the data subject request is not in line with the requirements mentioned above, which are determined in the Communiqué, in general the data controller is not required to respond since the request would not be a valid request.
Having said that, the DPA’s decisions suggest that the best course of action would be to assist the data subject by:
- informing the data subject as to which information must be present in their request and what methods can be used for a valid request and
- refraining from creating additional/unnecessary burden on the data subjects by asking for additional information that is not present in the Communiqué.
This is, of course, a risk-based decision that must be taken by the data controller based on the circumstances.
Consequences of a Valid Data Subject Request
Data controllers have a general obligation to take all measures to finalize all data subject requests in good faith and in an effective manner pursuant to Art. 6 of the Communiqué.
In case of a valid data subject request, the data controller either accepts the request and takes necessary action, or if there are valid grounds, refuses the request and responds to the data subject.
The data controller must finalize the data subject request as soon as possible and within 30 days at the latest, without any charges. Having said that, if the response requires an expense (i.e. if the response is 10+ pages), the data subject may be charged.
Consequences of Not Responding to or Not Accepting a Valid Data Subject Request
The DPL does not determine a specific consequence for not responding to or not accepting a valid data subject request. Having said that, in those cases, the DPA evaluates that the data controller has not taken all measures to finalize all data subject requests in good faith and in an effective manner.
As a result, in case of a complaint, the DPA’s initial decision is to instruct the data controller to take all measures to finalize all data subject requests in good faith and in an effective manner. If the data controller fails to implement and abide by the instruction of the DPA, the DPA may apply an administrative fine of up to TRY 5.971.989 (approx. USD 305.985 as of 09.05.2023) for failure to fulfill the decisions issued by the DPA.
Burak Ozdagistanli, CIPM, CIPPE, LL.M.
Position Marks
The developments in business activities cause changes in Trademark Law, as well. In this respect, the non-traditional mark, also known as a non-conventional mark, has been adopted. The non-traditional mark is a new type of trademark, and this category is not limited. The European Union Intellectual Property Network (“EUIPN”) gives examples of non-traditional marks such as shape, position, pattern, color, sound, motion, multimedia and hologram marks. ("Common Communication On The Representation Of New Types Of Trade Marks, p. 4-5") In this article, our purpose is to explain the “position mark”, which is one of the non-traditional marks.
The position mark was first regulated in 2017 by Article 3 of the Commission Implementing Regulation (EU) 2017/1431 (“EU Regulation”). The provision defines the position mark and explains the details of the application. The term “position mark” refers to a trademark consisting of the specific way in which the mark is placed or affixed on the goods. The best examples of position marks are the three stripes of Adidas and the red bottoms of Louboutin's shoes.
No specific provision for position marks is stipulated in Turkish Law. However, the trademarks defined in Article 4 of the Industrial Property Law (“Turkish IP Law”) do not count as numerus clausus. Further, Article 7 of the Regulation on Enforcement of Industrial Property Law (“Regulation”) includes some examples of non-traditional marks and explains the requirements for the application of these trademarks. According to this legislation, “other” types of non-traditional marks are accepted, and the position mark is able to be registered.
On the other side, the elements of position marks are explained in Court Decisions. According to these practices, the position mark has two key elements, which are “the sign” and “the position”. Firstly, the sign element should be specified. However, the sign element does not have to be distinctive by itself. The notable point is that the sign should be distinctive with its position. The other main element is the “position”. This position has to be the same for all goods, and the sign has to be placed identically. ("Assoc. Prof. Dr. Burçak Yıldız, “Position Marks in Light of Jurisprudence of Justice of the European Union”, 2018") According to the doctrinal approach, position marks differ from simple three-dimensional marks in that position marks are used with identical color and size and are placed on an identical area of the goods. Thus, these marks remind consumers of the related goods on which the position mark is placed even though the signs are separate from the goods.
Additionally, the Trademark Examination Guide (“Guide”) published by the Turkish Patent and Trademark Office (“TURKPATENT”) explains position trademarks, and the definition in this Guide is the same as the explanation in the EU Regulation. According to this Guide, the following points need to be considered:
- The representation of the position. (mandatory)
- The representation of the elements which do not form part of the subject matter of the registration. (mandatory) Broken or dotted lines may be preferred.
- The explanation of how the sign is placed on goods. (optional) This explanation should be just for informing.
The most notable issue is making the representation of the sign’s position. For example, an application for clothes and hats would be rejected if the representation is just for shoes.
Accordingly, there is an example in which a circle on the side of a sports shoe was found distinctive for ‘footwear’ by the Board of Appeals of the EUIPO (“the Board of Appeals”). The Board of Appeals clarified that “it is entirely customary today for manufacturers of sports and leisure shoes always to display the same pattern on their goods, which may be a pattern of lines, stripes, geometric shapes or a combination thereof, always in the same place on the outside of the product, making it visible from a distance. The consumer is accustomed to such signs and can in principle be guided by them when buying sports and leisure shoes.”
A position mark which is placed on the toe of sports shoes was found distinctive by the Turkish Supreme Court. On the other hand, when TURKPATENT’s practices were reviewed, it was seen that the practices do not provide consistent results. Even though the Guide published by TURKPATENT explains the requirements for the registration of position marks, TURKPATENT does not have a consistent practice. For this reason, in some cases, even though the position mark has distinctiveness, TURKPATENT may reject the application.
Briefly, the position mark is a new term for the Turkish trademark law. However, the registration of a position mark is possible according to Article 4 of the Turkish IP Law and Article 7 of the Regulation. The main point is the distinctiveness of the sign with its position on goods. The position mark’s distinctiveness should be examined in each individual concrete case. Further, if the position mark creates impressions of a specific business in the eye of the consumer, it should not be rejected.
Turkish Personal Data Protection Authority Decision w. no. 2020/47
On 23 June 2020, the Turkish Personal Data Protection Authority (“the DPA”) published a summary of decision w. no. 2020/47 in response to a request from a foreign bank that has a representative office in Turkey. The DPA explained whether a foreign bank that has a representative office in Turkey can be considered a data controller under the Law on the Protection of Personal Data (“the Law”), and published its evaluation of whether this foreign bank is obliged to register with the data controllers’ registry (“VERBIS”).
Pursuant to Article 4 of the Communique on Procedures and Principles Related to Operations of the Representatives in Turkey (“Communique”), representatives can perform promotional activities in Turkey related to the affiliated bank’s services and can transfer the information obtained to the affiliated bank. These activities of the representative contribute to the services of the foreign bank. In this context, the activities of the representative in Turkey cannot be considered separate from the personal data processing activities carried out for the banking activities. For this reason, it has to be accepted that there is a close connection between the representative’s activities and the bank’s activities related to the processing of personal data.
In this respect, Guidelines 3/2018 on the territorial scope of the European Union General Data Protection Regulation (“GDPR”) give this example: if an establishment has an office in the EU and this office’s activities increase the revenue, the absence of an establishment in the Union does not necessarily mean that processing activities by a data controller or processor established in a third country will be excluded from the scope of the GDPR.
Because the bank is located in a foreign country and has a presence in our country through a representative, accepting that its personal data processing activities do not fall within the scope of the Law would not comply with the intent of the Law. The purpose of registration with VERBIS and of the notification obligation set forth in Article 16 of the Law is to provide the highest control over data subjects’ personal data. Accordingly, a bank residing abroad is obliged to register with VERBIS in relation to its personal data processing activities. Also, Article 5(1-b) of the Regulation on Data Controllers Registry provides that “Data controllers not established in Turkey are obliged to register with the Registry by their representatives prior to the start of data processing.” Similarly, the DPA’s decision w. no. 2019/10 of 24.01.2019 about Procedures and Principles of Personal Data Breach Notification clarifies that “If data breach occurs in the presence of data controller established abroad, in case this breach affects data subject residing in Turkey and Data Subjects benefit from the products and services provided within Turkey, data controller shall notify the Board within the same principles.”
In parallel with these explanations, the DPA adopted the following decisions: Everyone has the right to request the protection of his/her personal data according to Article 20 of the Constitution of The Republic of Turkey. In determining the territorial scope of the Law, an approach that provides the highest and the broadest protection to the data subjects has to be adopted. The foreign bank has a continued existence in Turkey through its representative. As a consequence, the Law will apply to the above-mentioned bank, and the bank has to be deemed a data controller. Also, the bank is obliged to register with VERBIS.
Our Evaluation of the Decision
This decision of the DPA must be interpreted together with the decision regarding branch offices and liaison offices of foreign entities w. no. 2019/225. In that decision, the DPA decided that liaison offices are not required to register with VERBIS and are not data controllers. Liaison offices and foreign banks' branch offices are very similar in the eyes of Turkish law. Neither can engage in commercial activity, the sole purpose of both is to market the foreign entity, and neither liaison offices nor foreign banks have legal personality. For this reason, liaison offices and branches of foreign banks are not data controllers under Turkish law. Having said that, since these organizations collect and process personal data on behalf of the foreign entity, the foreign entity is the controller.
Key Takeaways
- Liaison offices of foreign entities and branch offices of foreign banks are not required to register with VERBIS.
- Foreign entities with liaison offices and foreign banks with branch offices in Turkey are data controllers and are required to register.
- This decision does not affect the position of branches of foreign entities. Branches of foreign entities remain data controllers.
Turkey's Social Media Law
On 29.07.2020 the Turkish Parliament voted on and adopted the proposed amendments to the Law on the Regulation of Publications on the Internet and Suppression of Crimes Committed by Means of such Publications w. no 5651 (“the Internet Law”).
The amendment was published in the Official Gazette on 31.07.2020. Here are the changes brought by the amendment:
1- Adding the term “social network provider”
With the amendment, the term “social network provider” has been added into the Internet Law.
A social network provider is defined as a natural or legal person who enables users to create, view or share texts, images, voice, location or other types of data for the purpose of social interaction. With the new “social network provider” definition, the Internet Law sets forth specific obligations for social network providers.
Unfortunately, the term social network provider is defined too broadly, and it may even cover live chat applications and in-game/in-application chat. In our view, user-to-user chat should have been clearly exempted; however, this is not the case.
Having said that, since the purpose of the Law is to check and control content that is publicly available, we consider that in practice the provisions of the Internet Law will not be applied to chat applications or in-game chat programs.
2- Extraterritoriality and Jurisdiction
For social network providers that are not located in Turkey, the amendment allows the Turkish State to serve and notify any administrative fine directly to the social network provider through email or other means. The Turkish State may determine the address at which to notify and serve administrative fines from the contact information on the service provider’s website or from any other source such as IP address, domain name, etc.
The amendment sets forth that this notification and service shall be accepted as a legal and valid notification, and the social network provider will be deemed to have received the notification 5 days after it is sent.
This amendment may be risky for social network providers, since it will be very difficult to keep track of notifications by the Turkish State unless the social network provider appoints a representative in Turkey.
3- Appointing a Representative
The amendment requires foreign social network providers (social network companies that are not established in Turkey) that have daily access of 1.000.000 or more from Turkey to appoint a representative in Turkey. 1.000.000 daily access does not mean 1.000.000 unique users daily. Multiple access by the same user counts towards this limit.
The representative can be a Turkish natural person or a legal person established in Turkey.
The social network provider must keep the contact information of the representative on the website to allow easy access by users.
In addition, the social network provider must report the representative’s information (entity name, contact) to the Information and Communication Technologies Authority (“Authority”).
4- Data Localization
Foreign and Turkish social network providers with 1.000.000 or more daily access from Turkey must keep Turkish users’ (users from Turkey) personal data in Turkey.
5- Content Removal/Access Blocking
Foreign and Turkish social network providers with 1.000.000 or more daily access from Turkey must respond to content removal and access blocking requests by natural and legal persons within 48 hours. If the request is rejected, the legal basis for rejection shall be provided.
If the request is accepted, the social network provider must respond to the requesting natural or legal person and take appropriate action such as removing the content or blocking the access to the content.
Failure to meet the above requirement is subject to an administrative fine of TRY 5.000.000 (approx. $ 716.000).
Further, where judges, courts or administrative bodies issue content removal or access blocking decisions, social network providers must remove the content or block access to the content within 24 hours of receiving the decision. Social network providers who fail to comply shall be responsible for all damages that may arise due to the content.
Failure to implement the blocking or removal decisions by social network providers with 1.000.000 or more daily access from Turkey is subject to administrative fines of TRY 1.000.000 (approx. $ 143.000) and judicial fines of up to TRY 5.000.000 (approx. $ 716.000).
6- Reporting
Foreign and Turkish social network providers with 1.000.000 or more daily access from Turkey must submit a report to the Authority every six months showing the statistics on content removal and/or blocking access requests, decisions and applications of such.
7- Timeline and Other Fines
Social network providers will be given 3 months to comply with the requirements. This period shall start after the publication of the amended Law in the Official Gazette. At the end of this 3 month period, a five-stage sanction plan will be implemented for the obligation to appoint a representative:
i) The Authority will notify the social network providers that did not fulfill their obligations to appoint and report representatives. An administrative fine of TRY 10.000.000 will be applied to the social network providers that fail to fulfill their obligations within 30 days from the date of notification (approx. $ 1.433.000).
ii) If the social network provider does not appoint a representative within 30 days as of the first administrative fine, an additional administrative fine of TRY 30.000.000 will be applied (approx. $ 4.300.000).
iii) If the social network provider does not appoint a representative within 30 days as of the second administrative fine, real and legal persons in Turkey will not be allowed to use online advertising services of the social network provider and money transfers to the social network provider will be restricted.
iv) If the social network provider does not appoint a representative within 3 months as of the restriction of advertisement services, the Authority may request the judge to narrow the bandwidth of the social network provider to 50%.
v) If the social network provider does not appoint a representative within 30 days as of step iv, the Authority may request the judge to narrow the bandwidth of the social network provider up to 90%.
If the social network provider decides to appoint a representative at any stage, only 25% of the administrative fine will be collected and the other restrictions will be removed.
Position Marks
Developments in commercial life also bring new approaches to trademark law. As one example, the concept of “non-traditional trademarks” has been incorporated into trademark law practice. Unlike traditional trademarks, non-traditional trademarks are a new concept, and the types of marks falling into this category grow with innovation and development. The European Union Intellectual Property Network (“EUIPN”) cites mark types such as position, sound, pattern, colour, hologram, multimedia, motion and shape as examples of non-traditional trademarks. ("Common Communication On The Representation Of New Types Of Trade Marks, pp. 4-5") In this article, we will explain position marks, which fall within the category of non-traditional trademarks.
Position marks were first included in European Union legislation in 2017, in Article 3 of Implementing Regulation No. 2017/1431 (“EU Regulation”). That provision defines the position mark and gives information on how applications must be filed. The term position mark refers to marks consisting of the specific way in which a sign is placed on or affixed to the product. These marks acquire distinctive character through the position in which they are placed on a particular product. The best-known examples given for position marks are Adidas’s three stripes and Louboutin’s distinctive red-soled shoes.
There is no specific regulation for position marks in Turkish trademark law. However, the definition of a trademark in Article 4 of the Industrial Property Code (“Turkish IP Law”) does not list trademarks in a numerus clausus manner, and that article makes the registration of non-traditional trademarks possible. In addition, Article 7 of the Regulation on the Implementation of the Industrial Property Code (“Regulation”) gives examples of non-traditional trademarks and explains how applications for such marks must be filed. These provisions, which do not directly concern position marks, allow position marks to be registered.
The elements of a position mark are elaborated through court decisions. A review of practice shows that two main elements of a position mark are identified. The first is the “sign” element and the other is the “position” element. Two basic features are mentioned regarding the “sign” element. First, the sign must be a definite/specific sign. However, the sign need not be distinctive on its own. What matters is that, because of the position in which it is placed, it calls the product to mind even when separated from that product. The “position” concept, identified as the other main element of a position mark, means that the sign is placed in the same way at the same place on each of the products bearing the mark. ("Assoc. Prof. Dr. Burçak Yıldız, “Avrupa Birliği Adalet Divanı Kararları Işığında Pozisyon Markaları”, 2018") According to the general view, position marks are accepted as differing from simple three-dimensional marks because they are always used at a specific place on the products, in the same colour and the same size, and, when considered independently of the product, immediately call to mind the product on which they appear.
In addition, the Trademark Examination Guide (“Guide”) published by the Turkish Patent and Trademark Office (“TURKPATENT”) also covers position marks. The Guide draws on the EU Regulation in defining the position mark. The Guide also explains how an application to register a position mark must be filed, through the following guidance:
- Representation of the position for which protection is claimed (mandatory).
- Representation of the elements that do not form part of the subject matter of the registration (mandatory). These may be shown with broken or dotted lines.
- A description of how the sign is affixed to the goods (optional). The description must be for information purposes only.
As stated, the most important issue is the representation of the position of the sign for which protection is claimed. For example, where a position mark application covers clothing, footwear and headgear, but the representation in the application has been made only for footwear, the application must be rejected for the clothing and headgear categories.
In addition, the EUIPO Board of Appeals (“Board of Appeals”) found a circular sign on a sports shoe distinctive and, finding that most sports brands today use their own characteristic sign on their shoes in the same way and in the same place, stated that these signs influence consumers when purchasing the goods concerned.
Similarly to the Board of Appeals’ decision, the Turkish Supreme Court also found a position mark placed on the toe of a shoe distinctive. By contrast, a review of TURKPATENT’s decisions shows that TURKPATENT does not have a consistent practice regarding position marks. Although the Guide published by TURKPATENT explains position marks and states that such signs should be registered where they are distinctive together with the position in which they are placed, TURKPATENT has no established practice. For this reason, even where position marks are distinctive, TURKPATENT rejects position mark applications in some cases.
In conclusion, the position mark is a new concept for Turkish trademark law. However, position marks are registrable under Article 4 of the Turkish IP Law and Article 7 of the Regulation. The main issue is whether the sign is distinctive together with its position. Where the requirements for the application are met, the perception of the average consumer must be taken as the basis. If the sign and its location create an impression on the consumer, the sign should be registered as a position mark. At this point, as also stated in the Guide, each concrete case must be examined on its own circumstances, and applications that are distinctive in the eyes of the consumer should not be rejected.
Allocation of Internet Domain Names
Middle East Technical University (“METU”) has for many years managed the allocation of and transactions for ".tr" domain names in Turkey through the Nic.TR system. However, by an agreement signed on December 21, 2018, it transferred its ".tr" Registry authority to the Information and Communication Technologies Authority (“ICTA”). The agreement provides that in 2020 the Nic.TR system will be shut down and the .tr Network Information System (“TRABİS”) will come into operation in its place. The date on which TRABİS will come into operation will be announced separately by ICTA.
Until TRABİS comes into operation, during the transition period, Registrars will carry out transactions relating to domain names. In this context, METUnic was established by METU on March 14, 2019 to continue Nic.tr’s Registrar function. As of March 23, 2020, the number of Registrars, including METUnic, is 20 in total.
Persons who will now obtain a new domain name or renew existing domain names must carry out their transactions with METUnic or the other Registrars. The NicTR system was closed to applications and renewals on March 23, 2020. In this context, internet domain name holders need to transfer their domain names to METUnic or other Registrars in order to avoid any interruption or disruption to their transactions. The persons concerned can transfer domain names registered with Nic.tr to Registrars by using the transfer system on Nic.tr’s website or by submitting the Contact Change Approval Form. All transfer transactions are carried out online through Nic.tr’s website.
The important point for internet domain name holders to note is that domain names not moved to any Registrar can be used only until their payment due dates and cannot be renewed afterwards. For this reason, transfer to a Registrar is mandatory.
Transactions such as server changes, contact changes and information updates will continue to be made through Nic.TR until TRABİS comes into operation. The NicTR system will remain active until TRABİS comes into operation and will close at the same time as TRABİS comes into operation. After TRABİS comes into operation, Registrars will carry out the relevant transactions through TRABİS.
In conclusion, even though TRABİS has not yet come into operation, internet domain name holders need to select one of the Registrars listed on NicTR’s Registrars page and transfer their domain names.
Domain Name Allocation
Middle East Technical University (“METU”) has managed the administration and registration of ".tr" domain names in Turkey for many years by means of the Nic.tr system. On December 21, 2018, METU transferred its Registry authority for “.tr” domain names to the Information and Communication Technologies Authority (“ICTA”) by signing a protocol. Under the protocol, the Nic.TR system shall shut down and the .tr Network Information System (“TRABİS”) shall come into operation. TRABİS will be activated following an announcement by ICTA.
Until TRABİS is activated, Registrars will carry out domain name transactions. One of these Registrars is METUnic, established by METU on March 14, 2019 in order to continue the Registrar function of Nic.tr. As of March 23, 2020, the number of Registrars including METUnic is 20 in total.
Persons who will obtain new domain names or renew their existing domain names must carry out their transactions through METUnic or other Registrars, since NicTR was closed to registrations and renewals on March 23, 2020. In this context, owners of internet domain names should transfer their domain names to METUnic or other Registrars in order not to experience any interruptions regarding their transactions. They can transfer their domain names registered in Nic.tr to METUnic or other Registrars by submitting the “Contact Change Approval Form” or by using the online transfer page available on Nic.TR. All transfer transactions are carried out online on the Nic.tr website.
Owners of internet domain names should pay particular attention to the fact that domain names that are not transferred to a Registrar can only be used until the payment due date and cannot be renewed later. In this regard, transfer to a Registrar is mandatory.
DNS Change, Contact Change and Owner Information Update transactions will continue to be made through Nic.TR until TRABİS is activated. The NicTR system will be accessible until TRABİS is activated and will be closed upon the activation of TRABİS. After TRABİS is activated, the Registrars will carry out their transactions through TRABİS.
Briefly, even if TRABİS has not been activated yet, the owners of domain names should transfer their domain names to one of the Registrars.