The Personal Data Protection Board (“the Board”) evaluated the complaint application regarding transferring personal data of the data subject abroad without explicit consent by a technology company in its decision dated 17.03.2022 and numbered 2022/249.

The complaint subject to the decision is that the cookie policy is not included, and the privacy policy contains statements regarding transferring personal data abroad on the website on which the data subject is signed up. However, the personal data is transferred abroad without obtaining explicit consent from the data subject, and the data controller did not duly respond to the request of the data subject within the legally specified period.

The Board made the following explanations regarding the complaint;

  • There is no obligation to prepare a privacy policy pursuant to the Law on the Protection of Personal Data w. no. 6698 (“DPL”) and other legislation, but the primary responsibility of data controllers is to fulfill the obligation to inform before the personal data processing activity, as a rule, in cases where personal data is obtained from the data subject.
  • The defense that the request made by the data subject was not responded mistakenly indicates that all necessary administrative and technical measures were not taken by the data controller in order to conclude the requests to be made by the data subjects effectively and in accordance with the law and good faith.
  • Despite the argument that such implementation is being made because data is stored on servers abroad due to the use of hosting services and that a mechanism offering similar security measures does not exist in Turkey, the activity of storing data in the country or abroad is a processing activity.
  • Personal data has been transferred abroad without meeting the conditions stipulated in DPL’s Article 9 titled “Transferring Personal Data Abroad”.

In addition, the Board stated the reason why the transfer of personal data abroad is regulated in a separate provision and some other conditions are required is to ensure that the personal data is effectively protected can be effectively protected in the country where it is transferred. The aim is to enable data subjects to use their rights effectively and as close as possible to the implementation of the DPL.

It is reiterated that storing personal data in data centers located in various parts of the world is in the nature of transfer abroad, and personal data processing activities within the scope of storage services provided by data controllers/data processors whose servers are abroad are also carried out in accordance with Article 9 of the DPL in the under practices of the Board.

In this regard, the Board adopted the following decisions;

  • The conclusion is that the necessary technical and administrative measures have not been taken to ensure the appropriate level of security within the scope of the DPL since the transfer of personal data abroad is carried out through the use of a system whose servers are located abroad. In this regard, a commitment to provide adequate protection in the country to which the transfer will be made before the said activity is carried out has not been submitted to the Board, and also the data controller did not obtain explicit consent from the data subjects since there is no legal reason other than explicit consent in the concrete case.
  • The data controller company operates in many countries and a large number of personal data is collected through its economic situation, the application used to process personal data and the website have been transferred abroad unlawfully. The data subjects affected by the mentioned action are many, and it should be accepted that the act of transferring personal data abroad is not due to an individual event, but in a systematic way by the data controller deliberately and with an executive action. For all these reasons, considering that the violation constituting a misdemeanor was committed within the scope of commercial purposes and that the transfer activity abroad was not brought into compliance with the DPL, although 6 years have passed since the effective date of the DPL, an administrative fine of TRY 950.000 (approx. EUR 44.246) was imposed on the data controller.
  • The Board decided to instruct the data controller to make the necessary arrangements to ensure that the transactions regarding the transfer of personal data abroad are in compliance with Article 9 of the DPL and to inform the Board.
  • The Board decided to warn the data controller to take all necessary administrative and technical measures in order to conclude the applications to be made by the data subjects effectively, in accordance with the law and the rule of good faith.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş