Decision of the Personal Data Protection Board on the
Transfer of Personal Data Abroad
The Personal Data Protection Board (“Board“) published a noteworthy decision regarding the transfer of personal data abroad on 3 September 2020.
A car company has been sending out text messages to individuals for marketing purposes. One recipient of these advertisement messages complained to the Board accusing the car company for processing his/her personal data without obtaining a prior explicit consent. Further to the Board’s initial assessment, it was understood that the car company has been storing personal data of its customers in its servers located abroad, which means that the company transfers customers’ personal data outside of Turkey and accordingly, the Board initiated ex-officio investigation on personal data processing activities of the company.
In its decision, the Board first referred to Article 9 of the Law on the Protection of Personal Data numbered 6698 (“Law”), which stipulates that personal data shall not be transferred abroad without the explicit consent of the data subject (i.e. SMS recipients). The Board also noted the list of other conditions, which render personal data transfer abroad legally acceptable by pointing out that the company also cited these conditions in its defense. Indeed, the company claimed that its personal data processing is mandatory and therefore, necessary for achieving its legitimate interests in the light of paragraph (f) of Article 5/2 of the Law. The Board, however, was not convinced with the company’s justification and declared that the company failed to find a balance between its legitimate interest and data subjects’ fundamental rights and freedoms.
Moreover, the company relied on the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108 (“Convention”) which regulates that the transfer of personal data to other states for defending the company’s data transfer abroad cannot be prohibited or restricted by also referring to Article 90(5) of the Turkish Constitution stipulating that international conventions duly entered into force are considered to be the law. The company argued that it had carried out its data transfer on the basis of Article 12 of the Convention, which does not require any special permission for personal data transfer abroad.
However, the Board did not accept this argument and asserted that data transfer conducted by the company is not incompatible with Article 9 of the Law, which requires the Board’s permission and a guarantee sufficient protection in writing by data controllers in Turkey and in the relevant foreign country. Thus, the Board ruled that being a party to the Convention does not necessarily mean that state parties meet safe country requirements under the Law.
As a conclusion, Board decided to impose TRY 900,000 administrative fine as the company failed to ensure adequate personal data security. Additionally, the Board ordered the company to update its privacy notice on a regular basis and instruct that the obligation to inform and obtaining explicit consent must separately fulfill.