urn:nbn:de:0009-29-54944
1. Introduction*
1
Since the Law on Personal Data Protection No 6698 (“PDP Law”) entered into force on 24 March 2016, the transborder transfer of personal data has been a challenging and confusing issue in Turkey. Due to the size of this confusion, the transborder transfer of personal data has become one of the most difficult subjects of the PDP Law compliance projects carried out with companies. While lawyers aim to eliminate all the legal risks and establish the order required by the current system, these efforts are criticized by company executives as incompatible with today's global economic system. In addition, they are characterized as the product of an extremely idealistic approach that is disconnected from reality and can cause serious loss of customers and income. With regard to the transborder transfer of personal data, where the aforementioned two attitudes are in conflict, company executives started to choose between the risk of loss of customers and income, and the risk of administrative fines.
2
The Personal Data Protection Authority seeks to establish a balance between the right to protect personal data and the data-based economy in the PDP Law [1], and the doctrine emphasizes its importance. [2] Nevertheless, it is not always easy to establish this balance in practice. As the outcome of this controversial situation, the decision of the Personal Data Protection Board regarding Amazon Turkey [3] is of great importance for companies transferring personal data from Turkey to third countries. At the time this decision was taken, there were some expectations and criticism arising from this controversial situation. Besides, the authorization process of Amazon Turkey’s undertakings regarding legality of its transborder transfers had not been concluded. Despite this, the Personal Data Protection Board imposed a large amount of administrative fines on Amazon Turkey, that were based on various violations including transborder transfer of personal data. [4]
3
The transborder transfer of personal data turned into a risky phenomenon in Turkey due to several reasons. For instance, there is misunderstanding and misperception of personal data and its protection because the PDP Law is new legislation in Turkey. Furthermore, this field can be handled detached from today's global economic system. Additionally, some provisions of the PDP Law are ambiguous, and there are vague matters.
4
One of the most significant matters in this field, which is commonly overlooked, is that the fourth industrial revolution, known as Industry 4.0 or the digital revolution, has been experienced in the history of humanity. [5] As a result of this digital revolution, the network society has been formed and the data economy has emerged. [6] Today’s global economy is closely linked to transborder data transfers especially due to digital trade. [7] Statistical and detailed reports reveal the speed of digitalization of the world and the boosting effect of global data flows and their importance in the global economy. [8] Moreover, the Covid-19 pandemic has caused the speed of digitalization in the world to increase exponentially and humanity to move to a new phase. [9] Therefore, personal data are now considered crucial raw materials of the global economy. [10]
5
Due to the lack of harmonized global rules on personal data protection, the transborder data flows especially through social networks, search engines, cloud computing, etc. can cause several business, technology, and security challenges. [11] All these developments put increasing pressure on regulatory systems. [12] As a result, it is generally accepted that law cannot keep up with the speed of technology, but as Christopher Kuner emphasizes, the key question is how we can speed up the conversion of legal thinking and knowledge into appropriate legal principles and rules. [13] It should be noted that the data ecosystem is undergoing tremendous changes all over the world, and in this context, laws that provide for the protection of personal data, including the General Data Protection Regulation (GDPR), which many countries take as a point of reference [14], are criticized for failing to protect the data subjects. [15] As some of these difficulties are global, it is important to closely follow up examples and developments in the world and to discuss how to reach more effective and balanced results by criticizing legislation and practice.
6
Within the scope of this article, the legislation and practice in Turkish law in the scope of transborder transfer of personal data are examined. In this context, in Chapter 2, the relevant legislation in Turkish law and the Council of Europe (CoE) conventions and protocols that interact with both Turkish and EU law are examined. In Chapter 3, the practice of transborder data transfer in Turkey is examined in the light of Personal Data Protection Board decisions.
2. Legislation, Conventions and Protocols
7
The legislation on the protection of personal data in Turkish law is based on EU law. Moreover, CoE conventions and protocols are of special importance due to the membership of Turkey to the CoE and the CoE's aim of creating internationally accepted, uniform norms that go beyond the borders of the EU in the field of personal data protection.
8
In this chapter, the transborder transfer of personal data shall be examined limited to the legislation in Turkey and conventions and protocols of the CoE, that have direct effect on Turkish law.
2.1. Legislation in Turkey
9
The protection of personal data does not have a long history in Turkish law. Provisions regarding processing personal data were included into the Constitution of the Republic of Turkey as the third paragraph of Article 20 titled "privacy of private life" in 2010. Furthermore, the Turkish Penal Code No 5237, which entered into force on 1 June 2005, contains provisions regarding the protection of personal data. However, as the main law that is solely regulating personal data protection, the PDP Law entered into force upon its publication in the Official Gazette on 7 April 2016. [16]
10
Transborder transfer of personal data is primarily regulated under the PDP Law. However, there are some other laws regulating this area for specific situations.
2.1.1. Law on Personal Data Protection
11
When the PDP Law entered into force, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive) was in force in the EU. At that time, the GDPR was in draft form. Nevertheless, it was published less than one month later in Official Journal of the European Union and repealed the Directive upon its entering into force in May 2018. [17] GDPR brought important innovations regarding the transfer of personal data to third countries and international organizations. Since the PDP Law [18] is mainly based on the Directive, it does not include the innovations and the detailed provisions regulated under the GDPR.
12
Nonetheless, the PDP Law is of great importance in terms of Turkish law as the first law that directly regulates personal data protection. It also introduces new institutions that play an important role in data protection in Turkey: the Personal Data Protection Authority (Authority) and the Personal Data Protection Board (Board). The Authority and its organization regulated under the sixth chapter of the PDP Law are among the regulatory and supervisory institutions. [19] Moreover, the Authority is registered as the authority regulated under Article 13(2) of Convention 108. [20] Within the Authority, which has administrative and financial autonomy [21], there is the Board, which performs and uses its duties and authorities independently under its own liability. [22] Article 22 of the PDP Law regulates various duties and powers of the Board, such as deciding on complaints, taking temporary measures, and deciding on administrative sanctions. Decisions taken by the Board can be divided into four groups in terms of their nature: (i) decision to stop data processing and transfer, (ii) instruction decision to eliminate the violation, (iii) administrative fine decision, and (iv) principal decision. [23] A Board decision may include a provision regarding one or more of these groups for the same or different reasons, because these decisions are not alternatives to each other. [24]
13
Regarding the transborder transfer of personal data, the provisions of the PDP Law on definitions and categories of transfers of personal data, conditions of transborder transfer and serious harm on interests of Turkey and the person concerned are particularly to be taken into consideration.
2.1.1.1. Definitions and categories of transfers of personal data
14
The PDP Law defines personal data as “all the information relating to an identified or identifiable natural person” [25] and divides personal data into two categories: personal data of normal nature and personal data of special nature. The conditions of processing these two categories of personal data are regulated differently under separate articles. [26]
15
The PDP Law does not define the term personal data transfer as in the Directive and GDPR. The fact that personal data goes outside the borders of Turkey is considered sufficient for transborder transfer, and transfer to a third party is not considered as a condition [27].
16
Within the scope of the PDP Law, the transfer of personal data is divided into two categories: transfer within Turkey and transfer outside of Turkey (transfer abroad or transborder transfer). These two categories of transfers are regulated under two different articles. [28] The transborder transfer of personal data of both normal and special nature is regulated under Article 9 of the PDP Law, titled “Transfer of Personal Data Abroad”.
2.1.1.2. Conditions of transborder transfer of personal data
17
In the PDP Law, it is essential that personal data is not transferred abroad without the explicit consent of the data subject concerned. [29] However, the exemptions from this rule are regulated under Article 9(2) of the PDP Law. Accordingly, provided that one of the compliance conditions for processing personal data of normal [30] or special nature [31] exists, the personal data can be transferred abroad on the basis of fulfilling one of the conditions set forth under Article 9(2). These conditions are as follows:
- Adequate level of protection is provided in the foreign country where the data is to be transferred,
- The controllers in Turkey and in the related foreign country undertake an adequate level of protection in writing and the Board has authorized such transfer, where adequate level of protection is not provided.
18
The PDP Law does not include specific provisions regarding the derogations and appropriate safeguards, apart from written undertakings. Additionally, explicit consent has become the most widely used transfer mechanism. In order to understand the role given to the explicit consent in Turkey and how the practice is mainly based on the explicit consent, it is first essential to understand how the other transfer mechanisms are regulated and implemented in practice in Turkey.
2.1.1.2.1. Adequate level of protection
19
It is regulated under Article 9(3) of the PDP Law that the Board shall determine and announce the countries where adequate level of protection is provided. In this regard, the Board shall take into consideration the following factors [32]:
- The international conventions to which Turkey is a party,
- The state of reciprocity concerning data transfer between the requesting country and Turkey,
- The nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,
- The relevant legislation and its implementation in the country to which the personal data is to be transferred,
- The measures guaranteed by the controller in the country to which the personal data is to be transferred.
20
If needed, the Board shall decide upon receiving the opinions of related public institutions and organisations. [33]
21
Additionally, on 2 May 2019, the Board disclosed its criteria for countries with adequate levels of protection. [34] Through this decision, the Board created a detailed table regarding the criteria regulated in the PDP Law and ensured transparency on this subject. The criteria set forth by this decision are as follows [35]:
- Reciprocity status,
- Legislation of the relevant country and implementation of this legislation regarding the processing of personal data,
- Personal data protection is a constitutional right,
- The existence of a basic law on the personal data protection,
- Effective date of the basic law,
- Secondary regulations and compliance of these regulations with our legislation,
- Basic concepts of personal data protection,
- General principles on the personal data protection,
- Compliance of the personal data processing conditions with the personal data processing conditions in the PDP Law,
- Existence of specific processing conditions and additional security measures for the processing of personal data of special nature,
- Existence of legal guarantees that personal data processing activities are carried out in accordance with the principle of transparency,
- Obligation to take the necessary technical and organizational measures to provide the adequate level of security in order to prevent unlawful processing and access to personal data and to ensure the protection of personal data,
- Implementation status of administrative and/or penal sanctions against the data breach and other mechanisms to prevent data breach,
- Rights of data subject,
- The right of data subjects to make a request to the controller and the right to lodge a complaint with the data protection authority,
- The right to compensation of data subjects whose rights on personal data have been violated according to the general provisions,
- Implementation guidelines/publications as reference,
- Exemptions to the implementation of the Law,
- Data transfer system,
- Existence of an independent data protection authority,
- Structure,
- Independence status,
- Duties and powers,
- Its authority to audit/investigate,
- Whether there is a remedy to appeal against its decisions,
- The status of being a party in the international agreements on personal data protection and being a member of international organizations,
- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108,
- Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows No.181,
- Second Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters (CETS 182),
- European Convention on Human Rights,
- International Conference of Data Protection and Privacy Commissioners (ICDPPC),
- Global Privacy Enforcement Network (GPEN),
- Whether a member of global and regional organizations that Turkey is a member,
- Trade volume with relevant country,
- Other.
22
Among these criteria, which largely overlap with the criteria in Article 45 of the GDPR, the criterion on the trade volume with the country concerned and the reciprocity criterion are worrisome. [36] For instance, the reciprocity criterion raises the question of whether EU member states shall not be accepted as countries with an appropriate level of protection. Considering that GDPR is a much more detailed and advanced legislation than the PDP Law, this result would be unlikely. However, due to this reciprocity criterion, the key questions are whether Turkey shall be accepted as a country with an appropriate level of protection in accordance with the GDPR; and if not, whether this reciprocity criterion shall prevent EU member states from being recognized as countries with an appropriate level of protection in accordance with the PDP Law. At this point there is a conflict between the protection of human rights in the scope of personal data protection and commerce as well as politics. Furthermore, the criterion on the trade volume raises the same worries of seeing the commercial and political dimensions of the adequacy decision. [37]
23
These two criteria and the criticism they bring along are reminiscent of the relationship between the EU and the USA. Even though the EU and the USA tried to find a solution to their situation, which would not affect the commercial relationship between them, first through the Safe Harbour Agreement [38] and then through the Privacy Shield Agreement [39], these agreements were repealed by the Schrems I [40] and then Schrems II [41] judgements of the Court of Justice of the EU. Hence, the conflict between data protection and commercial and political relationships is not an issue specific to Turkey, but a global one.
24
Besides, probably the most important issue regarding this transfer mechanism in Turkey is the fact that the Board has not announced any countries with the adequate level of protection.
25
The announcement of the Authority on 26 October 2020 is significant because it replies to critics from Turkey regarding this subject. [42] The Authority stated that as of the date of the announcement, there has been no application made to the Authority by the other countries to be appointed as the country with the adequate level of protection. Besides, the Authority stated that the negotiations with the other countries in this regard are carried out in consideration of the existing and potential commercial relationships, geographical and/or cultural ties and political/diplomatic relationships and by the collaboration of the Ministries of Justice, Foreign Affairs and Commerce. Moreover, the Authority explicitly underlined that the reciprocity criterion is obligatory within these negotiations. [43]
26
Considering this announcement, it could be estimated that in the near future there will be no announcement of the countries with the adequate level of protection. Therefore, this transfer mechanism is not applicable in Turkey.
2.1.1.2.2. Undertakings
27
In the PDP Law, not the term “standard contractual clauses”, but the term “undertakings” is used, which is regulated under Article 9(2)(b). The Board published two different sets of the clauses to be included into the undertakings as the minimum standards within scope of transborder transfers of personal data. [44] One set is for transfers from the controller to the controller, and the other is for the transfers from the controller to the processor. These undertakings do not contain the transfers made by a processor to another processor or a controller.
28
The most significant difference of these undertakings from the standard contractual clauses regulated under GDPR is that the clauses contained by these sets are amendable examples open to negotiations. Moreover, regardless of the amendments made in the sets of undertakings, all the undertakings must be submitted to the Board for the concerned transborder transfer to be authorized by the Board.
29
On 7 May 2020, the Board published an announcement regarding the matters to be considered in the undertakings to be prepared for the transborder transfer of personal data. [45] This announcement aims to prevent common deficiencies and mistakes in the applications for authorization of transborder transfer of personal data through submitting an undertaking to the Board. The issues are divided into three categories: procedural ones, meritorious ones, and matters to be considered in the explanations given under the headings in the annex of the commitments.
30
As of August 2021, the Board announced its authorization of four transborder transfers upon reviewing the submitted undertakings, and the first authorization announcement was dated 9 February 2021. [46] Due to the delay in consideration process of the applications and the long interval between the first authorization date and the effective date of the PDP Law, this mechanism has not been an effective and fast-paced choice.
2.1.1.2.3. Binding corporate rules
31
On 10 April 2020, the Board published an announcement on binding corporate rules (BCR) and stated that BCR may be used within the principles set forth by the Board as the alternative mechanism for the transborder transfer of personal data. [47] The Board justified this due to the inadequacy of the undertakings in regard of the data transfers made between multinational groups of companies.
32
This parallels the development of the BCR in the EU where in the Directive, it was also not an explicitly regulated transfer mechanism. Article 29 Working Party determined the BCR as a transfer mechanism based on Article 26(2) of the Directive. This article regulates adequate safeguards without naming directly BCR and without limiting the mechanisms. As for the situation in Turkey, the adequate safeguard term is not used within the PDP Law. Instead, Article 9(2)(b) of the PDP Law regulates written undertakings. The Board based BCR on this article, [48] which proves that this undertaking term is to be broadly interpreted and can contain any written alternative safeguard mechanisms, such as standard contractual clauses and BCR. The Board defines BCR as follows:
Binding Corporate Rules are data protection policies used for the transfer of personal data for the multinational group of companies operating in countries where adequate level of protection is not provided and that enable them to commit adequate level of protection in writing. [49]
33
In the annex of the relevant announcement, there are an auxiliary document regarding the main points to be included in BCR and an application form. The main points to be included in BCR are gathered under seven main topics: (i) binding nature, (ii) effectiveness, (iii) cooperation with the Authority, (iv) processing and transfer of personal data, (v) mechanisms for reporting and recording changes, (vi) data security, (vii) accountability and other tools. [50] This table is like a literal translation of a working document of the Article 29 Working Group, [51] with a few changes and additions. Although the Board preferred this method, it was criticized for not being original and causing other problems in practice. [52]
34
While the Board's adoption of the BCR is an important step due to its simplifying effect on the transborder transfers made among the multinational group of companies, it is criticized for not being sufficient to solve the problems in practice and to prevent illegal transfers. [53] Moreover, it is criticized for requiring a great deal of effort and time to put into practice, and for being suitable for a limited number of controllers. [54]
35
As of August 2021, there has been no announcement by the Board, regarding authorization of transborder transfers of personal data upon submission of BCR. [55]
2.1.1.2.4. Explicit consent
36
The PDP Law defines explicit consent as freely given, specific, and informed consent. [56] Unlike GDPR, there is no specific article setting forth the conditions of consent in the PDP Law. However, the definition in the PDP Law sets forth three conditions for the explicit consent, which are discussed in the Authority's Guideline titled Explicit Consent [57]: (i) being freely given, (ii) being specific, (iii) informing the concerned data subject before taking the consent.
37
In order for a consent to be freely given, the Authority requires that the consenting data subject must be aware of this behaviour and this consent should be based on their decision. If the parties are not equal to each other, then it carries more importance to examine whether consent is freely given. Furthermore, consent cannot be a prerequisite for providing a service or goods. [58]
38
The Authority relates the condition of being specific to consent being related to and limited with a specific subject. Therefore, it should be clear which specific subject the consent is related to, and general or ambiguous statements are not consent in compliance with the PDP Law. [59]
39
The Authority emphasizes the importance of providing information to the concerned data subject in a clear and understandable manner before processing the data. Moreover, the Authority warns against the terms that may not be understood by the data subjects and unreadably small font sizes in written information forms. [60] However, unlike GDPR, it is not obligatory to inform the data subject about the possible risks of the concerned transborder transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards before taking the consent of the data subject.
40
In the EU law, explicit consent is among the derogations, which are to be strictly interpreted. [61] Moreover, the doctrine emphasizes that consent is not the silver bullet. [62] It is debatable whether consent is freely given and whether the data subject understands on which subject they consent, and it is not a reliable method as it can be withdrawn by the concerned data subject at any time. [63] Considering all these disadvantages, it is seen that explicit consent is not a frequently preferred method for transborder transfer of data in the EU, [64] and this contradicts with practice in Turkey.
41
In practice in Turkey, companies do not have many options as a transfer mechanism. The adequate level of protection is not an applicable transfer mechanism. Moreover, the slow authorization process of the undertakings and BCR has resulted in a long-term uncertainty of legal basis for the transborder transfers made by the applicants. As seen from the few authorization announcements regarding the undertakings and BCR, [65] these transfer mechanisms are also not widely implemented in practice. Additionally, through the Board decision on Convention 108, [66] it was also clarified that international agreements such as Convention 108 cannot be the sole legal basis for transborder transfers. Consequently, the most implemented transfer mechanism in practice has been to obtain explicit consent of the data subject, despite the fact that it is found risky both by the Board [67] and in the doctrine. [68]
42
In addition to unreliability of explicit consent as a transfer mechanism, it requires companies to adjust their infrastructures, location of databases, computer programs, and business relations in such a way that if explicit consent is not obtained or is withdrawn, the personal data of the related data subject can still be processed within the borders of Turkey without transborder transfer. However, such a change is often not practical, easy, or cheap particularly for large-scale companies. Moreover, requesting explicit consent from the customers instead of using other transfer mechanisms for the transborder transfers can cause a loss of customers and income in many cases. Consequently, company executives started to choose between the risk of losing customers and income versus the risk of administrative fines.
2.1.1.3. Serious harm on interests of Turkey and the person concerned
43
The PDP Law regulates that in cases where the interests of Turkey and the person concerned would be seriously harmed, personal data can be transferred abroad with the permission of the Board, only by obtaining the opinions of the relevant public institution or organization. However, in this case, the provisions of international conventions are reserved. [69] This provision is criticized for creating uncertainty, since there are no objective criteria for determining situations where the interest will be seriously harmed. [70]
2.1.2. Other laws regulating transborder transfer of personal data
44
Pursuant to Article 9(6) of the PDP Law, provisions regarding the transborder transfer of personal data from the other laws are reserved. As an example, in the recital on Article 9 of the PDP Law, it is stated that the articles of the Law No 5549 on the Prevention of Laundering of Crime Revenues, which authorizes the President of the Financial Crimes Investigation Board on international information exchange, shall be applied with priority.
45
Other fundamental laws that can be considered in this context are the Banking Law No 5411, the Notification Law No 7201, the Law No 6706 on International Judicial Cooperation in Criminal Matters, and the Turkish Civil Aviation Law No 2920 [71].
46
The processes regulated under these laws are independent of the PDP Law, and data transfers within the scope of these laws are not subject to the authorization of the Board. [72]
2.2. Conventions and protocols of the Council of Europe
47
Turkey joined the CoE as the thirteenth member state on 13 April 1950. [73] Today, the CoE has forty-seven states as members, including all the EU member states. [74] It became an international organization exceeding the borders of the EU and is in a leading position in the field of human rights and personal data protection in the world.
48
The conventions adopted by the CoE are significant due to their binding nature for the EU member states in terms of constitutional law and effect on international law. [75]
49
In Turkey, in accordance with Article 90(5) of the Constitution, the international conventions duly put into effect have the force of law. Moreover, it is prohibited to apply to the Constitutional Court about such conventions under the allegation of unconstitutionality. In case such conventions regulate fundamental rights and freedoms, and these conventions and Turkish laws contain different provisions on the same subject, the provisions of international conventions should be taken as basis.
50
Consequently, it is important to consider the CoE conventions regarding the protection of personal data, which have the force of law in Turkey, in terms of ensuring integrity in practice and theoretical studies in Turkey. [76]
2.2.1. Convention for the Protection of Human Rights and Fundamental Freedoms
51
The Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), to which Turkey is a party, was signed in Rome on 4 November 1950. [77] The ECHR contains provisions on human rights, fundamental freedoms and the protection of private life and it regulates the European Court of Human Rights, which is the first organ in the field of protection of human rights. [78] The ECHR does not contain a provision directly regulating the protection of personal data, but the case-law developed by the European Court of Human Rights in this context is of particular importance. [79] The protection of personal data has been dealt with by the European Court of Human Rights under Article 8 of the ECHR, titled “respect for private and family life”. [80]
2.2.2. Convention 108 and Additional Protocol 181
52
CoE started working in the field of personal data protection in the 1970s and opened the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) for signature on 28 January 1981. [81] This convention is open for signature by non-EC member states. [82] Although Turkey is one of the first states to sign the Convention 108, it duly entered into force in Turkey on 17 March 2016. [83]
53
Convention 108 is the first and only convention with an international character that explicitly emphasizes the realization of the international standard in the field of personal data protection and the strengthening of data protection in domestic law. [84] Indeed, regulating the transfer of personal data between the contracting states is among the objectives of the Convention 108. [85]
54
Transborder data flows are regulated under the third chapter of the Convention 108. Pursuant to Article 12(2) of the Convention 108, a contracting state shall not prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party for the sole purpose of the protection of privacy. However, there are two derogations regarding this rule:
- Insofar as the legislation of the contracting state, from which data is to be transferred, includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other contracting state, which is to receive the data, provide an equivalent protection;
- When the transfer is made from the territory of the contracting state to the territory of a non-contracting state through the intermediary of the territory of another contracting state, in order to avoid such transfers resulting in circumvention of the legislation of the party referred to at the beginning of this derogation [86].
55
Issues such as developing technology, easy transborder transfer of data and transformation of data into a means of financial gain made it necessary for the CoE to adopt Additional protocol to Convention 108 regarding supervisory authorities and transborder data flows (Additional Protocol 181). [87] Additional Protocol 181 was signed by Turkey on 8 November 2001 and duly entered into force on 5 May 2016. [88] Additional Protocol 181 regulated two additional articles to the Convention 108, titled “Supervisory Authorities” and "Transborder Flows of Personal Data to a Recipient which is not Subject to the Jurisdiction of a Party to the Convention”. Thus, contracting states are obliged to establish fully independent supervisory authorities that are responsible for ensuring compliance with the measures in domestic law that put the principles in Convention 108 and Additional Protocol 181 into practice. [89] The second novelty of Additional Protocol 181 is the provisions on transborder transfer of personal data to non-contracting states or organisations. Pursuant to Article 2 of Additional Protocol No 181, such transfers are to be made only if the receiving state or organisation ensures an adequate level of protection for the intended data transfer. However, there are two derogations from this rule:
- In case that domestic law of the state, from which the data is to be transferred, provides for it because of specific interests of the data subject or legitimate prevailing interests, especially important public interests, or
- In case that safeguards, which can in particular result from contractual clauses, are provided by the controller responsible for the transfer and are found adequate by the competent authorities according to domestic law of the state, from which the data is to be transferred. [90]
56
It is possible to state that the PDP Law is mainly compliant with the Convention 108 [91] and Additional Protocol 181. However, the Board Decision on Convention 108, which is examined in Chapter 2, carries significant importance in this context.
2.2.3. Modernized Convention 108+
57
It is a natural result that the Convention 108, adopted by the EC in 1981, is insufficient in the face of developing technology and the pace of the changing world. This situation caused modernization efforts. The seven-year-long modernization work was completed in 2018. Protocol amending the Convention for the protection of individuals with regard to the processing of personal data (Modernized Convention 108+) was adopted by the EC on 18 May 2018. [92]
58
As of August 2021, thirty-nine CoE member states and four non-CoE member states have so far signed the Modernized Convention 108+. [93] Although it is expected in the doctrine that Turkey will be a party to the Modernized Convention 108+ since it meets today's requirements, Turkey has not signed this convention yet. [94] For this reason, this convention is not to be reviewed in detail within this article. However, it is necessary to state that while Modernized Convention 108+ keeps the main principles of the Convention 108, it also expands the scope of the Convention 108 and raises the standards of the Convention 108. [95] Modernized Convention 108+ carries significant importance with its potential to establish a standard for transborder transfers of personal data, [96] and it is hoped that soon this convention duly enters into force in Turkey.
3. Transborder Transfers in Turkey in the Light of Board Decisions
59
The fact that the PDP Law does not regulate the transborder transfer of personal data in as much detail as the GDPR does not result in simplicity, but in ambiguity. This situation raises more questions in practice, causing more work for the Authority. Additionally, Board decisions and publications have often shaped the practice of transborder transfers of personal data. On the one hand, many decisions of the Board put an end to various discussions in the doctrine and in practice; on the other hand, a few decisions of the Board tend to complicate matters in practice and result in unrealistic outcomes, such as qualifying explicit consent as the only applicable transfer mechanism.
60
Since the relevant publications of the Board have been examined under the previous chapter, in this chapter, the progress of the transborder transfer practice is examined in the light of the relevant Board decisions. The decisions below carry significant importance in the transborder transfer of personal data practice in Turkey as an addition to the decision for criteria determining whether countries have adequate levels of protection (that was reviewed under the previous chapter).
3.1. Board decision on the process of job application [97]
61
In business life, it is common for all the companies under a group of companies to operate using one common database. At the beginning of the legal compliance studies in Turkey, it was discussed whether such recordings would be considered as transfer of personal data in terms of the PDP Law and what the attitude of the Board would be in this regard. Through one of the first decisions it published, the Board put an end to the relevant discussions in accordance with the PDP Law.
62
In this decision, the Board stated that each of the companies within a group of companies was a controller separately. Therefore, the personal data transfers between the companies within a group of companies were transfers of personal data within the scope of the PDP Law. For this reason, recording the personal data of the employee candidate in the database accessed by all the companies within a group of companies, without the explicit consent of the concerned employee candidate was to be interpreted as the transfer of personal data that violates the provisions of the PDP Law.
3.2. Board decision on Gmail [98]
63
In this decision, it was stated that the e-mails sent and received through Google’s Gmail e-mail service infrastructure were kept in data centers located in various parts of the world. Therefore, if Gmail was used, there would be transborder transfer of personal data in terms of Article 9 of the PDP Law. Furthermore, in this decision, the Board emphasized that the storage services provided by controllers or processors, which had servers outside of Turkey, transferred the personal data outside of Turkey.
64
It is expected that this decision will cause serious changes in information technologies in Turkey due to the infrastructure change in the corporate operation, the emergence of additional and higher costs, the loss of efficiency during the adaptation of employees to the new system, and the need for finding domestic and national solutions in Turkey. [99]
65
In this context, the Announcement of the Authority on Distance Education Platforms dated 7 April 2020 [100] is also significant. In its announcement, the Authority stated that most of the software used in the distance education process was served by cloud service providers and the data centers belonging to such software. If these platforms were used, the fact that their data centers were abroad would result in transborder transfer of the personal data and bring an obligation to comply with Article 9 of the PDP Law. It should be noted that EDPB also emphasized that remote access from a third country (for instance in support cases) and/or storage in a cloud located outside the European Economic Area would be considered to be a transfer. [101]
3.3. Board decision on Amazon Turkey [102]
66
Due to the fact that transborder transfer of data from Turkey involves many uncertainties in practice and the Board does not publish the list of countries with appropriate level of protection, it has become technically impossible to ensure compliance with the law in many cases. [103] This situation created an expectation that the Board would not decide on a violation regarding transborder transfers and would not impose administrative fines under the current conditions. [104] However, contrary to this expectation, the Board imposed a large administrative fine on Amazon Turkey based on a series of violations, including the violation regarding the transborder transfer of personal data.
67
In this Board decision, it was stated that Amazon Turkey, as the controller, had submitted its undertakings to the Board for the authorization of the concerned transborder transfers of personal data, but the Board had not yet decided on this issue. Therefore, it was underlined by the Board that the sole legal option for Amazon Turkey's transborder transfers of personal data was to obtain the explicit consent of the concerned data subject. It was determined that the method followed by Amazon did not contain explicit consent and was not in compliance with the procedure set forth by the PDP Law.
68
The current legislation and this Board decision are based on Turkey's government policy on ensuring that data is hosted within the country. [105] However, this decision contains many elements that are open to criticism. Some of the criticised points can be summarized as follows:
- The Board’s narrow and literal interpretation of the PDP Law, its failure to consider the law as a whole, and its failure to account for international conventions duly enacted in accordance with Article 90 of the Constitution, particularly the Convention 108 and the Additional Protocol 181. [106]
- The Board's acceptance of explicit consent as the only applicable mechanism in transborder transfers of the personal data and its conflict with the Board's other decisions and guidelines of the Authority. [107]
- The impossibility of transborder transfers of personal data solely on the basis of the explicit consent of the concerned data subject, especially for large-scale companies or companies with many employees or connections abroad. [108]
- The Board's refusal to publish the list of countries with appropriate levels of protection for years, but its ability to make such decisions, when it does not fulfil its own obligation, which constitutes one of the cornerstones for legal compliance in transborder transfers. [109]
- The fact that the Board did not authorize any transborder transfers under the submitted undertakings, including Amazon Turkey's application, on the date of the decision. [110]
69
All these justified criticisms raise the question of how fair this Board decision was.
3.4. Board decision on Convention 108 [111]
70
This decision is of particular importance due to the Board's interpretation of how Convention 108 and Additional Protocol 181 should be applied in domestic law.
71
Since the mechanism of obtaining the explicit consent of the data subject for transborder transfers of the personal data is difficult in practice, it was discussed whether personal data could be transferred to the contracting states based on the basic rule in Article 12(2) of the Convention 108. Since the Board had not announced the countries with appropriate levels of protection, it was argued that pursuant to the Convention 108, it was possible to consider the personal data transfers to the contracting states of the Convention 108 as lawful. [112] Moreover, the transborder transfer scheme included in the Board's current Guideline on Transborder Transfer of Personal Data supported this interpretation. [113]
72
In this case, the relevant controller claimed that since the recipient company of the personal data was in an EU state, which was also a contracting state of Convention 108 and Additional Protocol 181, this transborder transfer of personal data is lawful pursuant to the Convention 108, Additional Protocol 181 and Article 90 of Constitution and cannot be subject to any prohibition or special authorisation.
73
In its assessment, the Board referred to the Explanatory Report to the Convention 108 and stated that the purpose of the provision of Article 12(2) of the Convention 108 was to facilitate the data flow between the parties, based on the pre-acceptance that the contracting states provided sufficient assurances in terms of the protection of personal data. The Board therefore concluded that this provision did not mean that data flows between contracting states cannot be subject to prohibition or special authorization. As an example, the Board pointed out that in the light of the GDPR, the contracting states of Convention 108 are not directly qualified as countries with adequate level of protection, and this situation is only a criterion to be considered in the adequacy assessment.
74
As explained above, in accordance with Article 90(5) of the Constitution, in case international conventions regulating fundamental rights and freedoms, that are duly put into effect in Turkey, and Turkish laws contain different provisions on the same subject, the provisions of international conventions should be taken as basis. In its interpretation of this article, the Board stated that the relevant international convention provision should be directly applicable and emphasized that this means that it is sufficiently clear, precise and unconditional and this does not require the state to take any additional measures for its implementation. The Board concluded that Convention 108 did not meet these criteria, therefore, as in the EU practice, it was not sufficient on its own in terms of determination of the country with adequate levels of protection under the PDP Law, but only had the quality of a positive element in the assessment to be made by the Board.
75
Since the Board is responsible for the implementation of the PDP Law, it was criticised that the Board evaluated when and under which conditions a provision of the Constitution would find application, that this evaluation was not based on any jurisprudence or doctrine, and that such an important interpretation was detached from the necessary justification and depth. [114]
76
Despite these criticisms, it is not possible to claim that solely the fact that the recipient is in a contracting state of Convention 108 and Additional Protocol 181 is sufficient for the lawful transborder transfer of personal data. [115]
Conclusion
77
Personal data protection law is a developing and rapidly changing field all over the world. Despite this change, personal data protection law has difficulty in keeping up with the requirements of today's technology and data-based economy. Considering the different dynamics of law and technology, this is not a surprising outcome. Nevertheless, this outcome means that there is more work to do for legislators, authorities and jurists in order to speed up the process of creating appropriate legal principles and rules. Only with such fast, detailed and ever-developing work will legal systems have the chance to establish a realistic and applicable balance between the right to protect personal data and the data-based economy in the PDP Law in the future.
78
In the past six years, Turkey took significant steps to develop personal data protection law and to enlighten people in Turkey. Examples include the PDP Law’s entry into force, establishment of the Authority and the Board, ratifications of the Convention 108 and Additional Protocol 181, various decisions of the Board, court and supreme courts and proactive works of the Authority, et cetera. The Authority sought to be active in organizing and attending conferences on personal data protection, creating various videos on data protection and rights of the data subjects, regularly publishing its journal, organizing various competitions, taking decisions, and publishing announcements and guidelines. All these efforts resulted in the enlightenment of people and lawyers in Turkey in this field, which is not to be taken lightly. Nevertheless, these efforts have not been sufficient to clear the vagueness regarding transborder transfers of personal data. Thus, there is much to do, and the Authority is burdened even more than usual due to the fact that this field is new in Turkey.
79
Even though the evaluation of the law does not come to an end, there are urgent steps to be taken for personal data protection in Turkey. First, there is a need for more detailed and developed provisions on transborder transfer, which makes it necessary for Turkey to sign and ratify Modernized Convention 108+ and for the legislators to make the related amendments in the PDP Law as soon as possible. Secondly, all the transfer mechanisms are to be enabled, so that the explicit consent does not come to the fore as the first option among the other mechanisms. In this regard, adequate levels of protection are to be an effective transfer mechanism in Turkey. For this purpose, it is required that the trade volume with the concerned country and reciprocity criteria with the relevant country are not considered as mandatory in the evaluation process of countries with highly developed personal data protection legislation and legal implementation. Also, the authorization process of BCR and undertakings needs to be accelerated. In this context, the future announcements regarding clarification of the requirements and details of such new mechanisms need to be made by the Board at an earlier stage. Furthermore, the undertaking sets for the transfers by a processor to another processor or a controller would be useful in solving the problems experienced regarding the transborder transfer of personal data by data processors. Additionally, the creation of undertaking sets, which do not require the authorization of the Board if used without any amendments, would be a practical solution against the ineffectiveness of this mechanism in practice. Thirdly, the ambiguity of the provision on serious harm to the interests of Turkey and the person concerned needs to be removed in the light of the related international conventions. Finally, even if inspired by the GDPR, the critiques of the GDPR should be considered during such works, and the works of the Board need to be original instead of literal translations and to aim to bring transborder transfer of personal data to a new level. These needs are made essential by today’s data-based economy and the obligatory speed for creating appropriate legal principles, rules, and processes.
80
The Authority and the Board are among the key figures in this process of required change. In order to achieve these goals without delay and to accelerate the process of authorizations, more experts can be recruited by the Authority if necessary. Moreover, the list of the countries with adequate levels of protection should be announced by the Board without any further delay. Furthermore, a deadline for authorization processes of the applications regarding transfer mechanisms is necessary in order to notify the applicants about the maximum period of time required and to avoid long-term uncertainties. Additionally, narrow and literal interpretations of the PDP Law are to be avoided in the Board decisions, and explicit consent is not to be considered as the sole applicable transfer mechanism. Finally, Board decisions need to be based on more detailed justifications through Turkish and foreign doctrines, resolutions, and international conventions.
*by Sevde Pelen, Istanbul Bar Association
[1] Personal Data Protection Authority, ‘100 Soruda Kişisel Verilerin Korunması Kanunu (Law on Personal Data Protection in 100 Questions)’ <https://kvkk.gov.tr/SharedFolderServer/CMSFiles/7d5b0a2f-e0ea-41e0-bf0b-bc9e43dfb57a.pdf> accessed 17 April 2020.
[2] Berna Akçalı Gür, ‘Uluslararası Hukuk ve AB Hukuku Boyutuyla Kişisel Verilerin Yurt Dışına Aktarılması (Transborder Transfer of Personal Data with the Dimension of International Law and EU Law)’ (2019) 25 (2) Marmara Üniversitesi Hukuk Fakültesi Hukuk Araştırmaları Dergisi, 850.
[3] 27.02.2020 dated and 2020/173 numbered decision of Personal Data Protection Board <https://www.kvkk.gov.tr/Icerik/6739/2020-173> accessed 23 April 2021.
[4] For more detailed information on this decision see “Board decision on Amazon Turkey” titled chapter C.III.
[5] Gediz Kocabaş, KVKK’da Yer Alan Kurum ve Kavramların TMK ve Kıta Avrupası Hukuk Sistemi Kapsamında Değerlendirilmesi (Evaluation of Authorities and Terms in the PDP Law within the Scope of Turkish Civil Code and Continental European Legal System) in Leyla Keser Berber and Ali Cem Bilgili (eds), Güncel Gelişmeler Işığında Kişisel Verilerin Korunması Hukuku (Law on Protection of Personal Data in the Light of Current Developments) (On İki Levha Yayınları 2020) 83.
[6] Mehmet Bedii Kaya, Kişisel Verilerin İşlenmesi ve Korunması Arasındaki Denge (Balance between Processing and Protecting Personal Data) in Leyla Keser Berber and Ali Cem Bilgili (eds), Güncel Gelişmeler Işığında Kişisel Verilerin Korunması Hukuku (Law on Protection of Personal Data in the Light of Current Developments), (On İki Levha Yayınları 2020) 33, 34.
[7] Svetlana Yakovleva/Kristina Irion, ‘Pitching Trade Against Privacy: Reconciling EU Governance of Personal Data Flows with External Trade’ (2020) 10 (3) International Data Privacy Law 201.
[8] IDC, ‘The Digitization of the World: From Edge to Core’ (2018) 2-26 <https://resources.moredirect.com/white-papers/idc-report-the-digitization-of-the-world-from-edge-to-core> accessed 10 April 2021; McKinsey & Company, ‘Digital Globalization: The New Era of Global Flows’ (2016) 1-41 <https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/Digital%20globalization%20The%20new%20era%20of%20global%20flows/MGI-Digital-globalization-Full-report.ashx> accessed 10 April 2021.
[9] McKinsey & Company, ‘How Covid-19 Has Pushed Companies over the Technology Tipping Point—And Transformed Business Forever’ (2020) <https://www.mckinsey.com/business-functions/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever#> accessed 10 April 2021; International Telecommunication Union, ‘Economic Impact of Covid-19 on Digital Infrastructure’ (2020) 3-6 <https://www.itu.int/en/ITU-D/Conferences/GSR/2020/Documents/GSR-20_Impact-COVID-19-on-digital-economy_DiscussionPaper.pdf> accessed 10 April 2021.
[10] Christopher Kuner, ‘Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present and Future’ (2011) 187 OECD Digital Economy Papers 1, 10.
[11] Rolf H. Weber, ‘Transborder Data Transfers: Concepts, Regulatory Approaches and New Legislative Initiatives’ (2013) 3 (2) International Data Privacy Law, 117, 118.
[12] Christopher Kuner, ‘Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present and Future’ (2011) 187 OECD Digital Economy Papers 1, 8.
[13] Christopher Kuner et al, ‘The (data privacy) law hasn’t even checked in when technology takes off’ (2014) 4 (3) International Data Privacy Law, 175, 176.
[14] European Commission, ‘Digital Single Market – Communication on Exchanging and Protecting Personal Data in a Globalised World Questions and Answers’ <https://ec.europa.eu/commission/presscorner/detail/en/MEMO_17_15> accessed 11 March 2021.
[15] Christopher Kuner et al, ‘If the legislature had been serious about data privacy…’ (2019) 9 (2) International Data Privacy Law 75, 77.
[16] <https://www.resmigazete.gov.tr/eskiler/2016/04/20160407.htm> accessed 7 June 2021.
[17] <https://op.europa.eu/en/publication-detail/-/publication/99caafe9-11bc-11e6-ba9a-01aa75ed71a1/language-en> accessed 7 June 2021.
[18] For the official English translation of the PDP Law see <https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/aea97a33-089b-4e7d-85cb-694adb57bed3.pdf> accessed 7 March 2021.
[19] Cemal Başar, ‘Türk İdare Hukuku ve Avrupa Birliği Hukuku Işığında Kişisel Verilerin Korunması (Protection of Personal Data in Turkish Administrative Law and EU Law)’ (PhD Thesis, Dokuz Eylül Üniversitesi 2019) 150.
[20] <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/declarations?p_auth=YP6ZdjNO&_coeconventions_WAR_coeconventionsportlet_enVigueur=false&_coeconventions_WAR_coeconventionsportlet_searchBy=state&_coeconventions_WAR_coeconventionsportlet_codePays=TUR&_coeconventions_WAR_coeconventionsportlet_codeNature=3> accessed 23 April 2021.
[21] PDP Law Article 19(1).
[22] PDP Law Article (1).
[23] Samet Saygı, ‘6698 Sayılı Kanunun Sistematiğinde Yargısal Başvuru Yolları (Judicial Remedies in the Systematics of Law No. 6698)’ 2020 2 (2) Kişisel Verileri Koruma Dergisi 30, 44-54.
[24] Samet Saygı, ‘6698 Sayılı Kanunun Sistematiğinde Yargısal Başvuru Yolları (Judicial Remedies in the Systematics of Law No. 6698)’ 2020 2 (2) Kişisel Verileri Koruma Dergisi 30, 49.
[25] PDP Law Article 3(1)(d).
[26] PDP Law Articles 5 and 6.
[27] Murat Volkan Dülger, Kişisel Verilerin Korunması Hukuku (Personal Data Protection Law) (3. Edition, Hukuk Akademisi 2020) 437-438.
[28] PDP Law Articles 8 and 9.
[29] PDP Law Article 9(1).
[30] The conditions of processing personal data of normal nature without the explicit consent of the data subject concerned are regulated as follows under Article 5(2) of the PDP Law: (i) it is clearly provided for by the laws; (ii) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid; (iii) processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of that contract; (iv) it is mandatory for the controller to be able to perform his legal obligations; (v) the data concerned is made available to the public by the data subject himself; (vi) data processing is mandatory for the establishment, exercise or protection of any right; (vii) it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
[31] The conditions of processing personal data of special nature without the explicit consent of the data subject concerned are regulated as follows under Article 6(3) of the PDP Law: Personal data, excluding those relating to health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any person or authorised public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
[32] PDP Law Article 9(4).
[33] PDP Law Article 9(4).
[34] 02.05.2019 dated and 2019/125 numbered decision of Personal Data Protection Board <https://www.kvkk.gov.tr/Icerik/5469/-Yeterli-korumanin-bulundugu-ulkelerin-tayininde-kullanilmak-uzere-olusturulan-form-hakkindaki-02-05-2019-tarihli-ve-2019-125-sayili-Kurul-Karari> accessed 23 April 2021.
[35] <https://kvkk.gov.tr/SharedFolderServer/CMSFiles/93aa4e79-816f-4383-8377-a6e9f8a7574c.pdf> accessed 7 June 2021.
[36] Murat Volkan Dülger, Kişisel Verilerin Korunması Hukuku (Personal Data Protection Law) (3. Edition, Hukuk Akademisi 2020) 447.
[37] ibid.
[38] <https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ%3AL%3A2000%3A215%3A0007%3A0047%3AEN%3APDF> accessed 11 April 2021.
[39] <https://ec.europa.eu/info/sites/default/files/celex_32016d1250_en_txt.pdf> accessed 11 April 2021.
[40] CJEU, Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015].
[41] CJEU, Case C-311/18 Maximillian Schrems, Facebook Ireland Ltd v Data Protection Commissioner [2020].
[42] Personal Data Protection Authority, ‘Yurt Dışına Veri Aktarımı Kamuoyu Duyurusu (Public Announcement on Transborder Transfer of Data)’ (2020) <https://kvkk.gov.tr/Icerik/6828/YURTDISINA-VERI-AKTARIMI-KAMUOYU-DUYURUSU> accessed 23 April 2021.
[43] ibid.
[44] Personal Data Protection Board, ‘Taahhütnameler: Veri Sorumlusundan Veri Sorumlusuna Aktarım, Veri Sorumlusundan Veri İşleyene Aktarım (Undertakings: Transfer from Data Controller to Data Controller, Transfer from Data Controller to Data Processor)’ (2020) <https://www.kvkk.gov.tr/Icerik/5255/Taahhutnameler> accessed 23 April 2021.
[45] Personal Data Protection Authority, ‘Yurt Dışına Kişisel Veri Aktarımında Hazırlanacak Taahhütnamelerde Dikkat Edilmesi Gereken Hususlara İlişkin Duyuru (Announcement on the Matters to be Considered in the Undertakings to be Prepared for the Transborder Transfer of Personal Data)’ (2020) <https://www.kvkk.gov.tr/Icerik/6741/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-HAZIRLANACAK-TAAHHUTNAMELERDE-DIKKAT-EDILMESI-GEREKEN-HUSUSLARA-ILISKIN-DUYURU> accessed 23 April 2021.
[46] <https://www.kvkk.gov.tr/Icerik/6867/TAAHHUTNAME-BASVURUSU-HAKKINDA-DUYURU> accessed 23 April 2021; <https://www.kvkk.gov.tr/Icerik/6898/TAAHHUTNAME-BASVURUSU-HAKKINDA-DUYURU> accessed 23 April 2021; < https://kvkk.gov.tr/Icerik/6985/TAAHHUTNAME-BASVURUSU-HAKKINDA-DUYURU > accessed 15 September 2021.
[47] Personal Data Protection Authority, ‘Bağlayıcı Şirket Kuralları Hakkında Duyuru (Announcement on Binding Corporate Rules)’ (2020) <https://www.kvkk.gov.tr/Icerik/6728/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-BAGLAYICI-SIRKET-KURALLARI-HAKKINDA-DUYURU> accessed 23 April 2021.
[48] ibid.
[49] ibid Application Form 2.
[50] ibid main points to be included in BCR.
[51] Article 29 Working Party, ‘Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules’ (2008) <https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2008/wp153_en.pdf> accessed 23 April 2021.
[52] Murat Volkan Dülger/Cansu Ceren Kahraman, ‘KVKK’dan Kişisel Verilerin Yurt Dışına Aktarımında Önemli Bir Adım: Bağlayıcı Şirket Kuralları (An Important Step in Transborder Transferring of Personal Data: Binding Company Rule)’ (2021) 6 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3792375> accessed 23 April 2021.
[53] ibid 6-7; Murat Volkan Dülger, ‘Kişisel Verileri Koruma Kurulu’nun 108 Sayılı Sözleşme Hakkındaki Kararı ve Yurt Dışına Veri Aktarımı Sorunu (Decision of Personal Data Protection Board about Nr. 108 Agreement and Problem about Data Transfer to Abroad)’ (2021) 5-6 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3792396> accessed 23 April 2021; Murat Volkan Dülger, Kişisel Verilerin Korunması Hukuku (Personal Data Protection Law) (3. Edition, Hukuk Akademisi 2020) 455.
[54] Murat Volkan Dülger/Cansu Ceren Kahraman, ‘KVKK’dan Kişisel Verilerin Yurt Dışına Aktarımında Önemli Bir Adım: Bağlayıcı Şirket Kuralları (An Important Step in Transborder Transferring of Personal Data: Binding Company Rule)’ (2021) 6-7 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3792375> accessed 23 April 2021; Murat Volkan Dülger, ‘Kişisel Verileri Koruma Kurulu’nun 108 Sayılı Sözleşme Hakkındaki Kararı ve Yurt Dışına Veri Aktarımı Sorunu (Decision of Personal Data Protection Board about Nr. 108 Agreement and Problem about Data Transfer to Abroad)’ (2021) 5-6 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3792396> accessed 23 April 2021; Murat Volkan Dülger, Kişisel Verilerin Korunması Hukuku (Personal Data Protection Law) (3. Edition, Hukuk Akademisi 2020) 455.
[55] <https://kvkk.gov.tr/Search?keyword=bağlayıcı%20şirket%20kuralları&langText=tr> accessed 15 September 2021.
[56] PDP Law Article 3(1)(a).
[57] <https://kvkk.gov.tr/SharedFolderServer/CMSFiles/66b2e9c4-223a-4230-b745-568f096fd7de.pdf> accessed 7 March 2021.
[58] Personal Data Protection Board, ‘Açık Rıza (Explicit Consent)’ 5-6 <https://kvkk.gov.tr/SharedFolderServer/CMSFiles/66b2e9c4-223a-4230-b745-568f096fd7de.pdf> accessed 1 April 2018.
[59] ibid 4.
[60] ibid 5.
[61] Article 29 Working Party, ‘Working Document on a Common Interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995’ (2005) 7 <https://www.pdpjournals.com/docs/88080.pdf> accessed 23 April 2021.
[62] Kirill Albrecht/Kareen Lee Lust, ‘GDPR Series: International Data Transfers - A High Level Review’ (2017) Thomson Reuters UK Westlaw, <https://0-uk-westlaw-com.opac.bilgi.edu.tr/Document/I6A4FE8F0E71911E79CABC75D43EB17D0/View/FullText.html?navigationPath=Search%2Fv1%2Fresults%2Fnavigation%2Fi0ad62af00000017812d031ca9497f551%3Fppci%3D6c60aa16de1f41e79c6d042da8b3ce42%26Nav%3DRESEARCH_COMBINED_WLUK%26fragmentIdentifier%3DI6A4FE8F0E71911E79CABC75D43EB17D0%26parentRank%3D0%26startIndex%3D1%26contextData%3D%2528sc.Search%2529%26transitionType%3DSearchItem&listSource=Search&listPageSource=25e244b923ec2d22fe56b2baf08669ca&list=RESEARCH_COMBINED_WLUK&rank=3&sessionScopeId=6ad8a701e66706646be48252f2f7d6ddcaf651813e2177763894386479f5832d&ppcid=6c60aa16de1f41e79c6d042da8b3ce42&originationContext=Search%20Result&transitionType=SearchItem&contextData=%28sc.Search%29> accessed 8 March 2021.
[63] Nikolaos I. Theodorakis, ‘Cross Border Data Transfers Under the GDPR: The Example of Transferring Data from the EU to the US’ (2018) TTLF Working Papers No. 39, 44 <https://law.stanford.edu/publications/no-39-cross-border-data-transfers-under-the-gdpr-the-example-of-transferring-data-from-the-eu-to-the-us/> accessed 8 March 2021; Christopher Kuner, ‘Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present and Future’ (2011) 187 OECD Digital Economy Papers 1, 21-22.
[64] Bilgi Information Technology Law Institute, ‘Kişisel Verilerin Korunmasına İlişkin Düzenlemeler Çerçevesinde Uluslararası Veri Aktarımı, Güncel Gelişmeler ve Uygulamaya İlişkin Hukuki Değerlendirmeler (Legal Evaluations Regarding International Data Transfer, Current Developments and Practice within the Framework of the Regulations on the Protection of Personal Data)’ (2020) 28 <https://itlaw.bilgi.edu.tr/media/2020/3/30/Final%20Veri_Aktarimi_Raporu_30.03.2020.pdf> accessed 8 March 2021.
[65] <https://www.kvkk.gov.tr/Icerik/6867/TAAHHUTNAME-BASVURUSU-HAKKINDA-DUYURU> accessed 23 April 2021; <https://www.kvkk.gov.tr/Icerik/6898/TAAHHUTNAME-BASVURUSU-HAKKINDA-DUYURU> accessed 23 April 2021; <https://kvkk.gov.tr/Icerik/6985/TAAHHUTNAME-BASVURUSU-HAKKINDA-DUYURU> accessed 15 September 2021; <https://kvkk.gov.tr/Search?keyword=bağlayıcı%20şirket%20kuralları&langText=tr> accessed 15 September 2021.
[66] For more detailed information on this decision, see chapter C.IV, titled “Board decision on Convention 108”.
[67] Personal Data Protection Authority, ‘Kişisel Verilerin Korunması Kanunu Hakkında Sıkça Sorulan Sorular (Frequently Asked Questions About the Law on the Protection of Personal Data)’ 25 <https://www.kvkk.gov.tr/Icerik/5412/Acik-Rizanin-Hizmet-Sartina-Baglanmasi> accessed 23 April 2021.
[68] Nafiye Yücedağ, ‘Medeni Hukuk Açısından Kişisel Verilerin Korunması Kanunu’nun Uygulama Alanı ve Genel Hukuka Uygunluk Sebepleri (General Legal Compliance Conditions and Field of Application of the Law on Protection of Personal Data in Terms of Civil Law)’ (2017) 75 (2) İstanbul Üniversitesi Hukuk Fakültesi Mecmuası, 765, 786; Nafiye Yücedağ, ‘Kişisel Verilerin Korunması Kanunu Kapsamında Genel İlkeler (General Principles under the Law on the Protection of Personal Data)’, (2019) 1 (1) Kişisel Verileri Koruma Dergisi 47, 50; Bilgi Information Technology Law Institute, ‘Kişisel Verilerin Korunmasına İlişkin Düzenlemeler Çerçevesinde Uluslararası Veri Aktarımı, Güncel Gelişmeler ve Uygulamaya İlişkin Hukuki Değerlendirmeler (Legal Evaluations Regarding International Data Transfer, Current Developments and Practice within the Framework of the Regulations on the Protection of Personal Data)’ (2020) 9 <https://itlaw.bilgi.edu.tr/media/2020/3/30/Final%20Veri_Aktarimi_Raporu_30.03.2020.pdf> accessed 8 March 2021; Elif Küzeci, Kişisel Verilerin Korunması (Protection of Personal Data) (4. Edition, On İki Levha Yayınları, 2020) 395.
[69] PDP Law Article 9(5).
[70] Elif Küzeci, Kişisel Verilerin Korunması (Protection of Personal Data) (4. Edition, On İki Levha Yayınları, 2020) 413; Elif Küzeci/Beri Boz, ‘The new Data Protection Act in Turkey and potential implication for E-commerce’ (2017) 7 (3) International Data Privacy Law 228.
[71] Bilgi Information Technology Law Institute, ‘Kişisel Verilerin Korunmasına İlişkin Düzenlemeler Çerçevesinde Uluslararası Veri Aktarımı, Güncel Gelişmeler ve Uygulamaya İlişkin Hukuki Değerlendirmeler (Legal Evaluations Regarding International Data Transfer, Current Developments and Practice within the Framework of the Regulations on the Protection of Personal Data)’ (2020) 100-102 <https://itlaw.bilgi.edu.tr/media/2020/3/30/Final%20Veri_Aktarimi_Raporu_30.03.2020.pdf> accessed 8 March 2021.
[72] ibid 100.
[73] <https://www.coe.int/en/web/portal/turkey> accessed 8 March 2021.
[74] <https://www.coe.int/en/web/portal/47-members-states> accessed 8 March 2021.
[75] Hayrunnisa Özdemir, Elektronik Haberleşme Alanında Kişisel Verilerin Özel Hukuk Hükümlerine Göre Korunması (Protection of Personal Data in the Field of Electronic Communications in Accordance with Private Law Provisions), (1. Edition, Seçkin Yayınları 2009) 21.
[76] Berna Akçalı Gür, ‘Uluslararası Hukuk ve AB Hukuku Boyutuyla Kişisel Verilerin Yurt Dışına Aktarılması (Transborder Transfer of Personal Data with the Dimension of International Law and EU Law)’ (2019) 25 (2) Marmara Üniversitesi Hukuk Fakültesi Hukuk Araştırmaları Dergisi, 850, 870.
[77] Cemal Başar, ‘Türk İdare Hukuku ve Avrupa Birliği Hukuku Işığında Kişisel Verilerin Korunması (Protection of Personal Data in Turkish Administrative Law and EU Law)’ (PhD Thesis, Dokuz Eylül Üniversitesi 2019) 150.
[78] Hayrunnisa Özdemir, Elektronik Haberleşme Alanında Kişisel Verilerin Özel Hukuk Hükümlerine Göre Korunması (Protection of Personal Data in the Field of Electronic Communications in Accordance with Private Law Provisions), (1. Edition, Seçkin Yayınları 2009) 24.
[79] Personal Data Protection Authority, Kişisel Verilerin Korunması Kanununa İlişkin Uygulama Rehberi (Guideline on the Law on the Protection of Personal Data) (2019) 18; Şehriban İpek Aşıkoğlu, ‘Avrupa Birliği ve Türk Hukukunda Kişisel Verilerin Korunması ve Büyük Veri (Protection of Personal Data and Big Data in EU and Turkish Law)’ (LL.M. thesis, İstanbul Üniversitesi 2018) 49; Sena Karaduman İşlek, ‘Kişisel Verilerin Korunması Hakkı: Uygulamada Karşılaşılan Sorunlar ve Çözüm Önerileri (Right to Protection of Personal Data: Problems Encountered in Practice and Solution Suggestions)’ (LL.M. thesis, Maltepe Üniversitesi 2020) 30-31.
[80] Hayrunnisa Özdemir, Elektronik Haberleşme Alanında Kişisel Verilerin Özel Hukuk Hükümlerine Göre Korunması (Protection of Personal Data in the Field of Electronic Communications in Accordance with Private Law Provisions), (1. Edition, Seçkin Yayınları 2009) 24-25; Personal Data Protection Authority, Kişisel Verilerin Korunması Kanununa İlişkin Uygulama Rehberi (Guideline on the Law on the Protection of Personal Data) (2019) 18; Şehriban İpek Aşıkoğlu, ‘Avrupa Birliği ve Türk Hukukunda Kişisel Verilerin Korunması ve Büyük Veri (Protection of Personal Data and Big Data in EU and Turkish Law)’ (LL.M. thesis, İstanbul Üniversitesi 2018) 47; Ezgi Çabuk, ‘Avrupa Birliği Düzenlemeleri Işığında Türk Hukukunda Kişisel Verilerin Korunması (Protection of Personal Data in Turkish Law in the light of EU Regulations)’ (LL.M. thesis, Bahçeşehir Üniversitesi 2020) 19; Akif Sadık, ‘Uluslararası Hukukta Kişisel Verilerin Korunması (Protection of Personal Data in International Law)’ (LL.M. thesis, Anadolu Üniversitesi 2020) 22.
[81] Hayrunnisa Özdemir, Elektronik Haberleşme Alanında Kişisel Verilerin Özel Hukuk Hükümlerine Göre Korunması (Protection of Personal Data in the Field of Electronic Communications in Accordance with Private Law Provisions), (1. Edition, Seçkin Yayınları 2009) 20; Personal Data Protection Authority, Kişisel Verilerin Korunması Kanununa İlişkin Uygulama Rehberi (Guideline on the Law on the Protection of Personal Data) (2019) 17.
[82] Elif Küzeci, ‘Avrupa Konseyi’nin 108 sayılı Kişisel Verilerin Korunması Sözleşmesi Yenilendi! Sözleşme 108+, Carpenter kararı ve diğer bazı gelişmelere ilişkin bir değerlendirme (Council of Europe's Convention No. 108 Renewed! A review of Convention 108+, the Carpenter judgment and some other developments)’ <https://medium.com/@elfkzc/avrupa-konseyinin-108-sayılı-kişisel-verilerin-korunması-sözleşmesi-yenilendi-bc8daad9decc> accessed 8 March 2021; <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures> accessed 8 March 2021.
[83] Personal Data Protection Authority, Kişisel Verilerin Korunması Kanununa İlişkin Uygulama Rehberi (Guideline on the Law on the Protection of Personal Data) (2019) 17.
[84] Hayrunnisa Özdemir, Elektronik Haberleşme Alanında Kişisel Verilerin Özel Hukuk Hükümlerine Göre Korunması (Protection of Personal Data in the Field of Electronic Communications in Accordance with Private Law Provisions), (1. Edition, Seçkin Yayınları 2009) 21; Elif Küzeci, ‘Avrupa Konseyi’nin 108 sayılı Kişisel Verilerin Korunması Sözleşmesi Yenilendi! Sözleşme 108+, Carpenter kararı ve diğer bazı gelişmelere ilişkin bir değerlendirme (Council of Europe's Convention No. 108 Renewed! A review of Convention 108+, the Carpenter judgment and some other developments)’ <https://medium.com/@elfkzc/avrupa-konseyinin-108-sayılı-kişisel-verilerin-korunması-sözleşmesi-yenilendi-bc8daad9decc> accessed 8 March 2021; Berna Akçalı Gür, ‘Uluslararası Hukuk ve AB Hukuku Boyutuyla Kişisel Verilerin Yurt Dışına Aktarılması (Transborder Transfer of Personal Data with the Dimension of International Law and EU Law)’ (2019) 25 (2) Marmara Üniversitesi Hukuk Fakültesi Hukuk Araştırmaları Dergisi, 850, 854.
[85] Berna Akçalı Gür, ‘Uluslararası Hukuk ve AB Hukuku Boyutuyla Kişisel Verilerin Yurt Dışına Aktarılması (Transborder Transfer of Personal Data with the Dimension of International Law and EU Law)’ (2019) 25 (2) Marmara Üniversitesi Hukuk Fakültesi Hukuk Araştırmaları Dergisi, 850, 855.
[86] Convention 108 Article 12(3).
[87] Berna Akçalı Gür, ‘Uluslararası Hukuk ve AB Hukuku Boyutuyla Kişisel Verilerin Yurt Dışına Aktarılması (Transborder Transfer of Personal Data with the Dimension of International Law and EU Law)’ (2019) 25 (2) Marmara Üniversitesi Hukuk Fakültesi Hukuk Araştırmaları Dergisi, 850, 855.
[88] Personal Data Protection Authority, Kişisel Verilerin Korunması Kanununa İlişkin Uygulama Rehberi (Guideline on the Law on the Protection of Personal Data) (2019) 18.
[89] Additional Protocol 181 Article 1.
[90] Additional Protocol 181 Article 2(2).
[91] Elif Küzeci/Beri Boz, ‘The new Data Protection Act in Turkey and potential implication for E-commerce’ (2017) 7 (3) International Data Privacy Law 228.
[92] Berna Akçalı Gür, ‘Uluslararası Hukuk ve AB Hukuku Boyutuyla Kişisel Verilerin Yurt Dışına Aktarılması (Transborder Transfer of Personal Data with the Dimension of International Law and EU Law)’ (2019) 25 (2) Marmara Üniversitesi Hukuk Fakültesi Hukuk Araştırmaları Dergisi, 850, 855.
[93] <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/223/signatures> accessed 8 March 2021.
[94] Elif Küzeci, ‘Avrupa Konseyi’nin 108 sayılı Kişisel Verilerin Korunması Sözleşmesi Yenilendi! Sözleşme 108+, Carpenter kararı ve diğer bazı gelişmelere ilişkin bir değerlendirme (Council of Europe's Convention No. 108 Renewed! A review of Convention 108+, the Carpenter judgment and some other developments)’ <https://medium.com/@elfkzc/avrupa-konseyinin-108-sayılı-kişisel-verilerin-korunması-sözleşmesi-yenilendi-bc8daad9decc> accessed 8 March 2021.
[95] Berna Akçalı Gür, ‘Uluslararası Hukuk ve AB Hukuku Boyutuyla Kişisel Verilerin Yurt Dışına Aktarılması (Transborder Transfer of Personal Data with the Dimension of International Law and EU Law)’ (2019) 25 (2) Marmara Üniversitesi Hukuk Fakültesi Hukuk Araştırmaları Dergisi, 850, 855; Elif Küzeci, ‘Avrupa Konseyi’nin 108 sayılı Kişisel Verilerin Korunması Sözleşmesi Yenilendi! Sözleşme 108+, Carpenter kararı ve diğer bazı gelişmelere ilişkin bir değerlendirme (Council of Europe's Convention No. 108 Renewed! A review of Convention 108+, the Carpenter judgment and some other developments)’ <https://medium.com/@elfkzc/avrupa-konseyinin-108-sayılı-kişisel-verilerin-korunması-sözleşmesi-yenilendi-bc8daad9decc> accessed 8 March 2021.
[96] Elif Küzeci, ‘Avrupa Konseyi’nin 108 sayılı Kişisel Verilerin Korunması Sözleşmesi Yenilendi! Sözleşme 108+, Carpenter kararı ve diğer bazı gelişmelere ilişkin bir değerlendirme (Council of Europe's Convention No. 108 Renewed! A review of Convention 108+, the Carpenter judgment and some other developments)’ <https://medium.com/@elfkzc/avrupa-konseyinin-108-sayılı-kişisel-verilerin-korunması-sözleşmesi-yenilendi-bc8daad9decc> accessed 8 March 2021.
[97] <https://www.kvkk.gov.tr/Icerik/5410/Is-Basvurusu-Surecinde-Islenen-Kisisel-Verilerin-Hukuka-Aykiri-Sekilde-Paylasilmasi> accessed 23 April 2021.
[98] Decision of the Personal Data Protection Board dated 31 May 2019 and numbered 2019/157 <https://www.kvkk.gov.tr/Icerik/5493/2019-157> accessed 23 April 2021.
[99] Murat Volkan Dülger, ‘Kişisel Verileri Koruma Kurulunun 17 Temmuz 2019 Tarihli Karar Özetlerine İlişkin Değerlendirme (Evaluation of the Personal Data Protection Board's Decision Summary dated 17 July 2019)’ (2021) 2-3 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3792321> accessed 23 April 2021.
[100] <https://kvkk.gov.tr/Icerik/6723/Uzaktan-Egitim-Platformlari-Hakkinda-Kamuoyu-Duyurusu> accessed 23 April 2021.
[101] European Data Protection Board, ‘Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data’ (2020) 9 <https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/recommendations-012020-measures-supplement_en> accessed 23 April 2021.
[102] Decision of the Personal Data Protection Board dated 27 February 2020 and numbered 2020/173 <https://www.kvkk.gov.tr/Icerik/6739/2020-173> accessed 23 April 2021.
[103] Murat Volkan Dülger, ‘Kişisel Verileri Koruma Kurulu’nun 108 Sayılı Sözleşme Hakkındaki Kararı ve Yurt Dışına Veri Aktarımı Sorunu (Decision of Personal Data Protection Board about Nr. 108 Agreement and Problem about Data Transfer to Abroad)’ (2021) 1 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3792396> accessed 23 April 2021.
[104] Murat Volkan Dülger, ‘Yurt Dışına Veri Aktarımında Milyonluk Ceza: Kişisel Verileri Koruma Kurulunun Amazon Kararı (Million Lira Fine About Transferring Data Abroad: Decision from Board of Personal Data Protection about Amazon)’ (2021) 1 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3792388> accessed 23 April 2021.
[105] Mehmet Bedii Kaya, Kişisel Verilerin İşlenmesi ve Korunması Arasındaki Denge (Balance between Processing and Protecting Personal Data) in Leyla Keser Berber and Ali Cem Bilgili (eds), Güncel Gelişmeler Işığında Kişisel Verilerin Korunması Hukuku (Law on Protection of Personal Data in the Light of Current Developments), (On İki Levha Yayınları 2020) 33, 54.
[106] ibid 55.
[107] ibid 55.
[108] Murat Volkan Dülger, ‘Yurt Dışına Veri Aktarımında Milyonluk Ceza: Kişisel Verileri Koruma Kurulunun Amazon Kararı (Million Lira Fine About Transferring Data Abroad: Decision from Board of Personal Data Protection about Amazon)’ (2021) 2 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3792388> accessed 23 April 2021.
[109] ibid 1-2.
[110] ibid 11.
[111] Decision of the Personal Data Protection Board dated 22 July 2020 and numbered 2020/559 <https://kvkk.gov.tr/Icerik/6790/2020-559> accessed 23 April 2021.
[112] Bilgi Information Technology Law Institute, ‘Kişisel Verilerin Korunmasına İlişkin Düzenlemeler Çerçevesinde Uluslararası Veri Aktarımı, Güncel Gelişmeler ve Uygulamaya İlişkin Hukuki Değerlendirmeler (Legal Evaluations Regarding International Data Transfer, Current Developments and Practice within the Framework of the Regulations on the Protection of Personal Data)’ (2020) 18 <https://itlaw.bilgi.edu.tr/media/2020/3/30/Final%20Veri_Aktarimi_Raporu_30.03.2020.pdf> accessed 8 March 2021; Murat Volkan Dülger, Kişisel Verilerin Korunması Hukuku (Personal Data Protection Law) (3. Edition, İstanbul 2020) 454; Murat Volkan Dülger, ‘Kişisel Verileri Koruma Kurulu’nun 108 Sayılı Sözleşme Hakkındaki Kararı ve Yurt Dışına Veri Aktarımı Sorunu (Decision of Personal Data Protection Board about Nr. 108 Agreement and Problem about Data Transfer to Abroad)’ (2021) 6-7 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3792396> accessed 23 April 2021.
[113] Personal Data Protection Authority, ‘Kişisel Verilerin Yurt Dışına Aktarılması (Transborder Transfer of Personal Data)’ <https://kvkk.gov.tr/yayinlar/KİŞİSEL%20VERİLERİN%20YURTDIŞINA%20AKTARILMASI.pdf> accessed 8 March 2021.
[114] Murat Volkan Dülger, ‘Kişisel Verileri Koruma Kurulu’nun 108 Sayılı Sözleşme Hakkındaki Kararı ve Yurt Dışına Veri Aktarımı Sorunu (Decision of Personal Data Protection Board about Nr. 108 Agreement and Problem about Data Transfer to Abroad)’ (2021) 12-13 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3792396> accessed 23 April 2021.
[115] ibid 16.