The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) was published in the Official Gazette dated 10.07.2024.
The Regulation was issued in line with the amendment (“Amendment”) dated 12.03.2024 to the Law on the Protection of Personal Data No. 6698 (“LPPD”, also known by its Turkish abbreviation “KVKK”). The Regulation, which applies alongside the LPPD, sets out the specifics of the procedure for transferring personal data abroad, as detailed below.
- Data processors must carry out a transfer process in accordance with the Regulation and the LPPD, in line with the instructions of the data controller.
- Where there is no adequacy determination for the country of transfer, appropriate safeguards for the transfer of personal data are required.
- The existence of a standard contract signed with the transferring party, a transfer undertaking approved by the PDP Board, a special international agreement regarding the transfer, binding corporate rules, and the ability for the relevant person to exercise his or her rights and seek effective legal remedies in the country of transfer are all examples of appropriate safeguards.
- Apart from the cases mentioned above, personal data may be transferred abroad only in specific circumstances.
- Information security precautions need to be taken while transferring data.
- To track the compliance process, the suppliers and transfer countries should be listed, and a standard contract must be signed with these suppliers and submitted to the PDP Authority by September 1, 2024.
- It is advisable to disclose any legally enforceable corporate policies signed with the Authority by the international group firms to which the data is transferred.
- A notice on Standard Contracts and Binding Corporate Rules, including sample documents, was posted on the PDP Authority's website on July 10, 2024.
In light of this information, it is recommended that the personal data inventory first be circulated to the departments within the company and that the accuracy of the listed suppliers and of the countries with which data is shared be confirmed.
Matters Regulated by the Amendment to the Law and the Regulation
Article 9 of the LPPD regulates the transfer of personal data abroad. Pursuant to the Amendment to the Law and the Regulation, three different alternatives have been introduced in the transfer of personal data abroad: transfer based on the adequacy decision, transfer based on appropriate safeguards, and transfer based on incidental circumstances.
Evaluation of Adequacy Determination
A transfer based on an adequacy determination is the first legal ground for transferring personal data abroad. When an adequacy determination is granted, the following are evaluated: reciprocity with the country to which the data is to be transferred, that country's legislation, whether it has an independent data protection authority, and whether it is a party to international conventions. In addition to countries, international organisations and sectors may also be the subject of an adequacy determination. The Amendment and the Regulation also introduce a rule that the adequacy determination should be evaluated every four years at the latest.
The Board has not yet published an adequacy decision on its website.
Transfers Based on Appropriate Safeguards
In the absence of an adequacy determination, it is necessary to first verify whether the persons concerned have the possibility to exercise their rights and to resort to effective legal remedies in the country of transfer, and to apply one of the transfer methods based on appropriate safeguards.
Appropriate safeguards are listed as follows in the Regulation:
- The presence of an agreement that is not in the nature of an international contract between public institutions and organisations or international organisations abroad and public institutions and organisations or professional associations having the status of public institutions in Turkey, and the Board's authorisation of the transfer.
- Presence of binding corporate rules, approved by the Board, containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with.
- Presence of a standard contract announced by the Board containing data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data.
- Presence of a written undertaking containing provisions to ensure adequate protection and authorisation of the transfer by the Board.
In this context, if no binding corporate rules or letter of undertaking have previously been concluded, it is recommended to sign a standard contract with the suppliers to which the transfer is made and submit it to the PDP Authority in the following manner:
- The text of the standard contract must be used without any modification.
- If the standard contract is concluded in a foreign language, the Turkish document shall prevail.
- The standard contract shall be concluded between the data controller transferring the personal data and the data processor to whom the personal data is transferred. A sample standard contract is published on the website of the Authority.
- Since the standard contract must be signed by the parties to the transfer or by persons authorised to represent and sign on behalf of the parties, the signature circular must be submitted together with the contract. Foreign language documents must be submitted to the Authority with Turkish translations and notarisation.
- The standard contract shall be notified to the Authority physically or via registered electronic mail (REM) address within five business days following the completion of the signatures.
- The transfer parties may determine in the standard contract who will fulfil the notification obligation. If no determination is made in this regard, the standard contract shall be notified to the Authority by the data controller transferring data.
- In the event of a change in the parties to the standard contract or in the information and explanations provided by the parties in the content of the standard contract or in the event of termination of the standard contract, notification is made to the Authority in the same procedure.
In the light of relevant developments, after the list of suppliers and transfer countries is clarified, standard contract signature and submission procedures may be conducted as of 1 September 2024.
Exceptional Transfers
The Regulation states that transfers based on incidental circumstances should be used only on a non-continuous basis, in cases where there is no adequacy determination and none of the appropriate safeguards is provided. Within this scope, provided that the transfer is incidental, the following circumstances are covered:
- Transfer of personal data abroad based on explicit consent.
- Transfers that are mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
- Transfers that are mandatory for an overriding public interest.
- Transfers that are mandatory for the establishment, exercise or protection of a right.
- Cases of actual impossibility.
- Access to open registers upon request of a person with a legitimate interest in the event that the data can be transferred abroad.
The Regulation emphasises that this method is exceptional and cannot be adopted for every data processing activity. In this scope, explicit consent may be obtained until 1 September 2024, and thereafter only in exceptional circumstances.
Risk of Sanctions
Following the Amendment, the current administrative fine risks under the LPPD are set out below. Violation of the procedures for transfers abroad is assessed under the data security criteria.
Administrative Fine Amounts for 2024
- Violating the duty to notify: 47.303 TL - 946.308 TL
- Violating the duties related to data security: 141.934 TL - 9.463.213 TL
- Failure to comply with the Board's decisions: 236.557 TL - 9.463.213 TL
- Failing to register with and notify the Data Controllers Registry as required: 189.245 TL - 9.463.213 TL
- Notifying the Authority about standard contracts after the deadline: 50.000 TL - 1.000.000 TL
Consequently, with the entry into force of the Regulation and the publication of standard contract examples, the following measures should be implemented:
- Listing of the suppliers and countries of transfer abroad through the current personal data inventory,
- Negotiations with supplier companies and signing standard contracts until 01.09.2024,
- Submission of standard contracts to the PDP Authority in the manner described above,
- Informing the PDP Authority when the term of the contract expires or the contract is terminated.
The Outage of CrowdStrike: A Case Study in Light of Data Privacy
Leading cybersecurity company CrowdStrike had a significant outage on July 19, 2024, as a result of an incorrect update. This disruption caused havoc for banks, hospitals, and airlines, among other industries. All these industries rely significantly on consistent, dependable access to data and systems. Real-time access to flight data, reservation systems, and communication networks is critical for the aviation sector. The CrowdStrike outage's disruption, leading to aircraft delays, cancellations, and stranded passengers, underscores the importance of availability for maintaining operational continuity and ensuring customer satisfaction.
Availability in healthcare can mean the difference between life and death. Instant access to patient records, testing equipment, and treatment guidelines is essential for hospitals. The outage hampered these operations, raising concerns about patient safety and care and demonstrating the direct impact of availability issues on people's lives. To preserve client confidence and operational effectiveness, financial institutions need unhindered access to communication networks, transaction systems, and customer data. The outage impacted customer confidence and financial stability by causing transaction delays and possible SLA violations.
Availability, one of the three pillars of the CIA triad, ensures that systems are operational and reachable when needed. An availability issue could lead to significant operational disruptions, monetary losses, and brand harm. The CrowdStrike incident highlights a number of important availability-related factors.
The outage exposed potential flaws in system redundancy and backup procedures. Robust failover and backup systems are essential components of effective cybersecurity frameworks that guarantee continuous availability even in the event of disruptions. Updates must be handled carefully to avoid interruptions even though they are necessary to fix vulnerabilities. The CrowdStrike incident emphasizes that, in order to reduce the chance of widespread disruptions, extensive testing and backup plans are essential when distributing upgrades.
It is critical to have the ability to react quickly and recover from availability disruptions. Plans for incident response that are effective should have explicit procedures for resuming service, interacting with stakeholders, and lessening the effects of disruptions. A lot of businesses depend on outside vendors for essential services. The CrowdStrike outage illustrates the potential risks associated with these relationships. It is imperative for organizations to evaluate and handle the availability risks associated with their vendors and partners. They should incorporate these factors into their comprehensive cybersecurity plans.
Data accessibility is just as important as data confidentiality and integrity when it comes to privacy. Personal data that is unavailable as a result of a system failure poses serious privacy concerns, as well as a cybersecurity risk. In many situations, ensuring the availability of personal data is essential. For security inspections and passenger management at airports, access to personal identity information is necessary. A disruption that hinders the availability of this information may result in significant delays in operations and security weaknesses.
Effective healthcare delivery depends on the availability of medical records, which include patient histories, test results, and allergy information. A system breakdown that prevents access to this data may compromise patient safety and breach data protection regulations. Lack of access to personal information when needed can have serious repercussions, even placing lives in danger. For example, not having access to a patient's medical history during an emergency can make it more difficult to provide prompt, effective care, which could cause harm or even death. Similar to this, a lack of the ability to confirm a passenger's identity at an airport could result in operational turmoil and security lapses.
Therefore, ensuring the accessibility of personal data is a crucial part of data protection laws. Organizations must comply with legal requirements to protect the availability, confidentiality, and integrity of personal data. Inadequate performance of this task jeopardizes the integrity of data protection rules by impeding access to and utilization of data during critical moments.
In summary, the CrowdStrike outage serves as a clear reminder of the crucial function availability plays in the CIA triad. Preserving sensitive information, ensuring trust across sectors, and ensuring operational continuity all depend on systems and data being available when needed. To reduce the risks and effects of such interruptions, organizations should give availability top priority in their cybersecurity and privacy frameworks. They should also create strong redundancy, efficient update management, and extensive incident response plans. The incident also highlights how interconnected contemporary cybersecurity risks are, and how a single misstep can have far-reaching effects on numerous international industries. Ensuring the availability of personal data is essential to both privacy protection and legal compliance; it goes beyond cybersecurity.
Furthermore, the contradiction that the CrowdStrike outage presents, namely a technology intended to ward off cyber threats becoming the catalyst for a significant cyber incident, underlines the necessity of thorough risk assessment and mitigation. It is imperative for organizations to conduct a thorough risk assessment of the tools they depend on for security and make sure their risk management plans consider the possibility of these technologies breaking down. Only this can guarantee a strong, resilient cybersecurity posture that sufficiently protects data privacy and operational continuity.
Conclusion
At Herdem Attorneys at Law, we recognize the critical role data protection plays in today’s interconnected business landscape. The recent CrowdStrike incident serves as a powerful reminder of the need for robust cybersecurity measures and legal preparedness.
It is important to recognise that companies today must consult a law firm that specializes in helping businesses safeguard sensitive information, one that can analyze the legal implications, including potential breaches of the General Data Protection Regulation (GDPR), ensure that companies adhere to GDPR requirements, and help them prepare for data breaches. CrowdStrike’s outage highlights the need for robust response plans. Furthermore, organizations affected by the outage may have breached data-protection rules; in that case, we would highly advise that a data privacy expert assess the harm caused to individuals and determine liability.
In conclusion, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad and the CrowdStrike incident underscore the critical importance of robust data management and cybersecurity practices. By staying informed and prepared, businesses can navigate the digital age with confidence and resilience.