The Turkish Personal Data Protection Board (“Board”) adopted a decision regarding Amazon Turkey at the beginning of this year, on the 27th of February (“Amazon Turkey Decision”). Amazon Turkey Decision has touched upon several issues regarding Turkish Data Protection Law but this article focuses only on the sections regarding transfer of personal data to third countries.
Transfer of personal data to third countries
Transfer of personal data outside of Turkey is governed by article 9 of the Turkish Data Protection Law. As per the said article, explicit consent of the data subject is required for data transfers to third countries, except in the presence of either of the following conditions, where there is no need to seek data subjects’ explicit consent. The said conditions are as follows:
- The third country offers an adequate level of data protection. Please note that as of today, the Board has not adopted any adequacy decision yet.
- Both data controllers, established in Turkey and in the third country, undertake in writing an adequate level of protection and submit it to the approval of the Board. [The Board announced the minimum requirements to be included in the undertakings on its website on 9 March 2020]
Amazon Turkey Decision
One of the issues that was presented in the tip received by the Board about Amazon Turkey was with regard to transfer of personal data outside of Turkey. It was alleged that according to the Privacy Notice on amazon.com.tr, personal data could be transferred abroad; however, explicit consent of data subjects were not obtained while registering for an account or placing an order, thus unless Amazon Turkey has obtained the Board’s approval for such data transfer outside of Turkey, it was violating article 9 of the Data Protection Law.
Amazon Turkey’s defence was that on one hand data subjects have given their consent to data transfer by approving the Privacy Notice and on the other hand they were already negotiating with the Board regarding the undertakings for adequate protection and that should have been enough.
Is submission of undertakings to the Board enough?
Based on its investigation, the Board has confirmed that Amazon Turkey has already submitted the required undertaking but it has also added that such undertaking has not been approved yet. It is actually clear from the wording of the law that the undertaking must be approved by the Board but with this decision, it has been highlighted.
What about approval of the Privacy Notice by data subjects, is it sufficient?
We actually don’t need to read Amazon Turkey decision to find out the answer to this question. It is well known that the approval of a privacy notice cannot be considered as an explicit consent. The Board just reminds us that global consents or so-called blanket consents are not valid when it comes to data protection. The fact that someone has used the services offered on the website and approved the privacy notice cannot be interpreted as an explicit consent to transfer of personal data abroad. The relevant section of Amazon Turkey Decision reads as follows:
“Explicit consent ensures that the data subject can determine the limits, scope and duration of the data processing they approve. General consents, which are not restricted to a specific matter and not limited with the relevant operation, are considered “blanket consents” and legally invalid. In this context, we consider that informing that the “Privacy Notice” has been approved and all actions in scope of “data processing” (to track with cookies, transfer, share, store, etc.) have been accepted with one declaration of consent is against the law.”
Based on the aforementioned ground, the Board has decided that because Amazon Turkey has not obtained data subjects’ explicit consent to transfer of personal data to third countries, it has violated its obligations regarding data protection under article 12 of the Law. Since the Board has not adopted any adequacy decision yet, there are only two ways to transfer personal data outside of Turkey. One of them is to submit data transfer undertakings to the approval of the Board and the other one is to obtain data subject’s explicit consent in compliance with the criteria of a valid explicit consent.
There is no doubt that personal data protection has been one of the hottest topics in Turkey, similar to the rest of the world, for a while now. However, it seems that companies have not attached much importance to the legality of their data transfer outside of Turkey. Taking into consideration that most of the companies use servers that are located abroad, this approach must change. Amazon Turkey Decision has definitely been a wake-up call for many.