Decision Date: 22/07/2020
Decision No: 2020/559
Summary: Decision on the transfer of personal data abroad based on Convention No. 108
In the course of examining, upon the complaint of the data subject, a short message (SMS) sent for advertising/information purposes by a data controller operating in the automotive industry, the defence letter received from the data controller stated that personal data, whose processing for marketing purposes had been consented to, were transferred to a company abroad acting as data processor, to be processed by that company solely for the purpose of performing the service in question, and that this transfer was considered to fall under the condition that "data processing is mandatory for the legitimate interests of the data controller" in subparagraph (f) of paragraph (2) of Article 5 of the Law on the Protection of Personal Data No. 6698 (the Law). In the same defence, however, it was stated that the data controller's "data privacy text" had been approved by the Complainant; in other words, the letter contained statements contradicting its earlier statement regarding consent to the transfer of the Complainant's data abroad. Based on this situation, by the decision of the Personal Data Protection Board (Board) dated 08.07.2019 and numbered 2019/203, it was decided to initiate an ex officio investigation, within the scope of paragraph (1) of Article 15 of the Law, regarding the data controller's storage of its customers' personal data in foreign databases.
In this respect, the data controller was informed about the relevant articles of Law No. 6698 and about the explanations on the legal grounds for the transfer of personal data abroad in Article 9 of the Law, and all information, documents and records related to the subject were requested. The defence letter received from the data controller on the subject includes, in summary, the following issues:
As a result of the examination, within the framework of the relevant legislation, of the information and documents received from the data controller within the scope of the ex officio examination, the decision of the Personal Data Protection Board dated 22/07/2020 and numbered 2020/559 includes the following evaluations.
1. As is known, the first paragraph of Article 5 of Law No. 6698 on the Protection of Personal Data, titled “Conditions for Processing Personal Data”, provides that personal data cannot be processed without the explicit consent of the data subject, and the second paragraph provides that personal data may be processed without explicit consent where: it is clearly provided for by the laws; it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving consent or whose consent is not deemed legally valid; processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the conclusion or fulfilment of that contract; it is mandatory for the controller to be able to perform his legal obligations; the data concerned is made available to the public by the data subject himself; data processing is mandatory for the establishment, exercise or protection of any right; or it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
In this context, it should first be evaluated whether the personal data processing activity is based on one of the processing conditions other than explicit consent; if the activity cannot be carried out on the basis of at least one of those conditions, the explicit consent of the person must be obtained for the data processing activity to continue. One of the situations in which explicit consent is not required is the one relied upon by the data controller subject to the ex officio examination, namely subparagraph (f) of paragraph (2) of Article 5 of the Law: "it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.” In order to apply this subparagraph, it is necessary to comply with the basic principles of the protection of personal data, to weigh the fundamental rights and freedoms of the data subject against the legitimate interest of the data controller, and to decide, as a result of that evaluation of the competing interests, whether the personal data can be processed within the scope of the subparagraph.
In this respect, a two-stage test should be applied in order to rely on subparagraph (f) of paragraph (2) of Article 5 of the Law. In the first assessment, the existence of the legitimate interest of the data controller should be determined; secondly, it should be determined whether this interest harms the fundamental rights and freedoms of the data subject. However, although the data controller that is the party to the ex officio review based the transfer of personal data on the processing condition in subparagraph (f) of paragraph (2) of Article 5 of the Law rather than on explicit consent, since there is no explanation as to what the legitimate interest is and whether a balance test was applied between this interest and the fundamental rights and freedoms of individuals, it could not be concluded that there is a valid legitimate interest in the data controller's processing of personal data by transferring it abroad.
2. On the other hand, "explicit consent", defined in subparagraph (a) of paragraph (1) of Article 3 of Law No. 6698, has three elements: being declared with free will, being based on information, and relating to a specific subject. In this context, if explicit consent is to be given for the processing of data in more than one category, the explicit consent must specify which data will be processed for which purposes. The data controller must also obtain explicit consent for secondary transactions (such as data transfer abroad) to be performed after using the data. However, if the personal data processing activity is based on one of the conditions other than explicit consent in the Law, explicit consent is not to be obtained from the data subject. As a matter of fact, basing data processing on explicit consent while it is possible to rely on a basis other than explicit consent would be deceptive and an abuse of right.
In the defence letter of the data controller to the Board, it is stated that the legal reason for the processing of personal data is the condition that "it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject”; however, considering that the informing text and consent text provided to the data subjects include the statement “you accept this text for the purpose of recommending and promoting the products and services offered by our company by customizing them according to your taste, usage habits and needs, sending commercial electronic messages such as advertising, promotions, etc. to your contact information you have shared within the scope of your acceptance, storing and ... can be processed within the scope of your explicit consent.”, it has been evaluated that the personal data processing activity is mainly based on the explicit consent of the data subjects.
In the continuation of the aforementioned defence letter, it is stated that the transfer of data abroad to the outsourcing company was made on the legal ground “it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.” specified in paragraph (2) of Article 9 and subparagraph (f) of paragraph (2) of Article 5 of Law No. 6698, and it is observed that, in order to send e-mails/SMS to people/customers who have authorised marketing communications, customer data is transferred to a cloud database whose servers are located in a member country of the European Union. However, since the informing text and the explicit consent text contain no explanation that the personal data of data subjects who consent to receiving marketing messages will be transferred to a company abroad, it has been concluded that it is not clear whether the transfer falls within the scope of the controller's legitimate interests or is based on the explicit consent of the data subjects, nor which personal data were processed within the framework of legitimate interests and which on the basis of the explicit consent of the data subjects.
3. Article 9 of the Law, titled “Transfer of Personal Data Abroad”, contains the following provisions: personal data cannot be transferred abroad without the explicit consent of the data subject; however, personal data may be transferred abroad without the explicit consent of the data subject provided that one of the conditions set forth in the second paragraph of Article 5 and the third paragraph of Article 6 exists and that (a) sufficient protection is provided in the foreign country where the data is to be transferred, or (b) where sufficient protection is not provided, the controllers in Türkiye and in the related foreign country guarantee sufficient protection in writing and the Board has authorised such transfer.
“(3) The Board determines and announces the countries where sufficient level of protection is provided.
(4) The Board shall decide whether there is sufficient protection in the foreign country concerned and whether such transfer will be authorised under sub-paragraph (b) of the second paragraph, by evaluating the following and by receiving the opinions of related public institutions and organizations, where necessary: a) the international conventions to which Türkiye is a party, b) the state of reciprocity concerning data transfer between the requesting country and Türkiye, c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer, ç) the relevant legislation and its implementation in the country to which the personal data is to be transferred, d) the measures guaranteed by the controller in the country to which the personal data is to be transferred.
(5) In cases where interest of Türkiye or the data subject will seriously be harmed, personal data, without prejudice to the provisions of international agreements, may only be transferred abroad upon the permission to be given by the Board after receiving the opinions of related public institutions and organizations.
(6) Provisions of other laws concerning the transfer of personal data abroad are reserved.”
As a result of the examination of the information, documents and explanations submitted to the Board by the data controller, it was understood that the data controller uses web-based software in its digital marketing communications and has transferred customer data ((1) customer information, (2) marketing information relating to e-mail and SMS sending, and (3) contact information) to a cloud database whose servers are located in a European Union member country, so that it can send e-mails/SMS to its customers via the software.
Article 12 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108, titled “Transborder flows of personal data and domestic law”, includes the following provisions:
(1) The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.
(2) A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party.
(3) Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2:
(a) insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;
(b) when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.
In the defence letter of the data controller to the Board, it is stated that the legal reason for the transfer of customer information to the outsourcing company is that "data processing is mandatory for the legitimate interest of the data controller" within the scope of subparagraph (f) of paragraph (2) of Article 5 of the Law. As regards the ground in Article 9 of the Law, the letter argues that all European Union member states are parties to Convention No. 108, which has been incorporated into our domestic law; that pursuant to Article 90 of the Constitution “International Treaties duly put into effect have the force of law” and, in disputes arising because international treaties and laws contain different provisions on the same subject, the provisions of the international treaties prevail; that accordingly, in disputes between Convention No. 108 and other laws regarding the right to the protection of personal data, which is one of the fundamental rights and freedoms of persons, Convention No. 108 should be taken as the basis; that to date Türkiye has not adopted any restriction or special permission based on the exceptions in subparagraphs (a) and (b) of paragraph (3) of Article 12 of Convention No. 108, which adopts the principle of free transfer and has the force of law; that in this context, considering paragraphs (5) and (6) of Article 9 of the Law and based on Article 12 of Convention No. 108, there is no legal limitation and/or obstacle to the transfer of data to the Parties of Convention No. 108; that, in addition, the conditions under which a reservation can be made to paragraph (1) of Article 2 (2) of the “Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows” are regulated, but our country has made no declaration regarding that provision; that the Board has not yet made a concrete assessment of the countries providing sufficient protection; and that, in this respect, the transfer of personal data to an outsourcing company located in a country that is a Party to Convention No. 108 is made on the legal grounds specified in Convention No. 108 and the relevant Additional Protocol.
First of all, it is appropriate to state that Article 12 of Convention No. 108 stipulates that the states party to the Convention cannot prohibit or restrict the transfer of personal data to other state parties, or subject it to a special permission, solely on the grounds of the protection of private life. According to the second paragraph of the Explanatory Report on Convention No. 108 (Explanatory Report), the purpose of this regulation is to facilitate the data flow between the parties, on the premise that the Contracting Parties provide sufficient safeguards for the protection of personal data; however, this provision does not eliminate the possibility of subjecting data flows between the parties to notification, or of making arrangements in the domestic laws of the parties to prohibit domestic or transboundary transfers in certain cases. Regarding the implementation of Article 12 of the Convention in the European Union (EU), it is also worth noting that, in accordance with the provisions of the repealed Directive 95/46/EC and of the European Parliament and Council Regulation (General Data Protection Regulation, GDPR) dated 27/04/2016 and numbered 2016/679, the EU does not treat the countries that are parties to Convention No. 108 as countries with sufficient protection without further evaluation, and accepts being a party to the Convention only as one criterion to be considered in the adequacy assessment.
In this context, in accordance with the regulation stipulated in the second paragraph of Article 9 of the Law, it is appropriate to state that personal data transfers to countries that have not been declared safe countries by the Board, without the explicit consent of the data subject, can only be made if one of the conditions specified in the second paragraph of Article 5 or the third paragraph of Article 6 of the Law exists, the parties undertake sufficient protection in writing, and the transfer is allowed by the Board.
4. Subparagraph (a) of paragraph 4 of Article 9 of the Law stipulates that the international conventions to which Türkiye is a party shall be taken into account in the Board's assessment of whether to allow a data transfer. The fact that the country to which personal data will be transferred is a party to Convention No. 108 is only one of the elements forming the basis of the Board's assessment, and it is among the criteria adopted in the Board's decision dated 02.05.2019 and numbered 2019/125 for determining the countries with sufficient protection. However, under the same article, matters aimed at ensuring the effective protection of personal data, such as the nature of the personal data subject to transfer and the purpose and duration of the processing, the data protection legislation and its implementation in the country of transfer, the measures to be committed to by the data controller or data processor in that country, and the state of reciprocity regarding data transfer between our country and the country of transfer, are the other matters taken into account in the Board's evaluation.
In this respect, given the explanation in the Explanatory Report on Convention No. 108 that the contracting states may make regulations in their domestic law to prohibit data transfers abroad, and given that, in its evaluation of permission to transfer data abroad, the Board considers both the international conventions to which our country is a party, such as Convention No. 108, and, under Article 9 of the Law, the state of reciprocity with the country of transfer (a criterion that does not serve the purpose of protecting personal data or the privacy of private life), it is considered that the personal data transfer regime stipulated in Law No. 6698 is in compliance with Convention No. 108.
5. Paragraph (6) of Article 9 of the Law provides that “Provisions of other laws concerning the transfer of personal data abroad are reserved.” As is known, under Article 90 of the Constitution, international treaties duly put into effect have the force of law; in this sense Convention No. 108 has the status of law in our legal system, and, by the addition made to Article 90 of the Constitution by Article 7 of Law No. 5170, the provisions of international treaties prevail where laws contain provisions different from those of international treaties on fundamental rights and freedoms on the same subject. However, the justification of that article explains that “The provision is added to the last paragraph of Article 90 in order to eliminate the hesitations about which one will be given priority in the event of a conflict between the provisions of international treaties on human rights duly put into effect and the provisions of the law”; for this rule to apply, the provisions of the international treaty in question must be directly applicable, in other words “sufficiently clear, precise, unconditional and not requiring the state to take any additional measures for its implementation”. It is therefore considered that a conflict between a more abstract and general international treaty provision that is not directly applicable and a provision of law does not constitute a conflict within the meaning of paragraph 5 of Article 90 of the Constitution, so that the aforementioned constitutional provision finds no application; consequently, if a general international treaty provision conflicts with a provision of law, the conflicting provision of law should be applied.
The first paragraph of Article 4 of Convention No. 108 provides that “Each Party shall take the necessary measures in its domestic law to give effect to the basic principles for data protection set out in this chapter.” In other words, the provisions of the Convention do not have direct effect in the domestic law of the parties; they determine the basic principles that national data protection regulations should embody and the procedures and principles for the assurances to be provided to data subjects through those regulations. The Explanatory Report on Convention No. 108 states that the Convention is not directly applicable and that the parties are therefore obliged to include data protection provisions in their domestic laws. It is therefore worth noting that the provision in the second paragraph of Article 12 of Convention No. 108, under which the parties cannot prohibit the transfer of personal data to another party country, or subject it to a permission requirement, solely in order to protect the privacy of private life, is not directly applicable; in this respect it cannot be given priority under paragraph (6) of Article 9 of the Law or paragraph (5) of Article 90 of the Constitution. On the other hand, the regulation in Article 9 of the Law does not contradict Article 12 of Convention No. 108, and the two regulations are complementary; accordingly, as in EU practice, being a party to Convention No. 108 is not sufficient by itself to determine the status of a safe country within the scope of Law No. 6698, but it constitutes a positive element in the assessment to be made by the Board.
In this respect, it should first be noted that Convention No. 108 does not permit the transfer of personal data abroad, and that if the data controller does not fulfil the conditions specified in Article 9 of the Law when transferring data abroad, unlawful data processing arises. Accordingly, personal data can be transferred abroad by obtaining the explicit consent of the data subject where the data requires explicit consent, or, where the transfer is based on the other personal data processing conditions specified in the Law, where one of the conditions specified in paragraph (2) of Article 5 and paragraph (3) of Article 6 of the Law exists, the parties undertake sufficient protection, and permission is given by the Board. From the information, documents and explanations given by the data controller to our Authority, it is understood that the personal data of the data subjects processed for marketing purposes were transferred within the scope of explicit consent, and that other personal data were transferred on the basis of Article 12 of Convention No. 108, within the scope of the legal ground “it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject”, with reference to paragraph (2) of Article 9 and subparagraph (f) of paragraph (2) of Article 5 of Law No. 6698. However, while the data controller stated that it made the transfer within the scope of Convention No. 108, it submitted no information to the Board regarding the preparation of a letter of undertaking for the transfer to the relevant outsourcing company. As of the date of the decision, no application by the data controller regarding an undertaking has been found in the Authority's records.
As a result, the explicit consent was not duly drafted as a separate text by the data controller, and the data subjects did not clearly and understandably declare their consent to the transfer abroad; on the other hand, for international transfers based on processing conditions other than explicit consent, the balance test regarding the legitimate interest was not carried out by the data controller, and no written undertaking was concluded with the relevant company and no copy of the letter of undertaking was sent to our Authority in order to obtain the Board's permission. It has been concluded that unlawful data processing has occurred because the conditions specified in Article 3 were not met.
6. On the other hand, Article 7 of the Law, titled "Erasure, destruction or anonymizing of personal data", includes the following provisions: “(1) Despite being processed under the provisions of this Law and other related laws, personal data shall be erased, destructed or anonymized by the controller, ex officio or upon demand by the data subject, upon disappearance of reasons which require the process. (2) Provisions of other laws concerning the erasure, destruction or anonymizing of personal data are reserved. (3) Procedures and principles for the erasure, destruction or anonymizing of personal data shall be laid down through a by-law.” Article 7 of the Regulation on the Erasure, Destruction or Anonymizing of Personal Data states that, in the event that all the conditions for processing personal data in Articles 5 and 6 of the Law cease to exist, the personal data must be erased, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.
In this context, since explicit consent in accordance with the Law was not obtained from the data subjects for the data transfer abroad by the data controller, the balance test demonstrating a valid legitimate interest for the processing conditions other than explicit consent was not carried out, and a letter of undertaking in accordance with Article 9 of the Law was neither prepared nor submitted to our Authority in order to obtain the Board's permission, it is concluded that the transfer of data abroad constitutes unlawful data processing; and since the data controller has no valid legal processing condition for the data transfer abroad, it has been concluded that this personal data should be deleted or destroyed in accordance with paragraph (1) of Article 7 and the relevant Regulation.
7. On the other hand, as is known, Article 10 of the Law, titled “Obligation of Controller to Inform”, provides that whilst collecting personal data, the controller or the person authorised by him is obliged to inform the data subjects about the following: a) the identity of the controller and of his representative, if any, b) the purpose of data processing, c) to whom and for what purposes the processed data may be transferred, ç) the method and legal reason of collection of personal data, d) other rights referred to in Article 11. The "Communiqué On Principles And Procedures To Be Followed In Fulfilment Of The Obligation To Inform" (Communiqué to Inform) determines the procedures and principles to be followed by data controllers, or the persons authorised by them, within the scope of the obligation to inform.
In the incident subject to ex officio review, it was seen that the data controller used the Informing Text and Consent Text, updated in 2018, for obtaining explicit consent; as a result of the examination of the text in question,
it has been concluded that the data controller did not show sufficient attention and care in complying with the Communiqué to Inform, it being understood that;
As a result, it has been decided that;
1. The data controller did not carry out the transfer of personal data abroad in accordance with the provisions of Article 9 of the Law regulating data transfer abroad; in addition, being a party to Convention No. 108 is not sufficient on its own to determine the status of a safe country within the scope of Law No. 6698, although it constitutes a positive element in the evaluation to be made by the Board; therefore, an unlawful personal data processing activity was carried out by transferring personal data abroad without meeting the necessary conditions, and since it is concluded that the obligation of "preventing the illegal processing of personal data" stipulated in sub-paragraph (a) of the first paragraph of Article 12 of the Law, titled "Obligations Regarding Data Security", was not fulfilled, an administrative fine of 900.000 TL is imposed on the legal person data controller in accordance with subparagraph (b) of the first paragraph of Article 18 of the Law, titled "Misdemeanors",
2. On the other hand, the data controller is to be instructed to delete/destroy the personal data in question, which was unlawfully transferred abroad, in accordance with Article 7 of Law No. 6698, and to inform the Board of the result,
3. The data controller is to be instructed to update the informing text in accordance with the provisions of Article 10 of Law No. 6698 and Article 5 of the Communiqué On Principles And Procedures To Be Followed In Fulfilment Of The Obligation To Inform issued on the basis of that article, and to be instructed that the obligation to inform and the obtaining of explicit consent must be fulfilled separately.