Summary of the Decision of the Personal Data Protection Board dated 22/07/2020 and numbered 2020/559 regarding “the transfer of personal data abroad on the basis of Convention No. 108”

Decision Date : 22/07/2020
Decision No : 2020/559
Summary : Decision on the transfer of personal data abroad based on Convention No. 108

 

During the examination, upon the complaint of the data subject, of a short message (SMS) sent for advertising/information purposes by a data controller operating in the automotive industry, the following was determined from the defence letter received from the data controller. The letter stated that the transfer of personal data, for which consent to processing by the companies for marketing purposes had been given, to a company abroad in the data processing position, to be processed by that company only for the purpose of performing the service in question, was considered to fall under the condition that "data processing is mandatory for the legitimate interests of the data controller" in line with Article 5, subparagraph 2 (f) of the Law on the Protection of Personal Data (Law) No. 6698. However, the same defence also stated that the data controller's "data privacy text" was approved by the Complainant; in other words, there were statements that contradicted his/her previous statement regarding the consent to the transfer of his/her data abroad. Based on this situation, with the decision of the Personal Data Protection Board (Board) dated 08.07.2019 and numbered 2019/203, it was decided to initiate an ex officio investigation, within the scope of paragraph (1) of Article 15 of the Law, into the data controller's storage of its customers' personal data in foreign databases.

In this respect, the data controller was informed about the relevant articles of Law No. 6698 and the explanations on the legal grounds in Article 9 of the Law on the transfer of personal data abroad, and all information, documents and records related to the subject were requested to be sent to us. In summary, the defence letter received from the data controller on the subject included the following points:

  • In digital marketing communications carried out by the company, a web-based software was used, and since the software was web-based, customers' data were transferred to the cloud database located in a European Union member country by using SFTP (Outsourcing Company) to send e-mail / SMS to customers via software,
  • Regarding customers, (1) customer information, (2) marketing information due to e-mail and SMS sending information and (3) contact information were transferred to the outsourcing company, and no sensitive personal data was transferred abroad by the Company,
  • Explicit consent from customers whose personal data was transferred to the outsourcing company abroad was obtained, and the said explicit consent was obtained with the Informing Text on the Processing of Customer Personal Data and Consent Text updated since 2018,
  • The legal basis for the transfer of this data to the data processing company is based on the condition that data processing is mandatory for the legitimate interest of the Company as the data controller regulated in Article 5, subparagraph 2 (f) of the Law,
  • In Article 9 of Law No. 6698, it is regulated that personal data can be transferred abroad by a) the explicit consent of the data subject, or b) there is sufficient protection or if there is not sufficient protection in the relevant country, by obtaining the permission of the Board, based on the data processing conditions specified in paragraph (2) of Article 5 and Article 6 (3) of the Law, the Board will decide whether there is sufficient protection in the foreign country within the framework of the matters in the paragraph (4) of Article 9 of the Law, however, it has not yet been decided by the Board whether there is sufficient protection in a foreign country, in addition, it is stated in the paragraphs (5) and (6) of the same article that the provisions of international conventions and other laws are reserved for the transfer of personal data abroad,
  • The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 108) has been incorporated into domestic law, and all European Union member states have become parties to Convention No. 108; concerning the parties to Convention No. 108, Türkiye has declared that "... The claim that the "Republic of Cyprus", whose ratification of the convention is not valid, is represented by the Greek Cypriot Administration of Southern Cyprus, which is a party to the said convention will not mean acceptance in any form and in the so-called Republic of Cyprus and Türkiye will not make any contact to bring liability under this Agreement"; apart from this declaration, Türkiye has not made any statements regarding the parties to Convention No. 108; in accordance with the last paragraph of Article 90 of the Constitution, it is accepted that "International Treaties duly put into effect" have the force of law, and it is believed that, as per the continuation of the relevant paragraph, in disputes that may arise because duly effected international treaties on fundamental rights and freedoms and laws contain different provisions on the same subject, the provisions of the international treaty are taken as basis; therefore, in disputes between Convention No. 108, which concerns the right to the protection of personal data, one of the fundamental rights and freedoms of persons, and other laws, Convention No. 108 should be taken as basis,
  • In accordance with Article 12 of Convention No. 108, it is believed to be one of the clear rules of Convention No. 108 that personal data transfers to the parties of Convention No. 108 are not prohibited or subject to special permission unless one of the exceptions listed in subparagraphs (a) and (b) applies; no action introducing any such restriction or special permission has been carried out by Türkiye; in this context, considering paragraphs (5) and (6) of Article 9 of the Law, there is no legal restriction and/or obstacle regarding the transfer of data to the Parties of Convention No. 108 based on Article 12 of Convention No. 108,
  • Paragraph (1) of Article 2 of the “Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows” provides that, for cross-border personal data transfers, whether sufficient protection is provided will be assessed for transfers to non-parties; accordingly, it is understood that, under the relevant article, a sufficient protection assessment cannot be made for those who are parties; paragraph (2) of Article 2 of the additional protocol regulates the conditions under which a reservation can be made to paragraph (1); however, our country has not made any declaration about the relevant regulation,
  • Within the framework of the legal grounds (paragraphs (5) and (6) of Article 9 of Law No.6698 and Article 12 of the Convention No. 108), on the basis of the legal ground “provided that the fundamental rights and freedoms of the data subject is not harmed, data processing is mandatory for the legitimate interests of the data controller” in the sub-paragraph (f) of paragraph (2) of Article 5 referring to the paragraph (2) of Article 9 of Law No. 6698, data transfer is made to the outsourcing company in the position of data processing in accordance with the law by taking all necessary administrative and technical measures.

As a result of the examination of the information and documents received from the data controller within the scope of ex officio examination within the framework of the relevant legislation, the following evaluations are included in the decision of the Personal Data Protection Board dated 22/07/2020 and numbered 2020/559.

1. As it is known, the first paragraph of Article 5 of Law No. 6698 on the Protection of Personal Data, titled “Conditions for Processing Personal Data”, provides that personal data cannot be processed without the explicit consent of the data subject; the second paragraph lists the conditions under which explicit consent is not required: it is clearly provided for by the laws; it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid; processing of personal data belonging to the parties of a convention is necessary, provided that it is directly related to the conclusion or fulfilment of that convention; it is mandatory for the controller to be able to perform his legal obligations; the data concerned is made available to the public by the data subject himself; data processing is mandatory for the establishment, exercise or protection of any right; it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

In this context, it should be evaluated whether the personal data processing activity is based on one of the processing conditions other than explicit consent; if this activity cannot be performed based on at least one of the conditions other than explicit consent, the explicit consent of the person should be obtained for the continuation of the data processing activity. One of the situations in which explicit consent is not required is, as stated by the data controller subject to ex officio examination, the one set out in sub-paragraph (f) of paragraph (2) of Article 5 of the Law: "it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject." In order to apply the aforementioned paragraph, it is necessary to comply with the basic principles of the protection of personal data, to observe the fundamental rights and freedoms of the data subject alongside the legitimate interest of the data controller, and to decide, as a result of the evaluation to be made among competing interests, whether the personal data can be processed within the scope of the specified paragraph.

In this respect, a two-stage test should be considered in order to apply subparagraph (f) of paragraph (2) of Article 5 of the Law. In the first assessment to be made, the existence of the legitimate interest of the data controller should be determined, and secondly, it should be determined whether this interest harms the fundamental rights and freedoms of the data subject. However, although the data controller subject to the ex officio review based the transfer of personal data on the processing condition in subparagraph (f) of paragraph (2) of Article 5 of the Law rather than on explicit consent, there is no explanation as to what the legitimate interest is and whether a balance test has been applied between this interest and the fundamental rights and freedoms of individuals; therefore, it has not been concluded that there is a valid legitimate interest in the processing of personal data by transferring it abroad by the data controller.

2. However, "explicit consent", whose definition is included in subparagraph (a) of paragraph (1) of Article 3 of Law No. 6698, has three elements: disclosure with free will, relying on information and being related to a specific subject. In this context, if explicit consent is to be given for the processing of data for more than one category, the explicit consent must specify which data will be processed for what purposes. The data controller must also obtain explicit consent for secondary transactions (such as data transfer abroad) to be performed after using the data. However, if the personal data processing activity is based on one of the conditions other than explicit consent in the Law, explicit consent will not be obtained from the data subject. As a matter of fact, basing data processing on explicit consent while it is possible to rely on a basis other than explicit consent will be deceptive and an abuse of the right.

In the defence letter of the data controller to the Board, it is stated that the legal reason for the processing of personal data is based on the condition that "it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject”; in the informing text and consent text provided to the data subjects, considering that the information “you accept this text for the purpose of recommending and promoting the products and services offered by our company by customizing them according to your taste, usage habits and needs, sending commercial electronic messages such as advertising, promotions, etc. to your contact information you have shared within the scope of your acceptance, storing and ... can be processed within the scope of your explicit consent.” is included, it has been evaluated that the personal data processing activity is mainly based on the explicit consent of the data subjects.

In the continuation of the aforementioned defence letter, it is stated that the transfer of data abroad to the outsourcing company was made on the legal ground “it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” specified in paragraph (2) of Article 9 of Law No. 6698 and subparagraph (f) of paragraph (2) of Article 5; it is observed that, in order to send e-mails/SMS to people/customers who have authorized marketing communications, customer data is transferred to a cloud database whose servers are located in a member country of the European Union. However, since the informing text and the explicit consent text contain no explanation to the data subjects that this personal data will be transferred to a company abroad in order to send messages for marketing purposes, it has been concluded that it is not clear whether the transfer is within the scope of legitimate interests or based on the explicit consent of the data subjects, or which of the personal data in question were processed within the framework of legitimate interests and which were based on the explicit consent of the data subjects.

3. The following provisions are regulated in Article 9 of the Law titled “Transfer of Personal Data Abroad”: personal data cannot be transferred abroad without explicit consent of the data subject; however, personal data may be transferred abroad without explicit consent of the data subject provided that one of the conditions set forth in the second paragraph of Article 5 and the third paragraph of Article 6 exists and that (a) sufficient protection is provided in the foreign country where the data is to be transferred, (b) the controllers in Türkiye and in the related foreign country guarantee a sufficient protection in writing and the Board has authorized such transfer, where sufficient protection is not provided.

“(3) The Board determines and announces the countries where sufficient level of protection is provided.

(4) The Board shall decide whether there is sufficient protection in the foreign country concerned and whether such transfer will be authorised under the sub-paragraph (b) of second paragraph, by evaluating the followings and by receiving the opinions of related public institutions and organizations, where necessary: a) the international conventions to which Türkiye is a party, b) the state of reciprocity concerning data transfer between the requesting country and Türkiye, c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer, ç) the relevant legislation and its implementation in the country to which the personal data is to be transferred, d) the measures guaranteed by the controller in the country to which the personal data is to be transferred,

(5) In cases where interest of Türkiye or the data subject will seriously be harmed, personal data, without prejudice to the provisions of international agreements, may only be transferred abroad upon the permission to be given by the Board after receiving the opinions of related public institutions and organizations.

(6) Provisions of other laws concerning the transfer of personal data abroad are reserved.”

As a result of the examination of the information, documents and explanations submitted to the Board by the data controller, it was understood that the data controller used a web-based software in digital marketing communications and transferred customer data (regarding customers: (1) customer information, (2) marketing information due to e-mail and SMS sending information and (3) contact information) to a cloud database whose servers are located in a European Union member country so that it can send e-mails/SMS to its customers via the software.

Article 12, titled “Transborder flows of personal data and domestic law”, of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108 includes the following provisions:

(1) The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.

(2) A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party.

(3) Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2:

(a) insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;

(b) when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.

In the defence letter of the data controller to the Board, the following is stated: the legal reason for the transfer of customer information to the outsourcing company is that "data processing is mandatory for the legitimate interest of the data controller" within the scope of subparagraph (f) of paragraph (2) of Article 5 of the Law; as regards Article 9 of the Law, all European Union member states are parties to Convention No. 108, which has been incorporated into our domestic law; pursuant to Article 90 of the Constitution, it is accepted that “International Treaties duly put into effect have the force of law”, and the same article provides that, in disputes that may arise because international treaties and laws contain different provisions on the same subject, the provisions of international treaties are taken as basis; accordingly, it is believed that in disputes between Convention No. 108 and other laws regarding the right to protect personal data, which is one of the fundamental rights and freedoms of persons, Convention No. 108 should be taken as basis; to date, Türkiye has carried out no transaction introducing any restriction or special permission based on the exceptions in subparagraphs (a) and (b) of paragraph (3) of Article 12 of Convention No. 108, which has the force of law and adopts the principle of free transfer; in this context, considering paragraphs (5) and (6) of Article 9 of the Law, it is believed that, based on Article 12 of Convention No. 108, there is no legal limitation and/or obstacle regarding the transfer of data to the Parties of Convention No. 108; in addition, paragraph (2) of Article 2 of the “Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows” regulates the conditions under which a reservation can be made to paragraph (1), however, our country has not made any declaration about the relevant regulation; a concrete assessment of the countries providing sufficient protection has not yet been made by the Board; and in this respect the transfer of personal data to an Outsourcing Company located in a country that is a Party to Convention No. 108 is made for the legal reasons specified in Convention No. 108 and the relevant Additional Protocol.

First of all, it would be appropriate to state that Article 12 of Convention No. 108 stipulates that the states party to the convention cannot prohibit the transfer of personal data to other state parties, or make it subject to a special permission, solely on the grounds of the protection of private life. According to the second paragraph of the Explanatory Report on the Convention No. 108 (Explanatory Report), the purpose of this regulation is to facilitate the data flow between the parties, based on the pre-acceptance that the Contracting Parties provide sufficient safeguards for the protection of personal data; however, it is foreseen that this provision does not eliminate the possibility of subjecting the data flow between the parties to notification, or of making arrangements in the domestic laws of the parties to prohibit domestic or transboundary transfers in certain cases. Regarding the implementation of Article 12 of the Convention in the European Union (EU) in the said Explanatory Report, it is also worth noting that, in accordance with the provisions of the abolished Directive 95/46/EC of the EU and the European Parliament and Council Regulation (General Data Protection Regulation-GDPR) dated 27/04/2016 and numbered 2016/679, the EU does not qualify the countries that are parties to the Convention No. 108 as countries with sufficient protection without any further evaluation, and accepts being a party to the Convention only as a criterion to be considered in the qualification assessment.

In this context, in accordance with the regulation stipulated in the second paragraph of Article 9 of the Law, it would be appropriate to state that personal data transfers to countries that have not been declared as safe countries by the Board, without the explicit consent of the data subject, can only be made if one of the conditions specified in the second paragraph of Article 5 or the third paragraph of Article 6 of the Law exists, and if the parties undertake sufficient protection in writing and the transfer is allowed by the Board.

4. Subparagraph (a) of paragraph 4 of Article 9 of the Law stipulates that international conventions to which Türkiye is a party shall be taken into account in the assessment of whether the Board will allow data transfer or not. The fact that the country to which personal data will be transferred is a party to Convention No. 108 is only one of the elements that will constitute the basis for the assessment of the Board, and this is among the criteria adopted in the decision of the Board dated 02.05.2019 and numbered 2019/125 to be used by the Board in determining the countries with sufficient protection. However, the mentioned article also lists other matters taken into account in the evaluation of the Board, in particular matters aimed at ensuring the effective protection of personal data, such as the nature of the personal data subject to transfer and the purpose and duration of the processing, the data protection legislation and its implementation in the country where the transfer will be made, and the measures to be committed by the data controller or data processor in this country, as well as the reciprocity status regarding data transfer between our country and the country of transfer.

In this respect, with the explanation in the “Explanatory Report of the Convention No. 108”, which states that the contracting states may make a regulation in their domestic law to prohibit data transfer abroad, in the evaluation of the Board regarding the permission to transfer data abroad, considering both the international conventions to which our country is a party, such as the Convention No. 108, and the regulation included in Article 9 of the Law that it will take into account the state of reciprocity with the country where the transfer will be made without the purpose of protecting personal data or protecting the privacy of private life, it is considered that the personal data transfer regime stipulated in Law No. 6698 is in compliance with Convention No. 108.

5. Paragraph (6) of Article 9 of the Law includes the provision “Provisions of other laws concerning the transfer of personal data abroad are reserved.” As it is known, pursuant to the regulation in Article 90 of the Constitution, international treaties put into effect have the force of law, and in this sense the Convention No. 108 has the nature of law in our law; with the addition made to Article 90 of the Constitution by Article 7 of Law No. 5170, if the laws provide for different regulations on the same subject from international treaties on fundamental rights and freedoms, the provisions of the international treaties are taken as basis. However, the justification of this article includes the explanation “The provision is added to the last paragraph of Article 90 in order to eliminate the hesitations about which one will be given priority in the event of a conflict that will arise in case of conflict with the international treaties on human rights duly put into effect in practice and the provisions of the law”; for this to be implemented, the provisions of the said international treaty must be directly applicable, in other words, it was stated that the provision of the treaty should be “sufficiently clear, precise, unconditional and not requiring the state to take any additional measures for its implementation”. It is therefore considered that a conflict between a more abstract and general international treaty provision that is not directly applicable and a provision of law will not constitute a conflict within the context of the regulation in the paragraph 5 of Article 90 of the Constitution, and for this reason the aforementioned provision of the Constitution will not find a field of application; therefore, if the provision of a general international treaty conflicts with the provision of law, the conflicting provision of law should be applied.

The first paragraph of Article 4 of Convention No. 108 includes the provision “Each Party shall take the necessary measures in its domestic law to give effect to the basic principles for data protection set out in this chapter.” In other words, the provisions of the Convention do not have direct provisions or consequences in the domestic law of the parties; they determine the basic principles that should govern national data protection regulations and the procedures and principles regarding the assurance to be provided to the data subjects through these regulations. In the “Explanatory Report on the Convention No. 108”, it is stated that the convention is not directly applicable and therefore the parties are obliged to include data protection provisions in their domestic laws. Therefore, it is worth noting that the provision in the second paragraph of Article 12 of the Convention No. 108, under which the parties cannot prohibit the transfer of personal data to another party country or subject it to permission conditions exclusively to protect the privacy of private life, is not directly applicable; in this respect, the aforementioned provision cannot primarily be applied in accordance with paragraph (6) of Article 9 of the Law or paragraph (5) of Article 90 of the Constitution. On the other hand, the regulation provided for in Article 9 of the Law does not contradict Article 12 of the Convention No. 108, and in this respect, considering that both regulations are complementary to each other, being a party to the Convention No. 108 is not sufficient by itself in determining the status of a safe country within the scope of Law No. 6698, as in EU practice; however, it will constitute a positive element in the assessment to be made by the Board.

In this respect, first of all, it should be noted that the Convention No. 108 does not permit the transfer of personal data abroad; if the data controller does not fulfil the conditions specified in Article 9 of the Law while transferring data abroad, illegal data processing will be in question. In this respect, personal data can be transferred abroad by obtaining the explicit consent of the data subject where the personal data requires explicit consent, or, where the transfer is based on other personal data processing conditions specified in the Law, if one of the conditions specified in paragraph (2) of Article 5 and paragraph (3) of Article 6 of the Law exists, the parties undertake sufficient protection and permission is given by the Board. From the information, documents and explanations given by the data controller to our Authority, it is understood that the personal data of the data subjects processed for marketing purposes were transferred within the scope of explicit consent, and that other personal data were transferred based on Article 12 of the Convention No. 108 within the scope of the legal justification “it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject”, referring to paragraph (2) of Article 9 of Law No. 6698 and sub-paragraph (f) of paragraph (2) of Article 5. However, while the data controller stated that it made a transfer within the scope of the Convention No. 108, it did not submit any information to the Board regarding the preparation of a commitment for transferring to the relevant outsourcing company. As of the date of the decision, no application by the data controller regarding the undertaking has been found in the Authority records.

As a result, the explicit consent was not duly drafted as a separate text by the data controller, and the data subjects did not clearly and understandably declare the transfer abroad; on the other hand, in international transfers that will take place depending on the processing conditions other than explicit consent, the balance test regarding the legitimate interest has not been carried out by the data controller, and a copy of the letter of undertaking has not been sent to our Authority in order to obtain the permission of the Board by making a written undertaking with the relevant company. It has been concluded that there is illegal data processing due to the fact that it does not meet the conditions specified in Article 3.

6. On the other hand, in Article 7 of the Law titled "Erasure, destruction or anonymizing of personal data", the provisions are included: “(1) Despite being processed under the provisions of this Law and other related laws, personal data shall be erased, destructed or anonymized by the controller, ex officio or upon demand by the data subject, upon disappearance of reasons which require the process. (2) Provisions of other laws concerning the erasure, destruction or anonymizing of personal data are reserved. (3) Procedures and principles for the erasure, destruction or anonymizing of personal data shall be laid down through a by-law.” In the Article 7 of the Regulation on the Erasure, Destruction or Anonymizing of Personal Data, in the event that all the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, it is stated that the personal data must be erased, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.

In this context, the data controller has not obtained explicit consent in accordance with the law from the data subjects for the data transfer abroad; the balance test indicating that there is a valid legitimate interest has not been carried out for processing conditions other than explicit consent; and a letter of undertaking has not been prepared in accordance with Article 9 of the Law and submitted to our Authority in order to obtain the Board's permission. It is therefore concluded that illegal data processing is in question in the transfer of data abroad and, since the data controller does not have a valid legal processing requirement for data transfer abroad, that this personal data should be deleted or destroyed in accordance with paragraph (1) of Article 7 and the relevant Regulation.

7. On the other hand, as it is known, Article 10 of the Law titled "Obligation of Controller to Inform" includes that whilst collecting personal data, the controller or the person authorised by him is obliged to inform the data subjects about the following: a) the identity of the controller and of his representative, if any, b) the purpose of data processing; c) to whom and for what purposes the processed data may be transferred, ç) the method and legal reason of collection of personal data, d) other rights referred to in Article 11. In the "Communiqué On Principles And Procedures To Be Followed In Fulfilment Of The Obligation To Inform (Communiqué to Inform)", the procedures and principles to be followed by the data controllers or the person authorised by him within the scope of the obligation to inform are determined.

In the incident subject to ex officio review, it was seen that the data controller used the Informing Text and Consent Text updated since 2018 for obtaining explicit consent. As a result of the examination of the text in question, it has been concluded that the data controller does not show sufficient attention and care in complying with the Communiqué to Inform, since it is understood that:

  • The informing text is not regulated in the detail specified in the Article 10 of the Law and the Communiqué to Inform,
  • In paragraph (f) of Article 5 of the Communiqué to Inform, it is regulated that in the event that processing personal data is on the basis of explicit consent, procedures of the obligation to inform and obtaining explicit consent shall be performed separately. Since it is seen that the data processing activity that the data controller will carry out based on explicit consent is arranged under a separate heading but within the informing text, the said application constitutes a violation of Article 5 of the Communiqué,
  • In the paragraph (h) of the Article 5 of the Communiqué; the provision ““Legal basis” mentioned in sub-paragraph (ç) of Article 10(1) of the Law means that personal data are processed on the basis of which processing conditions determined in the Article 5 and 6 of the Law within the scope of the obligation to inform. Legal basis shall be explicitly provided at the time of fulfilment of the obligation to inform.” is included. In the informing text prepared by the data controller, there is a general statement that the legal reason for the collection of personal data is the processing conditions specified in Articles 5 and 6 of the Law, however, it is not clearly stated which of the processing conditions in Articles 5 and 6 of the Law, as stated in the Communiqué, the legal justification is based on,
  • In paragraph (j) of the mentioned article of the Communiqué to Inform, it is stated that “At the time of fulfilment of the obligation to inform; information that is incomplete, incorrect and misleading the data subjects shall not be used.” In the informing text of the data controller, it is stated that the personal data will be processed within the scope of explicit consent for the purpose of sharing the service with third parties to send commercial messages, but the third person mentioned is a company named ...; in other words, there is no explanation that this data will be transferred abroad. Due to incomplete and misleading information regarding the transfer of personal data abroad, the data subject does not have complete information about what he/she consented to and the consequences of his/her consent,
  • In paragraph (a) of the mentioned article of the Communiqué to Inform, it is stated that “The obligation to inform shall be fulfilled in any case of processing depending on the explicit consent of data subject or other conditions for processing in the Law.”, and in paragraph (f) that “In the event that processing personal data is on the basis of explicit consent, procedures of the obligation to inform and obtaining explicit consent shall be performed separately.” However, the data controller regulates the informing text and obtaining explicit consent in a single text, so it does not offer the data subject the option to make a choice.

As a result, it has been decided that;

1. The data controller has not made a data transfer in accordance with the provisions of Article 9 of the Law, which regulates the transfer of personal data abroad. In addition, being a party to the Convention No. 108 is not sufficient on its own in determining the status of a safe country within the scope of Law No. 6698; however, it will constitute a positive element in the evaluation to be made by the Board. Therefore, an illegal personal data processing activity has been carried out by transferring personal data abroad without meeting the necessary conditions. For this reason, since it is concluded that the obligation of "preventing the illegal processing of personal data" stipulated in sub-paragraph (a) of the first paragraph of Article 12 of the Law titled "Obligations Regarding Data Security" has not been fulfilled, an administrative fine of 900.000 TL shall be imposed on the legal person data controller in accordance with subparagraph (b) of the first paragraph of Article 18 of the Law titled "Misdemeanors",

2. On the other hand, it is necessary to instruct the data controller to delete/destroy the personal data in question illegally transferred abroad in accordance with Article 7 of Law No. 6698 and to inform the Board of the result,

3. It is necessary to instruct the data controller to update the disclosure text in accordance with the provisions of Article 10 of the Law No. 6698 and the provisions of Article 5 of the Communiqué On Principles And Procedures To Be Followed In Fulfilment Of The Obligation To Inform issued based on this article, and to instruct that the obligation to inform and the obtaining of explicit consent must be fulfilled separately.