Turkiye: Introduced Bill on Amendments to the Code of Criminal Procedure, Some Laws and the Decree Law No. 659 including cross-border data transfer regulation

On 16 February 2024, the Bill on Amendments to the Code of Criminal Procedure, Some Laws and Decree-Law No. 659, including cross-border data transfer regulation, was introduced in the Grand National Assembly of Turkey. The Bill includes measures amending Article 9 of the Personal Data Protection Law (Law 6698), specifying conditions that controllers have to meet to transfer personal data abroad. Under the Bill, data transfers are allowed if the conditions for the processing of personal data from Articles 5 and 6 are met and there is an adequacy decision for the destination country, international organisation, or sectors within the country where the transfer will occur. If no adequacy decision exists, personal data can be transferred abroad based on appropriate safeguards, such as non-international agreements, binding corporate rules, standard contracts approved by the Board, or written commitments ensuring adequate protection. The Bill specifies that the Authority must be notified of the standard contract within five business days of signing. In case no adequacy decision exists and appropriate safeguards cannot be provided, personal data may only be transferred abroad under specific circumstances, including explicit consent from the data subject and the necessity for contract performance or public interest. Furthermore, under the Bill, the appropriate safeguards used by the controller would apply to subsequent transfers of personal data. Finally, the Bill specifies the process of adequacy decision adoption.