Turkiye: Implemented Law No. 7499 including cross-border data transfer regulation

On 1 September 2024, Law No. 7499, previously Bill on Amendments to the Code of Criminal Procedure, Some Laws and Decree-Law No. 659, including cross-border data transfer regulation, entered into force. The law includes measures amending Article 9 of the Personal Data Protection Law (Law 6698), specifying conditions that controllers have to meet to transfer personal data abroad. Under the law, data transfers are allowed if the conditions for the processing of personal data from Articles 5 and 6 are met and there is an adequacy decision for the destination country, international organisation, or sectors within the country where the transfer will occur. If no adequacy decision exists, personal data can be transferred abroad based on appropriate safeguards, such as non-international agreements, binding corporate rules, standard contracts approved by the Board, or written commitments ensuring adequate protection. The law specifies that the Authority must be notified of the standard contract within five business days of signing. In case no adequacy decision exists and appropriate safeguards cannot be provided, personal data may only be transferred abroad under specific circumstances, including explicit consent from the data subject and the necessity for contract performance or public interest. Furthermore, under the law, the appropriate safeguards used by the controller would apply to subsequent transfers of personal data. Finally, the law specifies the process of adequacy decision adoption.