The EU’s General Data Protection Regulation (GDPR) was created with the aim of homogenising data privacy laws across the EU. GDPR also applies to organisations outside the EU, if they monitor EU data subjects, or offer goods and services to them. The GDPR applies to personal data, which is defined as any information relating to an identifiable natural person.
In certain cases, frameworks such as the EU-US Privacy Shield have been implemented to ensure the protection of data being transferred outside the EEA. However, such frameworks have not been established with all countries outside of the EEA. In such cases, businesses need to be keenly aware of the data protection laws in each territory, in order to ensure compliance.
Businesses based within the EEA that wish to send personal data outside the EEA also need to pay particularly close attention to GDPR. GDPR restricts the transfer of any personal data to countries outside the EEA.
The European Commission has made “adequacy decisions” as regards the data protection regimes in certain territories. Territories where the data protection regime has been deemed adequate include Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The EU Commission has also made partial findings as regard the adequacy of the regimes in the US, Japan and Canada.
If a business wishes to send data to a country which is not in the EEA, and which is not covered by an “adequacy decision”, it will need to ensure that the appropriate safeguards set out in the GDPR are implemented.
In order to facilitate data transfers within multinational corporate groups, “binding corporate rules” may be submitted to an EEA data supervisory authority for approval. If these are approved, then all members of the group must sign up to these rules and they then may transfer data outside the EEA, subject to the binding corporate rules.
Another way to make a restricted transfer outside the EEA is for both parties to enter into a data sharing agreement, which incorporates the standard data protection clauses adopted by the European Commission.
The Commission has published four sets of such model clauses, which set out the obligations of both the data exporter and data importer. The clauses may not be amended and must appear in the agreement in full. The penalties for noncompliance with GDPR are significant, since organisation can be fined €20 Million or 4% of their annual global turnover for breaches.
Article 49 of GDPR also sets out derogations from the GDPR’s general prohibition on transferring personal data outside the EEA without adequate protections. The derogations can apply, for example, where there is an important public interest, or the data must be transferred for legal proceedings. A derogation can also apply where the data subject has been fully informed of the risks, but has given their explicit consent to the transfer.
The advent of GDPR has a significance for companies doing business internationally. However, companies doing business internationally also need to think beyond GDPR. Companies may find themselves subject to the data protection regimes of third countries, even if they do not have any physical presence there. For example, international companies without a presence in Turkey may be subject to Turkish data protection law if their activities have an effect in Turkey.
A registration system for data processors is currently being rolled out in Turkey. Data processors based outside Turkey whose activities have an effect in Turkey may need to register by 30 September 2019.
Turkey’s 2016 Law on the Protection of Personal Data is based largely on EU data protection law. As a candidate state for EU membership, Turkey aligns much of its legal system with EU law. Many of its requirements are broadly similar to EU law. However, there are also some very important differences which companies whose businesses have an effect in Turkey should be mindful of.
Turkish data protection law allows for administrative fines of up to three per cent of a company’s net annual sales to be levied if personal data is stolen, or disclosed without consent. Turkish data protection law applies to both sensitive and non-sensitive personal information.
Personal data may not be transferred outside Turkey without the consent of the data subject, except in strictly limited circumstances. Regulatory approval is required for such transfers where the transfer may harm Turkey or the data subject.
Unlike GDPR, however, “explicit consent” is required by Turkish Law to process both sensitive and non-sensitive data. The exceptions to this general rule include where there is a legal obligation on a data processor to process the data, and where such processing is necessary to protect the life of the subject. Further processing is not allowed without specific consent, and there is no “compatible purpose” exception in Turkish law. The definitions of consent also differ in Turkish law and under GDPR.
GDPR has caused many EEA companies to consider in detail the laws restricting the transfer of data out of the EEA. However, companies may also be subject to laws restricting the transfer of data into the EEA.
Elif Ecem Seçilmiş, Associate