A Decision By Turkish DPA On Use Of E-Mail Services With Servers Abroad
On July 17, 2019, the Data Protection Authority published its decision on the use of Google (Gmail) services for corporate e-mail hosting.
In its decision no. 2019/157, the Data Protection Authority decided that:
1- The use of Gmail e-mail service infrastructure by a data controller results in sent and received e-mails being stored in data centres located in various parts of the world. This means that the personal data is transferred abroad and, as a result, the data controller must make sure that the transfer is made in line with the “Transfer of Personal Data Abroad” provision in Art. 9 of the Law on Protection of Personal Data no. 6698 (“DPL”),
2- Data hosting services that are obtained from data controllers/data processors must adhere to the conditions in Art. 9 of the Law on Protection of Personal Data.
In summary, the Data Protection Authority’s decision states that the use of Gmail or other e-mail providers with servers abroad constitutes a transfer of personal data out of Turkey, which is not a surprise. Having said that, there are questions as to whether the decision is realistic or not in this connected world where almost all companies are using cloud solutions.
We are raising this question because Turkey’s currently applicable regime for transferring personal data abroad is very complicated and challenging to comply with.
The transfer of personal data is stipulated under Art. 9 of the Law on Protection of Personal Data. Under Art. 9, personal data can be transferred to other countries based on the explicit consent of the data subject.
If explicit consent is non-existent, personal data can be transferred to other countries based on any of the statutory justifications in Art. 5/2 or 6 of the DPL on the condition that:
i- The transfer is being made to a country that is within the adequate countries list (the list has not been drafted by the DPA yet; therefore this is not applicable at this stage) or,
ii- An undertaking is signed between the exporting and importing party for protection of personal data, and the approval of the DPA is obtained (as of May 30, 2019, the DPA has not yet approved any transfers).
In light of the above, since option i) is not applicable and option ii) is not working very well in practice, the only option for transfer of personal data abroad is by obtaining the explicit consent of data subjects. But this raises even more questions, such as: what happens if a data subject does not want to give consent, what happens if a data subject wishes to revoke his/her consent, and are companies going to ask for explicit consent from employees?
Considering the above, it seems that the companies in Turkey that use outsourced e-mail hosting services may face difficulties in the future and we believe that to ease this period, the Turkish Data Protection Authority must publish the list of countries that provide adequate protection urgently.