COMMITMENT LETTER APPLICATION FOR TRANSFER OF PERSONAL DATA ABROAD
Authors: Burak Özdagıstanli, Sümeyye Uçar, Bensu Özdemir
The conditions of the transfer of personal data abroad are regulated under Turkish Data Protection Law w. no 6698 (“DPL”). One of the conditions is that in the case that one of the conditions of processing data stated in DPL exists and the country where personal data are to be transferred does not provide adequate protection, data controllers in Turkey and the relevant foreign country shall sign a commitment letter on adequate protection and get approval of the Turkish Data Protection Authority (“DPA”). The DPA, for the first time since it started operating, announced two approval of commitment letters on 9 February 2021 and on 4 March 2021. Regarding approval of the commitment letters, on 07 May 2020 DPA published the announcement explaining “the Matters to Be Considered in the Commitment Letter to Be Prepared in the Transfer of Personal Data Abroad” and the issue was discussed in Wednesday Seminar of DPA on 24 March 2021. Under these evaluations, procedural and material issues of commitment letter applications are determined by the DPA.
A) Procedural issues of commitment letter applications are:
1) Name, surname, address, signature, and the document certifying the signature authorization of authorized person to file application must be included for natural person data controllers. In this respect, the applications of the legal entities must made by persons who have authority to represent and bind with the documents certifying it. If the application is filed by proxy, the original power of attorney or its notarized/attorney certified copy must be included.
2) The last pages of the commitment letter and Annex 1 must be signed and stamped, and each signatory must initialize each pages.
3) To show the authorization of signatories, signatory circular’s original or certified copy must be annexed for companies located in Turkey. For transferer companies located other countries that are party of 1961 Lahey Convention, original or certified copy of apostilled document stating signatory authorization must be included. Each document prepared by the official authorities of the countries that are parties to the aforementioned Convention must be apostilled.
4) Notarized translation of each document must be included in foreign language.
5) While the commitment letter is being prepared, the required provisions stipulated in templates published on the DPA’s website must be added. If additional provisions are to be added, they must be presented under the title “Additional Provisions”.
6) The commitment letter applications must be prepared in line with the DPL instead of GDPR.
The commitment sentences must be formed using future tense.
After the applications are reviewed in scope of the procedural perspective by the DPA, they are examined in scope of the material issues.
B) Material issues of commitment letter applications are:
1) The relationship between the parties of the transfer must be determined properly. According to characteristics of the transferee party, the proper commitment letter template published on the DPA’s website must be used.
2) Detailed understandable explanations regarding the legal status of parties must be provided and document such as agreement, protocol that stipulates the relation between them must be sent with the commitment letter application.
3) The terminology of the DPL must be followed, and the definitions must be in accordance with the DPL and secondary legislations.
4) The interrelated issues must be presented in together with sufficient explanations.
5) Transfer of personal data abroad based on explicit consent cannot be issue of the commitment.
6) The general principles stipulated in the DPL should be observed while issuing the commitment letter and its annexes.
C) Matters to be considered in the explanations under the titles in ANNEX-1 are:
1) Data subject group and groups
“Data subject group or groups” are specified clearly without ambiguous expressions.
2) Data categories
While specifying the “Data categories”, the principle of “being relevant, limited and proportionate to the purposes for which they are processed” must be observed. While expressing data categories, ambiguous and broad expressions should not be used, and the data categories must be presented in understandable details.
The personal data to be transferred must be correlated with the title "Data subject group and groups” and clearly stated which data categories belong to which data subject groups. Also, any ambiguous expressions must not be included.
3) Purposes of transfer
The purposes of transfer must be explained by correlating with the title “Data categories”. Additionally, the limits of the purpose of processing personal data in the relevant section should be explained in specific and clearly understandable detail under the principle that is being processed for specified, explicit and legitimate purposes.
4) Legal basis of transfer
The legal basis of personal data transfer which is subject to the commitment letter must be set forth separately in justified and understandable detail by establishing a correlation with the of "Data categories". In this respect, the legal basis stipulated in the DPL must be shown.
5) Recipient and recipient groups
DPL does not permit the onward transfer which is data transfers from the transferee to any other data controller or data processor located in a foreign country. However, onward transfer to governmental authorities is accepted under the scope of the transferee’s legal obligation. So, if the governmental authorities can be identifiable, these authorities must be specified.
6) The technical and organizational measures that will be taken by the receiver
While preparing this section, the Guideline on Technical and Organizational Measures published by the DPA must be considered. The technical and organizational measures that are committed must be set forth separately and the certifying documents must be included.
7) Additional measures which are taken for Special Categories of Personal Data
While preparing this section, the compulsory technical and organizational measures stipulated in Resolution of the DPA dated 31 January 2018 and numbered 2018/10 regarding "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data” must be taken, and the certifying documents must be included.
8) VERBIS information of the transferer
If the data controller is not obliged to registry with VERBIS, the reason must be explained. Otherwise, VERBIS information of data controller must be specified.
9) Additional useful information
Retention periods and other information which are not subject of other titles are issued under this section. Processing retention must be specified as showing at least the maximum period and the reason. If legislation determines the retention period, the legislation and related provisions must be specified.
10) Contact person’s contact details
11) The titles of “Data Controller” and “Data Processor” stipulated in commitment letter template for “Transfer to Data Processor from Data Controller”
The fields of activity of the data controller and the data processor must be explained, and the explanations regarding the data transfer of the data controller and the processing activities to be performed by the data processor after the transfer must be presented in clear detail.
12) The title “Processing Activities” stipulated in commitment letter template for “Transfer to Data Processor from Data Controller”
The processing activities of transferee should be set forth in understandable detail and clarity.