Inspired by the GDPR, the Turkish Personal Data Protection Law, 2016 ("PDPL") also aims to ensure secure and lawful data processing activities. However, its approach to cross-border data transfer differs and can be challenging in practice. For cross-border data transfers, the PDPL requires parties either to rely on adequacy decisions of the Turkish Data Protection Authority ("DPA") or to implement adequate safeguards such as Standard Contractual Clauses ("SCCs") or Binding Corporate Rules ("BCRs"). As the DPA has not issued any adequacy decisions to date, organizations have no option but to rely on the SCCs published by the DPA or to submit BCRs, if any, to the DPA for approval.
Interestingly, these SCCs come with rigid requirements and, unlike the GDPR, the PDPL does not offer any flexibility to amend or modify them. One clause in particular has become a sticking point: Data Importers must include a third-party beneficiary clause in their contracts with sub-processors (often global cloud service providers), granting the Data Exporter the right to request deletion of data and backups in the event the Importer ceases to exist or becomes insolvent.
In practice, this poses problems, as most cloud providers have their own standardized contracts and are unwilling to accept any modification of them. Because of this inflexibility, Data Exporters now run the risk of non-compliance through no fault of their own. The only solution is for global cloud service providers to voluntarily revisit their standard contracts and support these requirements for Turkish cross-border data transfers. However, doing so also raises operational challenges, such as the need to swiftly identify and delete specific data sets upon request, which could require the provider to access and audit vast volumes of customer data, raising new concerns around data sovereignty and confidentiality.