Data Protection Board recently issued a new decision and fined
Background
Personal Data Protection in
In a globalized economy where technology companies dominate and control much of the content marketing and where data is seen as the new gold, restricting and monitoring cross-border data transfers is becoming ever-more important, which is also highlighted in the Data Protection Board's (DPB)
Transfer of Personal Data to Third Parties
Personal data transfers to third parties are quite restrictively regulated under the LPPD (similar to provisions in the GDPR). Article 5 of the LPPD clearly states that data controllers cannot transfer personal data to third parties without the explicit consent of the data owner except for the circumstances set forth in Articles 5/2 and 6/3. Article 9 further states that cross-border data transfers are forbidden unless the data owner consents explicitly to such cross-border data transfers. Article 9/2 provides an exception to this rule and allows for cross-border data transfers without the data owner's explicit consent in cases where circumstances set forth in Articles 5/2 and 6/3 are applicable and if (i) "sufficient protection is provided in the foreign country where the data is to be transferred" or (ii) "the controllers in
Data Transfers and Exceptions to Explicit Consent
As noted above, the general rule for data transfers, whether domestic or cross-border, is to obtain the prior explicit consent of the data owner. However, the LPPD does provide certain exemptions to this requirement, both for personal data and for personal data of special nature, set forth in Articles 5/2 and 6/3 respectively. According to Article 5/2, personal data can be processed and transferred to third parties without the explicit consent of the data owner if:
- Provided/required by the law,
- Required for the protection of life or physical integrity of a person who is not bodily able to provide consent,
- Required for the conclusion, fulfillment or procurement of services noted in a contract,
- Required for the data controller to perform its legal duties,
- The data is disclosed to the public by the data owner,
- Data is deemed mandatory for the establishment, exercise or protection of any right, or
- Mandatory for the legitimate interests of the controller, provided that it does not violate the fundamental rights and freedoms of the data owner.
Article 6/3 further states that personal data of special nature, excluding data relating to health and sexual life, can be processed and transferred to third parties without the explicit consent of the data owner if provided for by the laws.
Cross-Border Data Transfers and the Problem of Sufficient Protection
These provisions that set forth exceptions to the explicit consent rule for cross-border data transfers are quite clear, as Article 9/2 states that cross-border data transfers can be executed without the explicit consent of the data owner if sufficient protection is provided in the foreign country where the data is to be transferred. Taking into account that the LPPD is almost a direct translation of the GDPR, it is reasonable to assume that all cross-border data transfers into one or more of the countries where the GDPR is applicable will be covered by this provision and therefore will be exempt from the explicit consent requirement.
Unfortunately, this is not the case. The problem here arises from subparagraph 3 of the same Article 9, which states that the DPB shall determine and announce the countries where a sufficient level of protection is provided. The DPB has yet to announce such a list, which means that the exemption provided for at Article 9/2/a is not yet applicable to any cross-border data transfers, including to countries where the GDPR is applicable.
Summary of
Complaints against
As noted at the beginning of this article, following a complaint filed by an
DPB's
Following the complaint, the DPB launched an investigation into
Since
Since
Moving Forward: Effects of the
The decision to fine
Although we understand where the arguments against this decision are coming from, we also believe that the law is quite clear and transparent about exemptions. The LPPD provisions clearly state that exemptions for cross-border data transfers shall only be applicable if the country where the data is transferred has sufficient levels of protection (to be determined by the Board), or where sufficient protection is not available, a guarantee letter is provided and the transfer is approved by the Board. Since the exempted countries list is not yet published by the Board, the only way to benefit from cross-border data transfer exemptions is to submit a guarantee letter to the Board and wait for the Board's approval for transfers. Although
In this respect, the DPB has made its position abundantly clear: if data controllers want to conduct cross-border data transfers without obtaining explicit consent, they should either wait for the exempted countries list to be published, or submit a guarantee letter and wait for the Board's approval. Otherwise, all data controllers are required by the LPPD to obtain explicit consent from data owners before conducting cross-border data transfers.
Originally published by ASY Legal, on
Mr
ASY Legal
Konaklar Mahallesi, Selvili Sokak, 13 Blok B Kapısı
No:10 Kat:3 No:6,
Beşiktaş/
Tel: 530321 72 41
E-mail: Ali.yurtsever@asylegal.com
URL: www.asylegal.com