Navigating Personal Data Transfers to Türkiye from the EU

// Eyüp Kun and Abdullah Elbi //

  1. Introduction and context

The GDPR establishes strict requirements for personal data transfers outside the EU, demanding adequate safeguards and ensuring that data subjects have enforceable rights and effective legal remedies. The blogpost is based on a comprehensive study commissioned by the EDPB titled “Government Access to Data in Third Countries II”. We intend to provide a concise summary of this report, highlighting the key aspects of Türkiye’s data protection approach in the context of international data transfers from the EU to Türkiye. Overall, this post aims to inform readers about the specific challenges and considerations in data transfers to Türkiye.

Türkiye’s relationship with the EU is a rich and sometimes complex tapestry of economic and socio-political ties, stretching back decades. A partner in diverse domains such as trade and migration, Türkiye’s alignment with the EU has deep roots. Among others, Türkiye is a member of Council of Europe (CoE) since 1950 and has been an EU candidate country since December 1999, although has not progressed recently. In light of these intricate connections, understanding the international data transfer dynamics for a country which inextricably linked with the EU becomes crucial, since data transfer likely to be occur between Türkiye, and EU Member States.

  1. Rule of law, respect for human rights and fundamental freedoms in Türkiye

Celebrating its 100th anniversary recently, Türkiye is a democratic constitutional republic with separation of powers between the parliament, the president (the head of state and head of government), and the judiciary. Like many EU countries, the legal system in Türkiye is based on civil law and codified laws. The Constitution of Türkiye includes protection for several basic human rights and freedoms such as the right to privacy and right to data protection.

The study refers to several reports by the EU, CoE and NGOs(e.g. Amnesty international, Privacy International etc.) which notes, importantly, serious deficiencies in the protection of fundamental rights, deterioration of the rule of law and the systemic lack of independence of the judiciary in Türkiye. Compared to other CoE members, Türkiye has the most registered human rights violations in front of the European Court of Human Rights (ECtHR) (3900 cases, an interesting but maybe not a surprising statistic.)

With regard to data protection in Türkiye, there are specific, context dependent measures in place. For example, violation of privacy and secrecy, illegal recording of data, illegal transfer and dissemination of personal data and non-destruction of data is penalized under Turkish Criminal Law(TCL). Also, since 7 April 2016, of The Turkish Personal Data Protection Law (TPDPL), 95/46 Directive alike, applies. TPDL establishes Personal Data Protection Supervisory Authority (SA) and obliges controllers and processors to comply with certain principles(e.g. lawfulness, accuracy, purpose and storage limitation) and rules when processing personal data in Türkiye and sets criteria for international personal data transfer(Art. 9 TPDL). However, in the matter of national security and law enforcement use, TPDL does not apply. Against this exception clause, the study addresses certain safeguards in secondary legislation setting out the powers and duties of competent authorities particularly, in the context of law enforcement and national security domain (i.e. MIT Law, Police Law, Gendarmerie Law and Criminal Procedure Law).

  1. Government access to personal data in Türkiye

a) Government access to personal data for national security purposes

Several key aspects are highlighted in a detailed analysis of personal data access in Türkiye, particularly by the National Intelligence Organisation (MIT), the General Directorate of Security and Gendarmerie of General Command.

The primary responsibilities of MIT include national security, counter-intelligence, and anti-terrorism tasks. Its responsibilities are outlined in the MIT Law (Law numbered 2937), which divides them into five categories, including intelligence provision, counter-terrorism, and intelligence coordination. The MIT has the authority to request information from both public and private entities, access databases containing information about foreigners, and intercept communication data. Personal data is involved in the MIT’s data access powers, particularly in human and signal intelligence.

The MIT Law establishes general safeguards such as confidentiality requirements and purpose limitation, ensuring that data is only used for the tasks specified in Article 4 of the MIT Law. However, there are concerns about the lack of privacy and data protection in the competencies of MIT. The Constitutional Court of Türkiye has examined the constitutionality of MIT’s powers, concluding that they do interfere with privacy and data protection rights. In the decision, the majority justified the intervention, citing internal oversight mechanisms and legal redress options. However, dissenting opinions expressed concerns about MIT’s broad powers without further safeguards.

Eight specific safeguards to the authority to government data access apply to Turkish citizens residing in Turkey, including the requirement of a judge’s order for data access, the limitation of the measure’s duration, and the requirement for the destruction of accessed communication content. In contrast, the safeguards for accessing foreigners’ communications are less stringent. Though general safeguards apply, specific conditions are limited, and the MIT Law does not explicitly mention the necessity and proportionality requirements.

Personal data access by the General Directorate of Security and the General Command Gendarmerie is slightly different and limited in contrast to MIT. These entities, unlike MIT, can only request information from public entities, not private ones. Their safeguards and procedural requirements are similar to those of MIT, but they require judicial approval and written requests, which do not apply to MIT.

Regarding the judicial redresses, individuals have access to redress mechanisms via administrative and constitutional law. Furthermore, there are three ex-post external oversight mechanisms: the State Supervisory Council, parliamentary oversight, and Ombudsman oversight. However, the effectiveness of these mechanisms has been called into question, with EU progress reports recommending stronger oversight.

b) Government access to personal data for the purpose of criminal investigation and prosecution

Several means are available to prosecutors and judges under the Turkish Criminal Procedure Law(TCPL) to obtain evidence during a criminal investigation or prosecution with the support of law enforcement agencies. Among others, The TCPL allows prosecutors, judges, or courts, to request any information in writing during the investigation and prosecution of offenses.

The study analyzes two measures available to public prosecutors (i) search of computers, computer programs and transcripts, copying and provisional seizure(TCPL 134); and (ii) interception of correspondence through telecommunication(TCPL 135), stressing their intrusiveness for fundamental rights in the digital age. These measures can be applied with the decision of a judge or in case of urgency by prosecutor( later to be approved by judge within 24 hours).

The former allows for searching the computers, computer programs and computer logs used by a suspect, and for making copies of computer records and decoding and transcribing these records. The latter allows for intercepting or recording the telecommunication of a suspect or defendant and evaluating signal information (with maximum period of three months, save extensions) while being applied in secret during investigations (logically). Unlike the other measures, “detection of telecommunications”, i.e. Historical Traffic Search (HTS) does not require strong suspicion and (for)specific crimes limitations, hence the study notes that it will likely to find broader scope of application compared to other measures.

The study also addresses some procedural and substantial conditions and safeguards provided in law such as, applying these measures for a “limited duration”, or “transcribing records” and all the data obtained, and only “if there are strong indications of suspicion that crime is attempted”(simple suspicion is not sufficient) noting that some of these safeguards found proportionate, legitimate and compliant with the Constitution by the Constitutional Court.

  1. Data subject rights

In Türkiye, constitutionally recognized data protection rights are entitled to all individuals, regardless of their nationality, and includes rights such as the right to be informed, access, rectification, and the right to be forgotten. The TPDL does not implement these rights for intelligence and law enforcement purposes since the personal data processing for these purposes are excluded from the scope of the TPDPL. In addition, The MIT is completely exempt from the scope of the Law on the Right to Information, according to Article 30(5) of the MIT Law. The Constitutional Court addressed this exemption in a significant ruling (Case No. 2022/86, 12 January 2023). The Court ruled that MIT’s complete exclusion from data access rights is unconstitutional, emphasising that such exclusion undermines transparency and democratic exercise of public power. Among others, the report addresses that in criminal cases, defence counsel can access investigation data, allowing them to partially maintain their right of access.

  1. Conclusion

Personal data is strongly protected by Türkiye’s constitutional framework, which recognizes it as a fundamental right alongside privacy. Also, data processing by judicial, law enforcement and intelligence agencies is exempt under TPDL, raising concerns about the proportionality and necessity of government data access. Despite these exemptions, the Constitutional Court determined that they were necessary and proportionate, considering existing safeguards and oversight mechanisms. Individuals, including foreigners, can seek judicial redress and file complaints with the Constitutional Court, which can be escalated to the ECtHR if necessary. However, the effectiveness of oversight mechanisms and the full realisation of constitutionally guaranteed data subject rights are still hotly debated and developing issues. Therefore, when the data exporters from the EU transfer personal data to the economic operators in Türkiye, they should carefully address these issues while they are conducting their transfer impact assessment prior to data transfer to Türkiye and take appropriate technical and contractual safeguards.

Eyüp Kun, Doctoral Researcher @ KU Leuven | Cybersecurity and Data Protection

Abdullah Elbi, Law Expert Lawyer | CIPP/E | CIPM | Legal Researcher at Centre for IT & IP Law (CiTiP) @KU Leuven