Following numerous filings from Turkish citizens, residing abroad, concerning transfer and sharing of their personal data with institutions and organizations of other countries, the Personal Data Protection Authority (“the Authority”) has clarified the following issues, in accordance with the Article 9 of the Law on Personal Data Protection Nr. 6689 (“the Law”);
First, it has been observed by the Authority that in the complaints had broad and general requests concerning the transfer of the personal information, and without reference to any data controller. Under the Article 13/1 of the Law titled "Application to the Data Controller"; it is stated that the data subject will submit his/her requests for the implementation of this Law to the data controller in writing or by other methods to be determined by the Authority. Furthermore, Article 5 of the "Communiqué on the Procedures and Principles of Application to the Data Controller" (Communiqué) in accordance with the Article 13 of the Law includes the provision that "The data subject submits his/her requests within the scope of his/her rights specified in Article 11 of the Law to…… the data controller". Mandatory elements for the application are the name, surname, signature if the application is written, Identity Number, place of residence or workplace address for notification, the e-mail address for notification, if any, and the subject of the request.
Secondly, multiple the requests of citizens residing abroad have requested prevention of transferring their financial account information abroad. The transfer of financial information was based on the “Mutual Administrative Assistance Agreement in Tax Matters” (Agreement) signed by the members of the OECD on 3 November 2011 and approved by Law No. 7018 dated 03.05.2017 and the “Multilateral Competent Authority Agreement on Automatic Exchange of Account Information”” (Agreement) signed in 2017 and published in the Official Gazette dated 31.12.2019 and numbered 30995 within the scope of this Agreement. Therefore, in Turkey, the authorized authority to collect and share information for automatic information exchange within the scope of both Agreements has been determined as the Revenue Administration under the Ministry of Treasury and Finance, and complaints must be submitted to the Ministry.
However, because of many similar petitions by Turkish citizens, residing abroad, have been submitted to the Authority, the issue has been separately evaluated by a decision. The Authority has decided on its decision dated 07.07.2021 and numbered 693 that;
The complaints which are submitted by the data subjects to our Authority are of a general nature, and the subject of not transferring personal data abroad do not point to any data controller, and the requests are of an abstract nature. Therefore, it has been considered that they do not meet the legal requirements due to the violation of Articles 13 and 14 of the Law and will not be investigated. Regarding the complaints referred to as "Automatic Information Sharing" it is considered that the competent authority is the Revenue Administration, which is affiliated to the Ministry of Treasury and Finance, in terms of the implementation of the above-mentioned Agreement provisions in our country. Therefore, it has been decided that there is no action to be taken within the scope of Law, regarding the petitions in question, considering that the applicants should submit them to the relevant Ministry.
In accordance with the decision, the Authority has stated that the cited petitions, which have been submitted to the Authority so far and will be forwarded thereafter, will not be evaluated for the reasons given in the decision, and no separate response will be given to the applicants.
Author: Sinan Erkan