The Turkish Personal Data Protection Board (the “Board”) rendered Decision no. 2019/157, dated 31 May 2019 (the “Decision”), which was published on the webpage of the Data Protection Authority of the Republic of Turkey (the “Authority”) on 17 July 2019 and relates to the use of Google (Gmail) for corporate e-mail hosting.
Scope of the Decision and Legal Analyses
The Board rendered the Decision in response to a data controller’s request for the Board’s guidance on whether a private e-mail service, provided by a company with servers abroad, may be used for corporate e-mail addresses obtained through an open source e-mail service.
The Decision on the use of Google (Gmail) services for corporate e-mail hosting stipulates that:
- As Gmail data centers are located in different countries all over the world, the use of the Gmail e-mail service infrastructure by data controllers, through the procurement of Gmail e-mail, means that the e-mails sent and received by subjects result in the transfer of personal data abroad. Put more bluntly, the use of e-mail services from service providers with servers (data centers) outside of Turkey (such as Gmail) shall be deemed a data transfer outside of Turkey for the purposes of the personal data protection legislation of Turkey.
- Consequently, it is now clarified that data controllers that outsource corporate e-mail hosting to the Gmail service are obliged to comply with Article 9 of the Law on Protection of Personal Data no. 6698 (the “PDP Law”), which regulates the rules and requirements for transferring personal data abroad.
Under the Decision, the Board further rules that data storage services obtained through data controllers or data processors whose servers are located outside of Turkey (such as Gmail) shall comply with the provisions of Article 9 of the PDP Law relating to the transfer of personal data abroad.
Article 9 of the PDP Law states that personal data may be transferred outside of Turkey only either: (a) with the explicit consent of the data subject; or (b) if such consent is non-existent or impossible to obtain, where the lawful processing grounds stipulated under Articles 5/2 and 6/3 of the Law are met, provided that: (i) the transfer is to be made to a country on the list of countries that ensure an adequate level of protection (only the criteria for determining which countries provide an adequate level of protection have been set; the list designating those countries has not been rendered by the Board yet); or (ii) an undertaking is signed between the data controller in Turkey and the relevant foreign country for the relevant data transfer to ensure a sufficient level of personal data protection, and the approval of the Board is obtained.
Possible Further Implications and Compliance Actions
The Decision will surely raise a number of practical and operational difficulties for data controllers, since data subjects may refrain from providing explicit consent and, even where data subjects grant explicit consent, that consent may be withdrawn freely at any time under the PDP Law.
Considering the above, data controllers that use outsourced e-mail hosting services provided by a company with servers abroad should sign an undertaking with the data controller/processor with servers abroad to ensure a sufficient level of protection, and request the approval of the Board, until the Board publishes the list of countries that provide an adequate level of data protection.