What does the Guideline on Transfer of Personal Data Abroad Regulate?
Introduction
Although the Turkish Personal Data Protection Law No. 6698 (KVKK) stipulates certain rules on cross-border personal data transfer, the effective functioning of the transfer rules was limited over time due to some difficulties in practice. In particular, until late 2024, applications to the Personal Data Protection Board (Board) for permission to transfer personal data took a considerable amount of time, making the transfer of data abroad from Türkiye largely dependent on the data subject's explicit consent. This created a significant obstacle, especially for those using cloud-based software and applications whose servers are located abroad, and caused severe blockages in commercial life.
Considering the needs arising from the developing technology and the dynamism of commercial life, an important amendment to the Law[1] was made in 2024 to make cross-border data transfer processes more sustainable and to eliminate the problems in practice. The new regulation introduced alternative mechanisms in line with the European Union General Data Protection Regulation.
In January 2025, the Personal Data Protection Authority (Authority) published guidance on how these changes to the cross-border transfer system should be interpreted in practice: the "Guidelines on the Transfer of Personal Data Abroad"[2] (Guidelines). The Guidelines are intended to guide the implementation of personal data transfers and the safeguards that the Board expects during the transfer.
In this article, the prominent provisions of the Guidelines will be discussed, and the process of drafting and signing standard contracts, which is of particular interest in practice, will be detailed with concrete examples from the Guidelines.

Transfer of Personal Data Abroad: Legal Framework
The transfer of personal data abroad is handled within the KVKK and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad[3]. With the publication of the Guidelines, the procedures and principles regarding transferring personal data abroad have become more specific. Within the scope of the legislation and the Guidelines, a three-step structure has been established to legally transfer personal data from Türkiye to abroad. Accordingly, the following safeguards must be provided in data transfer:
- Existence of one of the conditions specified in Articles 5 and 6 of the KVKK (such as being explicitly stipulated in the law, the performance of a contract, or legitimate interest) and inclusion of the destination country in the list of countries with an adequate level of protection (adequacy decision). If the transfer will be made to a country with adequate protection within the scope of the list to be published by the Board, no additional permission or additional commitment is required.[4]
- If an adequacy decision is not available, cross-border data transfer may be carried out by data controllers and processors by providing one of the following appropriate safeguards, provided that one of the conditions for personal data processing exists and the data subject can exercise their rights and pursue legal remedies abroad:
  - Agreement between Public Institutions + Board Permission: If there is an agreement between public institutions in Türkiye and public institutions or international organizations abroad that does not have the nature of an international agreement, and the Board grants permission, the transfer can be made.
  - Binding Corporate Rules (BCRs): Group companies engaged in joint economic activity can provide appropriate safeguards for data transfers abroad through binding corporate rules[5] approved by the Board.
  - Standard Contracts (SCCs): If the standard contracts[6] announced by the Board are used, personal data can be transferred without additional authorization. However, in this case, the Authority must be notified of the standard contract within five business days following the completion of the signatures.
  - Letter of Undertaking + Board Authorization: If the data controller submits a written undertaking stating that adequate protection will be ensured and the Board approves the said undertaking, data transfer can be carried out in accordance with the law.
If none of the data transfer mechanisms listed above that provide appropriate safeguards are applicable, cross-border transfer may be possible in the following exceptional circumstances, provided that it is incidental:
- Existence of the informed and freely given explicit consent of the data subject.
- The transfer is mandatory for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken upon the data subject's request.
- The transfer is mandatory for establishing or performing a contract between the data controller and a third party for the benefit of the data subject.
- The necessity of data transfer in the public interest.
- The transfer of personal data is mandatory to establish, exercise, or protect a right.
- The need for immediate transfer to protect the life or safety of the individual.
- Transfer from a registry open to the public or persons with a legitimate interest provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.
When the new cross-border transfer system is analyzed as a whole, it is seen that alternative mechanisms have been offered to data controllers and data processors in cross-border transfers and that the data transfer processes of companies have been facilitated to some extent, especially with standard contracts that do not require Board approval.
What Do the Guidelines Regulate?
The Guidelines detail the new legal framework and identify which methods can be used in which situations. The Guidelines also explain, with examples, the process of drafting and notifying standard contracts, the drafting of binding corporate rules, submission to the Board for approval, and the issues to be taken into account in the transfer process. However, before going into the details of the contracts, it would be helpful to focus on the section of the Guidelines that defines and concretizes the situations that will be considered as "transfer of personal data abroad". If there is no transfer abroad, additional obligations will not arise.
In the Guidelines, the transfer activity is defined by three criteria: (i) the data transferor is subject to the KVKK in terms of personal data processing activity; (ii) the data processed by the data transferor is directly shared or made accessible in a different way; and (iii) the data transferee is in a third country, regardless of whether it is subject to the KVKK. In this context, for example, if remote access is provided from a third country for technical support, troubleshooting or management purposes (even if the data is only displayed on the screen), personal data should be considered to be transferred abroad.
Based on this definition, the following will be considered transfers of personal data abroad: a Turkish hotel chain managing its reservation system through a service provider abroad and thus processing the data of customers in Türkiye on servers abroad; a company operating in Türkiye providing a group company abroad with access to a database containing employee information; or a hospital in Türkiye using an artificial intelligence-based health platform hosted abroad to analyze patient information. On the other hand, the direct acquisition of personal data by a data controller resident in a third country from a data subject resident in Türkiye will not constitute a transfer, and it will not be necessary to apply the cross-border transfer mechanisms. However, it should not be forgotten that the said personal data processing activity must always be carried out in accordance with the fundamental principles of the KVKK.
The parts of the Guidelines detailing how standard contracts should be organized, signed and notified are undoubtedly the most important sections that will shed light on practice.
Standard contracts are announced on the Authority's website by considering four different transfer scenarios, and data controllers and data processors should determine and select the appropriate standard contract type for each transfer. Once the contract type is selected, only the standard contract clauses granting optional rights or alternative content can be amended; otherwise, revising the text is impossible. The parties shall include the details regarding the transfer of personal data in the annex, which is an integral part of the contract. The drafting and signing of the annexes to the agreement is of critical importance and the issues to be considered in this process are emphasized in the Guidelines. The important sections can be summarized as follows:
- It should be clearly stated to which group of data subjects the personal data subject to data transfer belongs and which personal data of which data subjects will be transferred; personal data categories should be detailed (for example, the e-mail address is under the contact data category).
- The retention period of the personal data; if it is impossible to determine this period, the criteria taken into account in determining the storage period (for example, the period for which the contract including the personal data processing activity will be in force) should be specified.
- Within the scope of the subsequent transfer to be made by the data recipient, the recipients to whom personal data will be transferred based on the standard contract should be included. Under the new transfer system, the safeguards in the KVKK will also need to be provided for the subsequent transfer of personal data abroad.
- In the scenario where the data recipient is a processor and works with sub-processors (subsequent transfer), the data processing activities performed by the sub-processors must be disclosed.
- In terms of subsequent transfers, if there is a change after the notification of the standard contract to the Authority, these changes must also be notified.
- The standard contract must only be signed by the parties to the transfer or authorized persons. Otherwise, the standard contract will not be valid.
Following the Guidelines, a public announcement[7] was published to prevent common mistakes in the drafting and notification of standard contracts. The public announcement emphasizes the importance of checking whether the signatories of the standard contract are authorized, the importance of writing the names of the parties in detail, the contract's signature date, and the impossibility of setting a retroactive effective date in the contract.
Conclusion
The Guidelines, which practitioners have been looking forward to, have made the new transfer mechanisms offered to data controllers through the law amendment in 2024 more predictable and eliminated some question marks, especially regarding the implementation of standard contracts. However, due to the rapid development of technology and the dynamic nature of digitalization, some questions remain unanswered in cross-border data transfer processes.
The introduction to the Guidelines states that they will be reviewed and updated as necessary based on implementation experience. This statement creates an expectation that, although uncertainties may not be eliminated entirely, new regulations may be made according to the needs arising from the implementation in the future, and that some open issues may be clarified over time. Therefore, it is of great importance for data controllers and practitioners to continue to closely follow the process and comply with the existing regulations.
[1] Law No. 6698 on the Amendment of the Code of Criminal Procedure and Certain Laws, including provisions on the Law on the Protection of Personal Data, was published in the Official Gazette dated 12.03.2024 and numbered 32487. The amendments entered into force on 01.06.2024 and the existing first paragraph of Article 9, which regulates the procedures and principles regarding the transfer of personal data abroad, continued to be applied until 01.09.2024 with the amended version of the article.
[2] Personal Data Protection Authority, "Kişisel Verilerin Yurt Dışına Aktarılması Rehberi", (Date of Access: 15.02.2025).
[3] Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, Official Gazette dated 10.07.2024 and numbered 32598, https://www.resmigazete.gov.tr/eskiler/2024/07/20240710-2.htm, (Date of Access: 15.02.2025).
[4] As the list has not yet been published, there is currently no equivalent in practice.
[5] Personal Data Protection Authority, https://www.kvkk.gov.tr/Icerik/6728/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-BAGLAYICI-SIRKET-KURALLARI-HAKKINDA-DUYURU, (Date of Access: 15.02.2025).
[6] For the standard contracts announced by the Personal Data Protection Board, please see https://www.kvkk.gov.tr/Icerik/7929/Standart-Sozlesmeler, (Date of Access: 15.02.2025). With the Board's decision dated 04.06.2024 and numbered 2024/959, 4 types of standard contract texts containing different transfer scenarios were adopted and announced on the website of the Authority.
[7] Personal Data Protection Authority, "Public Announcement on the Issues to be Considered in Standard Contracts to be Used in the Transfer of Personal Data Abroad", https://www.kvkk.gov.tr/Icerik/8170/Yurt-Disina-Kisisel-Veri-Aktariminda-Kullanilacak-Standart-Sozlesmelerde-Dikkat-Edilmesi-Gereken-Hususlara-Iliskin-Kamuoyu-Duyurusu, (Date of Access: 15.02.2025).
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.