News

Guideline on the Transfers of Personal Data Abroad

Published in January 2025, this guideline aims to explain the processes for transferring personal data abroad under Article 9 of the Personal Data Protection Law No. 6698 (“the Law”). The guideline serves as an instructive document regarding the implementation of the Law and the safeguards established by the Personal Data Protection Board (“the Board”). While the guideline primarily explains the provisions of the Law, it also aims to provide practical guidance through case studies and scenarios. Notably, this guideline reflects the Personal Data Protection Authority's approach of aligning with the European Data Protection Board's guidelines in terms of methodology. As an overview, it is essential to summarize the legislative changes addressed in the guide.

Transfer of Personal Data Abroad

The transfer of personal data abroad is defined as the transmission or accessibility of data from a data controller or processor based in Turkey to a data controller or processor located abroad. Transfers may be carried out under the following conditions:

1. Transfers Based on Adequacy Decisions: Adequacy decisions issued by the Board apply to specific countries, sectors, or international organizations. These decisions are reviewed at least once every four years.
2. Transfers Based on Appropriate Safeguards: In the absence of an adequacy decision, the parties must ensure appropriate safeguards.
3. Exceptional Transfers: If neither an adequacy decision nor appropriate safeguards are available, single or incidental data transfers may be made under specific conditions.

Definition of Transfer According to the Guide

The guideline clarifies which actions are considered transfers according to the Authority. The concept of data transfer has been concretized in alignment with the General Data Protection Regulation (“GDPR”). Examples include creating an account, granting access to an existing account, approving or accepting an effective request for remote access, placing a hard drive, or sending a password for a file. Various examples of transfers are provided in the guide:

1. Direct Collection of Data by a Data Controller in a Third Country from a Data Subject in Turkey: If a person residing in Turkey fills out an online form and shares their personal information with a company in a third country, this is considered a direct data transfer. Since the data is not transmitted by a data controller/processor, it does not qualify as a "transfer of personal data abroad." However, this processing activity is subject to the Law, and obligations such as providing a privacy notice and registering with VERBIS (Data Controllers’ Registry Information System) must be fulfilled.
2. Direct Collection of Personal Data by a Data Controller in a Third Country and Processing by a Data Processor Outside Turkey: If a person residing in Turkey fills out an online form and their order information is shared with a data processor located in a third country by the data controller in that country, the data controller in the third country is required to comply with the obligations under the Law. For data shared with processors abroad, Company A must implement one of the solutions provided under the Law.
3. Transfer of Data Collected in Turkey to a Data Controller or Processor in a Third Country: When personal data collected by an online travel agency in Turkey is shared with a hotel abroad or transmitted to a call center abroad, it constitutes a transfer of personal data abroad, and the provisions of the Law apply.
4. Transfer of Data by a Data Processor in Turkey to a Sub-Processor in a Third Country: If a Turkish data controller works with a data processor in Turkey, and that processor collaborates with a sub-processor located abroad, this also constitutes a transfer of personal data abroad
5. Sharing Personal Data by a Subsidiary in Turkey with its Parent Company (Processor) in a Third Country: When a subsidiary transfers employee data to its parent company in a third country to store it in a centralized HR database, the parent company acts as the data processor, while the subsidiary processes the data as an employer and data controller.

Methods of Transfer

Transfers Based on Adequacy Decisions

Article 9 of the Personal Data Protection Law No. 6698 requires that one of the conditions in Articles 5 or 6 is fulfilled and that the Board has issued an adequacy decision for the country, sector, or international organization to which personal data will be transferred. Adequacy decisions are reviewed at least every four years and assess whether the country of destination has a level of data protection equivalent to that in Turkey. Factors such as the legislation of the destination country, supervisory mechanisms and international cooperation are taken into account when making these decisions. Decisions on adequacy may be subject to suspension, amendment or revocation in the light of changes in circumstances. The process of determining safe country status is detailed, long-term and dynamic.

Transfers Based on Appropriate Safeguards

Appropriate Safeguards through Non-International Agreements

The transfer of personal data abroad under non-international agreements is subject to certain safeguards and conditions pursuant to Article 9 of the Law. These transfers require the approval of the Board and are typically carried out under cooperation protocols or administrative agreements between public institutions in Turkey and those in foreign countries. Such agreements must outline data protection security measures and obligations regarding the safeguarding of personal data. Transfers can only begin after the Board’s approval, and the parties involved must activate mutual cooperation mechanisms. Non-international agreements may take the form of cooperation protocols, memorandums of understanding, or administrative agreements. A concrete example of such agreements is the administrative agreement between the Turkish Medicines and Medical Devices Agency and the European Commission.

Binding Corporate Rules (BCRs)

Binding Corporate Rules (BCRs) are global privacy policies developed by multinational corporations to ensure adequate safeguards when transferring personal data abroad. The amendments introduced by Law No. 7499 to Article 9 of the Law explicitly recognize BCRs as an adequate safeguard. Requests for BCRs must be approved by the Board before they become effective, and these rules require that an equivalent level of protection to that provided by the Law be ensured in the countries to which data is transferred.
Requests for BCRs must be made using standard forms and guidelines established by the Board and must be accompanied by the necessary documentation. The Board’s approval is only valid for transfers to countries that do not provide an adequate level of protection, and the compliance of the approved rules is regularly audited. Documents regarding BCRs have been prepared separately and in detail for both data controllers (DC BCR) and data processors (DP BCR).

The minimum requirements for BCRs include:

1. Organizational Structure and Contact Information: The organizational structure and contact details of group members must be clearly stated.
2. Explanations on Personal Data Flow: The data categories, processing activities, purposes, data subject groups, and destination countries must be detailed.
3. Binding Nature: The rules must be legally binding among group members.
4. Data Protection Measures: Compliance with the general principles of the Law, security measures, and additional safeguards for sensitive personal data must be included.
5. Rights of Data Subjects: Commitments and procedures must ensure that data subjects can exercise their rights.
6. Assumption of Liability: The data controller in Turkey must assume responsibility for any breaches of the rules.
7. Easy Access to BCRs for Data Subjects: Mechanisms must be in place to ensure data subjects have easy access to the rules and their rights.
8. Appropriate Training Programs: Regular and appropriate data protection training must be planned for employees.
9. Monitoring Compliance and Protecting Data Subject Rights: Audit mechanisms must be established to monitor compliance and protect data subject rights.
10. Recording and Reporting Changes: Changes to the rules must be recorded and reported to the Board.
11. Obligation to Cooperate with the Authority: Mechanisms must facilitate cooperation with the Authority and submission of audit results.
12. Impact of National Laws and Practices: The impact of national regulations in foreign countries on BCRs must be monitored and reported to the Board.

Standard Contracts 

The standard contracts are model agreements approved by the Board for the purpose of ensuring adequate safeguards for the transfer of personal data abroad. These contracts, executed between the data exporter and data importer, guarantee compliance with data protection principles, implementation of security measures, and protection of data subject rights. Standard contracts must be prepared in the format specified by the Board and reported to the Authority within five business days of signing. Any amendments to or termination of these contracts must also be reported to ensure updated information. Regulations require that the contracts be drafted in Turkish, and certified translations of foreign language documents must be attached. A module introduced by the Authority is also presented in this guide.

Undertakings:

The introduction of standard contracts and other rules has significantly reduced the use of undertakings, which also existed under the previous legislation. However, in the absence of adequacy decisions, undertakings remain a mechanism to provide appropriate safeguards for transferring personal data abroad. This requires a written document signed between the parties to the transfer, subject to the Board’s approval. An undertaking must include elements such as the purpose and scope of the transfer, the rights of the data subject, the security measures and the compliance with Turkish law. It is unlawful to initiate a data transfer without the Board's approval, and the undertaking must be based on a Turkish text, with the parties agreeing to the jurisdiction of Turkish courts.

Exceptional Transfers

Exceptional transfers occur only occasionally, are not continuous, and fall outside routine workflows.
Explicit Consent: In this context, the explicit consent of the data subject must be obtained prior to the transfer, accompanied by detailed information on the potential risks. The information must cover all elements, such as the lack of a supervisory authority in the recipient country or the possible lack of data processing principles or data subject rights.

1. Transfers Necessary for Contract Performance or Pre-Contractual Measures: These transfers are necessary for the performance of a contract or pre-contractual measures, such as an online travel agency transferring its customers' hotel booking information abroad.
2. Transfers for Overriding Public Interest: Transfers may be made for important public interests such as national security or crime prevention, for example, data sharing between financial regulators.
3. Transfers for Establishing, Exercising, or Protecting a Legal Right: Transfers may occur for legal purposes, such as presenting documents in a lawsuit abroad.
4. Transfers Due to Physical Impossibility: In cases where the data subject cannot give consent, transfers may be made to meet vital or medical needs, such as sending a patient's medical records to a healthcare institution abroad.
5. Transfers from Public Registers: Transfers may be limited to individuals with a legitimate interest, such as a foreign citizen seeking access to land registry records in Turkey.

 

Conclusion

The Guideline on the Transfer of Personal Data Abroad provides a detailed explanation of cross-border data transfer processes under the Personal Data Protection Law No. 6698. It serves as a guiding resource for data controllers and processors regarding adequacy decisions, appropriate safeguards, and exceptional situations. The guideline, enriched with case studies and scenarios, aims to facilitate compliance in international data transfer processes.

The provisions outlined in the guideline aim to ensure that personal data transferred abroad is protected at a level equivalent to Turkey's data protection standards, while maintaining alignment with the GDPR. It is therefore crucial that data controllers and data processors to fully comply with the obligations set out in the Law and select appropriate safeguard methods tailored to each transfer.

The guideline is not only a tool for meeting legal obligations but also plays a vital role in protecting individuals’ fundamental rights and freedoms and securely managing international data flows. In this context, data transfer processes must be carried out meticulously, and necessary notifications and approvals must be obtained in a timely manner in accordance with the principles established by the Board.

 

Article provided by INPLP member: Can Cayirpare (CVG Law Firm, Türkiye)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)