Guidelines on cross-border data transfers are published
Pursuant to Article 34 of Law No 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws, published in the Official Gazette dated 12 March 2024 and numbered 32487, various amendments were made to Article 9 titled “Cross-border Data Transfer” of Law No 6698 on the Protection of Personal Data (the “Law”).1 Following the amendment of the Law, the “Regulation on the Procedures and Principles Regarding Cross-border Data Transfers” (the “Regulation”) was published in the Official Gazette on 10 July 2024.2 In this context, the Turkish Personal Data Protection Authority (“DPA”) published Guidelines on Cross-border Data Transfers (the “Guidelines”) on 2 January 2025. The Guidelines aim to answer questions regarding these amendments, which have been in force since September 2024, and to guide data controllers and data processors in terms of the cross-border transfer of data. The Guidelines mainly include explanations on the definition and scope of cross-border data transfers, along with further details on the methods of transferring personal data abroad through specific examples.
Definition and Scope of Cross-border Data Transfers
Although cross-border data transfers are not explicitly defined in the Law, they are explained in the Regulation as “the transfer of personal data by a data controller or data processor within the scope of Law No 6698 to a data controller or data processor abroad, or making it accessible by any other means.” Within the framework of this definition, the Guidelines assess the activity of cross-border data transfers under three criteria. To that end, for a data transfer to be considered a cross-border data transfer: (i) the data controller or data processor must be subject to the Law for the personal data processing activity in question, (ii) the personal data processed by the data exporter must be transferred or made accessible by any other means, and (iii) the data controller or data processor to whom the data is transferred must be located abroad.
Thus, if any of these three criteria are not met, there will be no cross-border data transfer. The Guidelines include various examples of cross-border data transfers in relation to these criteria:
No | Sample Case | Cross-border data transfer under the Law or not? |
1. | A data controller abroad obtaining personal data directly from a data subject in Türkiye | No |
2. | A data controller abroad obtaining personal data directly from a data subject in Türkiye and a data processor outside Türkiye performing certain processing activities regarding this personal data | Yes |
3. | A platform in Türkiye collecting data and then transferring it to a data controller abroad | Yes |
4. | A data controller in Türkiye transfers data to a data processor abroad | Yes |
5. | A data processor in Türkiye transfers data back to a data controller abroad | Yes |
6. | A data processor in Türkiye transfers data to a sub-processor abroad | Yes |
7. | A data controller that is a subsidiary in Türkiye shares personal data with its parent company (data processor) abroad | Yes |
Methods for Cross-border Data Transfer
With the amendment of Article 9 of the Law, a three-step approach has been introduced regarding the methods to be used for cross-border data transfers. The Guidelines explain these methods and provide details on the procedures to be implemented regarding such methods, through specific examples:
a) Adequacy decision
The first method envisaged for cross-border data transfers is meeting at least one of the legal bases for personal data processing set out in Articles 5 and 6 of the Law, and the existence of an adequacy decision. An adequacy decision is issued by the Personal Data Protection Board (the “Board”) on whether the level of data protection in the foreign country, sector or international organisation to which personal data will be transferred is adequate. The Guidelines set out the criteria that the Board will take into account while issuing an adequacy decision:
- Reciprocity between the country to which personal data will be transferred and Türkiye regarding data transfers,
- The relevant country’s legislation on personal data processing and its implementation,
- Whether there is an independent data protection authority in the relevant country,
- The relevant country’s status of being a party to international conventions on the protection of personal data and being a member of international organisations,
- The relevant country’s membership status in global and regional organisations of which Türkiye is a member,
- Trade volume with the relevant country.
b) Appropriate safeguards
In the absence of an adequacy decision, it is possible to transfer personal data abroad by providing one of the following appropriate safeguards, given that one of the legal bases specified in Articles 5 and 6 of the Law is present and the data subject has the opportunity to exercise their rights and apply for effective remedies in the country of transfer. In order to ensure harmonisation in practice and to resolve questions that may arise, the Guidelines provide various guidance on these safeguards.
- Transfer by Non-International Agreement
One of the appropriate safeguards that can be provided regarding the cross-border transfer of data is the existence of an agreement that does not constitute an international contract between (i) public institutions and organisations or international organisations abroad, and (ii) public institutions and organisations and professional associations with public entity status in Türkiye, with the Board’s permission. Non-international agreements may be in the form of a cooperation report, memorandum or administrative agreement. The Guidelines cite as an example the administrative agreement concluded between the Turkish Medicines and Medical Devices Agency and the European Commission.
- Transfer Based on Binding Corporate Rules
Another appropriate safeguard is binding corporate rules (“BCR”). BCR refer to the personal data protection rules that must be complied with by the members of a group of undertakings engaged in a common economic activity in terms of the transfer of personal data from a Turkish resident data controller or data processor to a foreign resident data controller or data processor within the same company group. These rules, which are important in terms of data transfers between group companies of multinational companies, are subject to the approval of the Board. In this context, on 10 July 2024, BCR application forms and guidelines for data controllers and data processors were published on the website of the DPA.
The Guidelines basically restate the minimum elements that must be included in the BCR and explain the procedure to be followed in the approval application to the Board. It is also stated in the Guidelines that, if an application for approval is made for both BCR of the data controller and the data processor, a separate form must be filled out for each application.
- Transfer under Standard Contractual Clauses
Another method of personal data transfer is the standard contract – the content of which is determined by the Board – between the data controller or data processor transferring personal data and the data controller or data processor to whom the personal data is transferred, in which the parties undertake that appropriate safeguards are provided for the cross-border data transfer. The transfer parties may only make changes to the standard contract clauses with optional or alternative content. Although no approval is required for cross-border data transfers through a standard contract, the relevant standard contract must be reported to the DPA within five business days of being signed.
The Guidelines indicate that standard contracts can be prepared in Turkish or in a bilingual version, in which case the Turkish text will be binding. In addition, the Guidelines explain how to fill in the attachments to the contract, which contain details regarding the transfer of personal data subject to the standard contract.
- Transfer with a Letter of Undertaking
The last of the appropriate safeguards is the existence of a written undertaking containing provisions to ensure adequate data protection. The letter of undertaking mechanism starts to operate with the data exporter applying to the Board. After that, the Board gives permission to the transfer within the scope of the relevant letter of undertaking. The Guidelines also emphasise that the parties cannot start data transfers without the Board’s express permission.
c) Existence of one of the exceptional transfer cases
In the event that neither an adequacy decision nor any of the appropriate safeguards is provided, it is possible to transfer data abroad provided that it is incidental, one or several times, and not continuously. The cases for exceptional transfers are listed in a limited manner in Article 9 of the Law. Unlike other cross-border data transfer methods, the existence of one of the legal bases specified in Articles 5 and 6 of the Law is not required for exceptional transfers and such transfers are not subject to any permission, approval or notification of the DPA or the Board.
Exceptional transfers do not necessarily have to be one-offs; indeed the transfers may be made more than once. However, in order to be considered exceptional, multiple transfers must not be regular and continuous, and must occur outside the ordinary course of business within uncertain time intervals. The Guidelines emphasise that exceptional transfer cases must be interpreted narrowly and that such transfers are of last resort.
The Guidelines clarify the cases of exceptional transfers by giving several examples. These cases and the examples are briefly as follows:
1. Explicit consent
In the absence of an adequacy decision or any of the appropriate safeguards, personal data may be transferred abroad with the explicit consent of the data subject, provided that the transfer is incidental and the data subject is informed about the possible risks. The issues to be considered for an exceptional transfer based on explicit consent are as follows:
- Explicit consent must relate to a specific matter and must be obtained before the transfer.
For example, a company based in Türkiye collects the personal data of its customers in order to carry out the delivery of ordered products and it does not intend to transfer these data abroad, but a few years later, the same company is acquired by a company outside Türkiye, and the new company wants to transfer the personal data of its customers to another company abroad. In order for this transfer to be carried out on the basis of explicit consent, the consent must be given at the time the transfer is envisaged.
- The data subject must be fully informed about the transfer of personal data, including any special conditions.
For example, the information should include the identity of the data exporter, the purpose of the transfer, the type of personal data transferred, the existence of the right to withdraw explicit consent, the possible risks that may arise due to the transfer; and should explain that explicit consent constitutes a legal justification for the transfer, there is no adequacy decision taken by the Board for the relevant country, there may not be a supervisory authority in the relevant country, and/or that data processing principles and/or data subject rights may not be provided in the country of transfer.
- Explicit consent must be freely given by the data subject.
For example, in cases where explicit consent is given as a precondition for the provision of a particular service or product, or where the data subject is unable to withdraw or refuse their explicit consent without suffering any harm, explicit consent is not considered to be freely given.
2. The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject
Basing the transfer on an exceptional circumstance related to the performance of the contract or the application of pre-contractual measures is limited by the criteria of being “incidental” and “mandatory”.
- Being mandatory:
For example, if a group company transfers its payroll and human resources activities abroad within the framework of its business organisation, it cannot be argued that the transfer is mandatory for the performance of the contract. On the other hand, the transfer of personal data of individual customers of travel agencies to hotels or other commercial partners in order to organise the accommodation of the customers, may be deemed mandatory for the purposes of the contracts concluded between the travel agency and the customers. In this case, there is a close and important connection between the data transfer and the purpose of the contract.
- Being incidental:
For example, the transfer of personal data belonging to a sales manager who travels to visit customers abroad as part of the performance of their employment contract, for the purpose of organising meetings with these customers, may be considered incidental. In addition, a transfer of personal data by a Turkish company to another company abroad in order to fulfil a customer’s payment request may be considered incidental, provided that the transfers between the two companies are not regular, not continuous and not in the ordinary course of business. On the contrary, it is considered that the case where a multinational company organises training in a centre abroad and systematically transfers personal data such as the name, surname, job title of its employees participating in the training course cannot be considered incidental.
3. The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject
For example, the transfer of personal data of employees by a company based in Türkiye to a service provider abroad for payroll processing cannot be considered as mandatory under this exception. This is because, even if the purpose of the transfer is the wage management of the employees, it is considered that a close and significant link cannot be established between this transfer and the contract which is concluded in favour of the data subject.
4. The transfer is necessary for an overriding public interest
This may apply to transfers between authorities responsible for the prevention and detection of crime, national security, public health, competition, tax, customs and financial supervision.
5. The transfer of personal data is mandatory for the establishment, exercise or protection of a right
For example, the submission of documents containing personal data to judicial authorities in order to exercise the right to a defence in the context of an investigation abroad may be considered within this scope. It is not possible to expand this scope for situations that are likely to occur in the future or that are abstract and cannot be linked to any administrative/judicial proceedings.
6. The transfer of personal data is mandatory for the protection of the life or physical integrity of a person who is unable to disclose their consent due to an actual impossibility or whose consent is not legally valid, or of another person
For example, the transfer of health records of a person who is abroad and who will undergo an operation regarding their health condition may be considered within this scope. Another example is the case where the data subject is unable to disclose their consent due to their lack of legal (age of majority, etc.), physical or mental competence.
7. Transfer from a registry open to the public or persons with a legitimate interest, to the extent that the conditions laid down by applicable law for accessing the registry are met and transfer is requested by those having legitimate interest
For example, if a citizen living abroad requests access to the land registry records in Türkiye to benefit from a right in the country where they live, the relevant transfer may be considered within this scope. Note that there is no difference as to whether the registry in question is written or electronic.
Conclusion and Evaluation
Prepared in a comprehensive manner in order to clarify practical questions arising as a result of the amendments to the Law and to the Regulation regarding cross-border data transfers and to guide data controllers/processors correctly, the Guidelines provide valuable information in terms of good practices based on specific examples. We strongly recommend that companies take the Guidelines into account while assessing, structuring or conducting any cross-border data transfers.
1 You can access our article on the relevant matter via the link: Amendments to the Turkish Data Protection Law
2 You can access our article on the relevant matter via the link: New regulation on cross-border data transfer has been published