
Cross-Border Transfer of Personal Data

Prior to the Amendment Law, personal data could mostly be transferred abroad with the explicit consent of the data subject, as the other legal grounds specified in the legislation were either not available or not applicable. Since the Law's enactment in 2016, the fact that the Board had not yet established a list of countries providing adequate protection had significantly limited and complicated the practice of cross-border data transfer. This situation made obtaining explicit consent the only practically applicable method for transferring personal data abroad.

Important steps have been taken regarding this issue, which also negatively affects commercial relationships, and these steps will come into effect on June 1, 2024, with the Amendment Law. In this context, the Amendment Law introduces a three-stage assessment system for cross-border data transfer. Under the new provisions, personal data can be transferred abroad if one of the legal processing grounds specified in the Law is present and if the Board issues an adequacy decision. In cases where no adequacy decision is available, the data can still be transferred abroad if the parties involved provide one of the appropriate safeguards listed in the Law.

With the amendment, the new system for cross-border data transfer is structured as follows:

  • Transfer of personal data abroad in the presence of an Adequacy Decision

If one of the legal grounds specified in Articles 5 and 6 of the Law exists, and if an adequacy decision is in place for the country, sector within the country, or international organization to which the data will be transferred, personal data can be transferred abroad, including subsequent transfers. The Board will make a decision on the adequacy based primarily on the principle of reciprocity, along with other criteria. The adequacy decision will also be subject to periodic review.

It is foreseen that the Board can issue adequacy decisions not only for countries but also for international organizations or sectors within a country, and that cross-border data transfer can occur in accordance with these decisions.

  • In the absence of an Adequacy Decision, the transfer of personal data abroad with the provision of one of the Appropriate Safeguards

In the absence of an adequacy decision by the Board, personal data may be transferred abroad provided that one of the appropriate safeguards listed below is fulfilled and a legal ground set out in the Law is also available:

  • The existence of an agreement, which is not an international treaty, between public institutions and organizations abroad or international organizations and public institutions or professional organizations with the status of public institutions in Turkiye, and the Board's approval for the transfer.
  • Existence of binding corporate rules approved by the Board containing provisions on the protection of personal data, which the companies within the group of undertakings engaged in joint economic activities are obliged to comply with.
    • (i) Data controllers that are part of a corporate group can prepare binding corporate rules in accordance with the guidelines published for intra-group data transfers and submit them for approval by the Board. After these binding corporate rules are approved by the Board, cross-border data transfers can take place between the member companies of the corporate group. Although the preparation and approval processes are expected to take time, this is shaping up as a permanent solution for intra-group data transfers.
  • The existence of a standard contract published by the Board, which includes aspects such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures taken by the data recipient, and additional safeguards for sensitive personal data.
    • (i) Standard contracts, considered one of the most significant changes introduced by the Amendment Law, resemble the Standard Contractual Clauses (SCCs) under the GDPR framework.
    • (ii) However, the implementation of standard contracts under the Law differs significantly from the Standard Contractual Clauses (SCCs) under the GDPR. The Board has mandated that standard contract texts must be signed without any modifications, except in explicitly permitted cases. Additionally, signed contracts must be submitted to the Authority within 5 business days from the signing date, along with documents verifying the signatories' authorization.
    • (iii) Moreover, the published standard contracts require extensive preparation by both the data recipient and the data transferring party and necessitate the provision of information on the following matters:
      1. The activities of both the data transferring party and the data recipient regarding the transferred personal data,
      2. The data subject groups whose personal data is being transferred,
      3. The categories of transferred personal data and, if applicable, the categories of transferred special category personal data,
      4. The legal basis for the transfer,
      5. The frequency of the transfer,
      6. The nature of the data processing activity,
      7. The purposes of data transfer and subsequent processing activities,
      8. The retention period of personal data,
      9. The recipients or recipient groups,
      10. The data controller’s registration details in the Data Controllers’ Registry Information System (VERBİS),
      11. In cases of transfer to data processors or sub-processors, the subject, nature, and duration of the processing activity,
      12. The technical and administrative measures implemented, and, if special categories of personal data are transferred, the additional technical and administrative measures taken specifically for such transfers,
      13. If applicable, the list of sub-processors.
  • The existence of a written undertaking containing provisions to ensure adequate protection and authorization of the transfer by the Board.

Finally, in cases where no adequacy decision exists or data controllers transferring data cannot provide any of the appropriate safeguards, certain exceptions are provided only for incidental transfers. In other words, these exceptions apply to irregular, one-time, or occasional transfers that are not part of routine business operations. However, since these exceptions are limited to specific cases, data controllers are advised not to rely on them for regular and systematic cross-border data transfers. Instead, they should ensure that their data transfer processes comply with the other appropriate safeguards specified in the Law. The exceptions include:

  • Provided that data subjects are informed about potential risks, they may give explicit consent to the transfer,
  • The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject,
  • The transfer is necessary for the conclusion or performance of a contract made in the interest of the data subject between the data controller and another natural or legal person,
  • The transfer is necessary for overriding public interest,
  • The transfer is necessary for the establishment, exercise, or defense of a legal right,
  • The transfer is necessary for the protection of the life or physical integrity of the data subject or another person in cases where the data subject is unable to express consent due to actual impossibility or when their consent is not legally valid,
  • The transfer is carried out from a public register or a register accessible to persons with a legitimate interest, provided that the conditions required by the relevant legislation for access to the register are met and the request comes from a person with a legitimate interest.

It should be noted that, with the Amendment Law, data transfers based on the legal ground of explicit consent have been regulated in a manner that is only accepted in exceptional cases. Since most cross-border data transfers in practice were previously based on explicit consent, a transition period has been introduced by adding a temporary article to the Law under the Amendment Law. Accordingly, until September 1, 2024, it will still be possible to transfer personal data abroad based on explicit consent. In this context, after September 1, 2024, data controllers must ensure that they comply with one of the appropriate safeguards stipulated in the Law for regular cross-border data transfers, considering that no adequacy decision has been issued yet. Given that the transition period provided by the temporary provision has also ended, data controllers who have not yet aligned their cross-border data transfer processes must immediately identify the scope of their cross-border data transfers in detail, determine which companies they are transferring data to, and complete the necessary work as soon as possible to ensure compliance with one of the appropriate safeguards provided in the Law.

Finally, with the Amendment Law, a new administrative fine has been added to the Law. As mentioned above, if data controllers and data processors fail to comply with the obligation to notify the Personal Data Protection Authority within 5 business days about the standard contracts they sign for international data transfers, they will face administrative fines ranging from 71,965 Turkish Liras to 1,439,300 Turkish Liras for 2025, with the reassessed rate. Additionally, if it is determined that an appropriate safeguard has not been provided in the international data transfer processes by data controllers by September 1, 2024, there is a risk of an administrative fine ranging from 204,285 Turkish Liras to 13,620,402 Turkish Liras for 2025.

First published by Gün + Partners on Mar 04, 2025.
