Transferring Personal Data Abroad: Current Legal Framework in Türkiye
Published in the Official Gazette No. 32487 dated 12.03.2024, Law No. 7499 introduced changes to the Personal Data Protection Law No. 6698 (the “Law”). Subsequently, the Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad (“Regulation”) was published and came into effect in the Official Gazette No. 32598 dated 10.07.2024. In January 2025, the Guide on Transferring Personal Data Abroad (“Guide”) was published on the website of the Personal Data Protection Authority (“Authority”).
1. Introduction
Previously, transferring personal data abroad without obtaining the explicit consent of the data subject required the existence of one of the conditions foreseen by the Law, as well as a decision by the Personal Data Protection Board (“Board”) that the country to which the data would be transferred had adequate protection (being listed on the safe countries list).
If a country was not deemed to have adequate protection, personal data could still be transferred without the data subject’s explicit consent, if one of the relevant data processing conditions was met, provided that data controllers in Türkiye and the relevant country committed to adequate protection (by submitting a commitment letter) and the Board granted permission. For multinational companies transferring data amongst themselves, binding corporate rules (“BCR”) needed to be created and approved by the Board.
However, due to the lack of practical application of commitment letters and BCRs and the Board granting permission for very few applications, transferring data abroad had practically become dependent solely on obtaining explicit consent from the data subjects. Up until 01.06.2024, the Board received 86 applications made by providing commitment letters, of which only 10 were approved. Moreover, 3 BCR applications were made but none of them were approved due to procedural and substantive deficiencies.
This situation had made it almost impossible to use most servers located abroad and most cloud-based software and applications legally, and it was becoming a barrier to investment in our country. In this context, a three-alternative mechanism for the transfer of personal data abroad has been envisioned. The changes aim to align the legislation with EU Regulation 2016/679 (General Data Protection Regulation (GDPR)) and address practical needs.
2. Transfer Methods
a. Adequacy Decision
The transfer of data abroad can occur if one of the data processing conditions mentioned in Articles 5 and 6 of the Law exists and the Board issues an adequacy decision concerning the place of transfer.
The adequacy decision practice is parallel to the previous practice of “safe countries list”. The purpose of this assessment is to confirm that the data protection level of the country, sector, or international organization to which the data is being transferred is equivalent to that in Türkiye. This assessment will consider factors such as reciprocity, the legislation of the relevant country, the existence of an independent and effective data protection authority, administrative and judicial remedies, and whether the country is a party to international treaties or a member of international organizations.
It was previously stated in the Board’s decision dated 02.05.2019 and numbered 2019/125 that even the trade volume with the relevant country would be taken into consideration during the relevant assessment. At this point, as emphasized in the Guideline, countries that are parties to international treaties, to which Türkiye is a party, are expected to be prioritized while issuing the adequacy decision.
The adequacy decision to be issued by the Board may pertain not only to the country to which the data will be transferred, but also to a specific sector in that country or to an international organization. The Board will review the adequacy decision at least once every four years and, if deemed necessary, may modify, suspend, or revoke it. This four-year period is a regulatory timeframe, and if the Board deems necessary, it may reassess the adequacy decision before the expiration of this period.
b. Appropriate Safeguards
Where there is no adequacy decision, the transfer can still proceed if one of the data processing conditions specified in Articles 5 and 6 exists, provided that the data subject can exercise their rights and access effective legal remedies in the country of transfer, and that appropriate safeguards are in place.
Agreements: Transfer can be made if there is an agreement, which is not classified as an international convention, between public institutions and organizations, or professional organizations with public institution status in Türkiye and public institutions, organizations, or international organizations abroad, and if the Board grants permission for transfer. These agreements can be in the form of cooperation protocols, memoranda of understanding, or administrative agreements, such as the administrative agreement for the transfer of personal data between the Turkish Medicines and Medical Devices Agency and the European Commission.
Binding Corporate Rules: Transfers may be made in the presence of BCRs approved by the Board, which contain provisions regarding the protection of personal data that companies within a group engaged in joint economic activity are required to comply with. BCRs are personal data protection rules that must be followed by group members in the case of personal data transfer activities from a data controller or data processor established in Türkiye to a data controller or data processor established abroad within the same group. Guidelines containing the considerations to be taken into account when preparing BCRs were published on the official website of the Authority on 10.07.2024.
Standard Contracts: Data can be transferred abroad if the parties to the transfer sign a standard contract announced by the Board, which contains details such as data categories, purposes of data transfer, groups of recipients, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data. Four types of standard contract templates covering different transfer scenarios were announced on the Authority’s website following a public announcement on 10.07.2024.
After choosing the appropriate type of standard contract, parties can only make changes to its optional or alternative provisions. No additions, deletions, or amendments can be made to the standard contracts apart from these provisions. These standard contracts must be reported to the Authority by the data controller or processor within 5 business days of signing. Failure to comply with this notification obligation is subject to an administrative fine. Also, if there are any changes in the declarations or information provided by the parties or if the standard contract expires, a notification must be made to the Authority.
Commitment Letter: If there is a written undertaking between the parties to the transfer that includes provisions ensuring adequate protection, the purpose, scope, nature, and legal basis of the transfer, a commitment to comply with general principles, restrictions on subsequent transfers of data, and similar regulations, and if the Board grants permission for the transfer, the transfer may proceed as in the previous implementation period.
c. Incidental (Exceptional) Cases
In cases where there is no adequacy decision or appropriate safeguards cannot be provided, data may be transferred abroad under limited circumstances specified as incidental. These incidental cases specified in the Law include:
- Data subject giving explicit consent after being informed of potential risks,
- Transfer being necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject,
- Transfer being necessary for the conclusion or performance of a contract to be executed between the data controller and another natural or legal person for the benefit of the data subject,
- Transfer being necessary for an overriding public interest,
- Transfer being necessary for the establishment, exercise, or protection of a legal claim,
- Transfer being necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to physical disability or whose consent is not deemed legally valid,
- Transfer being made from a registry that is open to the public or accessible to persons with legitimate interest, provided that the conditions for accessing the registry under relevant legislation are fulfilled, and that the person with a legitimate interest has requested the transfer.
In cases of incidental circumstances, the conditions set forth in Articles 5 and 6 of the Law are not required. Personal data transfers based on incidental circumstances do not require the Board’s permission or approval, nor is there any notification obligation.
However, since transfers made under incidental circumstances constitute an exception, a narrow interpretation should be applied. First, it should be assessed whether an adequacy decision or one of the appropriate safeguards is available; in their absence, exceptional transfer should be used only as a last resort.
Incidental transfers may occur more than once; however, for repeatedly occurring transfers to be considered exceptional, they must not be regular, must not have continuity, and must take place under unforeseen circumstances and at irregular intervals, outside the ordinary course of actions.
3. Evaluations and Conclusion
The regulations, stating that if there is a provision in an international treaty or other laws regarding the transfer of data abroad, personal data may be transferred abroad pursuant to such provisions, have been preserved. Therefore, before evaluating adequacy decisions, appropriate safeguards, or exceptional transfer cases, it must be determined whether a provision exists in an international treaty or other laws at the initial stage of the transfer activity.
If there is no provision in international agreements or other laws, it should first be examined whether an adequacy decision is available. If there is no adequacy decision, it should be evaluated whether one of the appropriate safeguards can be provided. If this is not possible, as a last resort, it should be assessed whether the transfer constitutes an incidental (exceptional) transfer.
As of the date of publication of this article, there is no country, sector, or international organization that has been granted an adequacy decision. The reasons that delayed the creation of the safe countries list in the past are generally factors that will also come into play in the process of obtaining an adequacy decision, so it remains to be seen whether the decision will be made in the short term. Therefore, it is expected that, for now, practical applications will focus on appropriate safeguards, with standard contractual clauses being predominantly applied among these safeguards.
As another note, the Law stipulates that safeguards in the legislation must also be provided for subsequent transfers of personal data transferred abroad. However, the legislation does not explicitly regulate how the compliance of third parties with the relevant regulations should be enforced when the recipient party transfers the data to third parties, nor does the Guide provide clarity on how subsequent transfers will be monitored. Therefore, practical issues may arise regarding subsequent transfers. It is expected that these issues will be shaped by practices in the upcoming period.
According to the transitional provision “Temporary Article 3” added to the Law, data processing activities must comply with the new regulations as of 01.09.2024. Indeed, it is clear that the transfers made by companies based on explicit consent obtained from data subjects during the previous implementation period are no longer valid, and it is crucial for companies that have not yet complied with the new regulations to promptly identify the most applicable method for their business processes and complete their compliance procedures.