On 2 January 2025, the Guide on Cross-Border Transfers of Personal Data (“Guide”) was published on the official website of the Personal Data Protection Authority (“Authority”).

The Guide was prepared to provide guidance on the implementation of cross-border data transfers and the safeguards expected by the Personal Data Protection Board (“Board”) following the amendments to Article 9 of the Personal Data Protection Law numbered 6698 (“DP Law”) introduced by Article 34 of Law numbered 7499 on Amendments to the Code of Criminal Procedure and Certain Laws, published in the Official Gazette dated 12 March 2024 and numbered 32487 (“Law No. 7499”). The Guide comprehensively addresses the purpose, rationale, and scope of the legislative amendments, providing detailed explanations of the new conditions for cross-border transfers, supported by examples.

The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”), published in the Official Gazette dated 10 July 2024 and numbered 32598, defined cross-border data transfer for the first time as “the transfer of personal data by a data controller or data processor under the DP Law to a data controller or data processor abroad, or making such data accessible in any other manner”. For further clarification, the Guide breaks this definition down into three main criteria:

  • The data controller or data processor (data exporter) must be subject to the DP Law for the relevant personal data processing activity. The Guide provides detailed explanations under this heading regarding the territorial scope of the DP Law and emphasizes that the DP Law’s scope is interpreted based on the “effect principle” rather than the “territoriality principle.”
  • The personal data processed by the data exporter must be transmitted or otherwise made accessible. In this regard, the Guide includes numerous practical examples related to data transfers.
  • The data controller or data processor receiving the data must be geographically located in a third country, regardless of whether they are subject to the DP Law.

The new provisions introduced by Law No. 7499 have altered the framework of Article 9 of the DP Law, establishing a three-tier structure for cross-border data transfer processes. The details are provided below:

1. Transfers Based on Adequacy Decisions

In cases where one of the conditions outlined in Articles 5 and 6 of the DP Law is met, the first step is to determine whether an adequacy decision exists regarding the country, specific sectors within the country, or international organizations to which the data will be transferred. The purpose of the adequacy decision is to confirm that the level of data protection in the receiving party matches the standard in Türkiye.

2. Transfers Based on Appropriate Safeguards

a. Ensuring Appropriate Safeguards Through Non-International Treaty Agreements

Cross-border data transfers can be conducted through agreements that are not considered international treaties between public institutions and organizations in Türkiye and their counterparts abroad, including professional organizations with public institution status. Such transfers require the approval of the Board. During the negotiation of these agreements, the parties must seek the Board’s opinion.

Additionally, the Guide specifies that the provisions of the agreement concerning the protection of personal data must be detailed and comply with the standards set by the Board. It also outlines the minimum requirements that such agreements should include. These non-international treaty agreements may take the form of cooperation protocols, memorandums of understanding, or administrative arrangements. As a concrete example, the administrative agreement between the Turkish Medicines and Medical Devices Agency and the European Commission is cited in the Guide.

b. Transfers via Binding Corporate Rules

The Guide explains the historical development of the inclusion of Binding Corporate Rules (“BCRs”) within the legislative framework. It notes that three BCR applications were submitted to the Authority before the enactment of Law No. 7499 on 1 June 2024; however, these were rejected due to procedural and substantive deficiencies. Prior to the amendments introduced by Law No. 7499, Article 9 of the DP Law regulated cross-border data transfers but did not include transfers by “data processors”. With the amendments, both “data controllers” and “data processors” can transfer personal data abroad, provided their BCR applications are approved by the Board.

On 10 July 2024, the Authority published the following on its official website: KVKK-BŞK/2024-1 “Binding Corporate Rules Application Form” and KVKK-BŞK/2024-2 “Binding Corporate Rules Guide” for data controllers; KVKK-BŞK/2024-3 “Binding Corporate Rules Application Form” and KVKK-BŞK/2024-4 “Binding Corporate Rules Guide” for data processors. These documents aim to standardize the application process, clarify the minimum elements required in BCR applications, ensure compliance with legislative requirements via guides, and specify the documents to be submitted to the Board.

The minimum requirements for BCR applications, outlined in Article 13/1 of the Regulation, are detailed in the Guide under the following headings: the organizational structure and contact information of the group, explanations regarding the flow of personal data, the binding nature of the rules, data protection measures, rights of data subjects, assumption of responsibility, accessibility of the BCRs to data subjects, availability of appropriate training programs, mechanisms for compliance monitoring and oversight, recording and reporting of changes, obligation to cooperate with the Authority, and national regulations and practices affecting BCR compliance.

In addition, other aspects to be considered for BCR applications are outlined as follows:

  • An approval application must be submitted to the Board for the cross-border transfer of personal data, and the application can be delivered in person, by mail, or via methods determined by the Board.
  • The application must include the BCRs text, Application Form, and Guide, along with the necessary documents and information.
  • If the Application Form or Guide does not provide sufficient space for responses, additional pages or attachments may be used.
  • Notarized Turkish translations of documents in foreign languages must be included in the application. If the BCRs text is prepared in a foreign language, the Turkish version will prevail.
  • Documents proving the authority of the signatory, representation authority for legal entities, or the original or certified copies of powers of attorney for proxy applications must be included.
  • If the group’s headquarters is in Türkiye, the application must be submitted by the Turkish entity. If another entity is authorized, justification must be provided.
  • If the group’s headquarters is outside Türkiye, a Turkish group entity must be designated to submit the application on behalf of the group.
  • Separate forms must be completed and submitted for both Data Controller BCR and Data Processor BCR applications.
  • Supporting documents should only be submitted for clarification purposes and must be appropriately labeled (e.g., “(Annex-3-1)”).
  • The contact person or unit for inquiries related to the application must be specified, and for practical reasons, it is recommended that this person or unit be based in Türkiye.

c. Transfers via Standard Contractual Clauses

The Guide defines Standard Contractual Clauses (“SCCs”) as one of the practical tools providing appropriate safeguards for cross-border data transfers under Article 9/4(c) of the DP Law. The SCCs aim to ensure compliance with data protection principles outlined in the DP Law and the Regulation, maintain data security measures, implement additional safeguards for sensitive data, and provide ongoing protections for personal data even after the transfer is completed.

Four types of SCCs prepared and approved by the Board have been adopted to address different transfer scenarios. The Guide emphasizes that modifications to the SCC are only allowed for optional or alternative clauses; no changes can be made to the other provisions. Additionally, SCCs drafted in a dual-column format in both Turkish and another language are deemed compliant with DP Law requirements.

The Guide also outlines the headings of the annexes included in SCC as follows:

  • Activities of the Data Exporter and Data Importer Regarding the Transferred Personal Data: General explanations regarding the personal data transfer should be provided, specifying the activities carried out by the parties on the personal data subject to transfer.
  • Data Subject Group(s): The group(s) of data subjects to whom the transferred personal data relates must be specified for each data type.
  • Categories of Transferred Personal Data and (if applicable) Categories of Transferred Sensitive Personal Data: The personal data subject to transfer must be detailed by category (e.g., contact information) and type (e.g., email address).
  • Legal Basis for the Transfer: The transfer must specify the processing condition under Articles 5 and 6 of the DP Law upon which it is based.
  • Nature of the Processing Activities: The type of personal data processing activities performed on the transferred data (e.g., storage, recording, publishing, combining, categorizing, etc.) must be detailed.
  • Purpose of the Transfer and Subsequent Processing Activities: The purpose of the data transfer under the SCC and any subsequent data processing by the recipient (e.g., executing bank payments, providing customer support, conducting market research, etc.) must be specified.
  • Data Retention Period: The duration for which the transferred personal data will be retained must be indicated. If a definite retention period cannot be specified, the criteria for determining the retention period (e.g., the validity period of the data processing agreement) should be explained. If different data categories are subject to varying retention periods, these durations must also be detailed.
  • Recipients or Groups of Recipients: For any onward transfer by the data importer, the recipients of the personal data initially transferred under the SCCs must be specified and kept up-to-date throughout the duration of the SCC.
  • Data Controllers Registry Information System Information of the Data Exporter: If the data exporter is required to register with the Data Controllers Registry Information System (“VERBIS”), the VERBIS information must be included in SCC-Data Controller to Data Controller and SCC-Data Controller to Data Processor. The information provided by the data exporter in the SCC annexes must be consistent with its VERBIS registration.
  • Subject, Nature, and Duration of Processing Activities for Transfers to Sub-Processors: For onward transfers to sub-processors by the data importer, the transfer and the processing activities carried out by the sub-processor must be detailed under the relevant section of SCC-Data Controller to Data Processor and SCC-Data Processor to Data Processor.

This framework ensures that SCCs provide a robust mechanism for cross-border data transfers while maintaining compliance with DP Law requirements and international data protection standards.

d. Transfers via Undertakings

The Guide outlines the procedures and principles for cross-border personal data transfers through written undertakings. It details the essential elements that must be included in such undertakings between the parties to the transfer. Key elements highlighted include the purpose and legal basis of the personal data transfer, data security measures, additional safeguards for sensitive personal data, and the protection of data subjects’ rights. Furthermore, the Guide emphasizes that the undertaking must include provisions on remedies available in case of a breach, as well as regulations concerning the suspension or termination of the data transfer. It is explicitly stated in the Guide that commencing data transfers before the Board completes its evaluation of the undertaking application is considered unlawful.

3. Exceptional Transfers

In cases where an adequacy decision or appropriate safeguards cannot be ensured under the DP Law, personal data may only be transferred abroad under certain exceptional circumstances. The Guide provides the following key points regarding exceptional transfers:

  • In exceptional situations, the conditions outlined in Articles 5 and 6 of the DP Law are not required.
  • The Guide emphasizes that exceptional transfers must be interpreted narrowly. Before resorting to exceptional transfers, it must first be determined whether an adequacy decision or appropriate safeguards are available, with exceptional transfers considered only as a last resort.
  • Exceptional transfers can only occur when they are incidental in nature, meaning they happen once or a few times, are not continuous, and are not part of the ordinary course of business activities.

The Guide also provides practical examples of exceptional transfers:

  • Transfers by a tourism company of its customers’ reservation information as part of its regular business activities are not considered exceptional transfers.
  • Transfers by travel agencies of personal data belonging to individual customers to hotels or other business partners abroad for the purpose of organizing accommodations may be deemed necessary under the terms of the contract between the agency and its customers.
  • The transfer of personal data belonging to a sales manager traveling abroad to visit different clients as part of their employment contract to arrange meetings can be considered exceptional.
  • A Turkish company transferring personal data to a foreign company to fulfill a client’s payment request can be considered incidental, provided the transfer is irregular, occurs once or a few times, is not continuous, and is not part of ordinary business activities.
  • Systematic transfers of employees’ personal data, such as names, surnames, and job titles, by a multinational company to a training center abroad are not considered exceptional.
  • Submitting documents containing personal data to foreign judicial authorities as part of a defense in a legal investigation may be considered incidental if the transfer is necessary for the establishment, exercise, or defense of a legal right.

The full text of the Guide can be reached via this link (Only available in Turkish).