The Personal Data Protection Authority (“Authority”) published the Guide to the Transfer of Personal Data Abroad (“Guide”) on its official website on January 2, 2025. This Guide aims to clarify the provisions of the Personal Data Protection Law No. 6698 (“Law”) regarding the transfer of personal data abroad for practitioners.
Overview of Data Transfer Abroad
The concept of “data transfer abroad” was first defined in the Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”), published in the Official Gazette dated July 10, 2024, and numbered 32598. According to this regulation, the transfer of personal data by a data controller or processor subject to the Law to another data controller or processor located abroad, or making it accessible in any other way, constitutes data transfer abroad.
The Guide elaborates on the conditions for such activities:
The data controller or data processor (data transferor) must be subject to the Law, based on the “effect principle.”
Personal data must be transferred or made accessible in any manner.
The recipient data controller or processor must be geographically located in a third country, regardless of whether it is subject to the Law.
The Guide further introduces a three-phase structure for data transfer abroad.
Accordingly, personal data may be transferred abroad if one of the following conditions is met:
Adequacy decisions,
Appropriate safeguards, or
Exceptional transfer cases.
In this structure, the primary condition for transferring data abroad is the presence of an adequacy decision. If no adequacy decision exists, alternative safeguard mechanisms must be implemented. If neither of these is available, transfers may occur only under limited exceptional circumstances.
Adequacy Decision
An adequacy decision refers to a determination that the data protection level of a country, sector, or international organization is equivalent to that of Türkiye. This decision is made by the Personal Data Protection Board (“Board”) and published in the Official Gazette.
Reevaluation of Adequacy Decisions
The Board reviews adequacy decisions at least once every four years. If necessary, such decisions may be suspended, amended, or revoked.
Appropriate Safeguards
When an adequacy decision is absent, data transfers may proceed if the parties provide one of the following safeguards:
a. Agreements Without International Treaty Status
Data transfer to foreign public and international organizations is possible through agreements that do not qualify as international treaties but are made between public institutions or professional organizations of public nature in Türkiye. The process requires Board approval, and agreements must detail personal data protection provisions in line with the Board’s standards. These agreements, such as cooperation protocols, memorandums of understanding, or administrative agreements, must comply with the Guide's stipulations. For example, the administrative agreement between the Turkish Medicines and Medical Devices Agency and the European Commission is cited as a reference.
b. Binding Corporate Rules (BCRs)
The new regulation allows both data controllers and data processors to transfer data abroad under Binding Corporate Rules (BCRs). Both entities may apply to the Board for approval of their BCRs, after which data transfer may commence. The Authority has published a “Binding Corporate Rules Application Form” and a “Binding Corporate Rules Support Guide” on its website to standardize the process. In line with this purpose, the minimum elements to be included in the application are detailed in the Guide. These elements include the organizational structure, explanations regarding data flow, binding nature, data protection measures, compliance audits, and the obligation to cooperate with the Authority.
Applications must meet certain requirements, such as Board approval, submission of BCR texts, notarized translations of foreign documents, and authorization certificates of signatories.
c. Data Transfer Through Standard Contracts
The Guide defines standard contracts as agreements between data controllers/processors and recipients to ensure personal data protection. These contracts facilitate efficient data transfer while adhering to legal requirements.
The Board has approved four types of standard contracts, with modifications allowed only in optional or alternative clauses. The agreements are structured in four main sections: general provisions, the obligations of the parties, obligations regarding access by national law and public authorities, and final provisions.
In the annexes of the agreement, information such as the activities of the data controller and the data processor, the type of data, the purpose of the transfer, its frequency, the nature of the processing activities, and the retention period must be included. The agreement must be notified to the Authority by the data controller within five business days, and the notified documents should include notarized translations, if applicable. In case of any amendments to the agreement or its termination, an updated notification with the revised information must be provided.
d. Data Transfer via Undertakings
The Guide outlines the principles and procedures for data transfer abroad using written undertakings. Such undertakings must detail the purpose, scope, legal basis, and security measures for the transfer. For sensitive personal data, additional security measures are required. Undertakings must also cover the protection of data subjects’ rights and the mechanisms to exercise these rights. Violations of the undertaking can result in suspension or termination of the transfer.
The Board’s approval of the undertaking is mandatory before initiating any data transfer.
Transfers Based on Exceptional Cases
When neither adequacy decisions nor appropriate safeguards exist, transfers may occur only under the following exceptional circumstances:
Explicit Consent: The data subject provides valid explicit consent.
Contractual Necessity: The transfer is essential for the performance of a contract with the data subject or pre-contractual measures.
Vital Situations: The transfer is necessary to protect a person’s life or physical integrity.
Public Interest: The transfer serves an overriding public interest.
Legal Obligations: The transfer is essential for the establishment, exercise, or protection of legal rights.
Exceptional cases are temporary and only apply for one-time or short-term situations.
Summary and Conclusion
The transfer of personal data abroad is subject to strict regulations under the Law. Transfers must rely on adequacy decisions, appropriate safeguards, or exceptional cases. Data controllers and processors must take technical and administrative measures to ensure full legal compliance.
This Guide serves as a roadmap to minimize potential issues and enhance legal compliance in practice.