top of page
Search

REGULATION ON THE PROCEDURES AND PRINCIPLES REGARDING THE TRANSFER OF PERSONAL DATA ABROAD HAS BEEN PUBLISHED TOGETHER WITH THE RELEVANT GUIDELINES.

Updated: Aug 6, 2024


1. About the Regulation on the Procedures and Principles Regarding the Transfer of
Personal Data Abroad (“Regulation”)

As stated in our Blog Post dated 19.03.2024, The Law on the Amendment of the Code of Criminal Procedure and Certain Laws, known as the "Eighth Judicial Package", which provides for significant amendments to the Personal Data Protection Law ("PDPL"), was published in the Official Gazette dated 12.03.2024. Thus, amendments aiming to harmonize the Law with the European Union General Data Protection Regulation (GDPR) were adopted into law and a new system was introduced for the transfer of personal data abroad as regulated in Article 9 of the PDPL.


With the Regulation, which entered into force after being published in the Official Gazette dated 10.07.2024, the procedures and obligations regarding the transfer of data abroad were determined in terms of the amendments made to the PDPL  on 12.03.2024. Following the publication of the regulation in the Official Gazette on the same day, with the public announcement made by the Personal Data Protection Authority, the guidelines on Standard Contracts and Binding Corporate Rules (BCR) referred to in the law and regulation were shared on the website of the Authority.


In this article, we have compiled the main changes introduced by the regulation.

 


2.     Procedures for Transferring Personal Data Abroad

As it may be recalled, with the recent amendment to the Article 9 of the LPPD titled "Transfer of Personal Data Abroad", the understanding that personal data cannot be transferred abroad without the explicit consent of the data subject was relaxed and an alternative transfer regime was established where personal data can be transferred abroad if certain requirements are met. The regulation, on the other hand, provides that personal data may be transferred abroad by data controllers and data processors in three different procedures in parallel with the systematic of the Law. 


Within this framework, it is regulated that personal data may be transferred abroad in the presence of one of the conditions for processing personal data and conditions for processing of Special categories of personal data set out in Articles 5 and 6 of the LPPD and in the event that one of the situations we examine below occurs.


The transfer procedures set out in the regulation are briefly as follows: 


Transfers on the Basis of an Adequacy Decision: Firstly, Article 8 of the regulation paves the way for transfers to be made if the Personal Data Protection Board decides that a country, one or more sectors within a country, or an international organization provides an adequate level of protection. In this way, the requirement to have an adequacy decision on the entire country has and the problems encountered in practice have been tried to be reduced by making an adequacy decision on a sectoral basis in the country where personal data will be transferred. It is stated that the Board will prioritize criteria such as the reciprocity between Turkey and the country or organizations to which the personal data are to be transferred , the relevant legislation and its implementation in the country or international organization, the existence of an independent and effective data protection institution, the status of being a party to international conventions on the protection of personal data, and membership to international organizations of which Turkey is a member. It also stipulates that the qualification decision can be reassessed, modified, suspended or revoked every four years at the latest. 


Transfers Subject to Appropriate Safeguards: Secondly, Article 10 of the Regulation stipulates that in the absence of an adequacy decision, transfers may be made based on appropriate safeguards. Accordingly, in the presence of one of the conditions for the processing of personal data or conditions for the processing of special categories of personal data provided that the data subject has the opportunity to exercise his/her rights and to apply for effective remedies in the country where the transfer will be made, it is possible to make a transfer if assurance is provided by the following means:


An Agreement That is Not an International Convention: Article 11 stipulates that with this method, appropriate protection can be provided in terms of personal data transfers between public institutions and public professional organizations in Turkey and public institutions and organizations in foreign countries or international organizations. Thus, a controller or processor may transfer personal data only if the controller or processor has provided appropriate safeguards. Within this framework, it is stated that in order to transfer personal data abroad, it is mandatory to apply for an authorization to the Board and personal data may only be transferred abroad upon the authorization to be given by the Board.


  • Binding Corporate Rules (BCR): Article 12 recognizes the existence of binding corporate rules on the protection of personal data that group of undertakings engaged in joint economic activity are obliged to comply with as an appropriate safeguard. The regulation contains detailed provisions on the minimum requirements for binding corporate rules. As a matter of fact, the Auxiliary Guidelines on Binding Corporate Rules published on the website of the Authority on 10.07.2024 sheds light on the issue. Similarly, the Board's authorization is required to initiate personal data transfers based on binding company rules.

  • Standard Contractual Clauses: Another alternative method introduced by the regulation is to provide appropriate safeguards through a standard contract. With this mechanism regulated in Article 14, data transfer abroad is also permitted with a standard contract containing issues such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data. The standard contract announced by the Board must be used without any changes, concluded between the parties to the personal data transfer, and notified to the Authority within five business days after it is signed by the parties. Thus, with the announcement published on the website of the Authority on 10.07.2024, four different types of standard contract texts were shared with the public.



Letter Of Commitment: The last method of data transfer envisaged on the basis of appropriate assurance is the submission of a written commitment to be concluded between the transfer parties.The minimum conditions to be included in the letter of commitment are regulated in Article 15. In order to transfer personal data abroad based on the letter of commitment, a controller or processor may transfer personal data by applying to the Board and obtaining the Board's approval to start the data transfer. 


Transfers in Exceptional Situtations: The last transfer method introduced by the regulation is transfers in exceptional situations. Accordingly, in the absence of an adequacy decision, or of appropriate safeguards, including binding corporate rules, data transfer abroad may be carried out in the presence of one of the exceptional conditions only if the transfer is incidental. According to the regulation, incidental transfers of data are transfers that are not regular, occur only once or a few times, are not continuous and are not within the ordinary course of business. 


In Article 16, the exceptional circumstances are defined as: 


  • The data subject gives explicit consent to the transfer, provided that he/she is informed about the possible risks.

  • The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.

  • The transfer is necessary for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.

  • The transfer is mandatory for a superior public interest.

  • The transfer of personal data is mandatory for the establishment, exercise or protection of a right.

  • The transfer of personal data is mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid.

  • Transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.



3. Conclusion

The issue of transferring personal data abroad was an issue that was frequently brought to the agenda in recent years and created some problems in terms of the functioning of the commercial activities of the undertakings. With the amendments made to the Law and the regulations put into force with the Regulation, the long-awaited legislative changes have been implemented and harmonization with the European Union General Data Protection Regulation has been achieved.

 

CONTACT

 

Maidan Business and Life Center Block C Floor:9 No:107-108, Mustafa Kemal Mah. 2118. St. No: 4 Çankaya - Ankara - Türkiye

    

           

+90 312 511 05 35

info@incelegal.com

You can subscribe to our newsletter to keep up with the legal updates.

OTHER LINKS

  • LinkedIn Clean

© 2025 by İnce Legal

bottom of page