ARTICLE
8 January 2025

Guidelines On Transfer Of Personal Data Abroad Has Been Published

GO
Güner Law Office

Contributor

Güner Law Office was established in 1996 and has since grown into one of the leading law firms in Turkiye with its TMT (telecommunication, media and technology), corporate/M&A, banking/finance, and energy practices. Besides consultancy services, Güner Law Office also provides dispute resolution (arbitration, litigation etc.) services. Güner Law Office, with its strong team including members at all levels of seniority and practice in Turkish, English and French, provide excellent services to its global/multinational clients, sophisticated institutional investors, and private equity funds. ert all levels of seniority. All our lawyers practice regularly in Turkish, English and French. Awards and Rankings of Güner Law Office (Merger Market & Thomson Reuter) Güner Law Office ranks at 4th place regarding company mergers & acquisitions (M&A), among local firms with 26 closed projects worth 4.3 billion Euros after 2003.
On January 2, 2025, the Personal Data Protection Authority ("KVKK") published the Guidelines on the Transfer of Personal Data Abroad ("Guidelines"), which guides the implementation of the legislation on the transfer of personal data abroad.
Turkey Privacy

Introduction:

On January 2, 2025, the Personal Data Protection Authority ("KVKK") published the Guidelines on the Transfer of Personal Data Abroad ("Guidelines"), which guides the implementation of the legislation on the transfer of personal data abroad. In particular, the Guidelines aim to shed light on the implementation of the amendments made to Article 9 of the Law No. 6698 on the Protection of Personal Data ("Law"). This Guidelines, which is of critical importance for both data controllers and data processors, provides an important roadmap for conducting data transfer processes in a transparent and lawful manner.

  • Purpose and Scope of the Guidelines

The main purpose of the Guidelines is to clarify the procedures to be followed during the transfer of personal data abroad within the framework of Article 9 of the Law and the appropriate assurance mechanisms determined by the LPPD. The Law has been reorganized in line with the European Union's General Data Protection Regulation (GDPR) in order to overcome the difficulties encountered especially in international data transfers. In this context, the guidance addresses in detail both data transfers to countries with adequacy decisions and situations where appropriate safeguards need to be provided.

  • Qualification Decision and Appropriate Safeguards

The Law facilitates the transfer of personal data to a country if that country has an adequacy decision either in general or on the basis of specific sectors. However, for countries that do not have an adequacy decision, the ability to transfer data is based on one of four main safeguards:

  1. International Agreements: Existence of agreements signed between Turkey and the country to which data will be transferred.
  2. Standard Contracts: The use of contract texts approved by the KVKK.
  3. Binding Company Rules: Rules set by multinational company groups for internal data transfers and approved by the PDPL.
  4. Undertakings: Statements of assurance given in writing by data controllers.
  • Exceptional Transfers

Where an adequacy decision or appropriate safeguards cannot be provided, data transfer is permitted in certain exceptional circumstances. These circumstances include obtaining the explicit consent of the data subject, observing the public interest or preventing a vital harm. However, these transfers should not be continuous and should be incidental.

  • Impact of New Regulations on Business

The amendments to the law aim to facilitate international data transfers, especially at a time of rapid digitalization. However, the details highlighted in the Guidelines also indicate that companies need to make a serious compliance effort in their data transfer processes. Therefore, it is of great importance for companies to carefully review the guidance and update their data processing policies.

Conclusion:

This guidance published by the PDPL aims to ensure data security and business continuity by providing clearer rules and standards on the transfer of personal data abroad. For companies, acting 1 in accordance with the guidance is a strategic necessity in terms of both legal compliance and increasing customer trust.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More