ARTICLE
28 January 2025

Crossing The Borders: The New Turkish Personal Data Transfer Guidelines

BS
Balcıoğlu Selçuk Eymirlioğlu Ardıyok Keki Attorney Partnersh

Contributor

Balcioglu Selcuk Eymirlioglu Ardiyok Keki Attorney Partnership is an Istanbul based full service law firm with exceptional practices in corporate, M&A, banking and finance, real estate, energy, competition and litigation. BASEAK has gained an outstanding reputation and valued clientele by tailoring effective legal solutions to a broad spectrum of clients.
[1] As is known, Article 9 of the Personal Data Protection Act, titled "Transfer of personal data abroad," was amended ("Amendment to the Act") under Act No. 7499.
Turkey Privacy

As is known, Article 9 of the Personal Data Protection Act, titled "Transfer of personal data abroad," was amended ("Amendment to the Act") under Act No. 7499. You can visit our previous article for more details on this amendment. Following this, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad came into effect, and the decision of the Board, along with the "Public Announcement on Documents Related to Standard Contractual Clauses and Binding Corporate Rules," was published on the authority's website.

In this article, we will discuss the details of the Guidelines, which is the most up-to-date regulation shedding light on potential questions that may arise in practice concerning the set of regulations on the transfer of personal data abroad.

Definitions

First, the Guidelines revisits the procedures for transferring personal data abroad under previous legislation and then explains the purpose, rationale, and scope of the Amendment to the Act. Next, definitions related to the transfer of personal data abroad are provided. Notably among these definitions is the term "Sub-Processor," which, despite not being explicitly regulated under the relevant legislation but referenced in standard contracts, is defined for the first time as:

"A natural or legal person that acts in accordance with the instructions of the data processor and processes personal data on behalf of the data processor."

Criteria For the Transfer of Personal Data Abroad

The Guidelines examines cross-border data transfer activities under three criteria. Accordingly:

1) The data controller or data processor (data exporter) must be subject to the Act for the given personal data processing activity:

The Guidelines clarify the territorial scope of the Act. They note that, although the Act does not include a specific provision regarding its territorial scope, the preamble to Article 18 states that, in situations where there are no relevant provisions in the Act with respect to misdemeanours, the provisions of the Misdemeanours Act No. 5236 shall apply. Moreover, because Article 6 of the Misdemeanours Act, titled "Application in terms of location," refers to Article 8 of the Turkish Penal Act No. 5237, it follows that the Turkish Penal Act adopts the principle of territoriality for determining its own scope.

The Guidelines also highlight that strictly following the principle of territoriality does not provide strong enough data protection, especially given today's global and rapidly evolving data processing technologies. Therefore, the Act should be read in a way that safeguards personal data, reflecting its main purpose of protecting fundamental rights and freedoms—particularly the right to privacy. In the end, the Act favors using the principle of effect rather than territoriality alone when deciding its geographic reach.

2) The personal data processed by the data exporter must be transmitted or otherwise made accessible

As an example of when this criterion is concretely met, the Guidelines provides instances such as creating an account, granting access to an existing account, approving/accepting a valid request for remote access, placing a fixed drive, or sending a password for a file. In this regard, the Guidelines explicitly states that "remote access from a third country (even if it only involves displaying personal data on a screen, for example in support, troubleshooting, or administrative cases) and/or cloud storage abroad offered by a service provider" will be considered a transfer, provided that other two criteria explained in this section are met.

In this context, the Guidelines lists the following as examples of activities deemed cross-border data transfers under the Act:

  • A data controller in a third country directly obtaining personal data from the data subject in Turkey,
  • A data controller in a third country directly obtaining personal data from the data subject in Turkey and having certain processing activities carried out by a data processor located outside Turkey,
  • Data collected by a platform in Turkey and subsequently transferred to a data controller in a third country,
  • A data controller in Turkey transmitting data to a data processor in a third country,
  • A data processor in Turkey sending data back to a data controller in a third country,
  • A data processor in Turkey transmitting data to a sub-processor located in a third country,
  • A data controller that is a subsidiary in Turkey sharing personal data with its parent company (data processor) in a third country.

3) Regardless of whether the data recipient (data controller or data processor) is subject to the Act, they must be located in a third country.

According to this criterion, the data controller or processor to whom the data is transferred must be geographically situated in a third country.

The remainder of the Guidelines elaborates in detail on the procedures for transferring personal data abroad in line with the Act, the Regulation, and Board announcements.

Details Regarding Transfer Methods

As is known, Article 9 of the Act establishes a three-tier structure for the transfer of personal data abroad. The Guideline provides detailed explanations regarding these tiers. In this article, we will address the matters we deem most significant below.

Presence of an Adequacy Decision

The Guidelines refers to the Act, listing the points to be considered when granting an adequacy decision. It then cites the Personal Data Protection Board's ("Board") Decision No. 2019/125 dated May 2, 2019, titled "Form Created for the Determination of Countries with Adequate Protection" and includes the criteria for determining countries considered to have adequate protection pursuant to Article 9 of the Act. It emphasizes that this assessment process will be conducted meticulously and highlights the provision in subparagraph (e) of the third paragraph of Article 9 of the Act, stipulating that "international treaties to which Turkey is a party" shall be primarily considered when deciding whether to permit data transfers. In this framework, it was stated in the Public Announcement dated October 26, 2020, that being a party to Convention 108 will be one of the main elements the Board considers when evaluating whether to allow personal data transfers to a given country.

Finally, the Guidelines underscores that adequacy decisions, which can be regarded as "living" documents, will be subjected to periodic reviews and may be amended, suspended, or revoked depending on changing circumstances.

Presence of One of the Appropriate Safeguards

The guidelines comprehensively examine appropriate safeguards, namely, Agreements Not Constituting an International Treaty, Binding Corporate Rules, Standard Contracts.

In our article, we will highlight the key details that we deem most beneficial in practice, particularly with regard to standard contracts, and clarify any issues that undertakings may encounter in practice.

As a side note, the Guidelines do not emphasise the need to conduct transfer impact assessments. However, since the amended Act states that a controller or processor may transfer personal data to a third country only if appropriate safeguards are in place and if data subjects have enforceable rights and effective remedies in the destination country, we believe that fulfilling the obligation set forth in the Act may necessitate appropriate documentation to demonstrate compliance with this requirement.

Standard Contractual Clauses (SCCs)

First, it is noted that while standard contractual clauses must essentially be executed in Turkish, it is clarified that the notification requirement for standard contractual clauses can also be fulfilled by submitting dual-column contracts, one column in Turkish and the other in a different language, to the Authority.

Noting that the standard contractual clauses announced by the Board will be deemed to provide appropriate safeguards for the transfer of personal data abroad as published, it is once again emphasized that no additions, deletions, or modifications may be made to the standard contractual clause texts (except for optional or alternative clauses).

The Guidelines also explains how to complete the annexes to the standard contractual clauses. Expectations under each title are presented below:

  • Activities of the Data Exporter and Data Importer: Outline the general explanations related to the personal data transfer carried out under the standard contract and specify the activities conducted on the transferred personal data.
  • Data Subject Group(s): Should indicate, on a personal data basis, which data subject group(s) the transferred data belongs to.
  • Categories of Transferred Personal Data: List data categories (e.g., contact) and types (e.g., email address) and include special categories of personal data, if applicable.
  • Legal Ground for the Transfer: Reference which processing condition(s) under Articles 5 and 6 of the Act apply.
  • Frequency of Transfer: Clarify whether the data is transferred once only or continuously.
  • Nature of the Processing Activity: Describe the form of processing (e.g., storage, recording, publishing, merging, categorizing, etc.).
  • Purposes of the Transfer and Subsequent Processing: Explain why the transfer is taking place and how the data importer will further process the data (e.g., for payments, customer support, market research).
  • Retention Period: State the length of time the data will be stored or the criteria for determining it and differentiate if various data categories have different retention periods.
  • Recipients or Recipient Groups: Specify who will receive the data in subsequent transfers and keep this information updated during the term of the contract.
  • VERBİS Information (Data Controllers' Registry): If the data exporter is a data controller required to register with VERBİS, list the relevant information in SCC-1 and SCC-2 and ensure consistency with the official VERBİS records.
  • Transfers to (Sub) Data Processors: If data are forwarded to sub-processors, explain the nature, scope, and duration of these activities in SCC-2 and SCC-3.

It is clarified that, under the main rule, the authenticity of the signature on official documents issued in foreign countries, the title of the signer, or, when necessary, the original seal or stamp on the document must be confirmed by the relevant Turkish consulate or diplomatic officers in the foreign country. However, it is also explained that an apostille certification is sufficient for documents from other states that are parties to the Convention Abolishing the Requirement of Legalisation for Foreign Public Documents ("Apostille Convention").

The Guidelines reiterates that if any changes are made to the texts of standard contractual clauses or if such clauses do not bear the valid signature of one or both parties to the transfer, the Board will conduct an examination.

Following the notification of the standard contractual clauses to the Authority, if there is any change in the statements or information provided by the parties to the transfer (e.g., details given on the recipients or groups of recipients in the standard contractual clauses) or if the standard contractual clauses are terminated, such changes must be reported to the Authority within five business days via physical submission, via Registered Electronic Mail (KEP), or through other alternative methods determined by the Board (e.g., Standard Contractual Clauses Notification Module).

Presence Of One of The Exceptional Transfer Cases

As is known, the Amendment to the Act has established explicit consent as a secondary mechanism for use in exceptional transfers. In the absence of an adequacy decision or appropriate safeguards, data transfers abroad may be conducted on an exceptional basis, provided they are occasional, limited to one or a few instances, and do not involve continuity. This section outlines guidelines that elaborate on how such exceptional transfers may arise in practice and provide details regarding the processes involved.

The Guidelines explicitly states that the exceptional data transfer mechanisms listed in the Act should be interpreted strictly and should only be relied upon as a last resort. Unlike other cross-border personal data transfer mechanisms, there is no requirement to fulfill the personal data processing conditions under Articles 5 and 6 of the Act for these exceptional transfers.

It is emphasized that transfers performed multiple times can also fall within the scope of exceptional transfers, but to be considered exceptional, the transfer must not be performed regularly or on a continuous basis, i.e., it must occur outside the ordinary flow of actions.

When personal data transfer is mandatory for the establishment, exercise, or protection of a right, incidental transfers of personal data may be allowed. For instance, submitting documents containing personal data to judicial authorities in the context of an investigation abroad can be considered under this scope. However, there must be (i) a connection between the personal data in question and the processing activity, and (ii) the data processing activity must be relevant, proportionate, and limited to the intended purpose. It is specified that cases that may occur in the future, are merely hypothetical, or lack a connection to any administrative/judicial proceeding will not be covered, nor will their scope be expanded.

Final Remarks

The newly published Guidelines adds helpful clarity to the cross-border data transfer regime by providing additional detail and introducing new concepts (e.g., the Sub-Processor definition). The Guidelines serve as a reminder that undertakings engaged in transferring personal data abroad should carefully analyze whether their activities meet all the relevant criteria and must ensure compliance with the updated requirements, including adequacy decisions, appropriate safeguards, or exceptional transfer mechanisms.

Organizations in Turkey should revisit or update their internal documentation, policies, and cross-border data transfer agreements (especially standard contractual clauses) and remain attentive to the Board's potential decisions or upcoming developments that may further refine the implementation of these provisions. Given the substantial changes that have entered into force, proactive compliance measures are essential to mitigate potential risks and ensure alignment with the evolving data protection landscape.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More