Introduction

The Turkish Personal Data Protection Law (dated March 24, 2016 and No. 6698) (“Law”) includes general provisions in relation to transfer of personal data within Türkiye (Article 8) and abroad (Article 9). In line with Article 9 of the Law, the Personal Data Protection Authority (“Authority”) issued the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) on July 10, 2024. 

In this article, we will examine the transfer of personal data abroad under Turkish law in light of the Law and Regulation.

 

Definitions

Both the Law and the Regulation begin by defining the main terms used in them, such as personal data, processing of personal data, data subject, data transferor, data recipient, data controller, data processor, etc. As these terms and definitions are closely aligned with those used in the General Data Protection Regulation (“GDPR”), we refrain from going into further detail here.

 

I. General Principle for Transfer of Personal Data Abroad

Article 9 of the Law, as amended on March 2, 2024, sets forth general principles with regard to the transfer of personal data abroad. In line with Article 9(11) of the Law, the Regulation was issued with the aim of providing detailed procedures and principles with regard to the transfer of personal data abroad.

The Law and the Regulation stipulate that personal data may only be transferred abroad by data controllers and data processors;

a) in the presence of one of the conditions specified in Articles 5 and 6 of the Law, and

b) in the presence of an adequacy decision with regards to the country or sectors within that country or international organisations, to which the transfer will be made, or

c) in the absence of an adequacy decision, in the presence of one of the appropriate safeguards laid down in the Law and Regulation, provided that the data subject has the possibility to exercise his/her rights and to have recourse to effective remedies in the country to which the transfer will be made, or 

d) in the absence of an adequacy decision and any of the appropriate safeguards laid down in the Law and Regulation, in the presence of one of the exceptional circumstances specified in the Law and Regulation, provided that it is occasional.


Onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation by data controllers and data processors are also subject to the appropriate safeguards set forth in the Law and Regulation.

Furthermore, both the Law and the Regulation state that, without prejudice to the provisions of international agreements, in cases where the interests of Türkiye or the data subject would be seriously harmed, personal data may only be transferred abroad with the permission of the Personal Data Protection Board (“Board”), the decision-making body of the Authority, by obtaining the opinion of the relevant public institution or organisation. It should be noted that what the term “interests of Türkiye” means is not easy to determine. As the Regulation, in its Article 17, authorises the Board to resolve any doubts that may arise during the implementation of the Regulation and to decide on matters not covered therein within the framework of the provisions of the relevant legislation, the Board may clarify what “interests of Türkiye” means within this specific area in the future.

 

II. Conditions for Processing Personal Data

Both Article 9 of the Law and Article 6 of the Regulation refer to the conditions for processing personal data specified in Articles 5 and 6 of the Law.

a) Conditions for processing personal data under Article 5

Article 5 of the Law begins with the main principle that personal data cannot be processed without the explicit consent of the data subject and provides a number of exceptions where it is possible to process personal data without seeking the data subject’s explicit consent. Within the scope of the exceptions under Article 5, it is possible to process personal data when;

a) it is expressly provided for by the laws,

b) it is necessary for the protection of life or physical integrity of the data subject or of another person, where the data subject is physically or legally incapable of giving consent due to actual impossibility or consent of the data subject is not legally valid,

c) processing of personal data of the parties of a contract is necessary, provided that it is directly related to the conclusion or performance of such contract,

d) it is necessary for compliance with a legal obligation which the data controller is subject to,

e) such personal data has been already made public by the data subject himself/herself,

f) data processing is necessary for the establishment, exercise or protection of any right, or

g) data processing is necessary for the legitimate interests pursued by the data controller, provided that such processing does not violate the fundamental rights and freedoms of the data subject.

b) Conditions for processing of special categories of personal data under Article 6

Article 6 lays down the conditions for processing special categories of personal data. Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership of associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and biometric and genetic data are deemed to be special categories of personal data.

Under Article 6, it is generally prohibited to process special categories of personal data without the explicit consent of the data subject. However, Article 6 provides that special categories of personal data, except for data concerning health and sexual life, may be processed without seeking the data subject’s explicit consent, in the cases provided for by laws. Furthermore, even personal data concerning health and sexual life may be processed, without seeking the explicit consent of the data subject, by competent public institutions and organizations or persons subject to a secrecy obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as financing thereof.

III. Transfer of Personal Data Abroad based on Adequacy Decision

Apart from the presence of one of the conditions laid down under Articles 5 and 6, there must further be an adequacy decision a) on the country, or b) sectors within the country, or c) international organisations, to which the transfer of personal data will be made. The Board is authorised to decide whether a country, one or more sectors within a country or an international organisation provides an adequate level of protection in relation to the transfer of personal data or not.

The adequacy decisions are made by the Board. The opinion of the relevant institutions and organisations is sought if deemed necessary. The decision is reviewed periodically, at least every four years. The periodic reviews are clearly determined in the relevant adequacy decision. If the Board determines, without being bound by the periodic reviews, that the relevant country, one or more sectors within the country or international organisation no longer ensures an adequate level of protection, it may repeal, amend or suspend its decision with prospective effect. The Board may enter into consultations with the competent authorities of the country or international organisation concerned with a view to remedying the situation giving rise to the revocation, amendment or suspension decision. Both the adequacy decisions and the decisions to repeal, amend or suspend existing adequacy decisions are published in the Official Gazette and on the website of the Authority.

When making an adequacy decision, the Board shall, in particular, take account of the following elements:

a) the reciprocity status regarding the transfer of personal data between Türkiye and the country, sectors within the country or international organisations to which personal data will be transferred,

b) the relevant legislation and practice of the country and the rules governing the international organisation to which personal data will be transferred,

c) the existence of an independent and effective data protection institution in the country to which personal data will be transferred or to which the international organisation is subject, and further the existence of administrative and judicial remedies,

d) the status of the country or international organisation to which personal data will be transferred being a party to the international conventions on the protection of personal data or a member of the relevant international organisations,

e) the status of the country or international organisation to which personal data will be transferred being a member of global or regional organisations of which Türkiye is also a member, and

f) the status of the country or international organisation to which personal data will be transferred being a party to international conventions to which Türkiye is also a party.

The Regulation authorises the Board to add further matters to the list, other than those specified in the Law and Regulation.

 

IV. Appropriate Safeguards

In the absence of an adequacy decision, provided that one of the conditions specified under Articles 5 and 6 exists and the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country of transfer, personal data may still be transferred abroad by a data controller or a data processor only if one of the following appropriate safeguards is provided by the controller or processor:

a) Existence of a legally binding and enforceable instrument, which is not characterised as an international treaty, between the public authorities or bodies in the country or international organisations to which personal data will be transferred and the public authorities or bodies or national professional organisations in Türkiye together with the permission by the Board for the transfer of personal data abroad. 

By means of the provisions on the protection of personal data to be included in a legally binding and enforceable instrument, which is not an international treaty, appropriate safeguards in terms of personal data transfers may be provided between the public authorities or bodies in Türkiye and in foreign countries or international organisations. The legally binding and enforceable instrument must be concluded between the parties to the personal data transfer and the Board must be consulted during the negotiation process of such legally binding and enforceable instrument.   

The provisions for the protection of personal data to be included in a legally binding and enforceable instrument must, in particular, include the following;

a) purpose, scope, nature and legal reason of transfer of personal data abroad,

b) definitions of basic concepts in accordance with the Law and relevant legislation,

c) an undertaking to comply with the general principles specified under the Law,

d) procedures and principles for informing the data subjects about the legally binding and enforceable instrument and the personal data to be transferred within the scope of such instrument,

e) an undertaking for the exercise of the rights specified under Article 11 of the Law by the data subjects whose personal data is transferred and the procedures and principles regarding the application to be made for the exercise of these rights,

f) an undertaking to take all necessary technical and administrative measures to ensure appropriate level of data security,

g) an undertaking that adequate measures determined by the Board will be taken in case of transfer of special categories of personal data,

h) restrictions on the onward transfer of personal data,

i) the remedies that the data subject may have a right to in case of a violation of the provisions on the protection of personal data to be included in the legally binding and enforceable instrument,

j) the audit mechanism for the implementation of the provisions on the protection of personal data to be included in the legally binding and enforceable instrument,

k) a provision stipulating that the data transferor shall have the right to suspend the data transfer and terminate the legally binding and enforceable instrument if the data recipient fails to comply with the provisions regarding the protection of personal data to be included in such instrument, and

l) an undertaking by the data recipient to return the personal data to the data transferor together with the backups or to destroy the personal data completely, depending on the preference of the data transferor, in case the legally binding and enforceable instrument expires or is terminated.

In order to transfer personal data abroad based on a legally binding and enforceable instrument, which is not an international treaty, the data transferor must apply to the Board for a permit. Within the scope of the application to be made, the final version of the legally binding and enforceable instrument and other information and documents required for the evaluation to be made by the Board must be submitted. The transfer of personal data may commence only after such permit is granted by the Board.

b) Existence of binding corporate rules approved by the Board containing provisions on the protection of personal data, with which every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, is obliged to comply. In order to transfer personal data abroad based on binding corporate rules, an application for a permit must be made to the Board.

Within the scope of the application to be made, the text of the binding corporate rules and other information and documents required for the assessment to be made by the Board must be submitted. An official translation of each foreign language document submitted in the application must be attached to the application as well. In case the text of the binding corporate rules is prepared in two languages, i.e. Turkish and a foreign language, the Turkish text prevails.

When granting a permit for binding corporate rules, the Board, in particular, takes into account;

a) that the binding corporate rules are legally binding for and apply to and will be enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees,

b) that the binding corporate rules contain an undertaking that the relevant personal rights may be exercised, and

c) that the binding corporate rules fulfil the requirements laid down under Article 13 of the Regulation.

Article 13 of the Regulation stipulates that the binding corporate rules must specify at least the following;

a) organisational structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members,

b) the issues regarding the transfers to be carried out within the scope of binding corporate rules, particularly the categories of personal data, the processing activity and purpose, the group or groups of persons concerned and the country or countries to which the transfer will be made,

c) an undertaking that the binding corporate rules are legally binding both in the internal relationship and in other legal relations of the group of undertakings, or group of enterprises engaged in a joint economic activity,

d) data protection measures such as compliance with the general data protection principles specified under Article 4 of the Law, conditions for processing personal data and special categories of personal data, technical and administrative measures to ensure data security, adequate measures to be taken in the processing of special categories of personal data and restrictions on the onward transfer of personal data,

e) an undertaking for the exercise of the rights of the data subjects whose personal data is transferred, specified under Article 11 of the Law and the right to lodge a complaint with the Board in accordance with the procedures and principles stipulated under Article 14 of the Law, and the procedures and principles regarding the exercise of these rights,

f) an undertaking that in the event of a breach of binding corporate rules by any member concerned that is not resident in Türkiye, a data controller and/or data processor established in Türkiye will assume liability for such breach,

g) explanation on how the data subjects will be informed about the matters related to the binding corporate rules, particularly those specified in subparagraphs (d), (e) and (f), in addition to the matters on which the data subjects will be informed within the scope of the disclosure obligation pursuant to Article 10 of the Law,

h) explanation on the training to be provided to the employees on the protection of personal data,

i) the duties of the persons or departments responsible for monitoring the compliance of group of undertakings, or group of enterprises engaged in a joint economic activity with the binding corporate rules, including the resolution of applications made by data subjects,

j) the mechanisms for auditing and verifying compliance with binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular data protection audits and methods for ensuring corrective actions to protect the rights of data subjects, and an undertaking that the results thereof will be submitted to the person or department referred to in subparagraph (i) and to the board of directors of the controlling company within the relevant group of undertakings, or group of enterprises engaged in a joint economic activity, and to the Board upon request,

k) mechanisms for reporting and recording changes to the binding corporate rules and for reporting such changes to the Board,

l) the obligation to cooperate with the Authority to ensure compliance with the binding corporate rules by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular the submission of the results of the audit and verification activities referred to in subparagraph (j) to the Authority,

m) regarding the personal data to be transferred under the binding corporate rules, an undertaking by each member of the group of undertakings, or group of enterprises engaged in a joint economic activity, that there is no national regulation contrary to the appropriate safeguards provided by the binding corporate rules in the country or countries to which the transfer of personal data will be made, and mechanisms to notify the Board in the event of a legislative change that is likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules, and

n) an undertaking that appropriate data protection training will be provided to staff with permanent or regular access to personal data.

The Board is authorised to add further matters to the list of matters specified above. The list of the documents to be attached in the application for binding corporate rules is determined by the Board.

Personal data transfer may commence only after the binding corporate rules are approved by the Board.

c) Existence of standard data protection clauses, containing matters such as data categories, purpose of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data, etc.

Appropriate safeguards can be provided by means of standard data protection clauses drafted and announced by the Board. It is obligatory to use the text of the standard data protection clauses without any modification. In case the standard data protection clauses are concluded in two languages, i.e. Turkish and a foreign language, the Turkish text prevails. 

The standard data protection clauses must be concluded between the parties to the personal data transfer or by persons authorised to represent and sign on behalf of them.

The executed standard data protection clauses must be notified to the Authority, within five business days following the completion of the signatures, physically or by registered electronic mail or other methods determined by the Board. The transfer parties may determine in the standard data protection clauses who will fulfil the notification obligation. If no determination is made in this regard, the standard data protection clauses must be notified to the Authority by the data transferor.

Documents certifying that the signatories of the standard data protection clauses are authorised to sign, and an official translation of each foreign language document, must be attached to the notification.

The Authority must be notified when there is a change in the parties to the standard data protection clauses or in the information and explanation provided by the parties in the content of the standard data protection clauses or when the standard data protection clauses are terminated.

d) Existence of a written undertaking containing provisions to ensure adequate level of protection and an authorisation by the Board for the transfer.

Appropriate safeguards may be provided by means of provisions for the protection of personal data to be included in a written undertaking to be concluded between the transfer parties. The provisions for the protection of personal data to be included in the written undertaking must, in particular, include the following;

a) purpose, scope, nature and legal reason of personal data transfer,

b) definitions of basic concepts in accordance with the Law and the relevant legislation,

c) an undertaking to comply with the general principles specified under Article 4 of the Law,

d) procedures and principles for informing the data subjects with regards to the undertaking and the personal data transfer to be made within the scope of such undertaking,

e) an undertaking for the exercise of the rights specified under Article 11 of the Law by the data subjects whose personal data will be transferred and the procedures and principles regarding the application to be made for the exercise of such rights,

f) an undertaking to take all necessary technical and administrative measures to ensure the appropriate level of data security,

g) an undertaking that adequate measures determined by the Board will be taken in case of transfer of special categories of personal data,

h) restrictions on the onward transfer of personal data,

i) the legal remedies to which the data subjects may be entitled in case of a breach of the undertaking,

j) an undertaking that the data recipient will comply with the resolutions and opinions of the Board regarding the processing of personal data to be transferred,

k) an undertaking that there is no national regulation that would cause the data recipient to fail to comply with the undertaking and that it will notify the data transferor as soon as possible of a change in legislation that may lead to a potential failure, and that in this case the data transferor will have the right to suspend the data transfer and terminate the undertaking,

l) an arrangement providing that the data transferor shall have the right to suspend the data transfer and terminate the undertaking in case the data recipient fails to comply with the undertaking,

m) an undertaking by the data recipient to return personal data to the data transferor together with the backups or to destroy the personal data completely, whichever is preferred by the data transferor, in case the written undertaking expires or is terminated, and

n) an arrangement providing that the written undertaking is governed by Turkish law and that the competent Turkish courts shall have jurisdiction in case of a dispute and an undertaking that the data recipient agrees to recognise the jurisdiction of Turkish courts.

In order to transfer personal data abroad based on a written undertaking, the data transferor must apply to the Board for a permit. Within the scope of the application to be made, the text of the undertaking and other information and documents required for the evaluation to be made by the Board must be submitted. In case the undertaking is concluded in two languages, i.e. Turkish and a foreign language, the Turkish text prevails.

The transfer of personal data may only commence after such permit is granted by the Board.

 

V. Occasional Circumstances

In the absence of an adequacy decision and of a legally binding and enforceable instrument, binding corporate rules, standard data protection clauses or a written undertaking as explained above, data controllers and data processors may transfer personal data abroad, provided that the transfer is occasional (i.e. the transfers are not regular, continuous or in the ordinary course of business, and are not repetitive), only if;

a) the data subject has explicitly consented to the proposed transfer, provided that he/she is informed about the possible risks,*

b) the transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject’s request,*

c) the transfer is mandatory for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person,*

d) the transfer is mandatory for important reasons of public interest,

e) the transfer is mandatory for the establishment, exercise or defence of legal claims,

f) the transfer is mandatory for the protection of life or physical integrity of the data subject or of another person where the data subject is physically or legally incapable of giving consent due to actual impossibility or consent of the data subject is not legally valid, or

g) the transfer is made from a register accessible by the public or persons with a legitimate interest, provided that the conditions for access to the register in the relevant legislation are met and the person with a legitimate interest requests such transfer.**

*The above subparagraphs (a), (b) and (c) do not apply to activities carried out by public authorities in the exercise of their public powers.

** In the case of transfers from a register accessible by the public or persons with a legitimate interest;

a) the transfers cannot be made in a way to involve the entirety of the personal data or entire categories of the personal data contained in the register, and

b) the transfers from registers accessible by persons with legitimate interest may only be made at the request of those persons and where they are the recipients of such transfer.

 

VI. Transfer of Personal Data Abroad by the Data Processor

In case personal data is transferred abroad by the data processor, the data processor is obliged to act on behalf of the data controller and in accordance with the instructions given within the framework of the purpose and scope determined by the data controller. The data processor shall take all necessary technical and administrative measures to ensure the appropriate level of security according to the nature of the personal data in order to prevent unlawful access to and processing of such personal data, and to ensure protection of it.

Transfer of personal data abroad by the data processor does not eliminate the data controller’s responsibility to ensure that the procedures and principles stipulated in the Law and the Regulation are complied with and the appropriate safeguards are duly provided. The data controller is obliged to ensure that the technical and administrative measures specified in the above paragraph are taken by the data processor.

Finally, in cases where the data processor is obliged to notify the standard data protection clauses to the Authority in accordance with the notification obligation under Article 14(5) of the Regulation, the data processor must fulfil such obligation even without the instruction of the data controller.