On 2 January 2025, Türkiye’s Personal Data Protection Authority issued the Cross-Border Personal Data Transfer Guidelines to clarify issues arising from legislative and regulatory changes concerning personal-data cross-border transfers.
The fundamental principles regarding the cross-border transfer of personal data transfer are regulated in Article 9 of the Law No. 6698 on the Protection of Personal Data. As explained in our previous article, Article 9 underwent a comprehensive change in March 2024 as part of Türkiye’s compliance efforts with global data protection standards.
The Guidelines issued on 2 January detail the safeguards that data controllers and data processors should implement when involved in cross-border personal data transfers and provides practical guidance on the implementation of the applicable legal framework.
Purpose of the regulation
The amendment to Article 9 of the Law seeks to address the challenges Türkiye faces in cross-border data transfers, while aligning the country’s framework with the EU’s General Data Protection Regulation (GDPR). Under the previous regulation, cross-border transfers were primarily contingent on the explicit consent of the data subject, which imposed significant constraints on sectors such as commerce and cloud-based services. This not only hampered the ability of businesses to engage in international trade but also made data processing activities more challenging for foreign investors in Türkiye.
With the recent amendments, the scope of adequacy decisions has been broadened, mirroring the structure of the GDPR.
For instance, adequacy decisions could only be made on a country-by-country basis before the amendments to the Law took effect whereas the new regulation allows for adequacy decisions for specific sectors or international organisations. Within this framework, an adequacy decision can now be granted for a particular sector within a country, facilitating more efficient commercial interactions within that sector.
Furthermore, alternative data transfer mechanisms, such as the execution of standard agreements between data transferors and receivers, which do not require an approval from the Board, have also been implemented.
These regulatory changes are designed to streamline cross-border data transfers and resolve legal ambiguities. Overall, the amendments aim to enhance the ease of conducting business, encourage investment, and bolster adherence to international standards for personal data protection.
Definition of cross-border transfer of personal data
Under the new regulation, a “cross-border transfer of personal data” is defined as the transfer of data by a controller or processor to another country or the provision of access to data by any means, consistent with the newly passed law. This includes both physical and digital transfers, such as through cloud services or remote access platforms.
Conditions for transferring personal data abroad
The transfer of personal data abroad will first be assessed considering any relevant provisions in international agreements or other applicable laws. If such provisions exist, the data may be transferred directly. Otherwise, one of the conditions for the processing of personal data set out in Articles 5 and 6 of the law must be met.
The transfer, however, will be subject to an assessment under three possible scenarios.
In the first scenario, the transfer takes place based on an adequacy decision, which is issued by the Board and relates to a specific country, a specific sector or a specific international organisation.
Without an adequacy decision, transfers must be secured through the following appropriate safeguards:
- standard contracts;
- binding corporate rules; or
- written undertakings.
Finally, exceptional circumstances may allow limited transfers in the absence of both an adequacy determination and appropriate safeguards. These are generally cases where the data subject has given explicit consent, the transfer is necessary to fulfill a contract, or the transfer serves a public interest.
This structured approach ensures robust data security and compliance with international standards.
Conclusion
In conclusion, Türkiye’s recent overhaul of its personal data protection regulations marks a significant step forward in aligning it laws with global standards, particularly the EU’s GDPR. The amendments to Article 9 and the issuance of the Guidelines reflect a clear intention to modernise the legal framework governing data transfers, facilitating smoother international business transactions while ensuring robust protections for personal data.
By broadening the scope of adequacy decisions and introducing alternative mechanisms for cross-border data transfers, Türkiye is enhancing its appeal as a destination for foreign investment and international trade. As businesses and organisations navigate these new provisions, the emphasis on compliance, transparency, and data security remains paramount, ensuring that Türkiye remains at the forefront of responsible data protection practices on the global stage.
For more information on the Guidelines and impact on your company or business, contact your CMS partner or local CMS expert: Dr. Döne Yalçın or Sinan Abra.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.