Significant amendments were introduced to the Personal Data Protection Law (“Law”) regarding the transfer of personal data abroad, and subsequently, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad was published. The Personal Data Protection Authority (“Authority”) published the Guideline on the Transfer of Personal Data Abroad (“Guideline”) on 02.01.2025 in order to present its expectations regarding the safeguards stipulated by the aforementioned amendments and to eliminate the uncertainties in practice. You may find some of the significant matters in the Guideline below.

1. Being Subject to the Provisions of the Law on Data Transfer Abroad

The Guideline explains by giving examples whether the transfer of personal data will be subject to the provisions of the Law according to the location of the data transferor and data recipient. Accordingly, if the data controller in the foreign country obtains personal data directly from the data subject, this transaction does not constitute a data transfer abroad. However, if the data controller in the foreign country transfers the data obtained directly from Türkiye to a data processor in a foreign country, the provisions of the Law on data transfer abroad shall apply. For example, the transfer of personal data of the data subject who shops online and lives in Türkiye from a company resident in a foreign country and targeting the Turkish market is not considered as data transfer abroad. However, the transfer of personal data by this foreign company to the data processor in the same or different foreign country will be considered as data transfer abroad.

On the other hand, the transfers to be made by (i) the Turkish data controller to the foreign data controller, (ii) the Turkish data controller to the foreign data processor, (iii) the Turkish data processor to the foreign data controller, and (iv) the Turkish data processor to the foreign sub-processor are subject to the provisions of the Law on data transfer abroad. For instance, if a foreign parent company’s subsidiary residing in Türkiye transfers the employee’s data to the parent company, for the purpose of storing them in a centralized human resources database, the provisions of the Law on data transfer abroad are also applicable. As clearly stated in another example, the transfer of the personal data of the employees and customers of the data controller company in Türkiye to the data processor abroad, for instance, to receive data storage services, constitutes data transfer abroad.

2. Standard Contractual Clauses

Pursuant to the aforementioned amendments, a three-stage compliance mechanism was introduced for the transfer of personal data abroad. Standard contractual clauses stipulated under the appropriate safeguards attracted attention in practice as a practical tool. The Guideline includes some explanations to eliminate the uncertainties in practice in the preparation of standard contractual clauses. For instance, it is stated that it is possible to prepare the standard contractual clauses in more than one column in Turkish and in another language, provided that Turkish version shall prevail. Pursuant to the Guideline, although it is not explicitly stated in the draft standard contractual clauses, the group or groups of data subjects to whom the transferred personal data relate should be specified based on each personal data. In addition, not only the category of data (e.g. contact) but also the type of data (e.g. e-mail address) should be included in the standard contractual clauses.

3. Incidental Transfers

Pursuant to the aforementioned amendments, in the absence of an adequacy decision issued by the Authority, or of appropriate safeguards, personal data may be exceptionally transferred abroad without any authorization or notification, provided that it is incidental. The Guideline states that incidental transfer must take place outside the ordinary course of business, irregularly, once or a few times, under unforeseen circumstances, and at indefinite intervals. In this case, personal data transfers that take place regularly as a result of an ongoing relationship between the data transferor and the data recipient cannot be considered under this provision. For example, granting direct access to a database to the data recipient will be considered as a regular and continuous data transfer and will not be incidental. In addition, transfers that take place in the ordinary course of business are also not incidental. For instance, the transfers to be made by a tourism company regarding the reservation information of its customers will take place in the ordinary course of business of the company and thus will not be considered incidental.

Should you have any inquiries, please do not hesitate to contact us.