The Regulation On The Procedures and Principles Regarding the Transfer Of Personal Data Abroad Has Been Published

7/11/2024

Long-awaited amendments to the Law No. 6698 on the Protection of Personal Data (“Personal Data Protection Law”) have been implemented through the Law No. 7499 on the Amendment of the Criminal Procedure Code and Some Other Laws. Although the provisions amending the Personal Data Protection Law came into force on June 1, 2024, the secondary regulations that would determine the details regarding the transfer of personal data abroad had not been published at that time, delaying the steps to comply with the new rules.
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”), which was expected to determine the details of the transfer abroad, was published in the Official Gazette on July 10, 2024. The Regulation details the new rules regarding the transfer of data abroad as stipulated in the Personal Data Protection Law.

Additionally, on the same day as the Regulation, the Personal Data Protection Authority (“Authority”) published standard contract templates, binding corporate rules application forms, and guidance documents on the essential elements that should be included in binding corporate rules on its website for use in the transfer of personal data abroad:

  1. Standard Contract for the Transfer of Personal Data Abroad - 1 (From Data Controller to Data Controller)
  2. Standard Contract for the Transfer of Personal Data Abroad - 2 (From Data Controller to Data Processor)
  3. Standard Contract for the Transfer of Personal Data Abroad - 3 (From Data Processor to Data Processor)
  4. Standard Contract for the Transfer of Personal Data Abroad - 4 (From Data Processor to Data Controller)
  5. Binding Corporate Rules Application Form for Data Controllers
  6. Essential Elements that Should be Included in Binding Corporate Rules for Data Controllers – Guidance Document
  7. Binding Corporate Rules Application Form for Data Processors
  8. Essential Elements that Should be Included in Binding Corporate Rules for Data Processors – Guidance Document

New Era Rules for Data Transfer Abroad

With the amendment to the Law, the approach prioritizing explicit consent for the transfer of personal data abroad has been changed. Under the amendment, both data controllers and processors must ensure compliance with the requirements specified in Article 9 of the Personal Data Protection Law for transfers of personal data abroad.

Accordingly, before initiating the transfer, the parties involved in the transfer should evaluate the following conditions in sequence:
  1. Existence of an adequacy decision regarding the country, sectors within the country, or international organizations to which the transfer will be made,
  2. Ensuring adequate safeguards by the parties involved in the transfer,
  3. Assessing the existence of the conditions regarding occasional data transfers.

1- Transfers Based on Adequacy Decisions

The Personal Data Protection Board (“Board”) may decide that a country, one or more sectors within a country, or an international organization ensures an adequate level of protection for the transfer of personal data abroad. Adequacy decisions issued by the Board will be published in the Official Gazette and on the Authority's website.

The Regulation lists the factors to be considered during the adequacy decision-making process in accordance with the provisions of the Personal Data Protection Law. Additionally, it specifies that the Board is authorized to determine additional factors for evaluation. If necessary, the Board may seek the opinion of relevant institutions and organizations in its assessment related to the adequacy decision.

2- Transfers Based on Adequate Safeguards

If there is no adequacy decision for the country, sectors within the country, or international organizations to which the transfer will be made, personal data may be transferred only if the following conditions are met and provided that the parties involved in the transfer provide adequate safeguards:

  • Existence of one of the conditions stated in Article 5 and Article 6 of the Personal Data Protection Law,
  • The data subject being able to exercise their rights and access effective legal remedies in the country to which the transfer will be made.

In this case, the parties to the data transfer should consider ensuring adequate safeguards through the following alternatives, depending on the identities of the parties and the nature of the transfer activity:

| Method of Adequate Safeguards | Scope of Application |
| --- | --- |
| The existence of an agreement that is not considered an international treaty and permission granted by the Board for the transfer | The transfer of personal data between public institutions and organizations, professional organizations with public entity status in Turkey, and foreign public institutions and organizations or international organizations |
| The existence of binding corporate rules approved by the Board containing provisions on the protection of personal data | Transfers between companies within a group of enterprises engaged in joint economic activities |
| Existence of a standard contract (+ notification to the Authority within five business days) | Regular data transfers |
| The existence of a written undertaking and permission granted by the Board for the transfer | Regular data transfers |


The Regulation provides detailed guidelines on the procedures and content of each safeguard to be implemented.

In the new era, the standard contract method is expected to be frequently used due to its suitability as a transfer safeguard, both for not requiring approval/permission processes and for being widely preferred in the European Union.

3- Key Considerations for Transfers Based on the Existence of Standard Contracts:

  • Standard contract templates must be used as published by the Board without any modifications.
  • The Turkish version of the standard contract must always be prioritized.
  • The standard contract must be executed between the parties involved in the transfer of personal data and signed by individuals authorized to represent and sign on behalf of the parties.
  • The standard contract must be notified to the Authority within five business days following the completion of signatures, either physically, via a registered electronic mail (REM / KEP) address, or through other methods specified by the Authority.
  • The parties to the standard contract may determine themselves who will fulfil the notification obligation as mentioned above, but if not specified, the notification should be made by the data transferor.
  • In the notification to the Authority, documents verifying the authorities of the signatories of the standard contract and notarized translations of documents in foreign languages must also be submitted.
  • If modifications are made to the standard contract text published by the Board or if it is determined that the signatories of the standard contract do not have authority, the Board may conduct an examination under Article 15 of the Personal Data Protection Law.
  • In case of any change in the information and explanations provided by the parties in the standard contract or in the content of the standard contract, or in the event of termination of the standard contract, notification must be made to the Authority within five business days.

4- Occasional Data Transfers:

The Regulation defines the exceptional cases of data transfer that may lead to occasional data transfers. Accordingly, irregular, one-time or exceptional cases of data transfers that do not constitute a continuous part of routine business operations are considered occasional.

If adequacy decisions are not applicable for transferring data abroad and adequate safeguards cannot be ensured, personal data may be transferred abroad on an ad hoc/occasional basis within the limited exceptional circumstances specified in the Regulation.

Examples of these exceptions include the explicit consent of the data subject, the necessity of the transfer for the performance of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures taken at the request of the data subject.

Final Remarks

The implementation of the new rules for data transfers abroad, introduced with the amendments to the Personal Data Protection Law, has been specified in the Regulation, and the texts to be used by the parties for ensuring adequate safeguards have been published by the Authority. In this regard, as of September 1, 2024, explicit consent alone will not be considered valid for non-occasional transfers. Therefore, considering the challenges in issuing adequacy decisions by the Board within this short period of time, data controllers are required to assess their cross-border data transfers to ensure adequate safeguards.


For the Regulation, please see: (in Turkish)

For the announcement regarding the decision of the Personal Data Protection Board dated June 4, 2024, numbered 2024/959, and for guidance on standard contract templates, application forms for binding corporate rules, and guidance documents outlining essential elements for binding corporate rules, please see: (in Turkish)



Selen Akgün, Associate

