International Data Transfer Regime in Türkiye
With amendments to the regulations in recent years, the data transfer regime in Türkiye is converging with the practices of the European Union (namely, the General Data Protection Regulation), with certain local differences arising from Turkish laws and the practices of the Personal Data Protection Authority. This briefing note presents the Turkish international data transfer regime, including transfers to international institutions, under the following headings: (i) Legislative Framework, (ii) Definition: International Transfer of Personal Data, (iii) Transfer Mechanisms, and (iv) Subsequent Transfers.
1. Legislative Framework
The general framework in Türkiye for international transfers of personal data is set by the Personal Data Protection Law No. 6698 (the “PDPL”). The Regulation on the Procedures and Principles Regarding the International Transfer of Personal Data (the “Regulation”) clarifies the details of international transfers, whereas the Guidance of International Transfer of Personal Data (the “Guidance”) sheds light on the practice of the transfer regime. Both were introduced by the Personal Data Protection Authority (the “PDPA”).
2. Definition: International Transfer of Personal Data
The scope of international data transfers is defined in the Regulation rather than in the PDPL; accordingly, international transfer of personal data refers to “the transmission of personal data from a data controller or data processor under the PDPL to a data controller or data processor established abroad, or making such data accessible to them by any other means”.
The definition sets forth the three criteria below for a data transfer to be considered as international:
- The data transferor (data controller or processor) shall be subject to the PDPL for the personal data processing activity in question. When determining whether the data transferor is subject to the PDPL, the Board of the PDPA (the “Board”) has applied the “impact principle” instead of the “territoriality principle”. Accordingly, even an entity established abroad might be extraterritorially subject to the PDPL.
- The personal data processed by the data transferor shall be transmitted or otherwise made accessible. Opening an account, permitting remote access, deploying a hard drive, etc. can be regarded as examples. Where the data subjects themselves transmit or make available the personal data, this will not constitute an international transfer of personal data.
- The controller or processor, to whom the data is transferred, whether it is subject to the PDPL or not, shall be in a third country.
3. Transfer Mechanisms
The new regime regarding international transfer of personal data provides three alternatives that apply to transfers in successive order, in the absence of provisions in any relevant international agreements or other laws (e.g. anti-money laundering laws).
As a first mechanism, the country to which the transfer will be made shall be declared by the Board as a country with adequate protection (adequacy decision mechanism). Secondly, in the absence of an adequacy decision, appropriate safeguards regulated in the PDPL shall be implemented (appropriate safeguard mechanism). Thirdly and lastly, in the absence of adequate protection and appropriate safeguards, the existence of one of the exceptional circumstances shall be required (exception mechanism).
3.1. Adequacy Decision
As a rule, the personal data processing conditions set out in the PDPL must be met in order to transfer personal data internationally on the basis of an adequacy decision.
The Board may issue adequacy decisions for a country, for sectors within a country, or for an international organization. In such a case, data controllers and processors will be able to transfer personal data abroad without further procedures. It shall be highlighted that, as of the date of this briefing note, the Board has not yet issued any adequacy decision.
An adequacy decision by the Board shall be published in the Official Gazette, and it shall be evaluated every four years at the latest. Notwithstanding the re-assessment period specified, the Board may, if deemed necessary, review the adequacy decision and amend, suspend or revoke it with prospective effect.
3.2. Appropriate Safeguards
In the absence of an adequacy decision, personal data may be transferred abroad if the parties implement one of the appropriate safeguards listed below, provided that the personal data processing conditions set out in the PDPL are met and that the person concerned has the opportunity to exercise their rights and to apply for effective legal remedies in the country of transfer.
3.2.1. Agreement and Authorization
Personal data may be transferred abroad if there is an agreement related to public institutions and organizations or international organizations, which cannot be categorized as an international contract and if the transfer is authorized by the Board.
According to the Regulation, the Board’s opinion is required throughout negotiations of the agreement that shall be executed between the parties of transfer and in all cases, transfer of personal data based on the agreement cannot be initiated without the Board’s authorization.
3.2.2. Binding Corporate Rules and Approval
Personal data may be transferred abroad in the presence of binding corporate rules approved by the Board, that contain provisions on the protection of personal data, with which companies within the group of undertakings engaged in joint economic activities are obliged to comply.
The following points are specifically taken into consideration by the Board while evaluating binding corporate rules:
- Binding corporate rules shall be legally binding and enforceable on each relevant member of the group of undertakings engaged in joint economic activity, including its employees;
- A commitment shall exist in the binding corporate rules that the rights of the person concerned can be exercised; and
- Binding corporate rules shall include the matters specified by the Regulation.
It shall be noted that the Board is entitled to expand the context above and that transfers can only be executed upon the Board’s approval.
3.2.3. Standard Contracts and Notification
Personal data may be transferred abroad by executing a standard contract announced by the Board, which contains matters such as data categories, purposes of data transfer, recipients, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data.
It is mandatory to execute the standard contracts announced by the Board without any modification, except at the points where the content is indicated as optional or as having alternatives. The prevailing language of the standard contract is Turkish; accordingly, even if the parties execute standard contracts in different languages, their signatures shall be present in the Turkish version. After due execution, standard contracts shall be submitted to the PDPA with supporting documents.
Standard contracts include four standard sections which might be slightly changed depending on the contract type, namely:
- General provisions, that include provisions regarding the purpose, scope, impact and characteristics of the standard contract and its status against other agreements between parties, scope of the rights of persons concerned, and interpretation of the contract;
- Obligations of parties, that include provisions regarding the protection of personal data depending on the type of contract, remedies, liabilities, and the power of the Board;
- Obligations under national law and access by public authorities; and
- Final provisions that include actions taken in case of noncompliance and rules regarding termination and return or destruction of personal data, governing law, and jurisdiction.
The details regarding the transfer of personal data subject to the standard contract shall be included in the annexes to the standard contract and these shall form an integral part of the same.
The execution of the standard contracts and, if any, the amendments regarding the information contained therein shall be notified to the PDPA within 5 (five) business days following the execution.
3.2.4. Letter of Undertaking and Authorization
Personal data may be transferred abroad in the presence of a written undertaking containing provisions framed by the Board to ensure adequate data protection.
Undertakings are not completely predesigned like standard contracts and, unlike binding corporate rules, offer extensive usability. Accordingly, undertakings allow a wider range of options for structuring a specific international transfer. However, it shall be highlighted that transfers through a letter of undertaking can only be executed upon the Board’s authorization.
3.3. Exceptional Situations
In the absence of an adequacy decision and if any of the appropriate safeguards cannot be provided, personal data may be transferred abroad only in the presence of one of the following exceptional and incidental [1] transfer situations:
- Explicit consent of the data subject who is informed about the possible risks.
- The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.
- The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
- The transfer is necessary for an overriding public interest.
- The transfer of personal data is mandatory for the establishment, exercise or protection of a right.
- The transfer of personal data is mandatory for the protection of the life or physical integrity of the person, or of a third person, who is unable to give consent due to actual impossibility or whose consent is not legally valid.
- Transfer from a registry open to the public or persons with a legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.
Contrary to other transfer mechanisms, in transfers based on exceptional situations, it is not required to fulfil the generic personal data processing conditions, but the existence of exceptional transfer conditions is sought. Further, transfers based on incidental circumstances require neither authorization nor approval of the Board, nor any notification.
4. Subsequent Transfers
The new international data transfer regime also applies to subsequent transfers. Accordingly, initial foreign recipients of data shall be obliged to transfer data abroad only by ensuring sufficient protection and compliance with the PDPL. A subsequent transfer shall rely on a valid transfer mechanism and maintain equivalent safeguards regardless of whether the subsequent recipient is a third country, a private entity, or an international organization.
5. Conclusion
With the new framework, compliance with data transfer regulation rests on clearer and more structured grounds. The tiered regime for international transfers, together with the incidental transfer mechanism, ensures protection of data subjects’ rights and accommodates a broad range of diversified transfer requirements. Data controllers and processors are advised to review their personal data transfer methods and select the most suitable mechanism for their cross-border transactions. Considering the obligations envisaged for subsequent transfers, data flows shall be periodically reviewed.
***
[1] Transfers that are irregular, that occur only once or a few times, and that are not continuous and not in the ordinary course of business are incidental.
***