Navigating Türkiye's Updated International Data Transfer Rules: What You Need to Know

In 2024, Türkiye introduced significant updates to its international data transfer rules, aligning them more closely with the GDPR. Following this legislative update, Türkiye’s data protection authority (KVKK) published SCC-like clauses and an application form for BCRs. KVKK also recently issued detailed guidelines (available here in Turkish), providing clarity on the definition of cross-border transfers and the application of appropriate safeguards under the new regime.

These changes, much awaited by businesses in Türkiye, now offer clearer guidance and more practical solutions for compliant cross-border transfers of personal data. 

The Previous Regime: An Infeasible Framework

Before the updates, Türkiye’s data protection rules regarding international transfers were restrictive and not particularly practical. Under the previous system, cross-border data transfers were only permitted if controllers (i) obtained explicit consent from the data subjects, or (ii) entered into a written undertaking (pre-defined bilateral agreement or binding corporate rules) and obtained approval from KVKK for that undertaking.

This framework created significant challenges for businesses. As noted in KVKK’s guidelines, the authority has received over 80 applications for approval of written undertakings, but only a few have been granted approval. This regime has therefore left the businesses in Türkiye with limited options for transferring personal data to jurisdictions outside the country, leading to uncertainty around compliance. 

New Regime: Streamlined and Aligned with GDPR

Türkiye now has a more streamlined and practical framework for international data transfers. The new rules are largely aligned with the GDPR, marking a significant improvement in the ability to conduct compliant data transfers between Türkiye and other countries. Below are the key components of the new regime:

• Adequacy:  This mechanism remains in place, where personal data can be transferred to a third country if that country offers an adequate level of protection. However, no countries have yet been officially recognised by Türkiye as providing adequate protection for personal data.
• SCC-like clauses: KVKK has introduced a set of SCC-like clauses (available here in English), similar to those used under the GDPR, to ensure that personal data transferred out of Türkiye is adequately protected. These clauses offer businesses a standard legal mechanism for cross-border transfers, making it easier to transfer personal data without requiring individual approval from KVKK. However, businesses are required to notify KVKK within five business days of executing these clauses.
• BCRs: The updated rules also include an application form and guidance for BCRs (available here in English), which are subject to KVKK’s approval. BCRs provide an internal compliance framework for multinational companies to transfer personal data within their corporate groups while ensuring compliance with data protection standards. 
• Derogations: In addition, the new framework acknowledges derogations in specific situations. These derogations include circumstances such as when the data subject has explicitly consented to the transfer, when the transfer is necessary for the performance of a contract, or when an overriding public interest is at play. Similar to the GDPR, these derogations are only intended for one-off or non-repetitive transfers.

In addition, under the new regime, executing a written undertaking and seeking KVKK’s approval remains a valid mechanism; however, as of 1 September 2024, explicit consent is no longer considered a valid mechanism for regular or repeated international transfers.

The Next Steps for Businesses in Türkiye

Türkiye’s updated international data transfer rules are a much-needed step toward aligning the country’s data protection framework with global standards, particularly the GDPR. The introduction of SCCs and BCRs provides businesses with clear, standardised tools to ensure that personal data is protected when transferred internationally. 

If your business in Türkiye engages in the international transfer of personal data, you should review your existing contracts with international partners and implement the necessary safeguards where applicable. In addition, it is important to review intra-group data sharing agreements to ensure that they reflect these changes. 

We would like to thank Melis Mert, Senior Associate at BTS & Partners, Istanbul, for her input into this blog.