7 January 2025
On January 2, 2025, the Personal Data Protection Authority (“KVKK”) published the Guidelines on the Transfer of Personal Data Abroad (“Guidelines”), which guide the implementation of the legislation on the transfer of personal data abroad. In particular, the Guidelines aim to shed light on the implementation of the amendments made to Article 9 of the Law No. 6698 on the Protection of Personal Data (“Law”). The Guidelines, which are of critical importance for both data controllers and data processors, provide an important roadmap for conducting data transfer processes in a transparent and lawful manner.
The main purpose of the Guidelines is to clarify the procedures to be followed during the transfer of personal data abroad within the framework of Article 9 of the Law and the appropriate assurance mechanisms determined by the LPPD. The Law has been reorganized in line with the European Union's General Data Protection Regulation (GDPR) in order to overcome the difficulties encountered especially in international data transfers. In this context, the Guidelines address in detail both data transfers to countries with adequacy decisions and situations where appropriate safeguards need to be provided.
The Law facilitates the transfer of personal data to a country if that country has an adequacy decision either in general or on the basis of specific sectors. However, for countries that do not have an adequacy decision, the ability to transfer data is based on one of four main safeguards:
Where an adequacy decision or appropriate safeguards cannot be provided, data transfer is permitted in certain exceptional circumstances. These circumstances include obtaining the explicit consent of the data subject, observing the public interest or preventing a vital harm. However, these transfers should not be continuous and should be incidental.
The amendments to the law aim to facilitate international data transfers, especially at a time of rapid digitalization. However, the details highlighted in the Guidelines also indicate that companies need to make a serious compliance effort in their data transfer processes. Therefore, it is of great importance for companies to carefully review the guidance and update their data processing policies.
This guidance, published by KVKK, aims to ensure data security and business continuity by providing clearer rules and standards on the transfer of personal data abroad. For companies, acting in accordance with the guidance is a strategic necessity in terms of both legal compliance and increasing customer trust.
Burcu Dal Gökalp
Partner
bdg@guner.av.tr
Yiğit Narin
Associate
yn@guner.av.tr