This article describes the transfer of personal data to third parties abroad under Turkish Personal Data Protection Law No 6689 (hereinafter referred to as “KVKK”). It also includes the summary of the Turkish Personal Data Protection Boards’ (hereinafter referred to as ‘the Board’) decision evaluating the cross-border transfer of personal data by a data controller relying on Convention 108.

The Board’s full announcement is available online here

Transferring Personal Data Abroad

Article 9 (nine) of the KVKK, titled Transfer of Personal Data Abroad, regulates the transfer of personal data abroad.

A cross-border transfer could take place, if:

1) the explicit consent of the data subject is provided, or

2) there is adequate protection provided, or

3) if there is not adequate protection in the foreign country, by obtaining the permission of the Board, based on the data processing conditions specified in paragraph (2) of Article 5 and Article 6 (3) of the Law,

Countries with adequate protection levels shall be determined and announced by the Board. Despite the Board’s requirement to publish a list of countries offering an adequate level of protection, no country has yet been appointed due to a lack of reciprocity with other countries. As a result, organizations/companies could not currently rely on the legal reason that the “destination country ensures an adequate level of data protection.”

Furthermore, The Board may use the criteria in paragraph 4 of Article 9 to determine whether the foreign target country offers adequate protection and whether the transfer is permitted under the previous subparagraph (b) of paragraph 2.

The Board introduced the concept of Binding Corporate Rules (“BCR“) as a different approach for transferring data between multinational group companies where the destination country does not provide adequate protection. Therefore, binding corporate rules may be submitted to the Board for approval, and this approval is necessary to transfer personal data between multinational group companies legally without obtaining explicit consent.

Decision on Cross-Border Data Transfer

It is widely known that companies with foreign headquarters frequently provide software systems like CRM and ERP across the globe. Most Turkish companies utilize software, email, and cloud storage services provided by foreign companies with servers located abroad. Some companies either avoid using these software and storage systems or are unsure of how they will comply with the KVKK if they do.

•  Complaint

A data subject complained to the Board about a company in the automotive industry that transferred personal data abroad without the data subject’s explicit consent. According to Decision No. 2020/559, the data controller was sending emails and other messages to its customers via its web-based digital marketing software, which requires sending customers’ personal data to a cloud-based server in a European Union member state. 

•   Data Controller’s Response 

In response to the complaint, the data controller claimed that; (i) the explicit consent of the data subjects whose personal data had been transferred abroad was obtained, (ii) the transfer of personal data via its web-based digital marketing software to its data processor was necessary for data controllers legitimate interests, (iii) Cross-border data transfers may not be prohibited or subject to special authorization under Article 12 of the Convention No. 108, to which Turkey is a party, and there were no legal restrictions in this area in Turkey. Additionally, (iv) under Article 2 of Additional Protocol No. 181 to the Convention No. 108, the determination of whether a country provides an adequate level of protection may only be made by the carrier. As a result, the cross-border data transfer to its data processor in the European Union was legal and based on both its legitimate interests and Convention No. 108.

• The Board’s Opinion

The Board mentioned that neither the privacy notice nor the explicit consent form submitted by the data controller to data subjects didn’t mention the possibility of a transfer of personal data outside of the country.

The Board also clarified that explicit consent requests must state which categories of personal data are to be processed for which specific purposes if a data processing activity necessitates obtaining consent for more than one category of personal data. Additionally, data controllers must obtain explicit consent before further processing except for sending marketing emails.

Additionally, The Board states that countries that are signatories to Treaty No. 108 cannot be assumed to have an adequate level of protection without further assessment. The Board noted that being a party to the agreement to Treaty No. 108 could be used as one of the criteria in the Board’s assessment of countries that have an adequate level of protection. It stated that within the scope of the obligations regarding data security under the Law, “the obligation to prevent the unlawful processing of personal data” was not fulfilled and the data controller has imposed an administrative fine of TRY 900,000.

• In Conclusion

The Board clarified that a cross-border transfer to an “unsafe” country without the data subject’s explicit consent is only possible if parties undertake adequate protection in written form and obtain Board’s approval, as per (b) subparagraph of the second paragraph of Article 9 of the Law, by also considering the Board’s instructions.

Cross-border data transfer has become one of the most contentious issues in Turkish data protection law because the Board has not yet declared any country “safe” and does not appear to be able to rapidly complete the approval process. As a result, data controllers’ only option in the short term is to obtain explicit consent for cross-border transfers.

For integrating with GDPR, amendments to the Turkish Data Protection Legislation’s provisions on cross-border data transfers are on The Turkish government’s agenda. These amendments are expected to help companies in overcoming the challenges associated with complying with cross-border data transfer rules.