Executive Summary
Following the 2024 reforms to KVKK Article 9 and subsequent secondary rules and guidance, Türkiye now operates a three-tier model for sending personal data abroad:
- Adequacy decisions (where available);
- Appropriate safeguards (notably Standard Contracts, Undertakings, and Binding Corporate Rules);
- Derogations for occasional/exceptional situations.
The Authority has published four role-based Standard Contract templates (Controller→Controller, Controller→Processor, Processor→Processor, Processor→Controller). These must be notified to the Authority within 5 business days of signature, and changes/termination must also be notified. For complex or non-templated risk profiles, Undertakings remain viable (subject to Board approval). For large, continuous intra-group flows, BCRs provide a scalable, single-policy solution (also subject to approval).
The bottom line for practitioners: map your transfers, choose the right legal route (Adequacy → Safeguard → Derogation), perform a Transfer Impact Assessment (TIA), align DPIA where high-risk processing exists, and keep your contractual, technical and organizational controls coherent with your privacy notices and retention policies.
Table of Contents
- KVKK Art. 9 in 2025: The Framework
- Adequacy Decisions: Scope, renewal, strategy
- Appropriate Safeguards (Art. 9/4):
- Standard Contracts: 4 templates, notification, drafting traps
- Undertakings: approval path, pros/cons, when to use
- Binding Corporate Rules (BCRs): approval, contents, governance
- Other tools: codes of conduct & certification
- Derogations: when they apply and how to document
- TIA & DPIA: building defensible documentation
- Sector Playbooks: Cloud/SaaS, HR, Health data
- Common Pitfalls & How to Avoid Them
- Checklists (SCC/Undertaking/BCR)
- Sample Clauses & Annex Structures
- 12-Step Compliance Roadmap
- FAQ (practitioner-level answers)
- SEO notes & content ideas (for legal teams’ websites)
KVKK Art. 9 in 2025: The Framework
The amended Article 9 mirrors the GDPR logic:
- Step 1 — Adequacy available? If the destination country/sector/institution is covered by an adequacy decision and you have a processing ground under KVKK Arts. 5 and 6, you can transfer without extra safeguards (still keep internal documentation and purpose/retention alignment).
- Step 2 — No adequacy? Use appropriate safeguards, such as Standard Contracts, Undertakings (subject to Board approval), or BCRs (subject to approval). Codes of conduct and certification may also serve, once operational.
- Step 3 — Derogations: If neither adequacy nor a safeguard is available, transfers may proceed only in exceptional, occasional scenarios (e.g., explicit consent for a specific transfer, necessity for contract performance, establishment/exercise/defense of legal claims, important public interest, etc.). Routine, ongoing data flows must not rely on derogations.
Practice tip: Your internal privacy governance should make the three-tier logic obvious: adequacy screening, then a safeguards menu with role mapping, then a strictly controlled derogations playbook.
Adequacy Decisions: Scope, Renewal & Strategy
What adequacy is: A formal recognition that a third country (or a sector within a country, or an international organization) ensures a protective level essentially equivalent to KVKK.
What it means for you: If your destination is covered, transfers are operationally simpler. Still, maintain alignment across your records of processing, privacy notices, retention schedules, and incident response plans. Adequacy is dynamic; be prepared to adjust documentation if the Authority reviews or changes scope.
Strategy: In vendor selection and group structuring, a destination that becomes “adequate” can materially lower compliance friction. Keep your contract kit modular so you can switch from a safeguard pathway to adequacy with minimal re-drafting (e.g., by using annexes and change-order clauses).
Appropriate Safeguards (Art. 9/4)
1) Standard Contracts (SCC) — Four Templates & a 5-Business-Day Notification
The Authority released four templates tailored to roles:
- Controller → Controller (C2C)
- Controller → Processor (C2P)
- Processor → Processor (P2P)
- Processor → Controller (P2C)
Mandatory notification: Once signed, a Standard Contract must be notified to the Authority within five business days. If amended or terminated, notify again. For bi-lingual forms, signatures must appear on the Turkish column; ensure language governance in your template instructions.
Ten drafting & operational essentials:
- Stay inside the template rails. Don’t alter mandatory language. Use the variables and annexes to tailor the arrangement.
- Get the roles right. Misclassifying Controller/Processor is the No. 1 failure. Confirm roles via data-flow diagrams and RACI matrices.
- Sub-processor control. For C2P/P2P flows, document approval mechanics, onboarding criteria, and an up-to-date sub-processor registry.
- Concrete security annexes. Spell out encryption at rest/in transit, key management (customer-managed keys if available), backup and continuity, geo-access constraints, and admin access control.
- Data categories & purposes. Synchronize the SCC annexes with your privacy notice, record of processing activities, and retention & deletion policy.
- Change-control & termination. Define how changes propagate (especially data-location changes or new sub-processors) and remember notification duties.
- Bi-lingual mechanics. If you maintain TR/EN text, ensure the Turkish column is signed and the precedence clause is clear.
- Evidence bundle. Keep a “transfer file”: signed SCC, technical annexes, TIA/DPIA, sub-processor list, logs of notifications, and key correspondence.
- Lifecycle vigilance. Revisit SCCs whenever you change vendors, regions, hosting layers, or post-M&A.
- Plan for the clock. Build an internal T-5 business day workflow (signatures → notification pack → KEP/e-module submission checklist).
When SCCs are a great fit: classical SaaS/Cloud procurement, discrete controller-to-controller analytics feeds, processor chains with clear security baselines, and quick deployment needs where Board approval timelines would cause friction.
2) Undertakings — Board-Approved, Highly Customizable
What it is: A bespoke set of transfer commitments that the parties propose for Board approval. It predates the Standard Contracts and remains valuable for non-standard risk profiles.
When to use Undertakings:
- Your processing model doesn’t fit any of the four SCC templates;
- You need additional commitments or sector-specific controls that exceed the SCC’s annex structure;
- You want a non-group arrangement with extensive custom technical/organizational clauses.
Pros / Cons
- Pros: Maximum flexibility; tailor-made safeguards for complex data ecosystems; alignment with industry certifications and client demands.
- Cons: Approval required (timeline, back-and-forth, maintenance). Not ideal for urgent deployments.
Approval file hygiene: Provide a crisp, testable structure—scope and roles, categories and purposes, full security program (crypto, key custody, access control, continuity), audit and supervision, redress and liability, exit & irreversible deletion, and sub-processor governance. Align each promise with a verifiable control (policy, procedure, tooling log, KPI).
3) Binding Corporate Rules (BCRs) — One Policy to Rule Them All (Intra-Group)
What BCRs are: Legally binding rules that govern group-internal transfers. They are ideal for frequent, multi-jurisdiction, multi-system intra-group flows where maintaining dozens of bilateral SCCs is operationally costly.
Approval focus areas:
- Binding effect on all group entities and employees (including enforcement and sanctions);
- Data subject rights (exercise and redress mechanisms);
- Minimum content: scope, roles, transfer types, technical/organizational measures, complaint handling, internal audit, training, and cooperation with the Authority;
- Operationalization: a lived program (audits, periodic reporting, metrics).
When BCRs shine: large multinationals with constant HR, finance, security logging, and R&D flows; global shared services; cloud platforms with regional footprints and internal support escalations.
BCR vs. SCC vs. Undertaking — at a glance
- SCC: fastest route; standardized; immediate with notification.
- Undertaking: flexible but approval-bound; for bespoke risks.
- BCR: strategic investment; scalable governance for group-wide flows.
4) Other Appropriate Safeguards: Codes of Conduct & Certification
KVKK’s architecture anticipates sector codes of conduct and certification as transfer tools. As these ecosystems mature (schemes, accreditation, monitoring), they will support standardized commitments—especially valuable for SME supply chains and regulated verticals.
Derogations (Last-Resort, Occasional)
If you cannot rely on adequacy or build an appropriate safeguard in time, you may use derogations—only for occasional, exceptional transfers. Examples include:
- Explicit consent for a clearly identified transfer;
- Necessity for the performance of a contract with the data subject or to take steps at their request;
- Establishment, exercise, or defense of legal claims;
- Important public interest recognized by law.
Caution: Do not operationalize routine exports under derogations. Document why the transfer is exceptional, how you minimized data, which security measures apply, and why no other route was feasible.
TIA & DPIA: The Backbone of Defensible Compliance
A Transfer Impact Assessment (TIA) evaluates the legal, technical, and practical environment at the destination: surveillance and access regimes, redress mechanisms, regulator independence, vendor control over data location and keys, sub-processor cascades, and the feasibility of additional technical measures (e.g., strong encryption with customer-held keys).
A DPIA is required where the processing is likely to result in high risk (large-scale monitoring, sensitive categories, profiling, automated decisions with legal effects). Its conclusions should align with your SCC/Undertaking/BCR annexes, your privacy notice, and your retention & deletion schedule.
Documentation pack to maintain:
- TIA narrative and references;
- DPIA (if applicable);
- Security architecture (encryption, key management, IAM, logging, backup/DR);
- Sub-processor register & change logs;
- Copies of notifications, approvals, and board minutes;
- Evidence of user rights handling and complaint channels.
Sector Playbooks
A) Cloud / SaaS (CRM, email, storage, analytics)
- Role mapping: Turkish customer typically Controller, cloud provider Processor → use C2P template.
- Sub-processors: IaaS, support desks, monitoring tools → pre-approval mechanics, rapid change notifications, exit plans.
- TIA focal points: data-center regions, encryption & key custody (prefer customer-managed keys), remote admin access, backup locations, and incident SLAs.
- Operational tip: maintain a “transfer ledger” per vendor: SCC version, annexes, TIA snapshot, sub-processor list, and notification IDs.
B) HR & Payroll (global HRIS)
- Frequent intra-group flows lend themselves to BCRs. Without BCRs, use C2C for controller-to-controller HR exchanges, and P2P for processor chains (e.g., outsourced payroll + benefits administrators).
- Protect special categories (health, biometrics) with pseudonymization, separate key custody, and strict role-based access.
C) Health & Special Categories
- Emphasize minimization, pseudonymization, immutable audit logs, and separate encryption keys.
- For research collaborations, isolate datasets, set short retention periods, and design a clean exit & irreversible deletion routine.
Common Pitfalls & How to Avoid Them
- Wrong template (confusing C2C/C2P/P2P/P2C).
→ Build a role matrix and a BPMN data-flow diagram; validate with IT/security.
- Missing the 5-day notification window after SCC signature.
→ Automate an internal “T-5 business day” workflow with owners and backups.
- Bi-lingual signature mistakes (no signature on the Turkish column).
→ Add a pre-signing checklist and a document controller role.
- Weak sub-processor governance.
→ Keep an authoritative register, define onboarding criteria, and set change-notification SLAs; cascade SCC/Undertaking terms.
- Over-use of explicit consent to justify routine exports.
→ Treat derogations as exceptional; move routine flows to SCC/Undertaking/BCR.
- Misalignment between SCC annexes, privacy notice, and retention rules.
→ Synchronize artefacts through a quarterly privacy governance review.
- Static TIAs in a changing vendor stack.
→ Revisit the TIA when you add regions or new services, or when a major incident occurs.
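The first two pitfalls (wrong template, missed 5-business-day window) and the weak sub-processor register are the kind of checks a “transfer ledger” can run mechanically. The following Python is an added illustration written for this article; it is not a tool of the Authority and does not implement any official counting rule. It assumes a ledger record with the fields shown, counts the deadline from the first business day after signature (confirm that convention with counsel), and uses a constructed, deliberately incomplete holiday list in place of the official Turkish calendar.

```python
"""Mechanical checks over a KVKK Standard Contract transfer ledger (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Role pair (exporter, importer) -> Standard Contract template named in the article.
TEMPLATES = {
    ("controller", "controller"): "C2C",
    ("controller", "processor"): "C2P",
    ("processor", "processor"): "P2P",
    ("processor", "controller"): "P2C",
}

NOTIFICATION_BUSINESS_DAYS = 5

# Constructed, partial holiday list for illustration only; load the official calendar in practice.
SAMPLE_HOLIDAYS = frozenset({date(2025, 4, 23), date(2025, 5, 1), date(2025, 5, 19)})


def select_template(exporter_role: str, importer_role: str) -> str:
    """Pick the SCC template from the two parties' roles; unknown pairs are an error, not a guess."""
    key = (exporter_role.strip().lower(), importer_role.strip().lower())
    if key not in TEMPLATES:
        raise ValueError(f"no Standard Contract template for roles {key}")
    return TEMPLATES[key]


def notification_deadline(signed_on: date, holidays: frozenset[date] = frozenset()) -> date:
    """Last day to notify the Authority: the 5th business day after signature (assumed convention).

    Weekends and any supplied holidays are skipped; the signature day itself is not counted.
    """
    day, remaining = signed_on, NOTIFICATION_BUSINESS_DAYS
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            remaining -= 1
    return day


@dataclass
class TransferRecord:
    vendor: str
    exporter_role: str
    importer_role: str
    template_used: str
    signed_on: date
    notified_on: Optional[date] = None
    sub_processors: list[str] = field(default_factory=list)   # what the vendor actually uses
    registered: list[str] = field(default_factory=list)       # what your register says


def check_record(rec: TransferRecord, today: date,
                 holidays: frozenset[date] = frozenset()) -> list[str]:
    """Return human-readable findings; an empty list means the record passes these checks."""
    findings: list[str] = []
    expected = select_template(rec.exporter_role, rec.importer_role)
    if rec.template_used != expected:
        findings.append(f"wrong template: {rec.template_used} used, {expected} expected")

    deadline = notification_deadline(rec.signed_on, holidays)
    if rec.notified_on is None:
        state = "overdue" if today > deadline else "pending"
        findings.append(f"notification {state}, deadline {deadline.isoformat()}")
    elif rec.notified_on > deadline:
        findings.append(f"notified late on {rec.notified_on.isoformat()} (deadline {deadline.isoformat()})")

    missing = sorted(set(rec.sub_processors) - set(rec.registered))
    if missing:
        findings.append("sub-processors not in register: " + ", ".join(missing))
    return findings


def run_demo() -> dict:
    """Constructed record: a C2P flow mistakenly signed on the C2C template, not yet notified."""
    rec = TransferRecord(
        vendor="example-crm",            # hypothetical vendor name
        exporter_role="Controller", importer_role="Processor",
        template_used="C2C",
        signed_on=date(2025, 4, 18),     # a Friday; 23 April falls inside the window
        sub_processors=["iaas-host", "support-desk", "log-analytics"],
        registered=["iaas-host", "support-desk"],
    )
    findings = check_record(rec, today=date(2025, 4, 29), holidays=SAMPLE_HOLIDAYS)
    return {
        "deadline": notification_deadline(rec.signed_on, SAMPLE_HOLIDAYS).isoformat(),
        "deadline_no_holidays": notification_deadline(rec.signed_on).isoformat(),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in run_demo()["findings"]:
        print("-", line)
```

Running it flags the template mismatch, reports the notification as overdue (the 23 April holiday pushes the deadline from 25 April to 28 April), and names the unregistered sub-processor; wire `check_record` into whatever holds your ledger and run it on every signature, vendor change, or register update.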
Checklists
SCC Quick Check
- Correct role template selected (C2C/C2P/P2P/P2C).
- Annexes complete: purposes, categories, recipients, retention, security.
- Notification prepared for submission within 5 business days of signature.
- Bi-lingual: Turkish column signed; precedence clause vetted.
- Sub-processor governance: approval path, register, change notices.
- Evidence bundle: signed SCC + annexes, TIA/DPIA, notifications, correspondence.
Undertaking Check
- Minimum content covered (scope/roles, categories/purposes, TOMs, audits, redress/liability, sub-processors, exit).
- Board approval requested/obtained; versioning managed.
- TIA/DPIA aligned with bespoke commitments; proofs attached.
BCR Check
- Binding effect across the group (policies, employment terms, sanctions).
- Data subject rights (exercise, complaint, redress, liability).
- Internal audit & training programs scheduled with metrics.
- Cooperation & reporting mechanics toward the Authority.
- Up-to-date register of intra-group data flows.
Sample Clauses & Annex Structures (Illustrative)
Disclaimer: Illustrative language only. Tailor to your facts and obtain legal review.
Security Annex Highlights (attach to SCC/Undertaking/BCR):
- Encryption: FIPS 140-validated cryptographic modules (validation applies to modules, not to bare algorithms); key rotation every 90 days; customer-managed KMS where available; split-knowledge and dual-control for HSM key ceremonies.
- Access Control: Role-based access (RBAC), least privilege, privileged access management (PAM) with just-in-time elevation; geo-IP restrictions for admin sessions.
- Logging & Monitoring: Immutable logs, 12-month retention, SIEM correlation rules for export-relevant events; quarterly log reviews.
- Business Continuity: RPO ≤ 24h, RTO ≤ 8h; DR tests semi-annually; regional failover plans documented.
- Incident Response: 72-hour regulator notification objective; customer notice pathway; vendor-to-customer incident SLAs; post-mortem within 10 business days.
Sub-Processor Clause Snippets:
- Prior written authorization model with ten-day objection window;
- Onboarding checklist (security review, TIA delta, contractual cascade);
- Rolling public list of sub-processors + change-notification feed;
- Exit assistance on termination and provable deletion of data.
Exit & Deletion:
- Return in machine-readable format within 30 days;
- Irreversible deletion (e.g., media sanitization in line with NIST SP 800-88, or cryptographic erasure by destroying the data-encryption keys);
- Certificate of destruction;
- Survival of confidentiality, audit, and liability clauses.
12-Step Compliance Roadmap
- Inventory & mapping: systems, countries, vendors, purposes, categories.
- Role determination: controller/processor/joint controller, with RACI.
- Adequacy screen: can you rely on an adequacy decision?
- Safeguard selection: SCC vs. Undertaking vs. BCR (plus codes/certification when available).
- TIA and, where applicable, DPIA (high-risk processing).
- Contract annexes: security, sub-processors, retention & deletion.
- Sub-processor procedure: approval, registry, notification SLA.
- Notification prep: signatures, KEP/e-module, 5-day timer.
- Policies & training: embed commitments into do-able processes.
- Monitoring & audits: log reviews, KPI dashboards, corrective actions.
- Change management: vendor/region/service changes trigger review + notifications.
- Incident handling: 72-hour notification objective; playbooks and drills.
FAQ
Q1: Which route is “fastest” to operationalize?
A: Standard Contracts are typically quickest (no prior approval), provided you can complete annexes, submit the 5-day notification, and demonstrate security controls. Undertakings and BCRs require approval and therefore longer lead times.
Q2: Can we rely on explicit consent for ongoing exports?
A: Treat consent as a derogation for occasional, exceptional cases. For routine flows, use SCC/Undertaking/BCR (or adequacy where available).
Q3: We use bi-lingual contracts. Which text prevails?
A: Keep a language-precedence clause and ensure signatures on the Turkish column where the templates require it. Align annex content across languages.
Q4: Our cloud provider keeps adding sub-processors. How do we stay compliant?
A: Contract for advance notice, maintain a register, re-evaluate your TIA on material changes, and manage objections/escalations through a defined SLA.
Q5: Do BCRs replace SCCs?
A: For intra-group transfers, yes—BCRs can replace a web of SCCs with one approved framework. For external vendors, you’ll still use SCCs or Undertakings.
Final Takeaways
- Don’t start with consent. Start with Adequacy → Safeguards → Derogations.
- Choose the right instrument: SCC for speed and standardization; Undertaking for bespoke needs; BCR for scalable intra-group governance.
- Prove it on paper: TIA/DPIA, coherent annexes, and an evidence bundle.
- Make it sustainable: registers, notifications, change-control, and periodic reviews.
- Design for exit: reversibility and verifiable deletion are not afterthoughts—they’re non-negotiables.