Cross border data transfers from Turkiye KVKK Art 9 is no longer a niche topic for privacy lawyers only. After the recent amendments to the Personal Data Protection Law (KVKK), Article 9 has been reshaped into a more structured, but also more demanding regime. The old “just get explicit consent and send the data abroad” mentality has been replaced by a layered model built on legal processing grounds, transfer mechanisms and narrowly defined exceptions.
This guide explains, in practical terms, how standard contracts, undertakings, binding corporate rules (BCRs) and other alternatives can be used to build a compliant transfer framework for data leaving Türkiye.
1. The new logic of KVKK Article 9
The starting point is simple but strict: you can only transfer personal data abroad if:
- The processing itself has a legal ground (KVKK Articles 5–6: contract performance, legal obligation, legitimate interest, explicit consent, etc.), and
- The transfer satisfies one of the permitted routes under Article 9.
Article 9 now works in layers:
- First layer – Adequacy: if there is an adequacy decision for a given country, sector or international organisation, transfers to that destination can be made on the basis of that decision, provided the underlying processing conditions are satisfied.
- Second layer – Appropriate safeguards: if there is no adequacy, you need one of the structured tools such as standard contracts, binding corporate rules or written undertakings.
- Third layer – Exceptions: only if none of those work can you fall back on exceptional transfer grounds (explicit consent informed of risks, contract performance, public interest, legal claims, vital interests, public registers, etc.), which are designed for one-off or incidental scenarios, not daily business flows.
For most organisations, the second layer is where the real work—and risk—now sits.
2. Standard contracts: Türkiye’s main operational tool
2.1. What are standard contracts?
Standard contracts are pre-approved contractual templates issued by the data protection authority for different exporter–importer relationships, such as:
- controller in Türkiye → controller abroad
- controller in Türkiye → processor abroad
- processor in Türkiye → controller abroad
- processor in Türkiye → processor abroad
They are essentially Türkiye’s version of “SCCs”: the core wording is fixed and cannot be rewritten, but the parties can complete annexes, select certain options and add commercial clauses that do not contradict the mandatory content.
Standard contracts usually cover:
- identification of exporter and importer,
- purposes and scope of the transfer,
- categories of data and data subjects,
- legal bases and retention periods,
- security and confidentiality obligations,
- rules on sub-processors and onward transfers,
- audit, cooperation and liability provisions.
2.2. How do you use them in practice?
For cross-border data transfers from Türkiye under KVKK Article 9, a compliant standard-contract set-up has three main steps:
- Choose the correct module
Identify whether you are acting as a controller or processor and what the role of the non-Turkish party is. Using the wrong module (for example, treating a processor as a controller) can undermine the whole mechanism. - Fill in the annexes with real information
This is where most mistakes happen. You should:- describe the activities of each party (what each one actually does to the data),
- list data subject categories (employees, customers, website users, suppliers, etc.),
- list data categories (identification, contact details, financial data, health data, usage logs, etc.),
- explain purposes, frequency of transfers and retention periods,
- document technical and organisational security measures.
- Sign and notify
The contract must be signed by persons who are properly authorised for each party. For foreign entities, corporate documents and signature proofs may be needed for internal compliance.
Once signed, the exporter in Türkiye must notify the authority within the legal deadline. Skipping the notification step means you are transferring data abroad without a valid safeguard in place.
Standard contracts work particularly well for ongoing, structured data flows such as cloud hosting, HR systems, CRM, ticketing tools and group IT services.
3. Written undertakings: flexible but approval-based
Before the standard contract regime, the main tool for many companies was a written undertaking submitted to the authority for approval. This mechanism still exists, but its position has changed.
3.1. What is a written undertaking?
A written undertaking is a bespoke document in which the Turkish exporter and the foreign recipient promise that:
- the recipient will provide a level of protection “at least as adequate” as KVKK,
- both parties will comply with specific safeguards, security measures and data subject rights,
- onward transfers will also comply with defined guarantees.
Unlike standard contracts, there is more room to customise the wording and adapt it to highly specific or complex group structures.
3.2. Pros and cons
Advantages:
- Flexibility for unusual structures (multi-jurisdiction groups, complex outsourcing, niche services).
- Possibility to integrate KVKK and GDPR concepts into a single harmonised document.
Disadvantages:
- It requires prior approval by the authority, which takes time and may involve back-and-forth correspondence.
- Until approval is granted, you cannot rely on the undertaking as a valid safeguard.
- Any material change in the transfer scenario may require a revised submission.
Today, written undertakings are more appropriate where standard contracts clearly do not fit or where a group wants a single, consolidated framework that still needs Turkish approval.
4. Binding Corporate Rules (BCRs): the high-end solution
BCRs are internal, group-wide rules that govern how personal data is protected and transferred within a corporate group across borders.
4.1. Nature and scope
A BCR framework typically:
- applies to all entities in the group (controllers and/or processors),
- sets a common standard on data protection principles, security, transparency, data subject rights and complaint handling,
- defines enforceability both for data subjects and for the authority,
- includes mechanisms for audits, internal reporting and sanctions in case of non-compliance.
For a group that already uses EU-style BCRs, there is a natural interest in having these rules recognised under KVKK as well, so that intra-group transfers from Türkiye can rely on a single, coherent mechanism.
4.2. When BCRs make sense
BCRs are not for everyone. They are:
- expensive and time-consuming to design,
- subject to supervisory authority review and approval,
- most suitable for large, multinational groups with significant cross-border traffic and a mature privacy programme.
For a smaller company in Türkiye, BCRs are usually overkill. For a global group that treats Türkiye as an important hub, however, a BCR route can create a very stable long-term legal basis for transfers.
5. Practical alternatives and exceptional cases
Even with standard contracts, undertakings and BCRs, there will be situations where none of these tools are available or proportionate. Article 9 therefore recognises exceptional transfer grounds, which must be interpreted narrowly.
Examples include:
- Explicit consent with full risk information
The data subject gives explicit, informed consent after being clearly told that the destination country may not offer an adequate level of protection and that no appropriate safeguards are in place. This is a last resort and should not be used for routine, structural transfers. - Contract performance or pre-contractual steps
Transfers necessary to perform a contract between the data subject and the controller (for example, sending booking details to a foreign hotel) or to take pre-contractual steps at the individual’s request. - Important public interest or legal claims
Transfers necessary for important public interest reasons, for the establishment, exercise or defence of legal claims, or for vital interests where the person is unable to give consent. - Data manifestly made public by the data subject
Transfers based on data that the individual clearly made public, within the limits of the purpose for which it was made public.
These are useful safety valves, but they are not a substitute for structured mechanisms. For a serious organisation, exceptional grounds should appear only as narrowly documented exceptions, not as a general policy.
6. Building a practical compliance strategy
For a company that regularly performs cross-border data transfers from Türkiye (KVKK Art. 9), a realistic roadmap looks like this:
- Map your transfers
Identify all systems and flows where Turkish personal data leaves Türkiye: cloud, email, HR, payroll, analytics, ticketing, support, intra-group reporting, vendors, etc. - Check processing grounds
For each flow, confirm the legal basis under KVKK (contract, legal obligation, legitimate interest, explicit consent, special categories). - Choose the main safeguard
- For typical vendor relationships: standard contracts.
- For complex group structures: possibly BCRs or, if needed, written undertakings.
- Upgrade contracts and notifications
Put the correct standard contracts in place, fill in annexes properly, sign with the right parties, and make all required notifications to the authority. - Document exceptional flows
For cases where you rely on explicit consent or other exceptions, keep a clear record of the reasoning, the risks explained, and why no other safeguard was suitable. - Integrate into governance
Update privacy notices, records of processing, vendor management procedures, incident response plans and internal privacy policies so that cross-border transfers are controlled and monitored—not accidental.
Handled this way, cross-border data transfers from Türkiye under KVKK Article 9 stop being a constant fire drill and become a managed, defensible part of your compliance framework.
Yanıt yok