Cross-Border Data Transfers Under Turkish Personal Data Protection Law

Introduction

Cross-border data transfers have become one of the most important compliance issues under Turkish Personal Data Protection Law. Companies operating in Turkey frequently use foreign cloud servers, international software providers, global CRM systems, HR platforms, payment processors, analytics tools, customer support systems, cyber security tools, and group company databases located outside Türkiye. Each of these activities may involve the transfer of personal data abroad.

Under Turkish law, the transfer of personal data abroad is not treated as a simple technical operation. It is a regulated legal activity that must comply with Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. The most important provision governing international transfers is Article 9, titled “Transfer of Personal Data Abroad.” This article was significantly amended in 2024, creating a more structured transfer regime based on adequacy decisions, appropriate safeguards, standard contracts, binding corporate rules, written commitments, and limited exceptional transfer grounds.

For local and foreign companies, the new regime requires a careful legal review of all international data flows. A company may be fully compliant in relation to domestic processing but still face legal risk if it transfers personal data abroad without satisfying Article 9 requirements. Therefore, cross-border data transfer compliance should be treated as a central part of every KVKK compliance program.

What Is a Cross-Border Data Transfer?

A cross-border data transfer occurs when personal data processed in Türkiye is transferred, disclosed, made accessible, stored, or otherwise transmitted to a person, company, server, system, or organization located outside Türkiye. The concept should be interpreted broadly. A transfer may occur not only when a company actively sends a file abroad, but also when a foreign service provider remotely accesses personal data stored in Türkiye or when data collected in Türkiye is stored on foreign cloud infrastructure.

For example, the following activities may constitute cross-border transfers under Turkish Personal Data Protection Law:

A Turkish e-commerce company stores customer data on servers located in Germany.
A Turkish subsidiary uploads employee data to the global HR system of its parent company in the United States.
A hospital in Türkiye uses foreign medical software that stores patient data abroad.
A mobile application operating in Türkiye sends user analytics to a foreign analytics provider.
A Turkish company uses an international CRM platform for customer management.
A foreign call center accesses Turkish customer records.
A multinational company transfers Turkish employee data to its regional headquarters for internal audit, compliance, payroll, or reporting purposes.

In each case, the company must identify whether personal data is being transferred abroad and whether the transfer is lawful under KVKK Article 9.

Why Cross-Border Data Transfers Are Highly Regulated

International data transfers create additional privacy risks because once personal data leaves Türkiye, it may become subject to foreign laws, foreign authorities, different security standards, different judicial remedies, and different regulatory systems. Data subjects may face practical difficulties in exercising their rights against foreign recipients. Turkish regulators may also face difficulties in supervising foreign entities.

For this reason, Turkish law does not permit unrestricted transfer of personal data abroad. Article 9 requires that certain legal conditions be met before such transfers take place. The amended system aims to balance commercial necessity with data subject protection. It recognizes that modern business cannot function without international data flows, but it also requires enforceable safeguards, effective remedies, and transparent documentation.

The 2024 Amendment to KVKK Article 9

The 2024 amendment is a turning point for international data transfers in Türkiye. Article 9 of Law No. 6698 was amended by Article 34 of Law No. 7499. Following this amendment, the Turkish Personal Data Protection Authority announced English translations of the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad and the standard contract texts prepared for international transfer compliance.

Before the amendment, international transfers often depended heavily on explicit consent or Board-approved commitments. This created practical difficulties for businesses, especially multinational companies, technology service providers, cloud-based platforms, and companies with regular intra-group data flows. The amended Article 9 creates a layered model. It first looks at whether there is an adequacy decision. If not, it allows transfers through appropriate safeguards. If neither adequacy nor appropriate safeguards are available, limited exceptional transfers may be possible, provided that the transfer is incidental.

This structure is closer to modern international data transfer models and provides companies with more predictable compliance tools. However, it also imposes strict documentation, notification, and risk assessment obligations.

First Layer: Adequacy Decisions

Under amended Article 9, personal data may be transferred abroad by data controllers and data processors if one of the processing conditions under Articles 5 or 6 is met and there is an adequacy decision regarding the country, sector within that country, or international organization to which the transfer will be made.

An adequacy decision means that the Turkish Personal Data Protection Board considers the recipient country, sector, or international organization to provide an adequate level of protection for personal data. The Board issues and publishes adequacy decisions in the Official Gazette. The law also states that adequacy decisions must be assessed at least every four years. The Board may amend, suspend, or revoke an adequacy decision with prospective effect if necessary.

When issuing an adequacy decision, the Board considers several factors, including reciprocity between Türkiye and the recipient country, the legislation and practice of the recipient country, the existence of an independent and effective data protection authority, available administrative and judicial remedies, participation in international data protection conventions, membership in relevant international organizations, and international conventions to which Türkiye is a party.

For businesses, the adequacy route is the simplest mechanism. If the recipient country, sector, or organization is covered by an adequacy decision, and the underlying processing condition is satisfied, the transfer may be made without needing standard contracts, binding corporate rules, or written commitments. However, companies must still comply with general KVKK principles, transparency obligations, data minimization, purpose limitation, data security, and retention rules.

Second Layer: Appropriate Safeguards

If there is no adequacy decision, the transfer may still be possible if one of the processing conditions under Articles 5 or 6 is met, data subjects retain enforceable rights and effective legal remedies in the recipient country, and one of the appropriate safeguards listed in Article 9 is provided.

Appropriate safeguards under Article 9 include certain agreements between public institutions or international organizations approved by the Board, binding corporate rules approved by the Board, standard contracts published by the Board, and written commitments approved by the Board.

This is the most important part of the new regime for private companies. In practice, many companies will rely on standard contracts or binding corporate rules, while certain complex or exceptional arrangements may require written commitments and Board approval.

Standard Contracts for Cross-Border Transfers

The standard contract mechanism is likely to become the most widely used tool for international data transfers under Turkish law. Article 9 expressly recognizes standard contracts published by the Board as an appropriate safeguard. These contracts must contain information such as data categories, transfer purposes, recipients and recipient groups, technical and organizational measures to be taken by the data importer, and additional measures for special categories of personal data.

The Authority has published four standard contract types: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. This distinction is important because companies must choose the correct module according to the roles of the parties. A Turkish e-commerce company transferring customer data to an independent foreign business partner may need a controller-to-controller contract. A Turkish data controller using a foreign cloud provider may need a controller-to-processor contract. A foreign processor using a sub-processor abroad may need a processor-to-processor contract. A processor transferring data back to a foreign controller may require a processor-to-controller structure.

The standard contract texts are not ordinary commercial clauses. The controller-to-controller standard contract states that it sets out appropriate safeguards for transferring personal data abroad, including enforceable data subject rights and effective legal remedies in the recipient country, provided that no additions, deletions, or modifications are made. This means that companies should not freely modify the mandatory standard contract text. Commercial terms may be regulated separately, but the standard contract itself must preserve the official structure.

Notification of Standard Contracts

One of the most important procedural obligations under the amended Article 9 is the notification requirement. The standard contract must be notified to the Turkish Personal Data Protection Authority by the data controller or data processor within five business days following its signature.

This is not a mere formality. Failure to fulfill the Article 9/5 notification obligation is subject to administrative fine exposure under Article 18. The law expressly introduced an administrative fine for those who fail to fulfill the notification obligation under Article 9/5.

Therefore, companies should establish an internal workflow for standard contracts. The workflow should identify who signs the contract, who checks the correct module, who prepares the annexes, who files the notification, who stores evidence of notification, and who monitors subsequent changes. In multinational companies, this process should be coordinated between the Turkish legal team, global privacy team, procurement department, IT department, and vendor management team.

Binding Corporate Rules

Binding corporate rules are another important safeguard under Article 9. They are particularly useful for multinational corporate groups that regularly transfer personal data between group companies located in different countries. Article 9 recognizes binding corporate rules approved by the Board and containing provisions on personal data protection that companies within a group of undertakings engaged in joint economic activities must comply with.

Binding corporate rules may be suitable where a multinational group has continuous and systematic intra-group data flows, such as HR data, customer data, compliance data, audit data, finance data, cyber security logs, or whistleblowing reports. However, they usually require significant preparation, internal governance, documentation, and Board approval. For this reason, they may be more practical for large corporate groups than for small companies with limited data transfer activities.

A strong binding corporate rules framework should include data protection principles, data subject rights, complaint mechanisms, audit rights, training obligations, liability rules, onward transfer restrictions, security measures, breach notification procedures, and internal enforcement mechanisms.

Written Commitments Approved by the Board

Another safeguard under Article 9 is the existence of a written commitment containing provisions to ensure adequate protection, together with Board approval for the transfer.

This mechanism may be relevant where standard contracts are not suitable or where the parties require a more specific transfer structure. However, because it requires Board approval, it may be slower and less practical than standard contracts for routine commercial transfers. Companies considering written commitments should prepare detailed documentation explaining the data categories, transfer purposes, recipient identity, security measures, legal basis, data subject rights, remedies, onward transfers, retention periods, and risk mitigation measures.

Exceptional Transfers

If there is no adequacy decision and no appropriate safeguard can be ensured, Article 9 allows international transfers only under limited circumstances, provided that the transfer is incidental. These exceptional circumstances include explicit consent after informing the data subject of potential risks, necessity for contract performance, necessity for a contract concluded for the benefit of the data subject, overriding public interest, establishment, exercise or protection of a right, protection of life or physical integrity where consent cannot be obtained, and transfers from public registries under legal conditions.

The word “incidental” is critical. Exceptional transfer grounds should not be used as a basis for regular, systematic, repetitive, or large-scale international data transfers. For example, a company should not rely on exceptional explicit consent to operate a continuous cloud-based infrastructure if standard contracts or another safeguard should be used. Exceptional grounds should be interpreted narrowly and used only where the transfer is occasional and truly falls within one of the listed circumstances.

Explicit Consent in Cross-Border Transfers

Explicit consent remains relevant under the amended regime, but its role has changed. Under Article 9, explicit consent may be used as one of the exceptional transfer grounds only where there is no adequacy decision and no appropriate safeguard, provided that the transfer is incidental and the data subject has been informed of potential risks.

This means that consent should not be treated as a universal solution for all international transfers. In practice, relying on consent for systematic transfers may be legally risky. Consent must be specific, informed, and freely given. It must also be capable of withdrawal. If a business depends on consent for an essential technical infrastructure, withdrawal may create operational and legal problems.

For this reason, companies should first assess whether an adequacy decision or appropriate safeguard is available. Explicit consent should generally be reserved for limited incidental transfers where no other transfer mechanism can be applied.

Onward Transfers

Article 9 also requires data controllers and data processors to ensure that the safeguards established under Turkish law and Article 9 apply to onward transfers of personal data that has already been transferred abroad, as well as transfers to international organizations.

This is especially important for cloud services, SaaS providers, global support systems, and subcontracting chains. A Turkish company may transfer data to a foreign vendor, but that vendor may then transfer or allow access to another sub-processor in a different country. The Turkish data exporter must assess not only the first transfer but also onward transfers.

Standard contracts, vendor agreements, and data processing addendums should therefore include clear rules on sub-processors, onward transfers, audit rights, notification duties, security measures, and termination consequences. Companies should request a list of sub-processors and identify where data is hosted, backed up, accessed, and supported.

Special Categories of Personal Data

Cross-border transfer compliance becomes more sensitive when special categories of personal data are involved. These include health data, biometric data, genetic data, criminal conviction and security measure data, religious belief, political opinion, union membership, and similar sensitive categories. Under Article 9, the transfer must satisfy one of the processing conditions under Article 6 where special categories are involved.

Examples include hospitals transferring patient records to foreign laboratories, employers using biometric systems connected to foreign servers, insurance companies sharing health-related claim data with foreign reinsurers, or multinational employers transferring criminal record checks for global compliance purposes.

In such cases, companies must pay attention not only to Article 9 but also to special category data processing conditions, additional security measures, access controls, encryption, confidentiality undertakings, data minimization, and retention limits. Standard contract annexes should accurately describe special category data and the additional technical and organizational measures applied.

Relationship With the Obligation to Inform

International data transfers must also be reflected in privacy notices. Article 10 requires data controllers to inform data subjects about the identity of the controller, the purpose of processing, to whom and for what purposes personal data may be transferred, the method and legal basis of collection, and the rights of the data subject.

Therefore, a company transferring data abroad should ensure that its privacy notice clearly explains foreign recipients or recipient groups, transfer purposes, legal basis, and data subject rights. A generic privacy notice stating that data “may be shared with business partners” is often insufficient for a strong compliance position. The notice should be tailored to actual data flows.

For example, an e-commerce company should explain transfers to foreign cloud providers, payment infrastructure, analytics providers, customer support tools, and group companies where applicable. An employer should explain transfers to global HR systems, payroll systems, audit teams, parent companies, and IT support providers. A healthcare business should provide even more detailed explanations due to the sensitivity of health data.

Data Subject Rights and International Transfers

Data subjects have the right to know third parties to whom their personal data has been transferred domestically or abroad. They also have rights to request information, correction, deletion, notification of correction or deletion to recipients, objection to certain automated results, and compensation for damage caused by unlawful processing.

A company must therefore be able to answer questions about international transfers. If a data subject asks whether their personal data has been transferred abroad, the controller should be able to identify the relevant recipient categories, purposes, legal basis, and retention structure. This requires a well-maintained data inventory.

In practice, companies that do not map their international transfers often struggle to respond to data subject requests. This creates regulatory risk and weakens the company’s defense in case of complaints.

Data Security in Cross-Border Transfers

Cross-border transfers must be supported by strong technical and organizational measures. These may include encryption, access control, multi-factor authentication, secure transmission protocols, logging, vulnerability management, data loss prevention, network security, backup controls, incident response plans, and contractual security obligations.

The standard contract mechanism also emphasizes technical and organizational measures. The controller-to-controller standard contract provides that the data exporter warrants it has used reasonable efforts to determine that the data importer is competent through appropriate technical and organizational measures to satisfy its obligations under the contract.

This means that companies should not sign standard contracts blindly. The Turkish data exporter should conduct vendor due diligence and assess whether the foreign recipient can actually protect the transferred data. Relevant evidence may include security certifications, audit reports, penetration test summaries, data processing policies, encryption standards, breach history, sub-processor lists, and data center locations.

Practical Compliance Checklist

A company transferring personal data abroad from Türkiye should follow a structured compliance process.

First, identify all international data flows. This includes cloud storage, email services, CRM systems, HR platforms, accounting software, marketing tools, analytics providers, payment processors, customer support systems, group company databases, remote access tools, and backups.

Second, determine the roles of the parties. Are they controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller transfers? The answer affects which standard contract module should be used.

Third, identify the personal data categories transferred. Ordinary personal data and special category data should be separated. Special categories require stricter legal and technical assessment.

Fourth, determine the purpose of each transfer. The purpose must be specific, explicit, legitimate, and proportionate.

Fifth, identify the legal basis under Article 5 or Article 6. Cross-border transfer is not lawful unless the underlying processing condition is also satisfied.

Sixth, check whether there is an adequacy decision for the recipient country, sector, or international organization.

Seventh, if there is no adequacy decision, select an appropriate safeguard. In most private sector cases, this may be a standard contract. In group company structures, binding corporate rules may be considered.

Eighth, complete the annexes accurately. Data categories, purposes, recipients, security measures, retention periods, and onward transfer rules should be clearly described.

Ninth, notify the Authority within five business days after signing the standard contract where the standard contract mechanism is used.

Tenth, update privacy notices. Data subjects should be informed about international transfers in a transparent and accurate manner.

Eleventh, review vendor agreements and data processing addendums. Commercial contracts should be consistent with KVKK transfer documentation.

Twelfth, monitor onward transfers. Sub-processors, support teams, backup locations, and international access should be controlled.

Thirteenth, maintain records. Companies should store signed contracts, notification evidence, transfer assessments, vendor due diligence records, data inventories, and privacy notices.

Common Mistakes in Cross-Border Data Transfer Compliance

One common mistake is assuming that foreign cloud storage is not a transfer because the company remains the owner of the data. In reality, storing Turkish personal data on foreign infrastructure may still constitute a transfer abroad.

Another mistake is relying on general explicit consent for continuous international transfers. Under the amended Article 9, consent is not designed to replace adequacy decisions or appropriate safeguards for systematic transfers.

A third mistake is signing the wrong standard contract module. If the parties’ roles are misunderstood, the chosen contract may not properly reflect the legal relationship.

A fourth mistake is failing to notify the Authority within five business days after signing the standard contract. This may create independent administrative fine exposure.

A fifth mistake is ignoring onward transfers. A company may sign a standard contract with one foreign vendor but fail to assess the vendor’s sub-processors in other countries.

A sixth mistake is using generic privacy notices that do not accurately disclose foreign transfers.

A seventh mistake is failing to document vendor due diligence. The data exporter should be able to show that it assessed whether the importer can provide appropriate protection.

Conclusion

Cross-border data transfers under Turkish Personal Data Protection Law require careful legal and operational planning. After the 2024 amendment to KVKK Article 9, companies must follow a structured transfer model based on adequacy decisions, appropriate safeguards, and limited incidental exceptions. The new system provides more practical tools for businesses, especially through standard contracts and binding corporate rules, but it also creates new responsibilities.

For companies operating in Türkiye, the most important task is to map all international data flows. Without accurate data mapping, it is impossible to determine whether there is a transfer, which parties are involved, which data categories are transferred, which legal basis applies, which safeguard is required, and whether data subjects have been properly informed.

A strong compliance program should include data inventory, role analysis, legal basis assessment, transfer impact review, standard contract selection, Authority notification, privacy notice updates, vendor due diligence, security measures, onward transfer controls, and retention management.

Cross-border data transfer compliance is not only a legal requirement. It is also a commercial trust issue. Companies that handle international data flows transparently and lawfully reduce regulatory risk, strengthen customer confidence, improve contractual reliability, and protect their long-term business operations in Türkiye.
