Guide on Cross-Border Transfer of Personal Data Published

03.01.2025 İpek Ertem

On 2 January 2025, the Personal Data Protection Authority (Authority) published the Guide on Cross-Border Transfer of Personal Data (Guide), which it had prepared. The Guide details the implementation principles and procedural requirements introduced by the comprehensive amendments to Article 9 of the Personal Data Protection Law No. 6698 (Law) regarding the cross-border transfer of personal data. It provides guidance for data controllers and processors.

The Guide includes definitions, methods for cross-border transfers of personal data, transfers based on adequacy decisions, transfers based on appropriate safeguards, and exceptional transfers. Each section thoroughly explains the implementation of the relevant cross-border transfer mechanisms.

The Guide also provides concrete examples of common scenarios encountered in cross-border data transfer processes. Some of the notable examples are briefly summarized below:

  • If a Turkiye-based group company uploads employee data to a centralized human resources system provided by its parent company located abroad, the parent company is considered a data processor. Accordingly, the provisions on cross-border transfer under the Law will apply, and appropriate safeguards, such as standard contractual clauses or binding corporate rules, must be adopted.
  • If a data subject residing in Turkiye makes a reservation at a hotel abroad through an online travel agency, the travel agency's collection of personal data in Turkiye and its sharing of that data with the hotel are considered a cross-border transfer under the Law, necessitating the implementation of appropriate safeguards.
  • Conversely, if a consumer residing in Turkiye shares their name, surname, and address through a foreign e-commerce website targeting the Turkish market to deliver a purchased product to their address in Turkiye, this does not constitute a cross-border transfer of personal data. In other words, direct sharing of personal data by data subjects with foreign third-party companies does not trigger the application of Article 9 of the Law. However, the data processing activity must still comply with the Law.
  • Another example frequently encountered in practice involves working with sub-processors. According to the Guide, if a data processor in Turkiye transfers data to a sub-processor located abroad (e.g., cloud service providers), the provisions on cross-border transfer under the Law will apply. Consequently, appropriate safeguards, such as standard contractual clauses, binding corporate rules, or commitments, must be utilized.
  • Incidental transfers are also explained in the Guide with detailed and concrete examples. For instance, if a Turkish company transfers personal data to a foreign company to fulfill a customer’s payment request, and the transfers between the two companies are irregular, occur only once or a few times, are not continuous, and are not part of the regular course of business, such transfers are deemed incidental.

While the Guide addresses existing uncertainties in practice, it will be reviewed and updated based on practical experience gained from implementing the Law. It is noted that the Guide should be considered in conjunction with the Authority's efforts and activities related to cross-border data transfers.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
