KVKK Data Transfers Guideline

28.04.2025

1. Introduction

On January 2, 2025, the Personal Data Protection Authority (“Authority”) published the Guideline on the Cross-Border Transfer of Personal Data (“Guideline”) in order to inform the public about the implementation of cross-border transfers of personal data within the scope of Article 9 of the Personal Data Protection Law No. 6698 (“KVKK”) and the appropriate safeguards expected by the Personal Data Protection Board (“Board”).[1]

This Guideline helps the public understand the changes made to the foreign data transfer procedures and ensure that practices comply with the KVKK and the Board’s expectations.

2. Purpose, Justification and Scope of the Amendments to the Procedures and Principles Regarding the Cross-Border Transfer of Personal Data

Prior to the amendment of the Law, personal data could not be transferred cross-border without the explicit consent of the data subject. Exceptionally, personal data could be transferred cross-border without explicit consent, provided that the data processing conditions of the KVKK existed and (i) there was adequate protection in the foreign country to which the personal data would be transferred, or (ii) in the absence of adequate protection, the data controllers in Türkiye and in the relevant foreign country undertook in writing to provide adequate protection, and (iii) the Board’s permission was obtained.

However, the Board did not determine the countries with adequate protection. Instead, the Board accepted and announced the “Written Undertakings” that the data controller in Türkiye and the data controller and/or data processor in the relevant foreign country can use to commit in writing to adequate protection. The Board evaluated the applications made within this scope and, as a result, either authorized or refused the cross-border transfer of personal data.

From April 7, 2016, the date of entry into force of all these regulations, until June 1, 2024, the Board received only 86 commitment letter applications, of which only 10 were accepted by the Board. In addition, although 3 Binding Corporate Rule (BCR) applications were submitted, these applications were not accepted due to procedural and substantive deficiencies.

Therefore, in the pre-amendment period, the transfer of personal data to foreign countries was possible only upon (i) the explicit consent of the data subjects individually, or (ii) the written undertaking of adequate protection by the data controllers in Türkiye and the relevant country, and (iii) the authorization of the Board, making the cross-border transfer of data dependent in practice only on the explicit consent of the data subjects. As a result, it became very difficult to use, in accordance with the law, most cloud-based software and applications that are frequently used by many companies in commercial life and whose servers are located abroad.

The European Union General Data Protection Regulation (“GDPR”), which was put into force by the European Union in 2018, provides methods for transferring data outside the EU in a way that protects the rights of data subjects, taking into account the needs arising from ever-evolving technology and digitalization and the dynamism of commercial life. The regulation of 1 June 2024 aims to bring the KVKK closer to these methods.

3. Cross-Border Personal Data Transfers

Cross-border personal data transfer is defined in Article 4 of the Regulation (“Regulation”) determining the procedures and principles regarding the implementation of Article 9 as “the transfer of personal data by a data controller or data processor within the scope of Law No. 6698 to a data controller or data processor cross-border or making it accessible by any other means”. In this context, a cross-border personal data transfer consists of 3 elements:

- The Data Controller or Data Processor (Data Transmitter) must be Subject to the Law for the Personal Data Processing Activity in Question.

Whether the transmitter is subject to the Law raises the question of the Law’s scope of application in terms of location. In this framework, Article 2 of the Law titled “Scope” sets out the material scope of application of the Law as follows: “The provisions of this Law shall apply to natural persons whose personal data are processed and to natural and legal persons who process such data wholly or partially by automatic means or by non-automatic means provided that they are part of any data recording system.” Similarly, the provisions of both Directive 95/46/EC and the GDPR apply to personal data processing activities carried out wholly or partly by automatic means, or by non-automatic means forming or intended to form part of a data recording system.

- Personal Data Processed by the Data Transmitter must be Transmitted or Made Accessible in Another Way.

The data transmitter must either (i) transmit or (ii) make accessible the personal data in question. Examples include creating an account, granting access to an existing account, confirming an effective request for remote access, inserting a hard drive or sending a password to a file. Remote access from a third country (even if it only takes place through the display of personal data on a screen, e.g. in support situations, for troubleshooting or administration purposes) and/or storage in a cloud located cross-border offered by a service provider will also be considered a transfer, provided that these three elements are present. On the other hand, this element will not be satisfied where there is no data transmitter transmitting or making accessible the personal data to another controller or processor, such as when the personal data is transmitted directly by the data subject.

- The Data Controller or Processor to whom the Data is Transferred must be Located in a Third Country, regardless of whether it is Subject to the Law.

Accordingly, the data controller or processor to whom the data is transferred must be geographically located in a third country.

As a result, the KVKK has been amended based on the relevant provisions of the GDPR, the system of cross-border data transfers has been reorganized, and a three-tier structure has been created with Article 9 of the KVKK.

4. Data Transfer Based on Adequacy Decision

Where one of the conditions specified in Articles 5 and 6 of the KVKK is present, the first stage is to check whether there is an adequacy decision about the country, the sectors within the country or the international organizations to which the transfer will be made. In the previous version of Article 9 of the Law, it was essential to have an adequacy decision for the transfer to take place; with the amendment, an adequacy decision may be made about sectors within the country or international organizations as well as about the country.

The Board has not yet published an adequacy decision on its website.

5. Transfers Based on Appropriate Safeguards

In the absence of an adequacy decision, a transfer based on appropriate safeguards is possible if one of the conditions specified in Articles 5 and 6 of the Law, which regulate the conditions for the processing of personal data and sensitive personal data, is present and the data subject is able to exercise his/her rights and to apply for effective legal remedies in the country of transfer.

Where these preconditions are met, (i) an agreement that is not an international treaty, (ii) binding corporate rules, (iii) standard contracts, and (iv) written undertakings are considered appropriate safeguards.

6. Existence of One of the Occasional Case Conditions

In the absence of an adequacy decision and of any of the appropriate safeguards, data may be transferred cross-border, provided that the transfer is occasional, takes place once or several times and is not continuous. For example, it is in compliance with the KVKK for a company in Türkiye to share, on an occasional basis, information about its employees who will be in contact with a company abroad in connection with the commercial activity it intends to carry out with that company.

The exceptional cases are “explicit consent”, “it is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject”, “it is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject”, “it is mandatory for an overriding public interest”, “the transfer of personal data is mandatory for the establishment, exercise or protection of a right”, “it is mandatory to transfer personal data for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid” and “the registry is open to the public or persons with a legitimate interest, provided that the conditions for accessing the registry are met in the relevant legislation and the person with a legitimate interest requests it.”

In this context, it should be emphasized that if an international treaty or other laws contain a provision regarding the cross-border transfer, personal data may be transferred cross-border in accordance with that provision. In fact, whether such a provision exists in an international treaty or other laws should be checked at the first step of the transfer activity, before considering an adequacy decision, appropriate safeguards or the occasional transfer cases.

7. Conclusion

With the Guideline dated January 2, 2025, detailed explanations were provided on how the procedures and principles of cross-border data transfer are reflected in practice.

You can access the Agency’s summarized Foreign Data Transfer Table in the annex of this Bulletin.

Accordingly, in our subsequent articles, the procedures and principles of (i) Transfer Based on Adequacy Decision, (ii) Transfer Based on Appropriate Safeguards, and (iii) Occasional Transfer will be evaluated separately, and the Authority’s instructions will be conveyed in detail.


[1] You can access the Guide here: https://www.kvkk.gov.tr/Icerik/8143/Kisisel-Verilerin-Yurt-Disina-Aktarilmasi-Rehberi
