Cross-border data transfers under Turkey’s KVKK

Executive summary

Turkey’s Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad -in force since 10 July 2024- (the "Regulation") has reshaped how organisations move personal data outside Turkey. It operationalises the amended Article 9 of the Law and embeds a three-tier framework: adequacy decisions, appropriate safeguards (including standard contractual clauses, binding corporate rules, undertakings, and certain non-treaty agreements), and limited occasional exceptions. Adequacy decisions are re-evaluated at least every four years. Where standard contractual clauses (SCCs) are used, they must be adopted as-is and notified to the Authority within five business days of signature. The Regulation also clarifies the responsibilities of data controllers and processors and empowers the Board to resolve uncertainties. Companies operating in or targeting Turkey should ensure their transfer tooling and documentation are aligned and kept under periodic review.

At a glance

• Effective framework: Implements the amended Article 9 and governs all transfers from Turkey.

• Adequacy decisions: Required where available; reviewed every four years and may be changed, suspended or revoked.

• Appropriate safeguards: Non-treaty agreements (subject to Board opinion/permission), BCRs (Board approval), SCCs (no edits, 5-day notification), or undertakings (Board permission).

• Occasional exceptions: A narrow set of fallback grounds when no adequacy or safeguards exist.

• Controller–processor: Processor must act on controller’s instructions; the controller remains responsible for ensuring measures.

• Board’s role: Resolves doubts and issues not expressly covered.

  
  

Context & background

Turkey amended Article 9 of the Personal Data Protection Law in March 2024, moving away from an explicit-consent-centric model and introducing a layered system for international transfers. The Regulation, published in the Official Gazette on 10 July 2024, provides the operational details for that system—what mechanisms can be used, how they must be implemented, and when exceptions apply. Together, the Law and the Regulation now require organisations to prioritise adequacy and appropriate safeguards over consent, and to adopt specific documentation and procedures when sending data abroad. The Authority has also published materials on the new framework and its implementation to support the market.

Key points explained

1) Adequacy decisions

Transfers may proceed on the basis of a Board adequacy decision for a country, one or more sectors within a country, or an international organisation. Adequacy decisions are re-evaluated at least every four years; the Board can change, suspend or revoke a decision prospectively if adequate protection is later found lacking. Businesses should monitor adequacy status and be prepared to switch to safeguards if adequacy changes.

2) Appropriate safeguards (when no adequacy applies)

If there is no adequacy decision, one of the following appropriate safeguards must be in place between the parties to the transfer:

• Non-treaty agreements between Turkish/foreign public bodies, professional bodies or international organisations: parties must seek the Board’s opinion during negotiation and obtain permission before transfer; the final text and required evidence must be submitted with the application.

• Binding corporate rules (BCRs): require Board approval prior to transfers.

• Standard contractual clauses (SCCs): must be used exactly as published by the Authority (no alterations) and notified to the Authority within five business days after signature, via KEP or other designated routes.

• Undertakings: signed by the parties with specified mandatory protections; Board permission is required before transfer starts.

  
  

These mechanisms are detailed across Articles 11–15 of the Regulation and together form the main operational pathway where adequacy is absent.

3) Occasional (exceptional) transfers

If neither adequacy nor appropriate safeguards is available, the Regulation permits transfers only in occasional situations and only where one of the narrow exceptions in Article 16 applies. These include:

• Explicit consent after informing the data subject of potential risks;

• Contract necessity (with the data subject) or pre-contractual steps at the data subject’s request;

• Contract in the data subject’s interest between the controller and another party;

• Overriding public interest;

• Establishment, exercise or defence of legal claims;

• Vital interests where the person cannot consent;

• Public registers open to those with a legitimate interest, subject to access conditions.These are last-resort grounds for ad-hoc scenarios, not routine transfers.

  
  

4) Controller–processor responsibilities

Where a processor transfers personal data abroad, it must do so only on the controller’s documented instructions and within the purpose and scope set by the controller. Critically, the controller remains responsible for compliance with the Law and the Regulation, including ensuring appropriate technical and organisational measures are taken by the processor. Contracting and oversight (e.g., DPAs, audits, security controls) therefore remain essential.

5) Board authority and guidance

The Board is expressly empowered to resolve doubts arising during application and to decide issues not explicitly addressed, within the legal framework. The Authority has also released materials relating to SCCs and BCRs to help organisations adopt the new tools.

6) Publication details and scope

The Regulation was published on 10 July 2024 and sets out procedures to implement Article 9 of the Law for all controllers and processors that transfer personal data from Turkey. It defines the Regulation’s purpose and scope and anchors the three-tier approach (adequacy → safeguards → exceptions).

Why it matters for businesses

For companies operating in or targeting Turkey, the Regulation brings clarity—but also operational discipline—to cross-border data flows. The priority is to assess whether an adequacy decision applies; if not, implement a recognised safeguard. If SCCs are chosen, ensure the Authority’s template is used verbatim and that notification is filed within five business days of signing—internal playbooks should reflect this timeline. For intra-group transfers, evaluate whether BCRs are a better long-term fit. Reserve the occasional exceptions for genuinely ad-hoc cases, not ongoing operations. Finally, update controller–processor arrangements and governance to reflect the controller’s continuing responsibility, and keep a watching brief on four-year adequacy reviews and further Board guidance. Taking these steps now will reduce future friction and the risk of non-compliance as enforcement matures.

Sources: “Standart Sözleşmeler ve Bağlayıcı Şirket Kurallarına İlişkin Dokümanlar Hakkında Kamuoyu Duyurusu” — Public Announcement on Documents Concerning Standard Contracts and Binding Corporate Rules (KVKK, 10 July 2024): https://www.kvkk.gov.tr/Icerik/7938/Standart-Sozlesmeler-ve-Baglayici-Sirket-Kurallarina-Iliskin-Dokumanlar-Hakkinda-Kamuoyu-Duyurusu