Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Turkey: Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad enter into force

On July 10, 2024, the Personal Data Protection Authority (KVKK) announced on LinkedIn that the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad No. 32598 (the Regulation) entered into force after being published in the Official Gazette on the same date. The Regulation aims to determine the procedures and principles regarding the implementation of Article 9 of the Personal Data Protection Law (the Law), which regulates the transfer of personal data abroad.

Obligations

The Regulation stipulates that personal data can only be transferred abroad by data controllers and data processors following the procedures and principles outlined in the Law and the Regulation. When a data processor transfers personal data, it must also comply with the data controller's instructions. The Regulation highlights that the provisions of other laws regarding the transfer of personal data abroad are reserved.

Procedures for transferring personal data abroad

The Regulation specifies that personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 of the Law is present and one of the following situations occurs:

  • there must be a qualification decision regarding the country to which the transfer will be made, the sectors within the country or international organizations; or
  • in the absence of an adequacy decision, the parties must provide one of the appropriate safeguards specified in Article 10 of the Law, provided that the person concerned has the opportunity to exercise their rights and to resort to effective legal remedies in the country where the transfer will take place.

If there is no adequacy decision and the parties cannot provide one of the appropriate safeguards specified in Article 10, the Regulation highlights that personal data may be transferred abroad by data controllers and data processors only in the event of the existence of one of the exceptional circumstances specified in Article 16 of the Law, provided that it is incidental.

Moreover, personal data may be transferred abroad only with the permission of the Personal Data Protection Board, after consulting the relevant public institution or organization, in cases where the interests of Turkey or the relevant person would be seriously harmed, without prejudice to the provisions of international agreements.

In addition, the Regulation outlines the procedures for the transfer of personal data abroad by data processors.

You can read the LinkedIn post here and the Regulation here.