The Turkish Data Protection Law Has Been Amended. What Has Changed in Cross-Border Transfers?

This morning, the highly anticipated amendments to the Law on Protection of Personal Data No. 6698 (“DPL”) were published in the Official Gazette. The changes mentioned below will enter into force on June 1, 2024. You may find our article about the changes here:

With the so-called “Small DPL Reform” amendments published in the Official Gazette, three important provisions of the DPL have changed, two of which were creating deadlocks in the daily operation of businesses. The amendments relate to:

  • Art. 6 of the DPL related to conditions for processing sensitive (special categories) personal data
  • Art. 9 of the DPL related to transfer of personal data out of Turkey and
  • Art. 18 of the DPL related to misdemeanors

In addition to the above, a provisional article (Prov. Art. 3) was introduced.

So, now that the changes have been published and are in force, what is the next step for compliance with the revised provisions for data controllers?

1- The Problem: Gridlock

Since the enactment of the DPL in 2016, the transfer of personal data outside Turkey has always been a problem for data controllers. Originally, Art. 9 of the DPL required explicit consent from the individual whose data is being transferred, as per the article’s initial clause.

Other alternatives were:
– signing the standard undertaking by importer and exporter and seeking approval of the Data Protection Authority (“Authority”),
– BCRs, and
– Transfer to an importer located within an adequate country.

To date, the Authority has not published any adequacy decisions. It could also be argued that BCRs were stillborn due to the complexities of the legislation and practice. Lastly, the Authority has approved only a handful of written undertakings despite numerous applications.

Therefore, since its inception in 2016, the framework for data transfers outside Turkey has faced challenges, and this led controllers to take a risk-based approach with the following options:

• sign the undertaking and apply to the Authority for approval (the least desirable option, due to the low number of approvals by the Authority and because approval may put the controller on the Authority’s radar)
• force data subjects to provide explicit consent (risk the consent being invalid due to lack of free will, but prepare a defense as explicit consent is the last and only resort) or,
• have an IGDTA or a similar mechanism signed between the importer and exporter and wait for a sensible reform to fix the broken mechanism

And now, after almost 8 years of waiting, we are happy to announce that the mechanism has been fixed in a sensible way with the reform.

2- The Solution: Goodbye Consent, Welcome SCCs

Art. 9 of the DPL has been rewritten to amend the whole cross-border transfer mechanism. With the change, a threefold system is introduced that covers: i- adequacy decisions, ii- appropriate safeguards and iii- incidental transfers. Before diving into the details, with the changes:

– explicit consent can no longer be a basis for data transfers abroad (except for incidental cases).
– a mechanism similar to SCCs is introduced where importer and exporter can simply sign the SCC and notify the Authority within 5 days to transfer personal data.

Here is how the threefold mechanism will work:

i- Adequacy Decision

As explained above, the previous version of the provision only allowed the Authority to give adequacy decisions about third countries and required the Authority to take reciprocity into consideration. This prevented the Authority from giving any adequacy decisions.

With the changes, data transfer is possible if an adequacy decision is given about the country, international organization or sector within the country where the transfer will be made. This way with the addition of international organization or sector specific adequacy options, the Authority may be more flexible in deciding for adequacy.

As a result, if an adequacy decision has been given, and provided that a legal basis for data processing exists (i.e. Art. 5 or 6 of the DPL), it will be possible to transfer personal data.

It should be noted that any adequacy decision must be reviewed and renewed by the Authority every 4 years at the latest. Also, the following are the criteria that will be taken into account by the Authority while making the adequacy decision:

• The mutual agreement on data privacy regulations regarding the movement of personal information from Turkey to any foreign nations, specific sectors within those nations, or global organizations.
• The applicable laws and customary practices of the nation receiving the personal data, along with the policies that the international organization receiving the personal data adheres to.
• The presence of an autonomous and competent authority dedicated to data protection in the destination country or organization, along with available administrative and legal measures for recourse.
• The engagement level of the receiving country or international organization with international treaties focused on personal data protection, or their participation in relevant global bodies.
• The affiliation of the receiving country or organization with worldwide or regional groups that Turkey is also a part of.
• International agreements that Turkey is a signatory to.

ii- Appropriate Safeguards

In the absence of an adequacy decision, any of the newly introduced appropriate safeguards shown below can be used to facilitate transfers, provided that one of the conditions specified in Art. 5 and 6 is present and the data subject has the opportunity to exercise his rights and to apply for effective legal remedies in the target country:

• The existence of SCCs to be published by the Authority, which will include data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the recipient and additional measures taken for special categories of personal data,

• The existence of a written undertaking with provisions to ensure adequate protection and approval of the transfer by the Board,

• Existence of BCRs approved by the Authority, containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with, or

• Existence of an agreement that is not in the nature of an international agreement between public institutions and organisations or international organisations abroad and public institutions and organisations or professional organisations in the nature of a public institution in Turkey and the Authority’s approval of the transfer.

It is important to note here that when SCCs are signed, there is no requirement to seek the approval of the Authority; however, the SCCs must be notified to the Authority within 5 days of signing.

iii- Incidental Transfers

In the absence of an adequacy decision and in the absence of any of the appropriate safeguards, personal data may be transferred abroad only in one of the following cases, provided that the transfer is incidental:

• The data subject’s explicit consent to the transfer, provided that he/she is informed about the possible risks.

• The transfer is necessary for the performance of a contract between the data subject and the data controller, or is mandatory for the implementation of pre-contractual measures taken at the request of the data subject.

• The transfer is mandatory for the establishment or performance of a contract to be concluded, for the benefit of the data subject, between the data controller and another natural or legal person.

• The transfer is mandatory for a superior public interest.

• The transfer of personal data is mandatory for the establishment, exercise or protection of a right.

• The transfer of personal data is mandatory for the protection of the life or physical integrity of the person himself/herself or of another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.

• Transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.

3- Next Steps For Controllers: Compliance

As mentioned above, data controllers can be divided into three groups according to the actions they have taken for data transfers: i- those that had to force data subjects to provide explicit consent for data transfers, ii- those that signed IGDTAs and applied a wait-and-see approach, and iii- those that applied to the Authority for approval of their data transfer undertaking. The actions that a data controller must take for compliance depend on this grouping.

i- Those That Relied on Consent
As mentioned above, consent can now be used only for incidental transfers. Therefore, controllers that (rightfully, due to the restrictions of the legislation) built all their data transfer operations on consent must now adopt one of the other mechanisms being introduced. Provisional article 3 of the DPL provides a grace period until September 1, 2024 for these controllers, and the consents obtained for transfers will be valid until this date.
As a result, the controllers in this category may wait for an adequacy decision and in the meantime start making preparations for applying any of the appropriate safeguards (i.e. SCCs) to comply with the new provision.

ii- Those That Signed IGDTAs and Applied a Wait & See Approach
Controllers within this group do not rely on any legal basis to transfer personal data, and with the new reform it is now time to select any of the appropriate safeguards and legalize the transfers. Please note that there is no grace period for controllers in this group.

iii- Those That Applied to the Authority for Approval of Their Data Transfer Undertaking
The fate of the approved undertakings is not clear under the new mechanism; however, since a similar approval mechanism is introduced, controllers that got approval from the Authority for their data transfer undertaking can wait until the announcement of secondary legislation by the Authority.
Controllers that have applied for approval but could not get approval from the Authority must immediately start preparations to apply any of the new safeguards to legalize transfers.


1- We are a foreign data controller with no establishment in Turkey. We collect data directly from data subjects. What is our position?

The amendments do not solve this issue, since this question is related to the interpretation of the Authority rather than the legislation. As you may know, contrary to the EDPB’s direct collection opinion in Guidelines 05/2021, the Authority’s decision on WhatsApp (numbered 2021/891 and dated September 3, 2021) underlines that, after the initial collection of personal data, all kinds of processing activities conducted on servers located outside Turkey constitute a cross-border transfer. If the Authority does not align its interpretation with the EDPB, this will continue to be a problem for many foreign controllers that directly collect personal data from data subjects, since there will be no data exporters in Turkey to run the mechanisms (SCCs, undertaking, BCR etc.) in the legislation.
Therefore, we hope that the Authority will reconsider the interpretation of what a transfer is and will clarify that direct collection scenarios where there is no exporter of personal data are not data transfers.

2- We are a group company with approved BCR from an authority in the EU. Can we rely on such BCR for the transfer from Turkey?

No, transfers from Turkey are subject to the DPL and, pursuant to the DPL, BCRs must be approved by the Authority in Turkey.

3- We have signed the EU’s standard SCCs for transfers, can we rely on these for transfers from Turkey?

No, the SCCs mentioned above are the version that will be published by the Authority in Turkey. Therefore, unless the SCCs published by the Authority are exactly the same as the EU version, the separate SCCs published by the Authority must be signed.

4- We have signed an intra-group data transfer agreement, can we rely on such a mechanism for transfers from Turkey?

No; however, if such an agreement ensures adequate protections, it would be possible to apply to the Authority for approval with such IGDTAs. The secondary legislation, when published by the Authority, will provide a clearer response.

5- We are located in an EU country, can EU countries automatically be considered as adequate for transfers from Turkey?

No, in order for a country to be accepted as adequate, it must be published by the Authority.

6- What constitutes an incidental transfer?

The reasoning of the amendments explains “incidental” as follows: single or several times and in a non-continuous manner. For example, a company in Turkey sharing, on an incidental basis, information about its employees who will be in contact with the addressee company in connection with the commercial activity that it intends to carry out with a company abroad.