January 13, 2025
Critical Guideline on Cross-Border Transfers of Personal Data: What is Changing in Practice?
1. Purpose of the Guideline
Article 9 of the Law on the Protection of Personal Data No. 6698 (“Law”) titled “Cross-border transfer of personal data” was amended by the Official Gazette published on March 12, 2024. Subsequently, the Regulation on the Procedures and Principles Regarding the Cross-Border Transfer of Personal Data (“Regulation”) was published in the Official Gazette dated July 10, 2024 and the definition of cross-border transfer of personal data was clarified. According to this definition, cross-border transfer of personal data means the transmission from or making accessible of personal data by a data controller or data processor, to a data controller or data processor located abroad.
In order to respond to the questions that have arisen during implementation, following the amendment of the Law and the Regulation, the Personal Data Protection Authority (“Authority”) published the Guideline on Cross-Border Transfers of Personal Data (“Guideline”) on January 2, 2025. While the Guideline explains the safeguard criteria expected by the Personal Data Protection Board (“Board”) in the cross-border transfer of personal data, it also serves as a guide for the implementation of the legislative rules in this field. The purpose of the Guideline is to ensure unity of practice in the cross-border transfer of personal data and to guide data controllers and data processors.
2. Definitions Provided by the Guideline
The Guideline provides definitions and explanations regarding the rules on the cross-border transfer of personal data.
3. Cross-Border Transfer of Personal Data
The Guideline emphasizes, as the first criterion, that an interpretation based on the principle of effect, rather than the principle of territoriality, must be adopted for cross-border transfers of personal data and that the data controller or data processor transferring the data must be subject to the Law.
The new Guideline, as the second criterion, specifies that for a transfer to qualify as a cross-border transfer of personal data, the data must be transmitted to or made accessible by a different data controller or data processor. This includes actions such as creating an account, granting access rights to an existing account, approving/accepting an effective request for remote access, installing a hard drive, or sharing a password to a file.
Additionally, the Guideline states that activities such as remote access from a third country (even if the data is only displayed on the screen, for purposes such as support, troubleshooting, or management) and/or storing personal data in a cloud environment located abroad will be considered cross-border transfers if the three specified criteria are met. However, personal data transmitted directly by the data subject will not be considered a cross-border transfer.
As the third criterion, the Guideline highlights that the data controller or data processor receiving the data must be located abroad, regardless of whether they are subject to the Law.
4. Transfers Based on Appropriate Safeguards
The Guideline provides detailed explanations regarding: (i) Ensuring Appropriate Safeguards Through Non-International Treaty Agreement, (ii) Ensuring Appropriate Safeguards Through Binding Corporate Rules, (iii) Ensuring Appropriate Safeguards Through Standard Contracts, and (iv) Ensuring Appropriate Safeguards Through Undertakings.
With respect to standard contracts, which often raise uncertainties in practice, the Guideline emphasizes that if standard contracts are prepared in bilingual format with a dual-column layout, the Turkish language version will prevail. It also provides clarifications regarding the annexes to standard contracts. Specifically, it outlines the following:
- When specifying “data categories” in the standard contract’s annexes, the Guideline also requires including “data types” as subcategories of these categories.
- If the retention period for personal data cannot be determined, the criteria used to define the retention period must be explained.
- The data receiver must specify the recipients to whom the personal data transferred from the data transferor under the standard contract has been transferred. This section must remain updated throughout the term of the standard contract.
- Information provided by the data transferor, if acting as the data controller, must be consistent with VERBİS (Data Controllers’ Registry Information System) records.
- In cases where the data transferor acts as a data processor, the obligation to notify the Board can be fulfilled by the data processor without seeking instructions from the data controller.
- Following the submission of the standard contract to the Authority, any change in the explanations or information provided by the parties to the transfer, as well as termination of the contract, must be reported to the Authority. Notification obligations for specific changes are outlined in the contract text. For instance, under **SS-1**, recipient changes under the section titled “Subsequent Transfers” must be reported. In **SS-2** and **SS-3**, changes involving recipients and sub-processors must also be reported to the Authority.
5. Exceptional Transfers and Explicit Consent
The Guideline underlines that exceptional transfers, defined as those occurring under occasional circumstances, must be interpreted narrowly. Such transfers should only be relied upon as a last resort and only where no adequacy decision or appropriate safeguards are in place. The Guideline clarifies that exceptional transfers based on occasional circumstances do not require the Board’s permission or approval and are not subject to any notification obligation under the Law or the Regulation.
The Guideline states that exceptional transfers must occur on a non-recurring basis and under unforeseen conditions, outside the regular course of operations. These transfers must not be continuous and should take place once or more than once, at irregular intervals. These transfers are distinguished from regular and systematic transfers, which are part of a systematic and continuous relationship between the data transferor and the data receiver. For example, granting direct access to a database would be considered a regular and systematic transfer and therefore would not fall under the scope of exceptional transfers.
The Guideline further notes that while exceptional transfers may occur more than once, they must not possess regular or continuous characteristics.
In cases where explicit consent is obtained from the data subject for exceptional transfers, provided that it is occasional, the Guideline emphasizes that such consent must be specific, informed, and freely given. It reiterates that the data subject must be informed about potential risks associated with the transfer. Moreover, explicit consent must be obtained prior to the cross-border transfer and cannot be valid for undefined future transfers. The data transferor must ensure explicit consent is obtained before the cross-border transfer takes place, even if the data collection activity occurred earlier.
According to the Guideline, the information provided before obtaining explicit consent must include:
(i) details about the identity of the data transferor, the purpose of the transfer, the types of data being transferred, and the right to withdraw consent, and
(ii) a clear statement that the legal basis for the transfer is explicit consent and that no adequacy decision has been issued by the Board for the destination country.
The information provided to data subjects about potential risks should address specific risks related to the lack of adequate protection in the recipient country and the absence of necessary security measures. For instance, the lack of a supervisory authority or insufficient data processing principles in the destination country may be highlighted.
6. Conclusion
The Guideline provides clarity about uncertainties in the practical application of cross-border transfers of personal data and examines the subject in detail. Its evaluations, particularly on the scope of cross-border transfers, exceptional transfers, the concept of occasional transfers, and explanations regarding standard contracts, serve as significant guidance for practitioners.