Cross-Border Data Transfers under the Turkish Data Protection Law: Changes with the 8th Judicial Package

​​​​​​​​​​​​​published on 25 March​ 2024 | reading time approx. 4 minutes

Data protection is increasingly becoming a major focus in Turkey. The collection, processing, and storage of personal data should not only comply with local regulations but also align with international standards. 

In this context, the Turkish Data Protection Law (KVKK), while ensuring the protection of individuals' personal data also establishes certain regulations on the transfer of such data abroad. The provisions of KVKK regarding cross-border data transfers aims to ensure the security and privacy of personal data in Turkey. In this context, KVKK requires that certain conditions be fulfilled for the transfer of personal data abroad and sets severe sanctions for breaches.

Generally, under KVKK, it is prohibited to transfer personal data abroad without the explicit consent of the data subject. Furthermore, the law stipulates that before the transfer of data abroad, (1) the Board shall declare the destination country as secure in the context that they have adequate data protection, and (2) if the destination country of the transfer has not been declared secure by the Board, the data controllers in Turkey and in the relevant foreign country shall undertake that there is adequate protection in the destination country by a commitment text, and in the latter the authorization of the Board is also sought. 

Since the adoption of KVKK in 2016, no countries with an adequate level of protection have been announced. As of today, only 6 data processors have been authorized to transfer personal data from Turkey among many requests for the Board to approve the data transfer.  The last authorization was granted to a subsidiary of Google on 17.08.2023. Consequently, while transferring personal data abroad, data controllers prefer to obtain the explicit consent of the data subjects.

As the existing regulations of KVKK are not sufficient and practical enough to regulate the cross-border data transfers in Turkey amendments in the related laws and regulations were already expected. With the adoption and publication of Law No. 7499 (known as the 8th Judicial Package) on 12.03.2024, amendments regarding cross-border data transfer as well as the processing of sensitive data were introduced. The amended provisions will come into effect on 01.06.2024 (except for the amendments on cross-border data transfers, which will come into effect on 01.09.2024), also a guideline regarding the implementation of such amendments is expected to be published by this date.

If supported by the guidelines as expected, the impact of this package on KVKK will be remarkable as it has the potential to align Turkey's data protection regulations with international standards and most importantly GDPR, especially with regards to cross-border data transfers. The amendments made by Law No. 7499 are outlined as follows:

1. The Board will declare which industries and institutions in various countries and destination countries have the necessary secure level for data protection. The related declaration regarding the secure countries, industries, or organizations shall be reviewed every 4 years by the Board;
   
2. Provided that the conditions stipulated in the law are met, and data transfer may still be carried out without a   declaration of the Board regarding the adequate data protection but due to reasons provided for in the law by data controllers and data processors. These conditions include the existence of data protection regulations within a group of companies that carry out a joint economic activity, which have been approved by the Board, conclusion of a standard agreement introduced by the Board, existence of a commitment text approved by the Board.  This regulation will come into effect on 01.09.2024 and the application of this provision will be clarified by the guidelines to be issued, hopefully before the enforcement date;
   
3. If the above conditions are not met, the law provides further, but one-time options. These include the possibility of carrying out cross-border data transfers with the explicit consent of the data subject. But the new wording of the law stipulates that the data subject must be explicitly informed of the risks.

To summarize, the Turkish Data Protection Law aims to protect individuals' privacy and ensure data security through strict regulations on the transfer of personal data abroad. Data controllers will no longer be able to transfer data legally by obtaining consent from the data subjects and must adhere to strict requirements. Further updates are expected with the publication of the Board's guidelines and the standard contract.​