Transfer of Personal Data Abroad

Before discussing the transfer of personal data abroad, there are some main issues that need to be addressed.

What is Personal Data?

In accordance with the Turkish Personal Data Protection Law No. 6698, personal data is defined as all kinds of information about an identified or identifiable natural person. Personal data is not limited to information such as the individual's name, last name, date of birth and place of birth; it is accepted that it also covers everything related to the physical, family, economic and social characteristics of the person that enables the person to be identified. It does not even matter whether the accuracy or authenticity of the information is proven, because incorrect information that makes a person identifiable is also personal data.

What are Special Categories of Personal Data?

These data are more strongly protected in our regulations than other data, because special categories of personal data are more closely related to the fundamental rights and freedoms of the person. If the measures determined by the Board of Protection of Personal Data (Board) are not taken, it is accepted that the processing of this data is prohibited. These data can be: race and ethnic origin, political opinion, religion, sect and other beliefs, costume and clothing, health information, sexual life, criminal convictions and security measures, biometric data, genetic data…

Data Processor and Data Controller

The General Data Protection Regulation (GDPR) has imposed certain obligations on the data processor. Data processors are directly subject to certain responsibilities and to supervision by the data protection authorities.

The data processor is responsible for:

  • Keeping a record of all data processing performed on behalf of the data controller
  • Ensuring the security of personal data
  • Assisting the data controller in certain matters
  • Informing the data controller and the data protection authorities about possible security vulnerabilities
  • Cooperating with data protection authorities
  • Appointing a representative to an EU data protection authority if located outside the EU

The code defines the data controller as the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

The data controller determines:

  • Whether personal data will be processed and what the purpose of processing is
  • Which types of personal data will be processed
  • Whose personal data is required to be processed
  • Whether personal data can be transferred to third parties
  • To which third parties personal data will be transferred and for what purpose
  • Who is authorized to access personal data
  • What period is determined by the data controller or by law for the storage of personal data
  • What method is to be followed after the data storage period expires (deletion, destruction, anonymization)

What is Explicit Consent?

The consent of the person is defined as consent obtained freely and after briefing, which indicates the acceptance by the person concerned of the processing of personal data about them. In the Directive, the term "consent" is used for personal data and the term "explicit consent" for special categories of personal data.

There are three conditions for explicit consent:

  1. Being related to a specific topic
  2. Relying on being informed
  3. Being expressed by free will

There is no requirement that the explicit consent statement be written or verbal. The consent text should be clear and written in plain language. Explicit consent must be obtained before the data is processed. The processing of the data in question must comply with the principle of good faith and equity and must be for specific, clear and legitimate purposes; the data must be kept in connection with the purpose for which it is processed, be accurate and, when necessary, up to date, and be kept for the time required for the purpose. The data subject can always withdraw the consent statement he/she has given for the processing of personal data.

How Does the Transfer of Personal Data Abroad Occur?

Article 9 of the Turkish Personal Data Protection Law states: “Personal data cannot be transferred abroad without the explicit consent of the person of interest.” The transfer of personal data is subject to Article 5/(2) of the relevant code and the existence of one of the conditions specified in Article 6/(3), and, in the foreign country to which the personal data will be transferred:

  • If the foreign country to which personal data will be transferred has an adequate level of protection,
  • In case there is not an adequate level of protection, if the data controllers in Turkey and abroad commit, in writing, to provide an adequate level of protection and the permission of the Board exists.

If the data is to be transferred to more than one country, it should be evaluated whether there is sufficient protection in each country; if there is more than one recipient, a written commitment should be provided for each recipient. For a transfer abroad to exist, it is sufficient for the data to be moved outside the country's borders; it is not necessary for it to be transferred to a third party. It is enough for the data to be hosted in a foreign country.

The countries where there is an adequate level of protection are determined and announced by the Board. (No announcement has been made by the Board yet; for this reason, the assessment of whether there is adequate protection should be made in accordance with the criteria determined by the Board in its decision No. 2019/125.)

The possibility of obtaining explicit consent from the data subject in order for the data controller to transfer data abroad has also been recognized by the Board. In addition to the general conditions of explicit consent, consent to transfer to third countries must include the following minimum elements:

  • Information that will be transferred abroad,
  • The country or countries to which the data will be transferred,
  • The purpose of the transfer,
  • For which purposes the data may be processed after transmission,
  • Whether the data can be transferred by the recipient to other persons.

Where explicit consent is the data processing condition relied on, personal data can be transferred directly abroad. In the event of a transfer based on one of the processing conditions other than explicit consent, it must be guaranteed that there is adequate protection in addition to the data processing condition.

Binding Corporate Rules

In an announcement dated 2020, the Board stated that it has embraced binding corporate rules. These rules are a step that facilitates the transfer of personal data abroad by multinational companies. For data to be transferred in accordance with this method, the data controllers must determine the Binding Corporate Rules and have them approved by the Board. The Binding Corporate Rules are a document that has the power of proof.

For examining the Binding Corporate Rules in terms of Turkish law, the Board has published:

  • Binding Corporate Rules For Data Controllers Application Form
  • An Auxiliary Document On The Basic Issues That Should Be Included In The Binding Corporate Rules For Data Controllers


The Binding Corporate Rules For Data Controllers Application Form can be submitted by the group's center resident in Turkey, if there is one; if the group does not have a resident center in Turkey, a group member resident in Turkey should be authorized for the protection of personal data and the application made by that Authorized Group Member. These applications are completed within a year.

The Auxiliary Document On The Basic Issues That Should Be Included In The Binding Corporate Rules For Data Controllers states the differences and similarities between the binding corporate rules and the application form mentioned. Examples include the rights and legal claims of the data subject, the burden of proof on the company, an explanation of the scope of the rules in terms of location, an explanation of the data protection principles in a way that covers the transfer from Turkey or subsequent transfers…