Turkish Personal Data Protection Law No. 6698 ("KVKK"): Cross-Border Data Transfers
- Merih Okuyaz
- Jan 21
Updated: Jan 22
Who is this for?

Teams using overseas software/services (cloud, SaaS)
Companies sharing data among group entities
Businesses transferring customer or employee data from Turkey abroad
The framework at a glance
For transfers of personal data abroad, a staged regime applies:
Adequacy decision by the Personal Data Protection Board (the “Board”) for the destination country/entity. (As of today, there is no announced adequacy decision, so you must rely on safeguards.)
Appropriate safeguards where no adequacy exists: standard contract, binding corporate rules, or undertaking + Board approval.
Exemptions for limited, non-routine cases where no adequacy or safeguard is used (e.g., explicit consent, performance of a contract, etc.).
Status summary (short & clear)
There is no adequacy decision currently in force. In practice you choose one of these (plus, where truly occasional, a derogation):
Standard contract (notification to the Authority within 5 business days of signature)
Binding corporate rules (for ongoing intra-group transfers)
Undertaking + Board approval (flexible but requires approval)
Derogations (one-off/occasional transfers; e.g., explicit consent)
How to choose the path
Is the transfer recurring? For regular/repeating flows, set a durable mechanism (standard contract, binding corporate rules, or undertaking + approval).
Need speed and a practical setup? The standard contract is usually the first choice.
Complex, multi-country group flows? Binding corporate rules can be cleaner long-term (but take longer to prepare/approve).
One-off need? Consider derogations, but they are not a permanent solution.
Path 1 — Standard Contract (most practical and widely used)
What it does: When no adequacy decision exists, it documents security and organisational measures between the parties, allowing the transfer without an additional permit.
Notification deadline: You must notify within 5 business days after signature. Notification can be physical filing, via KEP (registered e-mail), or through the Standard Contract Notification Module.
How it works (3 steps)
Write roles clearly: Which party is the data controller, which is the data processor (and is there a sub-processor)?
Complete the contract + annexes: Countries, data categories, purpose, retention; detail security measures in a separate annex.
File the notification: Submit via Module/KEP/physical within 5 business days. (Include signature dates in the document.)
Common mistakes: Wrong role/template, empty security annex, not naming the destination country, missing signature/authority docs, and missing the 5-business-day deadline.
Path 2 — Binding Corporate Rules (intra-group, ongoing transfers)
What it does: Provides a single framework for frequent transfers among group companies in different countries. Guidance exists, but preparation/approval takes longer than a standard contract.
When it makes sense: Multi-country, multi-entity, long-term flows where you want standardised governance and audit under one set of rules.
Path 3 — Undertaking + Board approval
What it does: Parties assume appropriate safeguards by written undertaking and obtain Board approval before transfers.
Note: The application–review–approval process takes time; some recipients/flows may require separate applications.
Exemptions (for one-off/occasional transfers)
For non-routine, necessary, and limited cases: explicit consent, necessity for performance of a contract with the data subject, establishment/exercise/defence of legal claims, vital interests, etc. These do not replace a durable mechanism for regular transfers.
Implementation checklist
Roles (controller / processor) and any sub-processor written clearly
Countries, data categories, purpose, retention defined
Security measures detailed in an annex (access, encryption, logs, audit)
If using a standard contract: notification filed within 5 business days of signature
For intra-group flows: consider binding corporate rules or an alternative
If using an undertaking: timeline and document pack for approval prepared
If you relied on a derogation: plan migration to a permanent mechanism
FAQs
Does the Authority “approve” the standard contract? No approval—there is a notification requirement. File within 5 business days of signature (Module/KEP/physical).
Why consider binding corporate rules? If you transfer regularly across many countries within a group, BCRs centralise governance and audits under one framework.
Does undertaking + approval take long? Yes—due to preparation and the Board’s review. Separate applications may be needed per recipient/flow.
How can a lawyer help?
Help you choose the right path (frequency, speed, cost, audit needs).
Prepare the contract/annexes, notification, and an audit pack.
Align documents with your actual operations for clean, durable compliance.
This content is for general information only and does not constitute legal advice or an advertisement.