Cross-Border Data Transfers Under Turkey's New KVKK Rules

If your company operates in Turkey but reports to a parent or affiliate abroad, you almost certainly send personal data across borders every day — payroll to a German HR system, customer records to a CRM hosted in Ireland, support tickets to a global helpdesk. Until recently, most of those cross-border data transfers ran on a single legal foundation: the explicit consent of every data subject. That changed in 2024. A major amendment to Turkey's Personal Data Protection Law (KVKK / Law No. 6698) introduced a new framework for sending personal data outside Turkey, modelled after — but not identical to — Europe's GDPR. Foreign-controlled companies operating in Turkey now have several legitimate routes for transferring data abroad, but each route carries documentation duties that did not exist before.

What the 2024 amendment actually changed

The 2024 amendment overhauled Article 9 of the KVKK, which governs cross-border data transfers. Under the old rules, you could only transfer personal data outside Turkey with the explicit consent of the data subject, unless the destination country was on a "safe countries list" that the Personal Data Protection Board (Kişisel Verileri Koruma Kurulu, "KVKK Board") was supposed to publish. Because that list never materialised, businesses defaulted to consent — which is hard to obtain at scale and can be withdrawn at any time.

The new system replaces that binary with a three-tier structure: adequacy decisions, appropriate safeguards, and specific situations. Each tier has its own conditions, paperwork, and notification duties.

Tier 1: Adequacy decisions

The KVKK Board can now issue adequacy decisions (yeterlilik kararı) declaring that a specific country, sector, or international organisation provides a level of data protection equivalent to Turkey's. If your destination falls under such a decision, the transfer can proceed without further safeguards, much like a domestic processing operation.

In practice, the Board has so far been cautious about issuing adequacy decisions, so most transfers will rely on the next tier.

Tier 2: Appropriate safeguards

If no adequacy decision applies, you must put one of the following safeguards in place before transferring data:

• Standard contractual clauses approved by the KVKK Board, signed between the Turkish exporter and the foreign importer. The signed contract must be notified to the Board within five business days.
• Binding corporate rules for transfers within a multinational group, subject to Board approval.
• An international agreement between public authorities (relevant only for state-to-state transfers).
• A written undertaking by both parties with specific protective commitments, approved by the Board.

For most foreign-controlled companies in Antalya and elsewhere, standard contractual clauses are the practical workhorse. They look similar to GDPR SCCs but are not identical, so an EU template cannot simply be re-used.

Tier 3: Specific situations

The amendment also recognises a narrow set of exceptions for occasional transfers — for example, when the data subject has given explicit consent for that specific transfer, when the transfer is necessary to perform a contract with the data subject, when it is needed to protect someone's vital interests, or for the establishment, exercise or defence of legal claims. These exceptions are read narrowly. They are not a substitute for systematic transfers, which should rely on Tier 1 or Tier 2.

What this means for foreign-controlled companies

Most companies with parent entities, group HR systems, or shared cloud platforms abroad need to review their data flows and pick the right legal route for each one. A typical compliance project includes mapping every outbound flow, identifying the controller and processor for each, choosing the appropriate transfer mechanism, signing the right paperwork, and updating the privacy notice so that data subjects know where their information goes. Ongoing record-keeping is also required: the KVKK Board can ask to see the contracts and the data flow inventory at any time.

Failure to comply can lead to administrative fines from the KVKK Board, complaints from individual data subjects, and reputational fallout. For e-commerce sellers and SaaS providers, an enforcement decision can also disrupt customer onboarding. For a broader view of compliance basics, see our KVKK compliance guide and our e-commerce cookie policy article.

Frequently Asked Questions

Q: We already have GDPR-compliant SCCs with our European parent. Do we still need Turkish SCCs?

The two systems are similar but not equivalent. The KVKK Board's standard contract follows its own template and must be notified to the Board after signing. GDPR SCCs alone do not satisfy Turkish law for transfers out of Turkey.

Q: Does explicit consent still work as a transfer ground?

Yes, but only for occasional or specific transfers under Tier 3. It is not a sustainable basis for the routine flows of personal data that come with running a Turkish subsidiary inside a global group.

Q: Are there fines for getting this wrong?

Yes. The KVKK Board can impose administrative fines that scale with the seriousness of the breach. Repeat issues, large-scale processing, or sensitive personal data significantly increase exposure.

Q: What about employee data sent to a foreign HR system?

Employee data is one of the most common cross-border flows. It usually relies on standard contractual clauses or binding corporate rules, supported by an updated privacy notice and clear documentation of the legal route used.

How Mona Hukuk Can Help

Our Antalya-based team advises foreign-controlled companies on KVKK compliance, helps map and document data flows, drafts and notifies standard contractual clauses to the KVKK Board, and supports binding corporate rules projects across multinational groups. We work in Turkish and English, so that your in-house legal team and our law firm can collaborate efficiently.

Contact us at info@monahukuk.com or call +90 (242) 606 14 32 to schedule a consultation in Antalya.