Evaluation on the Guidelines on the Transfer of Personal Data Abroad

The Guideline on the Transfer of Personal Data Abroad (“Guideline”), which was prepared in order to systematize the application area regarding the transfer of data abroad within the scope of the Law on the Protection of Personal Data (“Law”) and to guide the practitioners, was published by the Personal Data Protection Authority (“Authority”) on January 2, 2025. The Guideline draws attention as a comprehensive document in order to eliminate the uncertainties arising from the amendments to the law and the Regulation that entered into force as of 2024. In this article, the prominent details of the Guidelines will be evaluated.

1. Distinguishing Direct Data Collection and Transfer

The Guideline makes it clear that the transfer of personal data directly by the data subject to a data controller abroad will not be considered as a data transfer. However, it is stated that if these directly collected data are transferred onward to another foreign data controller or processor, this transaction will be considered as an overseas data transfer within the scope of the Law.

2. Group Companies and Standard Contracts

The Guideline provides a limited description of the data processing processes of multinational companies. An example is given for subsidiaries in Turkey transferring employee data to the database of the parent company, and in this context:

• The data controller is deemed to be the Turkish subsidiaries,
• And the parent companies will be considered as data processors.

However, it is also emphasized that if the parent company processes this data for different and its own purposes, it may be considered as the data controller as well. This increases the complexity of the transfer processes between group companies. It is stated that the standard contracts used in the practices of multinational companies should be prepared both for the transfer from the data controller to the data processor and for the transfer from the data controller to the data controller in case of need. The Guidelines provide detailed information on the procedures to be followed in drafting these agreements, but do not fully meet the expectation of offering practical solutions in the context of the global systems of multinational companies.

3. Transfers Based on Appropriate Safeguards and Drafting Standard Contracts

The Guideline provides important details on the drafting and implementation of standardized contracts. In particular:

• No additions or deletions should be made to contract texts,
• Data types and relevant groups of people should be specified in detail,
• It is emphasized that the annexes to the contract must be compatible with VERBIS records.

However, the problems in practice regarding the effective date of standard contracts could not be completely eliminated due to the strict stance of the Guidelines on this point. In particular, the extent of the sanctions to be imposed on data controllers who fail to sign a standard contract within the deadline (post September 1, 2025) continues to pose a risk for enforcers.

4. Incidental Transfers

The Guideline emphasize that incidental transfers should be treated very narrowly. In the absence of an adequacy decision or appropriate safeguards, this method can be applied to data transfers that are not continuous and occur outside the ordinary course of business. It is stated that criteria such as the irregularity of the incidental transfer and its occurrence under unforeseen circumstances should be evaluated cumulatively in determining whether the transfer is exceptional. However, in practice, it is still unclear which scenarios will be considered incidental transfers.

5. Similarity between the Guidelines and the GDPR Guidelines

The Guideline on the Transfer of Personal Data Abroad provides a framework that is generally in line with the principles set out in the guidance documents of the European Union General Data Protection Regulation (“GDPR”). In particular, basic approaches such as adequacy decision in data transfer processes and transfers based on appropriate safeguards are handled in a similar systematic in both regulations. As with the GDPR guidelines, the Guideline take a parallel approach in assessing the risks of data transfer, setting out the detailed rules of standardized contracts and explaining the applicability of binding corporate rules. Nevertheless, the Guideline contain some differences specific to Turkey's legal and operational needs, indicating that the local context is taken into account in harmonization processes.

6. Conclusion and Assessment

The Guideline on the Transfer of Personal Data Abroad is important as a guiding document in data transfer processes. In particular, issues such as direct data acquisition, implementation of standard contracts and incidental transfers are clarified. However, guidance on data transfers between group companies and global data processing systems of multinational companies have raised new questions for practitioners. It is of great importance that the Guideline is updated in the future and, in particular, that the implementation principles are made more concrete with examples. In this context, it is critical that data controllers fulfill the obligations set out in the Guideline and make their processes transparent and compliant.