The end of 2024 and the beginning of 2025 were quite active in terms of legal developments regarding data protection legislation in Türkiye. Many of these developments, which have led to numerous questions and concerns on the application of Turkish Personal Data Protection Law No. 6698 (DPL) have been addressed through secondary legislation and explanatory guidelines issued by the Turkish Personal Data Protection Authority (Turkish DPA).

The Guidelines on Cross-Border Transfers of Personal Data published by the Turkish DPA in January 2025 (Guidelines) provide a definition of “cross-border data transfer” and a detailed analysis of the provisions of the DPL and the related regulation regarding the transfer of personal data outside Türkiye. The Guidelines outline a four-step approach to identifying an appropriate legal mechanism for the transfer of personal data, emphasizing that the legal provisions related to cross-border data transfers should be applied in accordance with this systematic framework. The Guidelines also further clarify the implementation of the standard contractual clauses (SCCs), which is one of the most encountered transfer method in practice, and exceptional cases for occasional data transfers.

The Turkish DPA has also published the amount of fines applicable for 2025. These have been subject to a 43.93% increase and now range from TRY 68,083 TRY to 13,620,402 (approx. EUR 1,870 to EUR 375,000).

Most recently, a new cooperation and information sharing protocol was signed between the Turkish DPA and the Turkish Capital Markets Board to facilitate enhanced cooperation and information exchange between these two public authorities in terms of data protection in capital markets.

Guidelines on cross-border data transfers

The publication of the Guidelines by the Turkish DPA was widely anticipated to clarify the provisions of the DPL and the related regulation regarding the transfer of personal data outside Türkiye. Considering the relatively recent amendments to the DPL regarding cross-border data transfers, concerns on the implementation of these provisions could only be relieved through an official and comprehensive roadmap provided by the Turkish DPA.

Definition of cross-border data transfers

The DPL does not expressly define the cross-border transfer of personal data. The Regulation on the procedures and principles applicable cross-border data transfers, on the other hand, defines a cross-border transfer as “the transmission of personal data by a data controller or data processor within the scope of DPL to a data controller or data processor located abroad, or making data accessible in some other way”. In this respect, the Guidelines indicate that the activity of “cross-border transfer of data” should be determined through the following three criteria:

• Transferring party subject to the DPL. The data controller or data processor (the transferring party) must be subject to the DPL for the relevant personal data processing activity. The Guidelines clarify the principle of territorial application and states that the application of the DPL must be interpreted through the “effect principle”. In other words, for a transfer of personal data to be considered under Turkish law, there must be a data controller or data processor operating within the scope of the DPL.
• Data transmission or accessibility. Personal data processed by the transferring party must be transmitted or made accessible. Furthermore, the transfer must be carried out by a data controller or data processor to another data controller or data processor located outside Türkiye. In this regard, if personal data is directly transmitted by the data subject, this would not constitute a cross-border transfer for the purpose of the DPL.
• Location of the data recipient. The data controller or data processor receiving the data must be located in a third country, regardless of whether it is subject to the DPL.

Step-by-step approach to cross-border transfers

As a first step, one should determine whether personal data may be transferred abroad without being subject to the rules set forth in the DPL, if this is expressly contemplated in international agreements or by other applicable laws. In the absence of such provisions, the Guidelines outline three further steps to identify an appropriate legal mechanism for the transfer of personal data, which should be complied in accordance with the conditions under Article 9 of the DPL. When determining the applicable method for transferring data abroad, this systematic, staged approach must be applied and the procedure outlined below should be followed:

• Adequacy decision. Personal data may be transferred outside Türkiye, if one of the conditions listed under Article 5 and Article 6 of the DPL, which regulate the conditions for processing personal data and sensitive personal data, applies and if an adequacy decision taken by the Turkish DPA with respect to a specific country, international organisation or sector is in place. No adequacy decision has been issued by the Turkish DPA to date.
• Appropriate safeguards. Absent an adequacy decision, personal data can still be transferred abroad in case one of the appropriate safeguards listed in the DPL exists. Along with the appropriate safeguards, the data subject must also have the ability to exercise their rights in the country to which the data is being transferred and have access to effective legal remedies. The appropriate safeguards provided in the DPL include the SCCs notified to the Turkish DPA as well as binding corporate rules, international agreements or written undertakings approved by the Turkish DPA.
• Occasional transfers. Occasional transfers refer to personal data transfers outside Türkiye that are irregular, occur only once or a few times, do not involve continuity, and are not part of the regular course of business activities. These kind of transfers are only possible where there is no adequacy decision and none of the appropriate safeguards is available. The exceptional cases for occasional cross-border transfers are exhaustively listed under the DPL. The Guidelines provide examples of occasional transfers, such as the transfer of personal data by an employer for the purpose of arranging meetings with clients abroad when a sales manager travels to visit different clients as part of their employment contract. The Guidelines further emphasize that in the exceptional case of occasional transfers based on explicit consent, it is necessary to inform the data subject about the potential risks associated with the transfer in addition to the general information obligation.

Implementation of SCCs

The Guidelines provide further clarification in relation to the implementation of SCCs. Accordingly, the Guidelines underline that except for optional or alternative clauses, no additions, deletions or changes can be made to the SCCs published by the Turkish DPA. The parties must choose the appropriate SCCs from the four templates published by the Turkish DPA, depending on their respective roles as data controller or data processor based on the relevant data flow. The SCCs may be prepared in multiple languages and submitted to the Turkish DPA in dual-column, but the Turkish version shall prevail.

As for the notification procedure, the SCCs must be notified to the Turkish DPA within five days from the date of signing, and failure to do so will result in an administrative fine. The party responsible for the notification may be specified in the SCCs and if there is no such determination, the data transferring party must carry out the notification process. The SCCs can be notified to the Turkish DPA (i) physically (e.g. by hand or by post); (ii) through Turkish registered electronic e-mail (KEP) address; or (iii) by other alternative methods to be determined by the Turkish DPA (such as the SCCs online notification module introduced by the Turkish DPA on 25 October 2024, which is accessible on the Turkish DPA’s website).

Pursuant to the Guidelines, the notification should include (i) the final execution version of the SCCs duly filled and signed by or on behalf of the parties; (ii) supporting documents evidencing the powers of the signatories to the SCCs; and (iii) a notarised translation of any documents provided in a foreign language. For the official documents issued by foreign authorities, the Turkish DPA will only accept the documents bearing apostille certification.

Updated fines for 2025

The administrative fines set forth under Article 18 of the DPL have been subject to a 43.93% increase to account for yearly inflation, and now range from TRY 68,083 TRY to 13,620,402 (approx. EUR 1,870 to EUR 373,750).

The fines that may be imposed by the Turkish DPA for 2025 are as follows:

• Failure to comply with information obligation: TRY 68,083 to 1,362,021 (approx. EUR 1,870 to 37,375)
• Failure to comply with data security obligations: TRY 204,285 to 13,620,402 (approx. EUR 5,600 to 373,750)
• Failure to comply with decisions of the Turkish DPA: TRY 340,476 to 13,620,402 (approx. EUR 8,360 to 373,750)
• Failure to comply with data controller registry (VERBIS) registration and notification obligation: TRY 272,380 to 13,620,402 (approx. EUR 7,480 to EUR 373,750)
• Failure to notify SCCs to the Turkish DPA within five business days of signing: TRY 71,965 to 1,439,300 (approx. EUR 1,975 to 39,510)

New cooperation protocol between Turkish DPA and Turkish Capital Markets Board

The Turkish DPA announced on 6 January 2025, through a statement published on its website, that a new cooperation and information sharing protocol has been signed between the Turkish DPA and the Turkish Capital Markets Board to facilitate enhanced cooperation and information exchange as well as effective cooperation between the two authorities in terms of data protection in capital markets.

This new cooperation protocol envisages the exchange of information and opinions on common issues within the responsibilities of both authorities. In this context, it is planned to carry out joint projects and initiatives on personal data protection, data privacy, and data security, to train professional staff, and to organize joint publications and awareness-raising activities.