A cross-border data transfer is the transmission of personal data across national borders — for example, to a cloud provider or group company abroad. Because the receiving country may offer weaker protection, data-protection laws permit such transfers only under defined safeguards.
Under the EU GDPR, transfers rely on adequacy decisions, Standard Contractual Clauses or binding corporate rules. In Türkiye, the KVKK regime — substantially amended in 2024 — now allows transfers based on an adequacy decision, appropriate safeguards (including standard contracts notified to the Authority) or specified exceptions, replacing the earlier explicit-consent-heavy model.
Türkiye’s 2024 cross-border transfer regime
Türkiye substantially overhauled its rules on transferring personal data abroad in 2024, moving much closer to the GDPR model. Transfers may now rely on one of three routes: (i) an adequacy decision for the destination country, sector or international organisation; (ii) appropriate safeguards — standard contractual clauses, binding corporate rules, or written undertakings approved by the Authority; or (iii) narrow, case-by-case derogations, including the data subject’s explicit consent for a specific transfer. This replaced the earlier framework that, in practice, pushed most exporters toward explicit consent or hard-to-obtain undertakings. Organisations sending data offshore should map their data flows, select and document the correct mechanism for each, and file standard contractual clauses with the Authority within the required period.