top of page
  • Writer's pictureAv. Lider Tanrıkulu

Transfer of Personal Data

Updated: Oct 14, 2023



One of the most significant and complicated challenges in numerous countries today is the protection of personal data in order to safeguard individuals' fundamental liberties and rights, particularly their right to privacy. Following the Directive on the Protection of Personal Data (Directive 95/46/EC), which was one of the first efforts in this field and implemented by the European Union in 1995, the General Data Protection Regulation ("GDPR"), which is a more comprehensive legislation that binds the collection and processing of personal data to certain rules, was approved by the European Parliament and put into effect in 2018. The GDPR regulates a wide range of complex concerns, including the obligations of people who process personal data, legal requirements, penalties, protections for international data transfers, and supervisory agencies. As a result of these studies on personal data in the international arena, domestic practices in order to be included in the status of reliable countries in terms of data processing have become very important. In our country, the concept of personal data, which is guaranteed by Article 20 of the Constitution, has been on the agenda since the early 2000s and the Law on the Protection of Personal Data ("KVKK") entered into force in 2016.

Processing of personal data as defined in Article 3 of the KVKK (Personal Data Protection Authority) consists of all kinds of operations performed on personal data, such as obtaining, recording, storing, retaining, changing, rearranging, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, automatically or by non-automatic means, provided that it is part of any data recording system.

The fulfillment of at least one of the following requirements will enable the processing of personal data, as stated in Article 5 of the KVKK, which outlines the requirements for processing personal data.

  • Explicit consent of the person concerned,

  • Explicitly stipulated in the law,

  • It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,

  • It is necessary to process personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of the contract,

  • It is mandatory for the data controller to fulfill its legal obligation,

  • It has been made public by the person concerned,

  • Data processing is mandatory for the establishment, exercise or protection of a right,

  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

The conditions for the processing of personal data listed in the Law, i.e. the cases of compliance with the law, are determined by enumeration (limited/sui generis) and these conditions cannot be expanded.



Although the processing of personal data domestically in accordance with the legislation does not mean that the data can be transferred directly; the existence of the conditions in Articles 5 and 6 of the Law is sought for the transfer. Within this framework, the issue of the domestic transfer of personal data is regulated by Article 8 of the Law on the Protection of Personal Data. In light of this, the first sentence of the article specifies that personal data cannot be processed without the person's explicit consent. Therefore, before processing any personal data, the data controller must first obtain explicit consent. In accordance with the Law's provisions, the data controller can transfer the relevant information domestically in the event of explicit consent without further permission. Therefore, the legislator has prevented the parties from extending the process by carrying out duplicate transactions by regulating the same terms for both the processing of personal data and the transfer of such data domestically. The circumstances under which personal data may be transferred to other parties without their express approval are governed by Article 8 second paragraph.


Sensitive personal data transfers within the country are subject to certain restrictions imposed by the law. So much so that, in order to transfer sensitive personal data domestically under the jurisdiction of the KVKK, one of the following requirements must exist;

  • In case the explicit consent of the data subject is obtained,

  • In case it is explicitly stipulated in the laws in terms of personal data of special nature other than health and sexual life,

  • In terms of personal data relating to health and sexual life, it may be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

In accordance with the Law, special categories of personal data shall be processed with the appropriate safeguards defined by the Board.



Pursuant to Article 9 of Law No. 6698, the existence of the explicit consent of the data subjects is determined as the main condition for the transfer of personal data abroad. However, in the second paragraph of this article, it is stipulated that personal data may be processed without the explicit consent of the data subject within the scope of Article 5 and that personal data may be transferred abroad without seeking the explicit consent of the data subject in the presence of situations where public interest is pursued within the scope of Article 6 and in the presence of adequate protection in the country where the data will be transferred. While the existence of the conditions specified in the Law is required for transfers to countries with adequate protection, which are deemed safe by the Board, the existence of other protection mechanisms signed between the two countries and the permission of the Board is mandatory for transfers to countries where adequate protection is not available.


When processing personal data, the Board determines whether the foreign country to which the data will be transmitted offers a sufficient degree of protection; this determination is based on the categorization provided in Article 9 fourth paragraph of the KVKK. The specific article also lists the requirements by which the Board will choose countries with adequate protection or the standards by which it will decide whether to approve protection mechanisms that require Board approval, with some exceptions made for data transfer abroad. As a result, the Board assesses the following factors and, if required, seeks the advice of appropriate officials and organizations to determine if there is enough protection in the other country.

a) International conventions to which Turkey is a party, b) The reciprocity status regarding data transfer between the country requesting personal data and Turkey, c) For each concrete personal data transfer, the nature of the personal data and the purpose and duration of processing, d) The relevant legislation and practice of the country to which the personal data will be transferred, e) Measures undertaken by the data controller in the country where the personal data will be transferred.

Pursuant to Article 9 of the KVKK, in addition to those listed above, the provisions of international agreements and the provisions of other laws on the subject are reserved in the process of transferring personal data abroad.

In this context, in the Board's Decision No. 2019/157, it was decided that keeping personal data in data centers located in many different countries on an international level through Google's G-mail accounts is considered as data transfer abroad, and therefore, such transfers should be carried out as regulated in Article 9 of the KVKK. With this decision of the Board, it is possible to speak of data transfer abroad in any case where personal data is transferred directly or indirectly outside the borders of Turkey as required by the work performed.

As can be seen, in order for the data to be transferred abroad in accordance with the Law No. 6698, it is regulated that the transfer can be made without the explicit consent of the data subject in the presence of the explicit consent of the data subject regarding the transfer or in the presence of other processing conditions.


Compared to the developments and regulations in the European Union, the entry into force of the Personal Data Protection Law in Turkey in April 2016 does not mean that there has not been any protection of personal data in our country before; however, there are various regulations regarding privacy of private life and protection of personal data within the framework of the Constitution, Criminal Code and Code of Obligations in areas such as health, banking, electronic communication before the entry into force of the KVKK.

The paragraph added to Article 20 of the Constitution with the amendment made by Law No. 5982 in 2010 is as follows;

"Everyone has the right to request the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning him/her, to access such data, to request their correction or deletion, and to learn whether they are used for their intended purposes. Personal data may only be processed in cases stipulated by law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data shall be regulated by law."

In most of the countries that are recognized to provide more effective protection compared to Turkey, the protection of personal data is considered a constitutional right, but it is not separately and specifically regulated. In the relevant regulations, the protection of personal data is generally interpreted as a constitutional right within this framework by associating the protection of personal data with other constitutional rights such as the protection of private life and freedom of expression.

When we examine the legislative framework for the protection of personal data on a global scale, it becomes clear that Turkey is among the countries with limited protection, placing it in a better position than the countries with the least protection. The United States of America, where legislation serves as a model for liberal democracies, and the European Union and its member states are both thought to apply more restrictive protection requirements than Turkey does. In this time when the export of personal data across borders is unavoidable, the existence of international standards and their adoption by more nations have become crucial.

Author; Intern Atty. Öykü AKYÜZ

Translated by; Hasan ASGAROV


– Kişisel Verileri Koruma Kurumu, Kişisel Verilerin İşlenme Şartları, İçerik 4190

– ÇELİKEL, Serdar, Kişisel Verilerin İşlenmesinde, Açık Rıza Hukuka Uygunluk Nedeninin, 95/46 Sayılı Direktif ve GDPR’la Karşılaştırmalı Olarak İncelenmesi, 2021

– TÜRKMEN, Sevgi, Özel Nitelikli Kişisel Verilerin İşlenmesinde Açık Rızanın Aranmadığı Haller, 2019

– 6698 Sayılı Kişisel Verileri Koruma Kanunu, 2016

– HOŞNUT, Yasime, Uluslararası Düzenlemelerde ve Türkiye’de ̇Kişisel Verilerin Korunması,2019

– Kişisel Verileri Koruma Kurumu, Kişisel Verilerin Korunması Alanında Uluslararası ve Ulusal Düzenlemeler, İçerik 4183

– ANI, Nevzat Ali. Kişisel Verilerin İşlenmesi ve Açık Rıza. İstanbul Üniversites iSosyal Bilimler Enstitüsü Özel Hukuk Anabilim Dalı Yüksek Lisans Tezi. İstanbul: s.n., 2018. s. 128.

– AKÇALI GÜR, Berna, Uluslararası Hukuk ve AB Hukuku Boyutuyla Kişisel Verilerin Yurt Dışına Aktarılması, Marmara Üniversitesi Hukuk Fakültesi Hukuk Araştırmaları Dergisi • Cilt 25, Sayı 2, Prof. Dr. Ferit Hakan Baykal Armağanı, Aralık 2019

– DLA Piper, Data Protection Laws of the World, (Çevrimiçi) (Erişim Tarihi: Ocak 2018)

– Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data Strasbourg, 28.I.1981

3 views0 comments


bottom of page