KVKK Article 9: Transfer of personal data abroad is possible under limited conditions.
Transfer Abroad
- Explicit consent (of the relevant person)
- Transfer to the country providing adequate protection
- If there is not sufficient protection, letter of commitment + Board permission
Sufficient Protected Country List
Adequate countries have not yet been declared by the KVKK Board. For this reason, either express consent or letter of undertaking/Board permission is required for every international transfer.
Letter of Commitment
- Between the data transferor and the data receiver
- Security commitment in compliance with KVKK
- Protection of the rights of the relevant person
- Signed or approved by the Board
Board Permission
- If the letter of undertaking is signed Application to the Board
- The Board evaluates the relevant interests
- Transfer can be made if permitted
Common Transfer Scenarios
- Cloud services (AWS, Azure, GCP)
- Offshore software/SaaS
- Marketing automation (HubSpot, Salesforce)
- Call center off-shore
- Backup servers
KVKK Board Decision
KVKK Board has imposed serious administrative fines on companies that transfer data abroad in recent years, and carries out strict inspections, especially for "transfers hidden within the service contract".
Practical Recommendations
- Checking the data storage location of suppliers
- Add a "data location" clause in cloud contracts
- Domestic alternatives may be considered
KVKK expert lawyer is recommended.