Cross-Border Transfers of Personal Data and Direct Collection: An Assessment within the Framework of EU and Turkish Law
Introduction
As a result of the globalised world economy, the acceleration of digitalisation, the increasing prevalence of multinational corporate structures, and the growing integration of technological tools into business processes, the cross-border flow of personal data has become an inevitable and continuous phenomenon. However, the procedures and principles governing cross-border transfers of personal data should not be regarded merely as a technical sub-category of data protection law. On the contrary, the rules governing such transfers perform a critical and strategic function in terms of economic growth, the investment environment, the flow of international trade, and competitiveness in digital markets. This is because the commercial use of personal data supports the development of digital trade and contributes to economic growth.[1]
As a matter of fact, to respond to the necessities arising from cross-border data flows, significant amendments were introduced to the Personal Data Protection Law No. 6698 (the “Law”) by Law No. 7499, published in the Official Gazette on 12 March 2024, including amendments concerning the transfer of personal data abroad (the “Amendment Law”)[2]. Through these amendments, a system largely aligned with the cross-border transfer regime under the European Union’s (“EU”) General Data Protection Regulation No. 2016/679 (“GDPR”) was established. As indicated in the Guideline on the Transfer of Personal Data Abroad[3] published by the Personal Data Protection Authority (the “Authority”) in January 2025 (the “Guideline”), the general preamble underlying Law No. 7499 notes that, following the entry into force of the GDPR, the objective of aligning the Law with the GDPR has been included in various action plans, and that, in this context, the provisions governing the transfer of personal data abroad were amended as one of the priority areas requiring legislative change.
On the other hand, not every data flow involving a foreign element can automatically be characterized as a cross-border transfer of personal data. In particular, where a controller established abroad directly collects personal data from a data subject in Türkiye, it should be underlined that such collection does not constitute a cross-border transfer. Nevertheless, in practice, many processing activities involving a foreign element tend to be treated as falling within the scope of cross-border transfers, and the distinction between the direct collection of personal data and cross-border transfers is often not made accurately.
In this article, the concepts of cross-border transfer and direct collection of personal data, which are frequently treated interchangeably in practice, will be examined within the Turkish and EU regulatory framework.
The Legal Framework for Cross-Border Transfers of Personal Data under GDPR and the Law
The procedures and principles governing cross-border transfers of personal data introduced by the Amendment Law are regulated under Article 9 of the Law, in parallel with the layered structure adopted under GDPR, while the detailed provisions on cross-border transfers are set out in the Regulation on the Procedures and Principles For the Transfer of Personal Data Abroad[4] (the “Regulation”).
The cross-border transfer of personal data is defined as “the transmission of personal data from a data controller or data processor under the Law No.6698 to a data controller or data processor established abroad, or making such data accessible to them by any other means”. The Guideline provides further explanations regarding this definition set out in the Regulation, thereby clarifying the scope of the concept and adopting a broad interpretation of what constitutes a transfer.
The Guideline states that the following three elements must be present to qualify an activity as a cross-border transfer of personal data: (i) the data exporter must be subject to the Law in respect of the relevant personal data processing activity; (ii) the personal data processed by the data exporter must be transmitted or otherwise made accessible; and (iii) the data controller or data processor to whom the personal data is transferred must be located in a third country, irrespective of whether such recipient is subject to the Law. In addition, the Guideline provides more concrete examples of circumstances that may be regarded as cross-border personal data transfers. In this regard, as per the Guideline, operations such as creating an account for systems located in Türkiye, granting access rights to an existing account, approving or accepting a valid request for remote access, inserting a hard drive, or sharing the password to a file, as well as providing remote access from a third country to a system located in Türkiye, even where the personal data is only viewed on screen, are regarded as cross-border transfers of personal data.
The broad interpretation adopted in the Guideline with respect to the concept of cross-border data transfers is also reflected in EU practice. In this regard, the European Data Protection Board’s (“EDPB”) Guideline on the Interplay between the Application of Article 3 of the GDPR and the Provisions on International Transfers under Chapter V of the GDPR[5] (the “EDPB Guideline”) states that a cross-border transfer occurs where the data exporter transmits personal data outside the EU or otherwise makes such data accessible from outside the EU. The EDPB also interprets the concept of making personal data accessible broadly; in this respect, remote access from outside the EU in the context of IT support or troubleshooting activities may fall within this concept, even where the personal data is merely viewed on screen. Accordingly, the approach adopted in the Guideline appears to be largely aligned with the practice and interpretation developed by the EDPB.
Where a transfer of personal data exists in the sense described above, the rules governing cross-border transfers will apply under both Turkish legislation and the GDPR. In such a case, the cross-border transfer of personal data must be assessed within the layered framework set out under Article 9 of the Law and Chapter V of the GDPR. Accordingly, provided that one of the legal bases for processing is present, personal data may be transferred abroad primarily on the basis of an adequacy decision issued by the Personal Data Protection Board (the “Board”) in respect of transfers from Türkiye or by the European Commission (the “Commission”) in respect of transfers from the EU, concerning the relevant country, international organization, or sectors within a country. In the absence of an adequacy decision, transfers from Türkiye will require that the data subject has the ability to exercise their rights and access effective remedies in the country of transfer, and that one of the appropriate safeguards provided under Article 9 of the Law, such as the execution of standard contractual clauses or the adoption of binding corporate rules, is ensured, whereas transfers from the EU must be based on one of the appropriate safeguards set forth under Article 46 et seq. of the GDPR. If these conditions are not met, the transfer may only be carried out based on one of the exceptional and occasional transfer grounds exhaustively regulated under the Law.
The Distinction Between Direct Collection of Personal Data from Abroad and Cross-Border Transfers of Personal Data under the GDPR and Law
As explained in the previous section, where a cross-border transfer of personal data is at stake, the specific rules governing such transfers become applicable. Thus, it is of critical importance to distinguish cross-border transfers from situations that may resemble such transfers in practice but are not legally characterized as such.
In practice, cases involving the direct collection of personal data are often characterized as cross-border transfers, leading to the erroneous application of measures applicable to such transfers. However, the Guideline expressly states that cases where data controllers or data processors located abroad collect personal data directly from data subjects are not to be regarded as transfers of personal data abroad within the meaning of Article 9 of the Law. For instance, in the examples provided in the Guideline, the Authority considers data subjects located in Türkiye directly entering their name, surname, and e-mail address into a form on an online shopping website operated by a company established abroad and targeting the Turkish market to constitute direct collection of personal data, and states that the cross-border transfer rules under Article 9 of the Law would not apply in such a case. Nevertheless, the Guideline further clarifies that where the party directly collecting the data subsequently transmits such data to a processor outside Türkiye, this subsequent activity will be regarded as a cross-border transfer under the Law and the rules governing personal data transfers abroad will apply. Accordingly, with respect to subsequent transfers carried out by the party located outside Türkiye that directly collects personal data, one of the appropriate safeguards set out under Article 9/4 of the Law must be provided, such as the execution of standard contractual clauses or, in the case of intra-group transfers, the adoption of binding corporate rules.
The approach adopted under Turkish law with respect to the direct collection of personal data from data subjects by a data controller established abroad is similarly recognized under EU law. Indeed, the EDPB Guideline states that cases involving the direct collection of personal data from the data subject are not subject to the rules and procedures on international transfers stipulated under Chapter V of the GDPR. In this regard, however, it should be borne in mind that the data controller established abroad remains obligated to comply with the GDPR and continues to be accountable for its processing activities, irrespective of where such activities take place. In the online shopping example provided in the EDPB Guideline, a data subject residing in Italy directly entering her name, surname, and postal address into a form on a website operated by a third-country company that has no establishment in the EU but targets the EU market does not constitute an international transfer within the meaning of Chapter V of the GDPR, since the personal data is not transmitted by a data exporter but is directly collected from the data subject by the data controller residing in a third country. Nevertheless, as the processing activities of that company fall within the applicable territorial scope of the GDPR pursuant to Article 3/2, the company is not exempt from its compliance obligations under the GDPR.
Conclusion
In conclusion, accurately distinguishing between the cross-border transfer of personal data and the direct collection of personal data from data subjects by a data controller abroad is significant for determining the applicable legal mechanisms. In practice, the erroneous characterization of direct collection scenarios as cross-border transfers may lead to the unnecessary implementation of transfer mechanisms. This may give rise to additional compliance risks, particularly in relation to standard contractual clauses, given the notification obligation to the Authority. In this regard, Turkish and EU regulatory frameworks and practices are substantially aligned. Under both approaches, cases where personal data is directly collected from data subjects by controllers established abroad are not regarded as cross-border transfers based on similar criteria, while this does not relieve the relevant controller from its obligations under the applicable data protection legislation.
- Yakovleva, S. “Personal Data Transfers in International Trade and EU Law: A Tale of Two ‘Necessities’”, Journal of World Investment & Trade (2020) 1-39, p. 2-3.
- Law No. 6698 on the Amendment of the Code of Criminal Procedure and Certain Laws, including provisions on the Law on the Protection of Personal Data, was published in the Official Gazette dated 12.03.2024 and numbered 32487. The amendments entered into force on 01.06.2024 and existing first paragraph of Article 9, which regulates the procedures and principles regarding the transfer of personal data abroad, continued to be applied until 01.09.2024 with the amended version of the article.
- Personal Data Protection Authority, “Kişisel Verilerin Yurt Dışına Aktarılması Rehberi” (Date of Access: 20.04.2026).
- Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad, published in the Official Gazette No. 32598 dated 10.07.2024.
- European Data Protection Board, Guidelines 05/2021 on the Interplay Between the Application of Article 3 and the Provisions on International Transfers as per Chapter V of the GDPR (Date of Access: 20.04.2026).
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.