Cross-Border Transfers of Personal Data and Direct Collection: An Assessment within the Framework of EU and Turkish Law
Introduction
As a result of the globalised world economy, the acceleration of digitalisation, the increasing prevalence of multinational corporate structures, and the growing integration of technological tools into business processes, the cross-border flow of personal data has become an inevitable and continuous phenomenon. However, the procedures and principles governing cross-border transfers of personal data should not be regarded merely as a technical sub-category of data protection law. On the contrary, the rules governing such transfers perform a critical and strategic function in terms of economic growth, the investment environment, the flow of international trade, and competitiveness in digital markets. This is because the commercial use of personal data supports the development of digital trade and contributes to economic growth.[1]
As a matter of fact, to respond to the necessities arising from cross-border data flows, significant amendments were introduced to the Personal Data Protection Law No.6698 (the “Law”), by Law No. 7499, published in the Official Gazette on 12 March 2024, including amendments concerning the transfer of personal data abroad (the “Amendment Law”)[2]. Through these amendments, a system largely aligned with the cross-border transfer regime under the European Union’s (“EU”) General Data Protection Regulation No. 2016/679 (“GDPR”) was established. As indicated in the Guideline on the Transfer of Personal Data Abroad[3] published by the Personal Data Protection Authority (the “Authority”) in January 2025 (the “Guideline”), the general preamble underlying Law No. 7499 notes that, following the entry into force of the GDPR, the objective of aligning the Law with the GDPR has been included in various action plans, and that, in this context, the provisions governing the transfer of personal data abroad were amended as one of the priority areas requiring legislative change.
On the other hand, not every data flow involving a foreign element can automatically be characterized as a cross-border transfer of personal data. Particularly, where a controller established abroad directly collects personal data from a data subject in Türkiye, it should be underlined that such collection does not constitute a cross-border transfer. Nevertheless, in practice, many processing activities involving a foreign element tend to be treated as falling within the scope of cross-border transfers, and the distinction between the direct collection of personal data and the cross-border transfers is not often made accurately.
In this article, the concepts of cross-border transfer and direct collection of personal data, which are frequently treated interchangeably in practice, will be examined within the Turkish and EU regulatory framework.
The Legal Framework for Cross-Border Transfers of Personal Data under GDPR and the Law
The procedures and principles governing cross-border transfers of personal data introduced by the Amendment Law are regulated under Article 9 of the Law, in parallel with the layered structure adopted under GDPR, while the detailed provisions on cross-border transfers are set out in the Regulation on the Procedures and Principles For the Transfer of Personal Data Abroad[4] (the “Regulation”).
The cross-border transfer of personal data is defined as “the transmission of personal data from a data controller or data processor under the Law No.6698 to a data controller or data processor established abroad, or making such data accessible to them by any other means”. The Guideline provides further explanations regarding this definition set out in the Regulation, thereby clarifying the scope of the concept and adopting a broad interpretation of what constitutes a transfer.
The Guideline states that the following three elements must be present to qualify an activity as a cross-border transfer of personal data: (i) the data exporter must be subject to the Law in respect of the relevant personal data processing activity; (ii) the personal data processed by the data exporter must be transmitted or otherwise made accessible; and (iii) the data controller or data processor to whom the personal data is transferred must be located in a third country, irrespective of whether such recipient is subject to the Law. In addition, the Guideline provide more concrete examples of circumstances that may be regarded as cross-border personal data transfers. In this regard, as per the Guideline, operations such as creating an account for systems located in Türkiye, granting access rights to an existing account, approving or accepting a valid request for remote access, inserting a hard drive, or sharing the password to a file, as well as providing remote access from a third country to a system located in Türkiye, even where the personal data is only viewed on screen, are considered to be regarded as cross-border transfers of personal data.
The broad interpretation adopted in the Guideline with respect to the concept of cross-border data transfers is also reflected in the EU practice. In this regard, the European Data Protection Board’s (“EDPB”) Guideline on the Interplay between the Application of Article 3 of the GDPR and the Provisions on International Transfers under Chapter V of the GDPR[5] (the “EDPB Guideline”) states that a cross- border transfer occurs where the data exporter transmits personal data outside the EU or otherwise makes such data accessible from outside the EU. The EDPB also interprets the concept of making personal data accessible broadly; in this respect, remote access from outside the EU in the context of IT support or troubleshooting activities may fall within this concept, even where the personal data is merely viewed on screen. Accordingly, the approach adopted in the Guideline appears to be largely aligned with the practice and interpretation developed by the EDPB. In this regard, it can be said that the approach adopted by the Guideline, appears to be largely aligned with the practice and interpretation developed by the EDPB.
Where transfer of personal data exists in the sense described above, the rules governing cross-border transfers will apply under both Turkish legislation and the GDPR. In such case, the cross-border transfer of personal data must be assessed within the layered framework set out under Article 9 of the Law and Chapter V of the GDPR. Accordingly, provided that one of the legal bases for processing is present, personal data may be transferred abroad primarily on the basis of an adequacy decision issued by the Personal Data Protection Board (the “Board”) in respect of transfers from Türkiye or by the European Commission (the “Commission”) in respect of transfers from the EU, concerning the relevant country, international organization, or sectors within a country. In the absence of an adequacy decision, the transfers from Türkiye will require that data subject has the ability to exercise their rights and access effective remedies in the country of transfer, and that one of the appropriate safeguards provided under Article 9 of the Law, such as the execution of standard contractual clauses or the adoption of binding corporate rules is insured, whereas transfers from the EU must be based on the one of the appropriate safeguards set forth under Article 46 et seq. of the GDPR. If these conditions are not met, the transfer may only be carried out based on one of the exceptional and occasional transfer grounds exhaustively regulated under the Law.
The Distinction Between Direct Collection of Personal Data from Abroad and Cross-Border Transfers of Personal Data under the GDPR and Law
As explained in the previous section, where a cross-border transfer of personal data is at stake, the specific rules governing such transfers become applicable. Thus, it is of critical importance to distinguish cross-border transfers from situations that may resemble such transfers in practice but are not legally characterized as such.
In practice, cases involving the direct collection of personal data are often characterized as cross-border transfers, leading to erroneous application of measures applicable to such transfers. However, the Guideline expressly states that cases where data controllers or data processors located abroad collect personal data directly from data subjects are not to be regarded as transfers of personal data abroad within the meaning of Article 9 of the Law. For instance, in the examples provided in the Guideline, the Authority considers data subjects located in Türkiye directly entering their name, surname, and e-mail address into a form on an online shopping website operated by a company established abroad and targeting the Turkish market to constitute direct collection of personal data, and states that the cross-border transfer rules under Article 9 of the Law would not apply in such a case. Nevertheless, the Guideline further clarify that where the party directly collecting the data subsequently transmits such data to a processor outside Türkiye, this subsequent activity will be regarded as a cross-border transfer under the Law and the rules governing personal data transfers abroad will apply. Accordingly, with respect to subsequent transfers carried out by the party located outside Türkiye that directly collects personal data, one of the appropriate safeguards set out under Article 9/4 of the Law must be provided, such as execution of standard contractual clauses or, in the case of intra-group transfers, the adoption of binding corporate rules.
The approach adopted under Turkish law with respect to the direct collection of personal data from data subjects by a data controller established abroad is similarly recognized under EU law. Indeed, the EDPB Guideline states that cases involving the direct collection of personal data from the data subject are not subject to the rules and procedures on international transfers stipulated under Chapter 5 of the GDPR. In this regard, however, it should be borne in mind that the data controller established abroad, remains obligated to comply with the GDPR and continues to be accountable for its processing activities, irrespective of where such activities take place. In the online shopping example provided in the EDPB Guideline, a data subject residing in Italy directly entering her name, surname, and postal address into a form on a website operated by a third-country company that has no establishment in the EU but targets the EU market, does not constitute an international transfer within the meaning of Chapter 5 of the GDPR, since the personal data is not transmitted by a data exporter but is directly collected from the data subject by the data controller residing in a third-country. Nevertheless, as the processing activities of that company fall within the applicable territorial scope of the GDPR pursuant to Article 3/2, the company is not exempt from its compliance obligations under GDPR.
Conclusion
In conclusion, accurately distinguishing between the cross-border transfer of personal data and the direct collection of personal data from data subjects by a data controller abroad is significant for determining the applicable legal mechanisms. In practice, the erroneous characterization of direct collection scenarios as cross-border transfers may lead to the unnecessary implementation of transfer mechanisms. This may give rise to additional compliance risks, particularly in relation to standard contractual clauses, given the notification obligation to the Authority. In this regard, Turkish and EU regulatory frameworks and practices are substantially aligned. Under both approaches, cases where personal data is directly collected from data subjects by controllers established abroad, are not regarded as cross-border transfers based on similar criteria, while this does not relieve the relevant controller from its obligations under the applicable data protection legislation.
- Yakovleva, S. “Personal Data Transfers in International Trade and EU Law: A Tale of Two “Necessities”, Journal of World Investment & Trade (2020) 1-39, p.2-3.
- Law No. 6698 on the Amendment of the Code of Criminal Procedure and Certain Laws, including provisions on the Law on the Protection of Personal Data, was published in the Official Gazette dated 12.03.2024 and numbered 32487. The amendments entered into force on 01.06.2024 and existing first paragraph of Article 9, which regulates the procedures and principles regarding the transfer of personal data abroad, continued to be applied until 01.09.2024 with the amended version of the article.
- Personal Data Protection Authority, “Kişisel Verilerin Yurt Dışına Aktarılması Rehberi” (Date of Access: 20.04.2026).
- Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad published on the Official Gazette No. 32598 dated 10.07.2024
- European Data Protection Board, Guidelines 05/2021 on the Interplay Between the Application of Article 3 and the Provisions on International Transfers as per Chapter V of the GDPR (Date of Access: 20.04.2026)
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.