Overview
1.1 General Personal Data
Q: Can personal data be transferred abroad?
A: Yes, but under specific conditions. Before June 1, 2024, personal data could be transferred abroad only if explicit consent was obtained or if a legal basis other than consent existed. These legal bases were outlined under Article 5 of the Data Protection Law (DPL). However, the applicability of these bases was limited due to the absence of an official safe country list. Under the new amendments, explicit consent is no longer the primary requirement for cross-border transfers.
Q: What are the safeguards for data transfers?
A: The law specifies several mechanisms that can be used to ensure adequate protection for cross-border data transfers. These include: (i) agreements between correspondent authorities, where public institutions or professional organizations in Turkey and their counterparts abroad establish agreements for data transfer; (ii) Binding Corporate Rules (BCRs), which apply to multinational companies transferring personal data within the same corporate group; (iii) Undertakings, where the data exporter and importer prepare a written commitment ensuring compliance with the DPL and obtain Board approval; and (iv) Standard Contractual Clauses (SCCs), which must be pre-approved by the Board and notified within five business days of execution. In addition, cross-border transfers without explicit consent may be permitted in cases where they are required for legal claims or contract performance in exceptional cases.
1.2 General Sensitive Personal Data
Q: Are there additional restrictions for sensitive personal data?
A: Yes, the transfer of sensitive personal data abroad is subject to stricter conditions to ensure enhanced security. Article 9 of the DPL states that sensitive data, which includes information related to race, ethnicity, political opinions, religion, health, and biometric or genetic data, can only be transferred under specific conditions. These conditions require either an adequacy decision covering the recipient country or sector, or the implementation of appropriate safeguards similar to those required for general personal data transferred on a legal basis.
2.1 Accounting and Tax Data
Q: Are there any residency requirements for accounting and tax data?
A: There are no general data localization requirements for accounting and tax data. However, cross-border transfers of such data must still comply with the broader rules established in Section 1.1. This means that data can only be transferred if an adequacy decision exists, or if the appropriate safeguards (such as undertakings, BCRs, or SCCs) are in place. Companies handling financial records must be particularly cautious in ensuring compliance with legal obligations related to financial transparency and reporting.
2.2 Employee Data
Q: Can employee data be stored abroad?
A: Yes, employee data can be stored abroad, provided that data transfers comply with the requirements outlined in Section 1.1. Employers must ensure that the receiving country has an adequacy decision in place or implement appropriate safeguards. Employers must also take additional measures to protect employee privacy, including data minimization and encryption, when processing data outside Turkey.
3.1 Financial Data
Q: Is financial data subject to localization requirements?
A: Yes. Banks, financial leasing companies, factoring firms, and other entities under the supervision of the Capital Markets Board are required to store primary and secondary system data within Turkey. This requirement extends to service providers that handle financial data, including cloud storage providers. Backup copies must also be kept in Turkey, and data cannot be transferred abroad without regulatory approval. Additionally, banks are required to retain customer records for a minimum of ten years under financial regulations.
3.2 Health Data
Q: Where must health data be stored?
A: Public institutions and enterprises providing critical infrastructure services must store health data within Turkey. The Presidential Circular on Information and Communication Security mandates that critical health records, including biometric and genetic data, be stored domestically. Some scholars argue that this requirement extends to prohibiting even temporary data transfers abroad. However, there is no direct penalty for private-sector non-compliance, except for critical infrastructure providers.
3.3 Telecommunications Data
Q: Is there a residency requirement for telecom data?
A: Yes. Traffic and location data must be stored in Turkey for national security reasons. However, telecom providers may transfer such data abroad with explicit consent from users. Additionally, e-SIM and remote programmable SIM technologies must be maintained within Turkey under regulations established by the Information and Communication Technologies Authority (BTK).
4.1 Government-Related Data
Q: Does government-related data have localization requirements?
A: Yes. Government-related critical data, including population, health, and communication records, must be stored within Turkey. Public institutions are prohibited from using foreign cloud storage services, except in specific cases where data is hosted on private or locally controlled platforms. The Information and Communication Security Guideline also reinforces these residency requirements.
4.2 Critical Infrastructure Operators
Q: What sectors are considered critical infrastructure?
A: Critical infrastructure includes electronic communications, energy, water management, transportation, finance, and essential public services. Operators in these sectors must ensure their primary and backup data systems remain in Turkey. The National Cyber Security Strategy and Action Plan (2024-2028) outlines additional cybersecurity measures for these operators.
5.1 User Data (Social Networks)
Q: Do social network providers need to store user data in Turkey?
A: Yes, social network providers with more than 1 million daily Turkish users must store Turkish user data within Turkey. Failure to comply can result in fines of up to 3% of global turnover, as outlined in Decision No. 2023/DK-İD/119.
5.2 Shared E-Scooter Data
Q: What are the data storage requirements for shared e-scooter services?
A: Operators must store their service-related data within Turkey. The data must be accessible to relevant public authorities for regulatory and security purposes. Compliance with these requirements is a condition for obtaining an operating license.
This summary provides a structured Q&A format with enhanced details on key residency and storage requirements for different data categories in Turkey.