On 12 November 2025, the Turkish Personal Data Protection Authority (“KVKK”) announced that the Personal Data Protection Board (“Board”) has granted permission for a cross-border transfer of personal data based on a non-international agreement.

According to the announcement, an agreement executed between the Directorate General of Migration Management of the Ministry of Interior and the United Nations High Commissioner for Refugees (UNHCR)—serving as the legal basis for the transfer of personal data abroad—was evaluated by the Board under Article 11 of the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, and approval for the transfer was granted as of 21 October 2025.

This decision is significant as it demonstrates, for the first time, the practical application of non-international agreements—one of the “appropriate safeguard” mechanisms provided under Article 9 of the Personal Data Protection Law numbered 6698 (“Law”)—for data transfers to countries or international organizations that have not been granted an adequacy decision.

Legal Basis and Scope

Pursuant to Article 9 of the Law, personal data may be transferred abroad only if:

1. An adequacy decision has been issued by the Board for the relevant country or international organization, or
2. In the absence of such adequacy decision, appropriate safeguards are provided and the Board’s authorization has been obtained.

The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, which entered into force on 10 July 2024, explicitly defines the available safeguard mechanisms. These include undertakings, binding corporate rules (BCRs), standard contractual clauses (SCCs), and non-international agreements.

The Board’s recent announcement constitutes one of the first practical examples of the latter mechanism and serves as an important implementation guideline for data transfer processes between public authorities and international organizations.

Assessment

This development provides greater clarity on how the Board’s authorization procedures will be applied in practice for cross-border data transfers carried out by both public institutions and private sector organizations.

Within the scope of their cross-border data transfer plans, data controllers and data processors should:

• Verify whether an adequacy decision exists for the relevant country or organization;
• In the absence of such decision, select one of the appropriate safeguard mechanisms provided under the Regulation and obtain the Board’s authorization;
• Ensure that the agreement clearly sets out the categories of data to be transferred, the purpose of transfer, legal basis, parties’ obligations, security measures, and audit mechanisms;
• Update the privacy notices and information texts provided to data subjects accordingly.

The Board’s approval marks an important milestone demonstrating that Türkiye’s cross-border data transfer framework continues to evolve in alignment with international practices, paving the way for similar future applications to be evaluated by the Authority.

Should you have any questions on this matter or require further information, please do not hesitate to contact us.

Best regards,
DT Law