
OneTrust Data Guidance Turkey – Data Residency Update For 2025


Executive Summary: Data Residency in Turkey – Q&A Format

  1. Overview

1.1 General Personal Data

Q: Can personal data be transferred abroad?

A: Yes, but under specific conditions. Before June 1, 2024,
personal data could be transferred abroad only if explicit consent
was obtained or if a legal basis other than consent existed. These
legal bases were outlined under Article 5 of the Data Protection
Law (DPL). However, the applicability of these bases was limited
due to the absence of an official safe country list. Under the new
amendments, explicit consent is no longer the primary requirement
for cross-border transfers.

Q: What are the safeguards for data transfers?

A: The law specifies several mechanisms that can be used to
ensure adequate protection for cross-border data transfers. These
include: (i) agreements between correspondent authorities, where
public institutions or professional organizations in Turkey and
their counterparts abroad establish agreements for data transfer;
(ii) Binding Corporate Rules (BCRs), which apply to multinational
companies transferring personal data within the same corporate
group; (iii) Undertakings, where the data exporter and importer
prepare a written commitment ensuring compliance with the DPL and
obtain Board approval; and (iv) Standard Contractual Clauses
(SCCs), which must be pre-approved by the Board and notified within
five business days of execution. In addition, cross-border
transfers without explicit consent may be permitted in exceptional
cases where they are required for legal claims or contract
performance.

1.2 General Sensitive Personal Data

Q: Are there additional restrictions for sensitive personal data?

A: Yes, the transfer of sensitive personal data abroad is
subject to stricter conditions to ensure enhanced security. Article
9 of the DPL states that sensitive data, which includes information
related to race, ethnicity, political opinions, religion, health,
and biometric or genetic data, can only be transferred under
specific conditions. These conditions require either an adequacy
decision on the recipient country or sector or the implementation
of appropriate safeguards, similar to those required for general
personal data based on legal reasons.

  2. Company Records

2.1 Accounting and Tax Data

Q: Are there any residency requirements for accounting and tax data?

A: There are no general data localization requirements for
accounting and tax data. However, cross-border transfers of such
data must still comply with the broader rules established in
Section 1.1. This means that data can only be transferred if an
adequacy decision exists, or if the appropriate
safeguards—such as undertakings, BCRs, or SCCs—are in
place. Companies handling financial records must be particularly
cautious in ensuring compliance with legal obligations related to
financial transparency and reporting.

Q: Can employee data be stored abroad?

A: Yes, employee data can be stored abroad, provided that data
transfers comply with the requirements outlined in Section 1.1.
Employers must ensure that the receiving country has an adequacy
decision in place or implement appropriate safeguards. Employers
must also take additional measures to protect employee privacy,
including data minimization and encryption, when processing data
outside Turkey.

  3. Sectoral/Common Data Types

Q: Is financial data subject to localization requirements?

A: Yes. Banks, financial leasing companies, factoring firms, and
other entities under the supervision of the Capital Markets Board
are required to store primary and secondary system data within
Turkey. This requirement extends to service providers that handle
financial data, including cloud storage providers. Backup copies
must also be kept in Turkey, and data cannot be transferred abroad
without regulatory approval. Additionally, banks are required to
retain customer records for a minimum of ten years under financial
regulations.

Q: Where must health data be stored?

A: Public institutions and enterprises providing critical
infrastructure services must store health data within Turkey. The
Presidential Circular on Information and Communication Security
mandates that critical health records, including biometric and
genetic data, be stored domestically. Some scholars argue that this
requirement extends to prohibiting even temporary data transfers
abroad. However, there is no direct penalty for private-sector
non-compliance, except for critical infrastructure providers.

3.3 Telecommunications Data

Q: Is there a residency requirement for telecom data?

A: Yes. Traffic and location data must be stored in Turkey for
national security reasons. However, telecom providers may transfer
such data abroad with explicit consent from users. Additionally,
e-SIM and remote programmable SIM technologies must be maintained
within Turkey under regulations established by the Information and
Communication Technologies Authority (BTK).

  4. Government and Security

4.1 Government-Related Data

Q: Does government-related data have localization requirements?

A: Yes. Government-related critical data, including population,
health, and communication records, must be stored within Turkey.
Public institutions are prohibited from using foreign cloud storage
services, except in specific cases where data is hosted on private
or locally controlled platforms. The Information and Communication
Security Guideline also reinforces these residency
requirements.

4.2 Critical Infrastructure Operators

Q: What sectors are considered critical infrastructure?

A: Critical infrastructure includes electronic communications,
energy, water management, transportation, finance, and essential
public services. Operators in these sectors must ensure their
primary and backup data systems remain in Turkey. The National
Cyber Security Strategy and Action Plan (2024-2028) outlines
additional cybersecurity measures for these operators.

  5. Other Data Types

5.1 User Data (Social Networks)

Q: Do social network providers need to store user data in Turkey?

A: Yes, social network providers with more than 1 million daily
Turkish users must store Turkish user data within Turkey. Failure
to comply can result in fines of up to 3% of global turnover, as
outlined in Decision No. 2023/DK-İD/119.

5.2 Shared E-Scooter Data

Q: What are the data storage requirements for shared e-scooter services?

A: Operators must store their service-related data within
Turkey. The data must be accessible to relevant public authorities
for regulatory and security purposes. Compliance with these
requirements is a condition for obtaining an operating license.

This summary provides a structured Q&A format with enhanced
details on key residency and storage requirements for different
data categories in Turkey.

This is a summary version of the original article.

For the full content, please visit OneTrust Data Guidance.

First published by OneTrust Data Guidance on Feb 20, 2025.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.


