KVKK article 9 requires "adequate protection" for international data transfers. Türkiye's "qualified country" list is still very limited; for most cloud providers, the Standard Contract (TR-SCC) or explicit consent is the only option.
KVKK article 9 — international transfer rule
- Explicit consent of the data owner, or
- A country that provides adequate protection (as declared by KVKK), or
- If the country does not provide adequate protection: a written undertaking between the data controller and the recipient, plus KVKK permission.
Adequate country list (up to 2025)
KVKK has not yet published the official list. In practice, a separate letter of undertaking plus KVKK permission is required for each transfer.
Common scenarios
- AWS, Azure, GCP: Data in US/EU data centers — overseas.
- Salesforce, HubSpot: US-based SaaS — overseas.
- Google Workspace, M365: Data is global — abroad.
- Stripe, PayPal: Payment processor — foreign + additional financial regulation.
3 solutions
Frequently asked questions
There is an AWS Türkiye region; is this enough?
The Istanbul AWS region provides local data storage, but backups can go to Frankfurt or Dublin. "Data Residency" must be clearly defined in both the contract and the technical configuration.
It is very difficult to obtain consent from individual customers; is there an alternative?
Standard Contract plus KVKK permission: a Turkish translation of the EU SCC sample text, plus a Board application with local improvements. KVKK permission comes within 4-6 months.
We use Google Analytics; is that a problem?
In Europe, some DPAs issued warnings about GA4 (post Schrems II). For Türkiye, anonymous usage mode, IP anonymization and a Standard Agreement are recommended. Alternatives: Plausible, Matomo (on your own server).
Is Schrems II implemented in Türkiye?
Not directly, but KVKK takes it as an example. The CLOUD Act and FISA 702 risks in transfers to the USA were reflected in the Board's decisions. Additional security (encryption at rest, key management in Türkiye) is recommended.
In case of a violation, which authority should be notified?
If a Turkish data owner is affected, KVKK; if an EU data subject is affected, the relevant EU DPA. Most violations require parallel notification; both institutions operate independently.
Relevant legislation
- KVKK no. 6698 article 12 — Data security obligation; notice of violation (art.12/5).
- KVKK no. 6698 article 14 — Right to compensation.
- KVKK no. 6698 article 18 — Administrative fine (up to 5 million TL).
- GDPR Art. 33-34 — 72-hour infringement notification on EU cross-border transfer.
- TCK art.135-136 — Unlawful recording/dissemination of personal data.