Bulletin on 2025 Administrative Fines under the Turkish Personal Data Protection Law and Guidelines on the Transfer of Personal Data Abroad
- Administrative Fines Applicable in 2025 under the Turkish Personal Data Protection Law
The administrative fine amounts under the Personal Data Protection Law (“KVKK”) for the year 2025 are as follows:
Violation | 2025 Administrative Fine Amount (Minimum) | 2025 Administrative Fine Amount (Maximum) |
Failure to fulfil the obligation to inform | TRY 68.083 | TRY 1.362.021 |
Failure to fulfil data security obligations | TRY 204.285 | TRY 13.620.402 |
Failure to comply with decisions of the Board | TRY 340.476 | TRY 13.620.402 |
Failure to comply with VERBİS registration and notification requirements | TRY 272.380 | TRY 13.620.402 |
Failure to comply with Standard Contract notification requirements | TRY 71.965 | TRY 1.439.300 |
- Guidelines on the Transfer of Personal Data Abroad:
The Personal Data Protection Authority (“Authority”) published the Guidelines[1] on the Transfer of Personal Data Abroad (“Guidelines”) on its website on January 2, 2025.
The Guidelines mostly reiterate the principles stated in (i) the KVKK and (ii) the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”). However, they also include some additional details, which we summarize below. Matters already outlined in the legislation have not been repeated in this bulletin.
- About Standard Contract:
- Dual Format: It has been stated that standard contracts prepared in a dual format will also be acceptable[2]. Within this scope, contracts may either (i) be prepared in a dual format or (ii) be signed separately in Turkish and English[3].
- Documents Related to Authorized Signatories: Standard contracts must be signed by the authorized signatories of the parties, and documents demonstrating these individuals’ signature authorities must also be submitted to the Authority. While the legislation states that a notarized translation of foreign documents is sufficient, the Guidelines specify that, in cases where the document is issued by foreign public/official authorities, an apostille certificate must be included.
- Subsequent transfers: The Guidelines do not clearly explain whether a standard contract must be signed with parties involved in subsequent transfers. Instead, the provisions of the legislation have been reiterated in the Guidelines.
- Filling Out the Annexes of the Standard Contract: Additional information has been provided regarding how the annexes of the standard contract should be completed:
The Relevant Provision in the Annex | Explanation |
Activities of the Data Exporter and Data Importer Regarding the Personal Data Transferred Under the Standard Contract | Under this section, general explanations regarding the personal data transfer to be carried out based on the standard contract are provided. While making these explanations, the activities conducted by the parties to the transfer on the personal data subject to the transfer should be specified. |
Data Subject Group or Groups Transferred | The specific data subject group or groups to which the personal data pertains should be specified on a per-data basis. |
Transferred Personal Data Categories and (if any) Transferred Sensitive Categories of Personal Data | The categories of personal data subject to transfer (e.g. contact information) and their types (e.g. email address) should be specified. |
Legal Basis for the Transfer | It should be specified which processing condition set forth in Articles 5 and 6 of the KVKK forms the basis for the transfer. |
Frequency of the Transfer | Explanations should be provided regarding whether the transfer will be a one-time occurrence or conducted on an ongoing basis. |
Nature of the Processing Activity | The type of personal data processing activity to be carried out on the personal data subject to transfer (e.g. storage, recording, publishing, combining, categorizing, etc.) should be explained. |
Purposes of the Data Transfer and Subsequent Processing Activities | The purposes of the transfer to be carried out based on the standard contract and the subsequent personal data processing activities by the data importer (e.g. execution of bank payments, provision of customer support services, market research, etc.) should be explained. |
Retention Period of Personal Data | The retention period of the personal data subject to transfer (e.g. five years) should be specified. If it is not possible to indicate a definite period, the criteria used to determine the retention period (e.g. the duration of the personal data processing agreement) should be explained. If different categories of personal data are subject to different retention periods, these periods should be specified separately. |
Recipients or Recipient Groups | As part of subsequent transfers by the data importer, the recipients to whom the personal data (received from the data exporter) are transferred based on the standard contract should be specified. This section must be kept up to date throughout the duration of the standard contract. |
Data Exporter’s Information in the Data Controllers’ Registry Information System (VERBİS) | If the data exporter, as the data controller, is required to register and notify in the Data Controllers’ Registry, the VERBİS information should be included under the relevant section of the contract. In this context, the information provided by the data exporter in the annexes of the standard contract must be consistent with the VERBİS records. |
Subject, Nature and Duration of the Processing Activity in Transfers to (Sub-)Data Processors | In cases where the data importer, as the data processor, makes subsequent transfers to sub-processors, the relevant transfer and the processing activities carried out by the sub-processors should be explained under the corresponding section of the contract. |
- The Guidelines also provide additional information on other methods of transferring data abroad (e.g. binding corporate rules, commitments) in addition to the standard contract.
- Transfer between two companies in Turkey not considered as an international transfer: It has been clarified that a transfer between two companies in Turkey will not be deemed an international transfer, even if one of the parties’ servers is located abroad. However, if one party subsequently transfers this data abroad (e.g. due to its server being located abroad), that party and the recipient abroad will need to take action in accordance with the provisions on international transfers (e.g. signing a standard contract).
For example, from the Guidelines:
“Transmission of data by a data processor in Turkey to a sub-processor in a third country: If a data controller company based in Turkey appoints a Turkish company as its data processor and the Turkish data processor company transfers part of its processing activities to a sub-processor company located in a third country, the personal data processing activity conducted by the Turkish data controller and the Turkish data processor takes place within the scope of their operations in Turkey and is therefore subject to the Law. However, since the processing activity conducted by the sub-processor in the third country occurs outside of Turkey, the transmission of personal data by the Turkish data processor to the sub-processor in the third country constitutes a transfer of personal data, and the provisions on international data transfers under the Law will apply.”
- Temporary Transfer: In the case of temporary transfers, it is possible to transfer data abroad without the need for a standard contract or similar mechanisms, provided that the conditions specified in Article 6(b) of the KVKK are met. However, the concept of the temporary transfer was not entirely clear.
Temporary transfer is defined in the legislation as a transfer that occurs once or a few times, does not exhibit continuity, and is not part of the ordinary course of business activities. Examples of temporary transfer are included in the Guidelines:
- For example, the transfer of personal data of a sales manager traveling to visit different clients abroad as part of the performance of an employment contract, carried out by the employer for the purpose of arranging meetings with these clients, may be considered temporary.
- The transfer of personal data by a Turkish company to another company abroad for the purpose of fulfilling a payment request by the customer may be considered temporary, provided that the transfers between the two companies are not regular, occur only once or a few times, are not continuous, and are not part of the ordinary course of business operations.
- Conversely, it has been stated that the systematic transfer of personal data, such as the names, surnames, and job titles of employees, by a multinational company to a training centre abroad for organizing training courses cannot be considered temporary.
If you have any questions, please feel free to contact us.
[1] If you would like to review the Guidelines in detail, you can access it (in Turkish) via the following link:
https://www.kvkk.gov.tr/Icerik/8143/Kisisel-Verilerin-Yurt-Disina-Aktarilmasi-Rehberi
[2] We would like to remind you that even if prepared in a dual format, the content of the standard contract cannot be altered.
[3] According to the relevant articles of the KVKK and the Regulation, the Turkish version shall prevail.