Data Sharing with Business Partners: Corporate Obligations under the Turkish Personal Data Protection Law (KVKK)

Authors: Atty. Ayça Berker & Atty. Deniz Nalbant
Introduction
The protection of personal data has become an increasingly critical aspect of companies’ day-to-day operations. In many sectors, data sharing among group companies, suppliers or external service providers is unavoidable. However, such practices give rise to significant obligations under the Turkish Law on the Protection of Personal Data No. 6698 (“KVKK”). Failure to properly assess the legal nature of data sharing may expose companies to substantial administrative fines as well as reputational damage.
Accordingly, it is essential to determine in which cases data sharing qualifies as a “data transfer,” when explicit consent is required or may be dispensed with, and which technical and organisational measures must be implemented by companies in practice.
1. Legal Basis for Data Sharing and the Requirement of Explicit Consent
Under the KVKK, the transfer of personal data to third parties is, as a rule, permitted only upon obtaining the data subject’s explicit consent. However, the exceptions set out under Articles 5 and 6 of the KVKK allow personal data to be processed or transferred without explicit consent in certain circumstances.
These include, inter alia, cases where processing is directly necessary for the establishment or performance of a contract, for compliance with a legal obligation of the data controller, for the establishment, exercise or protection of a right, or where the data controller has a legitimate interest, provided that fundamental rights and freedoms of the data subject are not harmed.
Within this framework, companies must identify a separate legal basis for each data sharing activity carried out within group structures or supplier relationships. For example, where personal data is shared with an external accounting firm for the provision of accounting services, such sharing is generally deemed to be carried out within the scope of a “data processor” relationship and does not require explicit consent. However, if the service provider begins to process the data for its own independent purposes, it assumes the status of a “data controller,” in which case the data transfer would require explicit consent or another valid legal ground.
In all cases involving data sharing, it is of critical importance to clearly determine the legal status of the parties involved (data controller, data processor or joint data controller). In its decisions, the Personal Data Protection Board (“Board”) has consistently emphasised that this distinction must be made based on factual control over the data, the purposes of processing and the means used for such processing.
2. Cross-Border Data Transfers and Corporate Obligations
The transfer of personal data abroad constitutes one of the most strictly regulated areas under the KVKK (see Article 9). With the amendments that entered into force in 2024, cross-border data transfers may now be carried out either to countries providing an “adequate level of protection” or on the basis of undertakings approved by the Board. These amendments aim to establish a framework more closely aligned with the European Union’s General Data Protection Regulation (“GDPR”).
As the list of countries deemed to provide adequate protection remains limited, companies are often required to rely on Board-approved standard contractual clauses or Binding Corporate Rules (“BCRs”). In this context, companies must carefully assess the categories of data to be transferred, the purpose of the transfer and the data protection standards of the recipient country. Furthermore, contractual arrangements governing data transfers must explicitly address these issues, and all technical and organisational measures taken must be properly documented.
In several decisions, the Board has imposed administrative fines on data controllers for failing to implement sufficient technical security measures, such as encryption, access controls and logging mechanisms, or for failing to adequately document cross-border transfer processes. Accordingly, data transfers must meet not only legal requirements but also an adequate level of technical security.
Conclusion: Key Considerations for Companies
While data sharing with business partners constitutes a natural component of many commercial activities, it necessitates strict compliance with the obligations set forth under the KVKK. Companies must clearly define the purpose, scope and legal basis of each data sharing activity, expressly allocate roles and responsibilities in contractual arrangements, and implement both organisational and technical safeguards throughout the transfer process. In particular, where cross-border data transfers are involved, Board-approved undertakings or the list of countries providing adequate protection must be carefully taken into account.
Ultimately, data sharing is not only a matter of regulatory compliance but also a key factor in maintaining trust within business relationships. A well-structured, transparent and lawful data sharing policy enables companies to mitigate the risk of administrative sanctions while fostering sustainable and reliable cooperation with their business partners.