Cross-Border Data Transfers
GlobalB Law advises on the legal mechanisms, contractual safeguards and regulatory requirements that govern the movement of personal data across borders, particularly in the Türkiye–EU–US triangle that most of our clients navigate.
Moving personal data across jurisdictions is one of the most technically intricate areas of modern privacy law. GDPR Chapter V restricts transfers of personal data to third countries unless specific conditions are met, adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or derogations. Meanwhile, Turkish KVKK imposes its own parallel transfer regime, and US privacy law adds a further layer of sectoral rules and state-level obligations. Getting this wrong does not merely create regulatory exposure; it can break product functionality and investor confidence overnight.
GlobalB Law advises clients on the transfer mechanism that fits their operational reality, not the theoretically correct answer that does not survive contact with their engineering or vendor landscape. For EU-Türkiye data flows, we navigate the current transition period following Türkiye's 2024 KVKK amendments and the Authority's evolving guidance on adequacy and safeguards. For EU-US flows, we advise on the EU-US Data Privacy Framework and the contractual backstops that prudent companies maintain regardless. For multi-jurisdiction flows, we design layered transfer frameworks that satisfy all relevant regulators simultaneously.
Common Scenarios We Handle
- SaaS products routing EU user data through US cloud infrastructure
- Turkish companies sending employee or customer data to group entities abroad
- US companies onboarding Turkish or EU users and storing data in US data centres
- Fintech and payment platforms subject to both GDPR and KVKK transfer rules
- HR platforms processing employee data across multiple countries
What we do
Services in this practice
常见问题
常见问题解答
We use AWS (US region) to host our EU users' data. What do we need to do?
You need a valid transfer mechanism in place between your EU entity (as controller) and AWS (as processor). AWS offers SCCs as part of its Data Processing Addendum, which most companies rely upon. However, you also need to complete a Transfer Impact Assessment documenting why you are satisfied that the SCCs provide adequate protection in light of US surveillance law, a step many companies skip and which has become a focus of EU supervisory authority enforcement.
Is Türkiye considered an 'adequate' country under GDPR?
No. The European Commission has not issued an adequacy decision for Türkiye under GDPR. This means transfers from an EU controller to a Turkish recipient require a valid transfer mechanism, most commonly SCCs or, within a corporate group, BCRs. Conversely, KVKK has its own adequacy list which does not mirror the EU list. We advise on both directions of the Türkiye–EU transfer equation.
What is a Transfer Impact Assessment (TIA) and when is it required?
A TIA is a documented analysis required, following the CJEU's Schrems II ruling, whenever you rely on SCCs to transfer data to a country that is not deemed adequate. It assesses whether the law and practice in the destination country would impair the effectiveness of the SCCs. The EDPB has published guidance on TIA methodology, but its practical application requires legal judgment about the specific data, parties and destination involved.
Our startup is based in Istanbul and all our infrastructure is in Türkiye. Do cross-border transfer rules apply to us?
They apply as soon as you collect data from users in the EU or store data using any non-Turkish service provider, which includes virtually every major cloud, analytics, CRM or support platform. Even if your servers are in Türkiye, your use of Google Analytics, Stripe, HubSpot or Intercom likely triggers GDPR transfer obligations. We often find that Istanbul-based tech companies underestimate their EU exposure in this respect.
开始咨询
预约咨询
向我们介绍您的事务,我们将为您匹配合适的律师。