KVKK Cross-Border Data Transfer 2026: Standard Contract Guide

KVKK cross-border data transfer and standard contract compliance — Xen Bilişim KVKK & Compliance

If your company runs Microsoft 365, Google Workspace or any US-based cloud service, you are almost certainly transferring personal data abroad without thinking about it. Employee mailboxes, customer records, contact details inside your CRM — most of these sit on servers outside Türkiye. KVKK, Türkiye’s Personal Data Protection Law (Law No. 6698), rewrote Article 9 in 2024 to govern exactly this, and since 1 September 2024 the old “I’ll just collect consent and move on” approach no longer holds.

The awkward part is that many SMEs still treat this as a lawyer’s problem and postpone it. In practice the decision usually sits with IT — which cloud, which region, which contract.

Using the cloud and transferring data are the same gate

Under KVKK, writing personal data to a server physically located abroad counts as a transfer. Opening an email in Outlook, recording a Teams meeting or pasting a customer list into a SaaS dashboard — each one creates a cross-border data flow.

“But Microsoft opened a data centre in İstanbul, so I’m fine” is the usual reply. In reality most SME tenants are kept in a European region (often the Netherlands or Ireland), not the Türkiye region. So the data is abroad. You can check your region in the Microsoft 365 admin centre under data residency — if you are unsure, that is the very first thing to verify.

What changed with Law No. 7499?

Law No. 7499, published in the Official Gazette on 12 March 2024, rebuilt Article 9 of KVKK. The new provisions took effect on 1 June 2024, while the old regime ran in parallel through a transition period until 1 September 2024. After that date, everyone had to move to the new system.

Previously you had two practical options: collect explicit consent for every transfer, or apply to the Board (Kurul) for a one-by-one authorisation that could take months. The new structure is closer to the EU’s GDPR and far more predictable.

A three-tier system: which gate do you go through?

The new Article 9 ties any transfer to one of three routes, checked in order:

| Tier | Condition | Reality for an SME |
|---|---|---|
| 1. Adequacy decision | The Board has declared the country/sector “safe” | The Board has issued no adequacy decision for any country to date — this gate is effectively closed |
| 2. Appropriate safeguards | Standard contract, binding corporate rules, or undertaking + Board authorisation | The most practical route for SMEs: the standard contract |
| 3. Occasional cases | One-off, consent-based and other exceptional situations | Not suited to continuous, regular cloud use |

The critical line is the first one. Because the Board has not yet published a single adequacy decision, you cannot lean on anything like “the US is on the safe list.” For a company using foreign cloud regularly, the only sustainable route in practice is tier two — the standard contract.

The standard contract and the 5-day rule

The Board approved the standard contract texts with its decision of 4 June 2024, and the detailed procedures arrived in the regulation published on 10 July 2024. There are four modules depending on the parties’ roles (controller-to-controller, controller-to-processor, and the other two). Picking the right module is step one.

The obligation most people miss: a signed standard contract must be filed with the Authority within 5 business days of signing. Filing can be done physically or via KEP (Türkiye’s registered electronic mail system). Signing the contract and dropping it in a folder is not enough; an unfiled contract is treated as if it never existed.

A short checklist:

  • Map which services (email, CRM, accounting, backup) move data where
  • Choose the correct standard contract module per vendor
  • Sign the contract and file it with the Authority within 5 business days
  • Keep the filing date and proof — it is the first thing asked for in an audit
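As an added illustration (not code from the original post), the checklist above operationalised as a small Python tracker: it treats every service whose vendor region is outside Türkiye as a transfer, computes the 5-business-day filing deadline from the signing date, and flags services with no standard contract and contracts that are unfiled or filed late. The inventory rows, region names, dates and the Mon–Fri business-day rule (Turkish public holidays are not modelled) are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FILING_WINDOW_BUSINESS_DAYS = 5  # KVKK: file the signed standard contract within 5 business days

@dataclass
class Transfer:
    service: str
    vendor_region: str      # where the vendor stores the data (constructed sample values)
    module: Optional[str]   # standard contract module chosen, None if not yet chosen
    signed: Optional[date]  # signing date of the standard contract
    filed: Optional[date]   # date it was filed with the Authority

def add_business_days(start: date, n: int) -> date:
    # Assumption: business days are Mon-Fri; Turkish public holidays are not modelled
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d
def filing_deadline(signed: date) -> date:
    return add_business_days(signed, FILING_WINDOW_BUSINESS_DAYS)
def deadline_for(signed_iso: str) -> str:
    return filing_deadline(date.fromisoformat(signed_iso)).isoformat()

def assess(t: Transfer, today: date) -> str:
    if t.vendor_region == "Türkiye":
        return "no transfer: stays in Türkiye region (check the DPA for support/telemetry flows)"
    if t.module is None or t.signed is None:
        return "TRANSFER WITHOUT BASIS: no standard contract signed"
    deadline = filing_deadline(t.signed)
    if t.filed is None:
        if today > deadline:
            return f"UNFILED AND OVERDUE: deadline was {deadline}"
        return f"unfiled: file with the Authority by {deadline}"
    if t.filed > deadline:
        return f"filed late on {t.filed} (deadline was {deadline})"
    return f"compliant: filed {t.filed}, deadline {deadline}"

# Constructed sample inventory (hypothetical services, regions and dates)
INVENTORY = [
    Transfer("Microsoft 365 mail", "Netherlands", "controller-to-processor", date(2026, 1, 9), date(2026, 1, 14)),
    Transfer("CRM SaaS", "United States", "controller-to-processor", date(2026, 1, 9), None),
    Transfer("Accounting", "Türkiye", None, None, None),
    Transfer("Backup", "Ireland", None, None, None),
]
def report(today_iso: str) -> dict:
    return {t.service: assess(t, date.fromisoformat(today_iso)) for t in INVENTORY}
```

Running `report("2026-02-02")` lists each service with its status, which is the kind of record an auditor asks for first.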

What does skipping the filing cost?

For 2026, administrative fines were updated by the annual revaluation rate (about 25.5%). A few concrete figures:

  • Breach of data security obligations: roughly 256,000 TL up to 17 million TL
  • Failing to file a standard contract within 5 business days: roughly 90,000 TL up to 1.8 million TL

The numbers climb every year. More importantly, an ungrounded cross-border transfer is not just a fine — it brings a data breach notification and reputational risk too. Making the news because a customer’s data went abroad without basis hurts more than the penalty itself.

Frequently asked questions

If I move Microsoft 365 to the Türkiye region, does the transfer stop? If the data genuinely stays in the Türkiye region for that flow, it is not a transfer. But support, telemetry and some backup services may still go abroad — read your vendor’s data processing addendum carefully.

Isn’t explicit consent enough? Explicit consent is only a valid basis for occasional (one-off, irregular) cases. Relying on it for a cloud service you use continuously does not match the Board’s expectations.

As an SME, where do I start? Inventory first: which data, which service, which country. Then a standard contract for each critical vendor. Nail those two and you are halfway there.

To map your cross-border transfers and set up the standard contract process correctly, get in touch — we will review the cloud services you use together.
