Turkish marketing companies – legality of data transfer
Establishing a European company and including it in the privacy policy does not guarantee that GDPR regulations can be bypassed, according to experts
Establishing a European company (e.g. in Poland or in the UK) and including it in the privacy policy does not guarantee that GDPR regulations can be bypassed. Experts warn that the formal presence of an entity in the European Union does not exempt a company from the obligation to ensure an adequate level of data protection when transferring data to third countries, such as Turkey.
Segmentify and Insider – bypassing GDPR regulations
Insider is a company based in Istanbul with the official name Sosyo Plus Bilgi Bilişim Tekn. Dan. Hiz. Tic. A.Ş. Meanwhile, Segmentify is Segmentify Yazılım A.Ş. When users in Europe (EEA) use tools originating from Turkey, the regulations on the transfer of personal data must be complied with.
GDPR applies to the processing of data of individuals residing in the EU regardless of the actual place of processing or the location of the decision-making body. Data transfer outside the European Economic Area is permissible only when there is an “adequate level of protection” — confirmed by a decision of the European Commission, or when legally binding safeguarding mechanisms are applied, such as standard contractual clauses (SCC) or binding corporate rules (BCR).
Turkey – no adequacy decision
Turkey is not currently on the list of countries for which the Commission has issued an adequacy decision. In practice, this means that additional legal and technical measures need to be implemented.
Following the “Schrems II” ruling and subsequent guidelines from the European Data Protection Board (EDPB), supervisory authorities focus not only on documents but also on the actual division of responsibilities and actual processing practices, the so-called substance over form. In other words: including a European company in the privacy policy is not enough if the decision-making center, data access, and infrastructure are located outside the EU.
Data transfer to Turkey – what to do?
Data protection specialists point to key obligations for companies planning to transfer data to Turkey:
- checking the current adequacy status and, in the absence of a Commission decision, implementing SCC or BCR;
- conducting a transfer risk assessment and, if necessary, a data protection impact assessment (DPIA), especially when it comes to sensitive data or mass profiling;
- entering into clear data processing agreements specifying technical and organizational safeguards;
- applying additional protective measures (e.g., encryption, data minimization, access restriction) in light of the third country’s law and state access practices;
- and of course, obtaining explicit user consent for data transfer to Turkey each time.
The consequences of non-compliant transfers can be severe: administrative fines, orders to stop data transfers, and reputational damage. In practice, supervisory authorities will examine not only documents but also the actual course of operations — who makes decisions about processing, where systems are located, and who has access to raw data.
For companies planning to transfer data to headquarters outside the EU, recommended actions include implementing SCC, conducting a DPIA, applying technical safeguards (encryption, access control), and consulting with a lawyer specializing in data protection law. Only a comprehensive approach, combining formal legal mechanisms with actual technical and organizational measures, can mitigate the risk of GDPR violations.
