The GDPR Reality For Turkish Companies: Establishing A Company In Europe Or Operating From Türkiye?
One of the first questions Turkish companies ask when entering the European market usually concerns tax, incorporation costs, or operational convenience. However, in practice, one of the most critical questions often emerges later:
Will we have more GDPR liability if we establish a company in Europe, or if we provide services from Türkiye?
This is not merely a technical data protection issue. The legal structure through which a company conducts its commercial activities directly determines the scope of the GDPR, the nature of the obligations, and the overall compliance costs.
In our projects as KVKK and GDPR Consultant Çağrı Tuna, we frequently observe that these structural decisions are made without considering the data protection dimension, which later leads to costly and complex compliance efforts.
In this article, we examine two primary models for Turkish investors and group companies from a GDPR perspective.
The Territorial Scope of the GDPR: It Does Not Only Apply to European Companies
One of the most common misconceptions about the GDPR is that it applies only to companies established within the European Union. In reality, Article 3 of the GDPR sets a broad territorial scope.
The GDPR applies in two main situations:
1. Processing in the context of an EU establishment (Article 3(1))
If a company:
- Is established in the EU, or
- Has a branch, office, or subsidiary in the EU,
the GDPR applies directly.
2. Targeting individuals in the EU from outside the EU (Article 3(2))
Even if a company is not established in the EU, the GDPR still applies if it:
- Offers goods or services to individuals located in the EU, or
- Monitors their behavior.
The key point is this:
What matters is not where the company is incorporated, but whom it targets and how it operates.
Scenario 1: Operating from a Türkiye-Based Company and Serving the EU
Many Turkish companies adopt the following assumption to avoid GDPR liability:
“If we do not establish a company in the EU and operate from Türkiye, the GDPR will not apply to us.”
In most cases, this assumption is incorrect.
When does a Türkiye-based company fall under the GDPR?
For example:
- Selling products to EU customers via e-commerce
- Providing SaaS services to EU-based clients
- Targeting EU users through a website
- Accepting payments in EU currencies
- Running campaigns specifically aimed at EU markets
Such activities may qualify as “targeting” under the GDPR, meaning the company falls directly within its scope.
Key obligations in this model
- GDPR-compliant privacy notices
- Records of processing activities
- Appointment of an EU representative, where required
- Managing compliance with both KVKK and the GDPR
In this structure, companies often face a dual compliance regime:
- KVKK for Türkiye
- GDPR for the EU
One of the most common misconceptions we encounter is:
“Our servers are in Türkiye and our company is in Türkiye, so the GDPR does not apply.”
In practice, the location of the target audience often overrides this assumption.
Scenario 2: Operating Through a Company Established in the EU
In the second model, the Turkish investor or group company:
- Establishes a company in an EU country (such as Germany, the Netherlands, or Estonia), and
- Enters the European market through that entity.
In this case, the question of whether the GDPR applies is no longer debatable, because:
A company established in the EU is directly subject to the GDPR.
Key considerations in this model
- Direct supervision by EU data protection authorities
- Full GDPR compliance program
- Legal structuring of intra-group data flows
One particularly critical scenario is:
EU company → data transfer to the parent company in Türkiye
In this case:
- Türkiye is considered a third country under the GDPR
- A lawful transfer mechanism is required, such as:
Therefore, establishing a company in the EU does not eliminate GDPR obligations. On the contrary, it makes the responsibility more direct and visible.
Group Structures and Data Responsibility: The Most Critical Area
The most complex area for Turkish investors is the legal structuring of intra-group data relationships.
For example:
- A parent company in Türkiye
- A sales subsidiary in Germany
- A holding structure in the Netherlands
In such cases, the following questions become critical:
- Which company is the data controller?
- Which company is the data processor?
- Is there joint controllership?
- Which data is transferred to which country?
A poorly structured group setup may lead to:
- Violations under both the GDPR and KVKK
- Contractual liabilities
- Significant administrative fines
For this reason, data flows must be designed together with the corporate structure itself.
Executive Perspective: What Should Be Done in Each Model?
Model A: Serving the EU through a Türkiye-based company
Key actions:
- GDPR applicability assessment
- Evaluation of EU representative requirements
- Revision of website and contractual documents
- Creation of a KVKK–GDPR compliance roadmap
Model B: Operating through an EU-established company
Key actions:
- Full-scale GDPR compliance program
- Implementation of intra-group data transfer mechanisms
- Clear contractual definition of controller–processor roles
Conclusion: Corporate Structure Is Also a Data Protection Decision
Decisions about how to structure a company when entering the European market are not purely commercial or tax-related. They also determine:
- Which data protection regime will apply
- What type of liabilities will arise
- How high the compliance costs will be
In our projects as KVKK and GDPR Consultant Çağrı Tuna, we frequently see that structures designed without considering data protection requirements later require significant revisions.
The right structure is the one designed correctly from the beginning.
And today, data protection law is an inseparable part of that structure.
Dr. Çağrı Tuna
Attorney at Law | KVKK & GDPR Consultant





