ARTICLE
12 July 2024

Standard Contract For International Transfer Of Personal Data – 2

YL
YAZICIOGLU Legal

Contributor

YAZICIOGLU Legal logo
Yazıcıoğlu Legal is an Istanbul based boutique law firm. The firm has a strong focus on legal matters related to TMT, Data Protection, Corporate, Commercial matters and Dispute Resolution. The firm is ranked by The Legal 500 on IT and Telecoms and by Chambers and Partners on TMT.
Explore
The purpose of this standard contract is to ensure compliance with the provisions of the Personal Data Protection Law No. 6698 dated March 24, 2016...
Turkey Privacy
Person photo placeholder
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

SECTION ONE

General Provisions

Article 1- Purpose and Scope

(a) The purpose of this standard contract is to ensure compliance with the provisions of the Personal Data Protection Law No. 6698 dated March 24, 2016 (hereinafter referred to as the "Law") and the Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad, published in the Official Gazette dated June 10, 2024, and numbered 32598 (hereinafter referred to as the "Regulation") for the international transfer of personal data.

(b) The data controller transferring personal data abroad (hereinafter referred to as the "data exporter") and the data processor abroad receiving the personal data from the data exporter (hereinafter referred to as the "data importer") accept this standard contract (hereinafter referred to as the "Contract").

(c) This Contract applies to the international transfer of personal data detailed in Annex I.

(d) The annexes to this Contract (hereinafter referred to as the "Annexes") are an integral part of this Contract.

Article 2- Effect and Unchangeability of the Contract

(a) This Contract, without any additions, deletions, or changes, provides the appropriate safeguards for the international transfer of personal data as per the fourth paragraph of Article 9 of the Law and the Regulation, ensuring that data subjects can exercise their rights and seek effective legal remedies in the country where the data is transferred.

(b) This Contract does not prejudice the obligations of the data exporter under the Law, Regulation, and other relevant legislation.

Article 3- Third Party Beneficiary Rights

(a) Data subjects may enforce the provisions of this Contract against the data exporter and/or the data importer as third-party beneficiaries, except for the following exceptions:

i) Article 1, Article 2, Article 3, and Article 6.

ii) Article 7.1(b) and Article 7.9(a), (c), (d), and (e).

iii) Article 8(a), (c), (d), and (e).

iv) Article 11(a), (d), and (f).

v) Article 12.

(b) Paragraph (a) does not prejudice the rights of data subjects under the Law.

Article 4- Interpretation

(a) The terms used in this Contract have the meanings assigned to them in the Law, Regulation, and other relevant legislation.

(b) This Contract shall be interpreted in compliance with the Law, Regulation, and other relevant legislation. 

(c) This Contract cannot be interpreted in a manner that conflicts with the rights and obligations provided in the Law, Regulation, and other relevant legislation.

Article 5- Conflict Rule

In case of any conflict between the provisions of this Contract and the provisions of other relevant contracts existing at the time of acceptance of this Contract or coming into force thereafter, the provisions of this Contract shall prevail.

Article 6- Details of the Transfer

The categories of personal data to be transferred, the legal basis for the transfer, and the purpose(s) of the transfer, among other details, are specified in Annex I.

SECTION TWO

Obligations of the Parties

Article 7- Safeguards for the Protection of Personal Data

The data exporter undertakes to use reasonable efforts to ensure that the data importer is capable of fulfilling its obligations under this Contract by taking appropriate technical and administrative measures.

Article 7.1- Instructions

(a) The data importer processes personal data only according to the instructions of the data exporter. The data exporter may give such instructions to the data importer throughout the period the data importer processes personal data on behalf of the data exporter.

(b) The data importer shall inform the data exporter immediately if it is unable to comply with these instructions.

Article 7.2- Purpose Limitation

The data importer processes personal data only for the purpose(s) specified in Annex I and to the extent necessary.

Article 7.3- Accuracy and Updates

The data importer shall inform the data exporter immediately if it becomes aware that the transferred personal data is inaccurate or outdated. In such cases, the data importer shall cooperate with the data exporter to correct or delete the personal data.

Article 7.4- Duration of Processing and Destruction or Return of Personal Data

The data importer may process personal data only for the duration specified in Annex I. Upon termination of the data importer's processing activities on behalf of the data exporter, the data importer shall, at the data exporter's choice, return all personal data processed on behalf of the data exporter, including backups, or delete the personal data entirely. The data importer undertakes to continue complying with this Contract, take necessary technical and administrative measures to ensure the confidentiality of the personal data transferred, and continue processing only to the extent and duration required by legislation, even if there are 3 provisions in the legislation that prevent the fulfillment of this obligation. The data importer shall document the destruction of the data for the data exporter. The data importer shall continue to comply with this Contract until the data is returned or completely destroyed.

Article 7.5- Transparency Obligations

The data exporter shall provide a copy of this Contract, including the Annexes filled in by the Parties, to the data subject free of charge upon request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the data exporter may redact portions of the Annexes in the copy provided to the data subject. However, if such redactions render the content unintelligible or prevent the data subject from exercising their rights, the data exporter shall provide a meaningful summary to the data subject. The Parties shall inform the data subject of the reasons for the redactions without disclosing the redacted information, to the extent possible. The data exporter's obligations under Article 10 of the Law and the Communiqué on Principles and Procedures for the Fulfillment of the Obligation to Inform, published in the Official Gazette dated March 10, 2018, and numbered 30356, remain reserved.

Article 7.6- Data Security

(a) The data importer and the data exporter during transfer shall take all necessary technical and administrative measures to ensure an appropriate level of security for personal data, considering the nature of the personal data, to prevent unlawful processing, unlawful access, accidental loss, destruction, or damage of personal data. The level of security shall be determined by considering the state of technological development, implementation costs, the nature, scope, context, and purposes of the data processing activity, and the risks to the rights and freedoms of data subjects. The data importer shall, at a minimum, take the technical and administrative measures specified in Annex II to fulfill its obligations under this paragraph. The data importer shall conduct regular checks to confirm that these measures provide an appropriate level of security.

(b) The data importer shall limit the access of its personnel to personal data to the extent and scope necessary for the performance of the data processing activities carried out on behalf of the data exporter and shall ensure that only authorized personnel have access to the personal data. The data importer shall ensure that the individuals authorized to access personal data do not disclose the personal data to third parties or use the personal data for purposes other than processing, as stipulated in this Contract.

(c) In case of unlawful access to personal data processed under this Contract, the data importer shall take necessary measures to mitigate the potential adverse effects of the breach. Additionally, the data importer shall notify the data exporter without delay. The notification shall be made using the "Data Breach Notification Form" determined by the Personal Data Protection Board (hereinafter referred to as the "Board") and published on the official website of the Personal Data Protection Authority (hereinafter referred to as the "Authority"). If it is not possible to provide the information in the form simultaneously, the information shall be provided progressively without delay.

(d) The data importer shall cooperate with the data exporter and assist the data exporter in fulfilling its obligations under the Law, including notification to the Board and data subjects, by considering the nature of the data processing activity and the information it possesses.

To view the full article click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
YAZICIOGLU Legal
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More