SECTION ONE
General Provisions
Article 1- Purpose and Scope
(a) The purpose of this standard contract is to ensure compliance with the provisions of the Personal Data Protection Law No. 6698 dated March 24, 2016 (hereinafter referred to as the "Law") and the Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad, published in the Official Gazette dated June 10, 2024, and numbered 32598 (hereinafter referred to as the "Regulation") for the international transfer of personal data.
(b) The data processor transferring personal data abroad (hereinafter referred to as the "data exporter") and the data controller abroad receiving the personal data from the data exporter (hereinafter referred to as the "data importer") accept this standard contract (hereinafter referred to as the "Contract").
(c) This Contract applies to the international transfer of personal data detailed in Annex I.
(d) The annexes to this Contract (hereinafter referred to as the "Annexes") are an integral part of this Contract.
Article 2- Effect and Unchangeability of the Contract
(a) This Contract, without any additions, deletions, or changes, provides the appropriate safeguards for the international transfer of personal data as per the fourth paragraph of Article 9 of the Law and the Regulation, ensuring that data subjects can exercise their rights and seek effective legal remedies in the country where the data is transferred.
(b) This Contract does not prejudice the obligations of the data exporter under the Law, Regulation, and other relevant legislation.
Article 3- Third Party Beneficiary Rights
(a) Data subjects may enforce the provisions of this Contract against the data exporter and/or the data importer as third-party beneficiaries, except for the following exceptions:
i) Article 1, Article 2, Article 3, and Article 6.
ii) Article 7.1 (b) and Article 7.3 (b).
iii) Article 16.
(b) Paragraph (a) does not prejudice the rights of data subjects under the Law.
Article 4- Interpretation
(a) The terms used in this Contract have the meanings assigned to them in the Law, Regulation, and other relevant legislation.
(b) This Contract shall be interpreted in compliance with the Law, Regulation, and other relevant legislation.
(c) This Contract cannot be interpreted in a manner that conflicts with the rights and obligations provided in the Law, Regulation, and other relevant legislation.
Article 5- Conflict Rule
In case of any conflict between the provisions of this Contract and the provisions of other relevant contracts existing at the time of acceptance of this Contract or coming into force thereafter, the provisions of this Contract shall prevail.
Article 6- Details of the Transfer
The categories of personal data to be transferred, the legal basis for the transfer, and the purpose(s) of the transfer, among other details, are specified in Annex I.
SECTION TWO
Obligations of the Parties
Article 7- Safeguards for the Protection of Personal Data
The data exporter undertakes to use reasonable efforts to ensure that the data importer is capable of fulfilling its obligations under this Contract by taking appropriate technical and administrative measures.
Article 7.1- Instructions
(a) The data exporter processes personal data only according to the instructions of the data importer, who acts as the data controller.
(b) The data exporter shall inform the data importer immediately if it is unable to comply with these instructions, including when the instructions violate the Law, Regulation, or other relevant legislation.
(c) The data importer shall avoid any actions that would prevent the data exporter from fulfilling its obligations under the Law, including cooperation with the Personal Data Protection Authority (hereinafter referred to as the "Authority").
(d) Upon the termination of personal data processing activities carried out by the data exporter on behalf of the data importer, the data exporter undertakes to return all personal data processed on behalf of the data importer, including backups, or to completely destroy all personal data processed on behalf of the data importer, depending on the data importer's preference. The data exporter shall document the destruction of the personal data for the data importer.
Article 7.2- Data Security
(a) The Parties shall take all necessary technical and administrative measures to ensure the appropriate level of security for personal data, considering the nature of the personal data, to prevent unlawful processing, unlawful access, accidental loss, destruction, or damage of personal data. The level of security shall be determined by considering the state of technological development, implementation costs, the nature, scope, context, and purposes of the data processing activity, and the risks to the rights and freedoms of data subjects.
(b) The data exporter shall assist the data importer in taking all necessary technical and administrative measures to ensure the appropriate level of security for personal data under paragraph (a). If the personal data processed by the data exporter under this Contract is unlawfully accessed by others, the data exporter shall notify the data importer without delay and assist the data importer in taking necessary measures to mitigate the potential adverse effects of the breach.
(c) The data exporter shall ensure that the individuals authorized to access the personal data do not disclose the personal data to third parties or use the personal data for purposes other than processing, as stipulated in this Contract.
Article 7.3- Documentation and Compliance
(a) The Parties shall be able to demonstrate compliance with their obligations under this Contract.
(b) The data exporter shall provide the data importer with all necessary information and documentation to demonstrate compliance with its obligations under this Contract and shall allow audits and support this process.
Article 8- Data Subject Rights
The Parties shall assist each other in responding to questions and requests from data subjects, as per the local law applicable to the data importer or the Law applicable to the data exporter residing in Turkey, regarding the processing activities.
Article 9- Methods of Redress
In the event of a dispute between a data subject and the data importer regarding third-party beneficiary rights under this Contract, the data subject may submit their claims to the data importer. The data importer shall inform the data subjects about the designated contact point for handling their claims in a transparent and easily accessible format, either through direct notification or by publishing it on its website. The data importer shall promptly address the data subjects' claims.
[Based on the Parties' preference, the contract may include: The data importer agrees that data subjects may also lodge complaints with an independent dispute resolution body free of charge. The data importer shall inform the data subjects about the existence of such a method of redress and that it is not mandatory to use this method before seeking other legal remedies.]
Article 10- Liability
(a) Each Party shall be liable to the other Party for any damages arising from any breach of this Contract.
(b) Each Party shall be liable to the data subject. The data subject shall have the right to seek compensation for any material or non-material damages caused by the breach of third-party beneficiary rights under this Contract by either Party. This does not prejudice the liability of the data exporter under the Law.
(c) If both Parties are liable for any damages caused to the data subject due to a breach of this Contract, they are jointly and severally liable to the data subject, and the data subject has the right to seek redress from either Party.
(d) If one Party fully compensates the data subject for the damages under paragraph (c), it has the right to seek redress from the other Party to the extent of its fault.
To view the full article click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.