PART ONE
General Provisions
Article 1- Purpose and Scope
(a) The purpose of this standard contract is to ensure compliance with the provisions of the Personal Data Protection Law No. 6698 dated 24/3/2016 (hereinafter referred to as "the Law") and the Regulation on the Procedures and Principles for Transferring Personal Data Abroad, published in the Official Gazette No. 32598 dated 10/6/2024 (hereinafter referred to as "the Regulation") regarding the transfer of personal data abroad. (b) The data processor transferring personal data abroad (hereinafter referred to as "data exporter") and the overseas data processor receiving personal data from the data exporter (hereinafter referred to as "data importer") have accepted this standard contract (hereinafter referred to as "the Contract"). (c) This Contract applies to the transfer of personal data abroad as detailed in Annex I. (d) The annexes to this Contract (hereinafter referred to as "Annexes") form an integral part of this Contract.
Article 2- Effect and Immutability of the Contract
(a) Provided that no additions, deletions, or changes are made, this Contract provides the appropriate safeguards for transferring personal data abroad as stipulated in Article 9(4) of the Law and the Regulation, including ensuring that the data subject has the ability to exercise their rights and seek effective legal remedies in the country where the transfer is made. (b) This Contract does not prejudice the obligations of the data exporter under the Law, the Regulation, and other relevant legislation.
Article 3- Third-Party Beneficiary Rights
(a) Data subjects may assert the provisions of this Contract against the data exporter and/or data importer as third-party beneficiaries, except for the following exceptions: i) Article 1, Article 2, Article 3, and Article 6. ii) Article 7.1(a), (c), and (d) and Article 7.9(a), (c), (d), (e), (f), and (g). iii) Article 8(a), (c), (d), and (e) iv) Article 11(a), (d), and (f). v) Article 12. (b) Paragraph (a) does not prejudice the rights of data subjects under the Law.
Article 4- Interpretation
(a) Terms defined in the Law, the Regulation, and other relevant legislation shall have the same meaning when used in this Contract. (b) This Contract shall be interpreted in accordance with the Law, the Regulation, and other relevant legislation. (c) This Contract cannot be interpreted in a manner that contradicts the rights and obligations stipulated in the Law, the Regulation, and other relevant legislation.
Article 5- Conflict Rule
In the event of any conflict between the provisions of this Contract and any other agreements existing between the Parties on the date of acceptance of this Contract or entered into thereafter, the provisions of this Contract shall prevail.
Article 6- Details of the Transfer
The details of the transfer of personal data abroad under this Contract, including the categories of personal data being transferred, the legal basis for the transfer, and the purpose(s) of the transfer, are specified in Annex I.
PART TWO
Obligations of the Parties
Article 7- Safeguards for the Protection of Personal Data
The data exporter undertakes to make reasonable efforts to determine that the data importer has sufficient capabilities to fulfill the obligations arising from this Contract by taking appropriate technical and administrative measures.
Article 7.1- Instructions
(a) The data exporter shall inform the data importer before starting the processing activity that it is acting as a data processor in accordance with the instructions of the data controller(s) specified by the data exporter. (b) The data importer shall process personal data only according to the instructions of the data controller and the additional instructions of the data exporter as communicated by the data exporter. These additional instructions cannot conflict with the instructions of the data controller. The data controller or data exporter may issue such instructions throughout the period the data importer processes personal data on behalf of the data exporter. (c) If the data importer cannot comply with these instructions, it shall inform the data exporter without delay. If the data importer cannot comply with the instructions given by the data controller, the data exporter shall inform the data controller without delay. (d) The data exporter undertakes that the data importer shall assume the data protection obligations assumed by the data exporter on behalf of the data controller in carrying out the personal data processing activities
Article 7.2- Purpose Limitation, Proportionality, and Minimization
The data importer processes personal data only for the purpose(s) specified in Annex I, in a manner that is relevant, limited, and proportionate to those purposes.
Article 7.3- Accuracy and Keeping Data Up-to-Date
If the data importer becomes aware that the transferred personal data are inaccurate or outdated, it shall inform the data exporter without delay. In such cases, the data importer shall cooperate with the data exporter to erase or rectify the personal data.
Article 7.4- Duration of Processing Activity and Complete Erasure or Return of Personal Data
The data importer may process personal data only for the duration specified in Annex I. When the processing activity on behalf of the data exporter ends, the data importer, at the data exporter's discretion, shall either return all personal data, including backups, to the data exporter or erase them completely. The data importer shall continue to comply with this Contract, take necessary technical and administrative measures to ensure the confidentiality of the transferred personal data, and continue processing only to the extent and duration required by legislation, even if there are provisions in the legislation that prevent the fulfillment of this obligation. Article 13 remains reserved. The data importer shall document the destruction of the data for the data exporter. The data importer shall continue to comply with this Contract until the data is returned or completely destroyed.
Article 7.5- Duty to Inform
Upon request, the data exporter shall provide a copy of this Contract, including the Annexes completed by the Parties, to the data subject free of charge. To the extent necessary to protect trade secrets or other confidential information, the data exporter may redact parts of the Annexes before sharing them with the data subject. However, if redaction would render the content incomprehensible or prevent the exercise of the data subject's rights, the data exporter shall provide a meaningful summary to the data subject. Upon request, the Parties shall explain the reasons for any redactions without revealing the redacted information.
To view the full article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.