Public Announcement on Key Considerations for Standard Contracts in Cross-Border Personal Data Transfers Issued

On 5 February 2025, the Personal Data Protection Authority (“Authority”) published the Public Announcement on Key Considerations for Standard Contracts in Cross-Border Personal Data Transfers (“Public Announcement”) on its official website.

The Authority, through the Public Announcement, has shared its findings and key considerations regarding the Standard Contracts (“SCCs”) submitted for the transfer of personal data abroad under Article 9/5 of the Personal Data Protection Law No. 6698 (DP Law). Accordingly,

1. The SCCs must bear the signatures of the parties involved in the transfer or the authorized representatives who have the authority to bind the parties; otherwise, it is deemed invalid.

2. The signatures must adhere to the signature requirements stipulated in the Turkish Code of Obligations No. 6098.

3. If the SCCs is executed in a foreign language, both the data exporter and the data recipient must sign the Turkish version.. In the case of a dual-column format, both parties must sign the Turkish column.

4. Evidence proving the signatories’ authorization must be submitted to the Authority along with the SCCs. If the documents do not include the names of the signatories, the SCCs is deemed signed by unauthorized people and considered invalid.

5. The names of the parties in the SCCs must be complete and must not differ from the names stated in the documents.

6. The SCCs must be submitted to the Authority within five business days after the completion of signatures, either by post, via a Registered Electronic Mail (KEP) address or through the Standard Contract Notification Module. To verify compliance with the notification deadline, both parties must indicate their respective signing dates on the SCCs.

7. The addresses, contact details, names of the signatories, and similar information of the parties must be clearly stated in the SCCs.

8. The submitted SCCs must be complete, with no missing text or pages.

9. When submitting foreign official documents to the Authority, the authenticity of the signature, the title of the signatory, and the seal/stamp must be verified. Normally, this verification is conducted by Turkey’s consulates; however, under the Apostille Convention, an apostille certification is sufficient for documents issued by member states. For documents from non-member states or those without an exemption, the necessary certification must be completed by the relevant authorities before submission.

10. Evidence and foreign-language documents submitted to the Authority must be accompanied by a notarized Turkish translation.

11. The SCCs cannot include provisions stating effect from a date preceding the signing date.

12. Within the scope of personal data transfer, after selecting the appropriate type of SCCs, the parties may only modify optional or alternative clauses; no changes can be made to the other provisions of the SCCs.

You can access the full version of the Public Announcement here. (Only available in Turkish)

For more details on the transfer of personal data abroad, you can access our Guide on Cross-Border Transfers of Personal Data here.