The Important Notes Regarding the Standard Contracts Used in Personal Data Abroad

The Personal Data Protection Authority (“Authority”) has clarified the use of standard contracts for the cross-border transfer of personal data. In its 5 February 2025 announcement, the Authority reiterated that standard contracts must be submitted to them within five business days of signature and emphasized compliance with the following:

Signatures

»  Standard contracts must be signed by the parties to the data transfer or by persons authorized to represent and sign on behalf of these same parties. Contracts without valid signatures will be considered invalid.

»  Signatures must comply with the provisions of the Turkish Code of Obligations No. 6098 regarding signatures.

»  In bilingual contracts both the data importer and the data exporter must sign the Turkish contract text.

Authorization Documents

»  Documents that prove the persons signing the standard contract are authorized to represent and sign must be submitted to the Authority with the contract.

»  If the names of the signatories are not included in the authorization documents the contract will be considered invalid. There should be no discrepancies between the names of the parties in the authorization documents and the contract itself.

Notification Obligation

»  Standard contracts must be notified to the Authority within five business days of signing. This can be done physically, via registered electronic mail, or via the Standard Contract Notification Module.

»  The signature dates of both parties to the transfer must be indicated in the contract text to determine if the notification obligation has been fulfilled on time.

Address and Contact Information

» The addresses, contact points, names of signatories, or similar information regarding the parties to the transfer must be clearly stated in the standard contract text.

Official Foreign Documents

» Official foreign documents submitted alongside standard contracts must be apostilled or certified by the relevant country’s authorities.

Notarized Translations

» Supporting documents and every document in a foreign language must be submitted with a notarized Turkish translation.

Prohibition of Retroactivity Clauses

» Contractual clauses indicating the contract will take effect retroactively, even where signatures are completed at a later date, are prohibited.

Prohibition of Changes in the Contract Text

» No additions, deletions, or changes should be made to the standard contract texts except for optional or alternative clauses.

In conclusion, standard contracts for the transfer of personal data abroad must be meticulously prepared and duly notified to the Authority ensuring adherence to the points mentioned above. It is critical that data controllers and data processors adhere to the clarifications.