Turkiye - ENG (Machine Translation) - Standard Contract-1 (C2C)

17.07.2024

Contents

STANDARD CONTRACT TO BE USED FOR TRANSFERRING PERSONAL DATA ABROAD – 1

(FROM DATA CONTROLLER TO DATA CONTROLLER)


PART ONE 
General Provisions

Article 1 - Purpose and Scope

(a) The purpose of this standard contract is to ensure compliance with the provisions of the Personal Data Protection Law No. 6698 dated 24/3/2016 (hereinafter referred to as "the Law") and the Regulation on the Procedures and Principles for Transferring Personal Data Abroad, published in the Official Gazette No. 32598 dated 10/6/2024 (hereinafter referred to as "the Regulation").

(b) The data controller transferring personal data abroad (hereinafter referred to as "data exporter") and the overseas data controller receiving personal data from the data exporter (hereinafter referred to as "data importer") have accepted this standard contract (hereinafter referred to as "the Contract").

(c) This Contract applies to the transfer of personal data abroad as detailed in Annex I.

(d) The annexes to this Contract (hereinafter referred to as "Annexes") form an integral part of this Contract.

Article 2 - Effect and Immutability of the Contract

(a) Provided that no additions, deletions, or changes are made, this Contract provides the appropriate safeguards for transferring personal data abroad as stipulated in Article 9(4) of the Law and the Regulation, including ensuring that the data subject has the ability to exercise their rights and seek effective legal remedies in the country where the transfer is made.

(b) This Contract does not prejudice the obligations of the data exporter under the Law, the Regulation, and other relevant legislation.

Article 3 - Third-Party Beneficiary Rights

(a) Data subjects may assert the provisions of this Contract against the data exporter and/or data importer as third-party beneficiaries, except for the following exceptions:

i) Article 1, Article 2, Article 3, and Article 6. ii) Article 7.5(e) and Article 7.9(b). iii) Article 10(a) and (d). iv) Article 11.

(b) Paragraph (a) does not prejudice the rights of data subjects under the Law.

Article 4 - Interpretation

(a) Terms defined in the Law, the Regulation, and other relevant legislation shall have the same meaning when used in this Contract.

(b) This Contract shall be interpreted in accordance with the Law, the Regulation, and other relevant legislation.

(c) This Contract cannot be interpreted in a manner that contradicts the rights and obligations stipulated in the Law, the Regulation, and other relevant legislation.

Article 5 - Conflict Rule

In the event of any conflict between the provisions of this Contract and any other agreements existing between the Parties on the date of acceptance of this Contract or entered into thereafter, the provisions of this Contract shall prevail.

Article 6 - Details of the Transfer

The details of the transfer of personal data abroad under this Contract, including the categories of personal data being transferred, the legal basis for the transfer, and the purpose(s) of the transfer, are specified in Annex I.


PART TWO 
Obligations of the Parties

Article 7 - Safeguards for the Protection of Personal Data

The data exporter undertakes to make reasonable efforts to determine that the data importer has sufficient capabilities to fulfill the obligations arising from this Contract by taking appropriate technical and administrative measures.

Article 7.1- Purpose Limitation, Proportionality, and Minimization

The data importer shall process personal data only for the purpose(s) specified in Annex I, in a manner that is relevant, limited, and proportionate to those purposes.

Article 7.2- Accuracy and Keeping Data Up-to-Date

(a) Each Party shall ensure that personal data are accurate and, where necessary, kept up to date. The data importer shall take reasonable steps to promptly erase or rectify inaccurate personal data, considering the purpose(s) for which they are processed.

(b) Each Party shall promptly inform the other Party if it becomes aware that the personal data transferred are inaccurate or outdated.

Article 7.3- Storage Limitation

The data importer shall retain personal data only for as long as necessary to fulfill the purpose(s) for which they were processed. To fulfill this obligation, the data importer must take all necessary technical and administrative measures to erase, destroy, or anonymize the personal data and all backups.

Article 7.4- Duty to Inform

(a) The data importer, directly or through the data exporter, must inform the data subjects about: i) Its identity and contact information, ii) The categories of personal data processed, iii) The right to obtain a copy of this Contract, iv) In cases where personal data may be transferred to a third party or parties, the identity or categories of recipients and the purpose of such onward transfer according to Article 7.7.

(b) Upon request, the Parties shall provide a copy of this Contract, including the Annexes completed by them, to the data subject free of charge. To the extent necessary to protect trade secrets or other confidential information, the Parties may redact parts of the Annexes before sharing them with the data subject. However, if redaction would render the content incomprehensible or prevent the exercise of the data subject's rights, the Parties shall provide the data subject with a meaningful summary. Upon request, the Parties shall explain the reasons for any redactions without revealing the redacted information.

(c) The obligations of the data exporter under Article 10 of the Law and the Communiqué on the Procedures and Principles to Be Followed in Fulfilling the Obligation to Inform, published in the Official Gazette No. 30356 dated 10/3/2018, remain unaffected.

Article 7.5- Data Security

(a) The data importer, and the data exporter during the transfer, shall take all necessary technical and administrative measures to ensure an appropriate level of security for personal data, considering the nature of the data, to prevent unlawful processing, unauthorized access, accidental loss, destruction, or damage. When determining these measures, factors such as technological advancements, implementation costs, the nature, scope, context, and purposes of the data processing activity, and the risks to the fundamental rights and freedoms of data subjects shall be considered.

(b) The Parties agree on the technical and administrative measures specified in Annex II. The data importer shall conduct regular reviews to confirm that these measures continue to ensure an adequate level of security.

(c) The data importer shall ensure that authorized individuals do not disclose personal data to third parties or use the data for purposes other than processing.

(d) If the personal data processed by the data importer under this Contract are unlawfully obtained by others, the data importer shall take necessary measures to address the data breach and mitigate its potential adverse effects.

(e) If the personal data processed by the data importer under this Contract are unlawfully obtained by others, the data importer shall promptly notify the data exporter and the Personal Data Protection Board (hereinafter referred to as "the Board") within 72 hours at the latest. The notification shall be made using the Data Breach Notification Form determined by the Board and published on the official website of the Personal Data Protection Authority (hereinafter referred to as "the Authority"). If it is not possible to provide the information required in the form at the same time, this information shall be provided in stages without delay.

(f) If the personal data processed by the data importer under this Contract are unlawfully obtained by others, the data importer shall notify the data subjects of the breach. The notification to the data subjects shall be made in clear and simple language and shall at least include: i) The date of the personal data breach, ii) The categories of personal data affected by the breach (distinguishing between personal data and special categories of personal data), iii) The possible consequences of the personal data breach, iv) The measures taken or proposed to mitigate the adverse effects of the breach, v) The names and contact details of the contact persons or the full address of the data importer's website, call center, etc., through which the data subjects can obtain information about the breach.

(g) The data importer shall record information about the data breach, its effects, and the measures taken and keep these records available for review by the Board.

Article 7.6- Special Categories of Personal Data

(a) The data importer shall take additional technical and administrative measures appropriate to the sensitive nature of special categories of personal data.

(b) The processing of special categories of personal data requires the additional measures specified by the Board.

Article 7.7- Onward Transfers

(a) Personal data transferred to the data importer may be transferred to a third party located abroad (in the same country as the data importer or another country) only in the following cases: i) The onward transfer is made to a country that has an adequacy decision under Article 9(1) of the Law. ii) The third party to whom the onward transfer is made provides one of the appropriate safeguards specified in Article 9(4) of the Law. iii) The transfer of personal data is necessary for the establishment, exercise, or defense of a legal claim in the context of specific administrative or judicial proceedings. iv) The transfer of personal data is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent. v) In the absence of the above cases, with the explicit consent of the data subject obtained after being informed by the data importer about the purpose(s) of the transfer, the identity of the third party to whom the onward transfer is made, and the potential risks of such a transfer due to the lack of appropriate data protection safeguards. The data importer shall inform the data exporter about the onward transfer and provide a copy of the information provided to the data subject upon request.

(b) In any onward transfer, the data importer shall comply with all other safeguards specified in this Contract, including the principles of purpose limitation, proportionality, and minimization.

(c) Before notifying the Authority of this Contract, if the recipients of onward transfers are known, these recipients or recipient groups shall be specified in Annex I. After notifying the Authority, any changes in the recipients or recipient groups of onward transfers shall be updated in Annex I and notified to the Authority.

Article 7.8- Processing under the Authority of the Data Importer

The data importer shall ensure that individuals acting under its authority, including processors, process personal data only in accordance with its instructions.

Article 7.9- Documentation and Compliance

(a) Each Party shall be able to demonstrate compliance with its obligations under this Contract. The data importer is responsible for keeping and maintaining records of information, documents, and records relating to the processing activities under its responsibility.

(b) The data importer shall provide such documents to the Board upon request.

Article 8- Rights of the Data Subject

(a) The data importer, with the assistance of the data exporter if necessary, shall respond to questions and requests from data subjects regarding the processing of their personal data and the exercise of their rights under this Contract within thirty days of receiving the request or question. The data importer shall take appropriate measures to respond to these questions and requests and to facilitate the exercise of data subject rights. All information provided to the data subject shall be understandable and easily accessible, and the notification shall be made in clear and simple language.

(b) The data subject may contact the data importer to: i) Find out whether personal data concerning them are being processed, ii) Request information about the processing if personal data have been processed and obtain a copy of the information in Annex I, iii) Learn the purpose of processing personal data and whether they are used in accordance with this purpose, iv) Know the third parties to whom personal data are transferred and the basis for onward transfer under Article 7.7, v) Request the correction of incomplete or inaccurate personal data, vi) Request the deletion or destruction of personal data under Article 7.3, vii) Request notification of the actions taken under paragraphs (v) and (vi) to the third parties to whom the personal data have been transferred, viii) Object to any adverse outcome resulting from the processing of personal data exclusively through automated systems, ix) Claim compensation for damages caused by the processing of personal data in violation of this Contract.

(c) The data importer shall accept or reject the request and explain its reasons in writing or electronically to the data subject. The response shall inform the data subject of the right to file a complaint with the Board under Article 9(c). If the request is accepted, the data importer shall implement it.

(d) The data importer shall fulfill the data subject's request free of charge. However, if the request requires additional costs, the data importer may charge the fee specified in the tariff determined by the Board. If the request is due to the data importer's fault, the data importer shall refund the fee to the data subject.

Article 9- Remedies

(a) If a dispute arises between the data subject and the data importer regarding the third-party beneficiary rights under this Contract, the data subject may address their claims to the data importer. The data importer shall inform the data subjects about the designated contact point authorized to resolve claims, either directly or by publishing it on its website. The data importer shall address the data subjects' claims without delay. [Optional: The data importer accepts that data subjects may also file a complaint with an independent dispute resolution body free of charge. The data importer shall inform the data subjects about the existence of such a remedy and that it is not mandatory to first use or exclusively use this remedy.]

(b) If a dispute arises between the Parties regarding compliance with this Contract, the relevant Party shall make every effort to resolve the issue amicably and as quickly as possible. The Parties shall inform each other about such disputes and cooperate in resolving them to the extent appropriate.

(c) If the data subject invokes a third-party beneficiary right under Article 3, the data importer accepts that the data subject has the right to file a complaint with the Board and to bring a claim before the competent and authorized courts under Article 17.

(d) The data importer undertakes to comply with binding decisions under Turkish law.

(e) The data importer acknowledges that the exercise of the above remedies by the data subject does not prejudice any other rights the data subject may have under applicable law.

Article 10- Liability

(a) Each Party is liable to the other Party for any damage arising from a breach of this Contract.

(b) Each Party is liable to the data subject. The data subject has the right to claim compensation for material or non-material damage caused by a breach of this Contract by the Parties. This does not prejudice the liability of the data exporter under the Law.

(c) If both Parties are liable for any damage caused to the data subject as a result of a breach of this Contract, they are jointly and severally liable to the data subject, and the data subject has the right to seek redress from either Party.

(d) If one Party fully compensates the data subject for the damage under paragraph (c), it has the right to seek redress from the other Party to the extent of its fault.

(e) The data importer cannot escape liability by claiming that the processor or sub-processor is at fault.

Article 11- Supervision

The data importer agrees to cooperate with the Authority in all matters related to ensuring compliance with this Contract, to submit to the authority of the Board, and to comply with the decisions of the Board. The data importer specifically agrees to provide the information and documents requested by the Board concerning the subject of the investigation, to allow onsite inspections if necessary, and to comply with the instructions given by the Board to remedy any detected legal violations. The data importer shall send the information and documents proving that the instructions have been carried out to the Board. 

PART THREE 
Obligations in Case of Access by National Authorities and National Law

Article 12- National Laws and Practices Affecting Compliance with the Contract

The data importer declares and undertakes that there are no national regulations or practices that conflict with this Contract regarding the personal data to be transferred under this Contract. If any legislative or practice changes that may affect the data importer's ability to fulfill the commitments in this Contract occur during the term of this Contract, the data importer shall immediately inform the data exporter. In such a case, the data exporter shall have the right to suspend data transfers or terminate this Contract.

Article 13- Obligations of the Data Importer in Case of Access by Public Authorities

The data importer shall immediately notify the data exporter if it receives any requests from administrative or judicial authorities regarding the personal data transferred under this Contract or becomes aware of direct access by such authorities to the personal data transferred under this Contract. In such cases, the data exporter shall have the right to suspend data transfers or terminate this Contract, depending on the nature of the request or access.


PART FOUR

Final Provisions

Article 14- Non-Compliance and Termination

(a) The data importer shall immediately inform the data exporter if it is unable to comply with this Contract for any reason.

(b) If the data importer breaches this Contract or fails to comply with this Contract, the data exporter shall suspend the transfer of personal data to the data importer until compliance is restored or the Contract is terminated. Articles 12 and 13 are reserved.

(c) The data exporter has the right to terminate the Contract to the extent that it relates to the processing of personal data under the following conditions: i) The data exporter has suspended the transfer of personal data to the data importer under paragraph (b), and compliance has not been restored within a reasonable time and, in any case, within one month from the suspension. ii) The data importer significantly or continuously breaches this Contract. iii) The data importer fails to comply with the decisions of the competent court or the Board regarding its obligations under this Contract. In such cases, the data exporter shall inform the Board.

(d) If the Contract is terminated under paragraph (c), the data importer shall, at the data exporter's option, return all personal data subject to the transfer, along with any copies, to the data exporter or destroy all personal data entirely. The data importer shall continue to comply with this Contract and take necessary technical and administrative measures to ensure the confidentiality of the personal data subject to the transfer, even if there are provisions in the legislation preventing the fulfillment of this obligation. The data importer shall document the destruction of the data for the data exporter. The data importer shall continue to comply with this Contract until the data is returned or entirely destroyed.

Article 15- Notification of the Contract to the Authority (Optional Provision)

[Data exporter/Data importer] shall notify the Authority of this Contract within five business days of completing the signatures.

Article 16- Governing Law

This Contract is subject to Turkish law.

Article 17- Competent and Authorized Court

(a) Any dispute arising from this Contract shall be resolved by the Turkish courts.

(b) General provisions regarding jurisdiction and competence shall apply.

(c) The Parties accept the jurisdiction of the Turkish courts.

Data Exporter:

Address:

Name, Surname, Title, and Contact Information of Contact Person:

Name, Surname, and Title of Signatory:

Signature and Date:

Data Importer:

Address:

Name, Surname, Title, and Contact Information of Contact Person:

Name, Surname, and Title of Signatory:

Signature and Date:


ANNEXES

ANNEX I  DETAILS OF THE TRANSFER

Activities of the Data Exporter Regarding the Personal Data Transferred Under This Contract

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Activities of the Data Importer Regarding the Personal Data Transferred Under This Contract

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Group or Groups of Data Subjects

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Categories of Personal Data Transferred

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

(If any) Categories of Special Categories of Personal Data Transferred

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Legal Basis for the Transfer

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Frequency of the Transfer

(For example, whether the data will be transferred on a one-off or continuous basis)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Nature of the Processing Activity

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………………… 

Purpose(s) of the Data Transfer and Subsequent Processing Activity

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Retention Period of the Personal Data

(Indicate the retention period for the transferred personal data. If it is not possible to specify this period, explain the criteria used to determine the retention period.)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Recipients or Categories of Recipients

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Data Exporter's Registration Information in the Data Controllers Registry Information System (VERBIS)

(If registration is required)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………


ANNEX II  TECHNICAL AND ADMINISTRATIVE MEASURES

(If special categories of personal data are transferred, specify the technical and administrative measures taken for these types of data.)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………  
