Turkiye - ENG (Machine Translation) - Standard Contract-2 (C2P)
Contents
- SECTION ONE General Provisions
- SECTION TWO Obligations of the Parties
- SECTION THREE Obligations in Case of Access by National Authorities
- SECTION FOUR Final Provisions
Standard Contract for International Transfer of Personal Data – 2
(From Data Controller to Data Processor)
SECTION ONE
General Provisions
Article 1- Purpose and Scope
(a) The purpose of this standard contract is to ensure compliance with the provisions of the Personal Data Protection Law No. 6698 dated March 24, 2016 (hereinafter referred to as the "Law") and the Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad, published in the Official Gazette dated June 10, 2024, and numbered 32598 (hereinafter referred to as the "Regulation") for the international transfer of personal data.
(b) The data controller transferring personal data abroad (hereinafter referred to as the "data exporter") and the data processor abroad receiving the personal data from the data exporter (hereinafter referred to as the "data importer") accept this standard contract (hereinafter referred to as the "Contract").
(c) This Contract applies to the international transfer of personal data detailed in Annex I.
(d) The annexes to this Contract (hereinafter referred to as the "Annexes") are an integral part of this Contract.
Article 2- Effect and Unchangeability of the Contract
(a)This Contract, without any additions, deletions, or changes, provides the appropriate safeguards for the international transfer of personal data as per the fourth paragraph of Article 9 of the Law and the Regulation, ensuring that data subjects can exercise their rights and seek effective legal remedies in the country where the data is transferred.
(b)This Contract does not prejudice the obligations of the data exporter under the Law, Regulation, and other relevant legislation.
Article 3- Third Party Beneficiary Rights
(a) Data subjects may enforce the provisions of this Contract against the data exporter and/or the data importer as third-party beneficiaries, except for the following exceptions:
i)Article 1, Article 2, Article 3, and Article 6.
ii)Article 7.1(b) and Article 7.9(a), (c), (d), and (e).
iii)Article 8(a), (c), (d), and (e). iv) Article 11(a), (d), and (f). v) Article 12.
(b) Paragraph (a) does not prejudice the rights of data subjects under the Law.
Article 4- Interpretation
(a)The terms used in this Contract have the meanings assigned to them in the Law, Regulation, and other relevant legislation.
(b)This Contract shall be interpreted in compliance with the Law, Regulation, and other relevant legislation.
(c)This Contract cannot be interpreted in a manner that conflicts with the rights and obligations provided in the Law, Regulation, and other relevant legislation.
Article 5- Conflict Rule
In case of any conflict between the provisions of this Contract and the provisions of other relevant contracts existing at the time of acceptance of this Contract or coming into force thereafter, the provisions of this Contract shall prevail.
Article 6- Details of the Transfer
The categories of personal data to be transferred, the legal basis for the transfer, and the purpose(s) of the transfer, among other details, are specified in Annex I.
SECTION TWO
Obligations of the Parties
Article 7- Safeguards for the Protection of Personal Data
The data exporter undertakes to use reasonable efforts to ensure that the data importer is capable of fulfilling its obligations under this Contract by taking appropriate technical and administrative measures.
Article 7.1- Instructions
(a)The data importer processes personal data only according to the instructions of the data exporter. The data exporter may give such instructions to the data importer throughout the period the data importer processes personal data on behalf of the data exporter.
(b)The data importer shall inform the data exporter immediately if it is unable to comply with these instructions.
Article 7.2- Purpose Limitation
The data importer processes personal data only for the purpose(s) specified in Annex I and to the extent necessary.
Article 7.3- Accuracy and Updates
The data importer shall inform the data exporter immediately if it becomes aware that the transferred personal data is inaccurate or outdated. In such cases, the data importer shall cooperate with the data exporter to correct or delete the personal data.
Article 7.4- Duration of Processing and Destruction or Return of Personal Data
The data importer may process personal data only for the duration specified in Annex I. Upon termination of the data importer's processing activities on behalf of the data exporter, the data importer shall, at the data exporter's choice, return all personal data processed on behalf of the data exporter, including backups, or delete the personal data entirely. The data importer undertakes to continue complying with this Contract, take necessary technical and administrative measures to ensure the confidentiality of the personal data transferred, and continue processing only to the extent and duration required by legislation, even if there are provisions in the legislation that prevent the fulfillment of this obligation. The data importer shall document the destruction of the data for the data exporter. The data importer shall continue to comply with this Contract until the data is returned or completely destroyed.
Article 7.5- Transparency Obligations
The data exporter shall provide a copy of this Contract, including the Annexes filled in by the Parties, to the data subject free of charge upon request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the data exporter may redact portions of the Annexes in the copy provided to the data subject. However, if such redactions render the content unintelligible or prevent the data subject from exercising their rights, the data exporter shall provide a meaningful summary to the data subject. The Parties shall inform the data subject of the reasons for the redactions without disclosing the redacted information, to the extent possible. The data exporter's obligations under Article 10 of the Law and the Communiqué on Principles and Procedures for the Fulfillment of the Obligation to Inform, published in the Official Gazette dated March 10, 2018, and numbered 30356, remain reserved.
Article 7.6- Data Security
(a)The data importer and the data exporter during transfer shall take all necessary technical and administrative measures to ensure an appropriate level of security for personal data, considering the nature of the personal data, to prevent unlawful processing, unlawful access, accidental loss, destruction, or damage of personal data. The level of security shall be determined by considering the state of technological development, implementation costs, the nature, scope, context, and purposes of the data processing activity, and the risks to the rights and freedoms of data subjects. The data importer shall, at a minimum, take the technical and administrative measures specified in Annex II to fulfill its obligations under this paragraph. The data importer shall conduct regular checks to confirm that these measures provide an appropriate level of security.
(b)The data importer shall limit the access of its personnel to personal data to the extent and scope necessary for the performance of the data processing activities carried out on behalf of the data exporter and shall ensure that only authorized personnel have access to the personal data. The data importer shall ensure that the individuals authorized to access personal data do not disclose the personal data to third parties or use the personal data for purposes other than processing, as stipulated in this Contract.
(c)In case of unlawful access to personal data processed under this Contract, the data importer shall take necessary measures to mitigate the potential adverse effects of the breach. Additionally, the data importer shall notify the data exporter without delay. The notification shall be made using the "Data Breach Notification Form" determined by the Personal Data Protection Board (hereinafter referred to as the "Board") and published on the official website of the Personal Data Protection Authority (hereinafter referred to as the "Authority"). If it is not possible to provide the information in the form simultaneously, the information shall be provided progressively without delay.
(d)The data importer shall cooperate with the data exporter and assist the data exporter in fulfilling its obligations under the Law, including notification to the Board and data subjects, by considering the nature of the data processing activity and the information it possesses.
Article 7.7- Special Categories of Personal Data
(a)The data importer shall take additional technical and administrative measures specified in Annex II to protect the sensitive nature of special categories of personal data.
(b)The processing of special categories of personal data shall also require the implementation of adequate safeguards determined by the Board.
Article 7.8- Onward Transfers
(a) Personal data transferred to the data importer may be transferred to a third party located abroad (in the same country as the data importer or another country) only with the data exporter's instructions and in the following cases:
i)The onward transfer is made to a country that has been determined to provide adequate protection under the first paragraph of Article 9 of the Law.
ii)The third party receiving the onward transfer provides one of the appropriate safeguards specified in the fourth paragraph of Article 9 of the Law.
iii)The transfer of personal data is necessary for the establishment, exercise, or defense of a legal claim. iv) The transfer of personal data is necessary to protect the vital interests of the data subject or another person who is physically or legally incapable of giving consent.
(b)In any onward transfer, the data importer shall comply with all safeguards in this Contract, including the principle of purpose limitation.
(c)Before notifying the Authority of this Contract, if the specific third parties or groups of third parties to whom the personal data will be transferred are known, they shall be listed in Annex I. If there are changes in the third parties or groups of third parties to whom the personal data will be transferred after notifying the Authority of this Contract, Annex I shall be updated, and the Authority shall be notified of the changes.
Article 7.9- Documentation and Compliance
(a)The data importer shall respond to any inquiries from the data exporter promptly and sufficiently regarding the data processing activities carried out under this Contract.
(b)The Parties must be able to demonstrate compliance with this Contract. The data importer is responsible for maintaining and storing information, documents, and records related to the data processing activities conducted on behalf of the data exporter.
(c)The data importer shall provide all necessary information and documents to demonstrate compliance with this Contract to the data exporter. The data importer shall allow and support audits of the data processing activities conducted under this Contract, either at regular intervals or in cases of suspected non-compliance.
(d)The data exporter may conduct the audit itself or appoint an independent auditor. The audit may include inspections of the data importer's premises or physical facilities. Where appropriate, reasonable notice of the audit shall be given.
(e)The Parties shall provide the results of the audits, including the information specified in paragraphs (b) and (c), to the Board upon request.
Article 8- Sub-processors
(The option chosen by the Parties shall be specified in the Contract.)
[Option 1: Specific Authorization:
(a) The data importer may not delegate any of its data processing activities carried out on behalf of the data exporter to a sub-processor without the specific prior written consent of the data exporter. The data importer shall provide the data exporter with the information necessary for evaluating the sub-processor's authorization request at least [specify period] before appointing the sub-processor. The list of subprocessors authorized by the data exporter shall be included in Annex III. If there are changes in the sub-processors after notifying the Authority of this Contract, Annex III shall be updated, and the Authority shall be notified of the changes.]
[Option 2: General Authorization:
(a) The data importer may delegate data processing activities carried out on behalf of the data exporter to sub-processors listed in a pre-approved list by the data exporter. The data importer shall inform the data exporter in writing at least [specify period] before replacing or adding sub-processors and shall give the data exporter sufficient time to object to such changes. The data importer shall provide the data exporter with the information necessary to exercise its right to object. The list of sub-processors authorized by the data exporter shall be included in Annex III. If there are changes in the subprocessors after notifying the Authority of this Contract, Annex III shall be updated, and the
Authority shall be notified of the changes.]
(b)If the data importer delegates specific personal data processing activities to a subprocessor, it shall enter into a written contract with the sub-processor. The contract must include, at a minimum, the safeguards in this Contract, including third-party beneficiary rights for data subjects. The Parties shall acknowledge that the data importer has fulfilled its obligations under Article 7.8 if such a contract is concluded. The data importer shall ensure that the sub-processor complies with the obligations of this Contract.
(c)Upon the request of the data exporter, the data importer shall provide a copy of the subprocessing contract and any subsequent amendments. To the extent necessary to protect trade secrets or other confidential information, including personal data, the data importer may redact portions of the copy provided.
(d)The data importer shall be fully responsible to the data exporter for the sub-processor's compliance with the sub-processing contract. If the sub-processor fails to fulfill its obligations under the sub-processing contract, the data importer shall inform the data exporter. (e) The data importer shall include a third-party beneficiary clause in the sub-processing contract, allowing the data exporter to terminate the sub-processing contract and require the sub-processor to return or destroy the personal data transferred, including any copies, in case of the data importer's insolvency or termination of legal personality.
Article 9- Data Subject Rights
(a)The data importer shall promptly notify the data exporter of any requests received from data subjects. Unless authorized by the data exporter, the data importer shall not respond to such requests.
(b)The data importer shall assist the data exporter in fulfilling its obligations to respond to data subject requests under the Law. The Parties shall specify the appropriate technical and administrative measures in Annex II, considering the nature of the data processing activity and the required assistance.
(c)The data importer shall comply with the data exporter's instructions regarding its obligations under paragraphs (a) and (b).
Article 10- Remedies
(a)If a dispute arises between a data subject and the data importer regarding third-party beneficiary rights under this Contract, the data subject may address their concerns to the data importer. The data importer shall inform data subjects in a transparent and easily accessible format about the designated contact point for handling such requests, either through direct communication or on its website. The data importer shall promptly address data subject requests.
[Optional clause based on the Parties' preference: The data importer acknowledges that data subjects may also file complaints with an independent dispute resolution body free of charge. The data importer shall inform data subjects about the availability of this remedy and clarify that it is not mandatory for data subjects to first resort to this remedy.]
(b)If a dispute arises between the Parties regarding compliance with this Contract, the concerned Party shall make every effort to resolve the issue amicably and as quickly as possible. The Parties shall inform each other of such disputes and cooperate to resolve them appropriately.
(c)If a data subject asserts a third-party beneficiary right under Article 3, the data importer acknowledges the data subject's right to lodge a complaint with the Board and file a lawsuit with the competent and authorized courts under Article 18.
(d)The data importer undertakes to comply with binding decisions under Turkish law. (e)The data importer acknowledges that data subjects' resort to any of the remedies specified above does not prejudice their other rights under the applicable law.
Article 11- Liability
(a)Each Party shall be liable to the other Party for any damages arising from the breach of this Contract.
(b)The data importer is liable to the data subject. The data subject has the right to compensation for any material or non-material damages caused by the data importer's or subprocessor's violation of third-party beneficiary rights under this Contract.
(c)Without prejudice to paragraph (b), the data exporter is liable to the data subject. The data subject has the right to compensation for any material or non-material damages caused by the data exporter or data importer (or sub-processor) due to a violation of third-party beneficiary rights under this Contract. This does not affect the data exporter's liability under the Law.
(d) If the data exporter fully compensates the data subject for damages caused by the data importer (or sub-processor) under paragraph (c), the data exporter reserves the right to seek redress from the data importer to the extent of the latter's fault.
(e)If both Parties are liable for damages caused to a data subject due to the breach of this Contract, they shall be jointly and severally liable to the data subject, and the data subject may file a lawsuit against either Party.
(f)If one Party fully compensates the data subject for damages under paragraph (e), that Party reserves the right to seek redress from the other Party to the extent of the latter's fault.
(g)The data importer cannot evade liability by claiming that the sub-processor was at fault.
Article 12- Supervision
The data importer agrees to cooperate with the Authority in all matters related to compliance with this Contract and submit to the Authority's jurisdiction and decisions. The data importer especially agrees to provide information and documents requested by the Board, allow on-site inspections when necessary, and comply with the Board's instructions to rectify identified violations. The data importer shall provide evidence of compliance with these instructions to the Board.
SECTION THREE
Obligations in Case of Access by National Authorities
Article 13- National Laws and Practices Affecting Compliance with the Contract
The data importer declares that there are no national laws or practices that conflict with its obligations under this Contract concerning the personal data to be transferred. The data importer shall promptly inform the data exporter of any changes in laws or practices that may affect its ability to fulfill its obligations under this Contract during the Contract's term. The data exporter reserves the right to suspend data transfers or terminate this Contract in such cases.
Article 14- Obligations of the Data Importer in Case of Access by Public Authorities The data importer shall promptly notify the data exporter of any requests from administrative or judicial authorities regarding the personal data transferred under this Contract or if it becomes aware of direct access to the personal data by such authorities. In such cases, the data exporter reserves the right to suspend data transfers or terminate this Contract, depending on the nature of the request or access.
SECTION FOUR
Final Provisions
Article 15- Non-compliance and Termination
(a)The data importer shall promptly inform the data exporter if it is unable to comply with this Contract for any reason.
(b)If the data importer breaches this Contract or is unable to comply, the data exporter shall suspend the transfer of personal data to the data importer until compliance is restored or the Contract is terminated. Articles 13 and 14 are reserved.
(c)The data exporter shall have the right to terminate this Contract in the following cases: i) The data exporter has suspended the transfer of personal data to the data importer under paragraph (b) and compliance is not restored within a reasonable time, and in any case, within one month of the suspension. ii) The data importer significantly or persistently breaches this Contract. iii) The data importer fails to comply with a binding decision of a competent court or the Board regarding its obligations under this Contract.
In such cases, the data exporter shall inform the Board.
(d)If the Contract is terminated under paragraph (c), the data importer shall, at the data exporter's choice, return all personal data transferred under this Contract, including backups, to the data exporter or delete the personal data entirely. The data importer undertakes to continue complying with this Contract, take necessary technical and administrative measures to ensure the confidentiality of the personal data transferred, and continue processing only to the extent and duration required by legislation, even if there are provisions in the legislation that prevent the fulfillment of this obligation. The data importer shall document the destruction of the data for the data exporter. The data importer shall continue to comply with this Contract until the data is returned or completely destroyed.
Article 16- Notification to the Authority
(The option chosen by the Parties shall be specified in the Contract.)
[The data exporter/data importer] shall notify the Authority of this Contract within five business days of its completion.
Article 17- Applicable Law
This Contract is governed by Turkish law.
Article 18- Competent and Authorized Court
(a)Any disputes arising from this Contract shall be resolved by Turkish courts.
(b)General provisions regarding jurisdiction and competence apply.
(c) The Parties accept the jurisdiction of Turkish courts.
DATA EXPORTER:
Address:
Contact Person's Name, Surname, Title, and Contact Information:
Signatory's Name, Surname, and Title: Signature and Date:
DATA IMPORTER:
Address:
Contact Person's Name, Surname, Title, and Contact Information:
Signatory's Name, Surname, and Title: Signature and Date:
ANNEXES
ANNEX I
DETAILS OF THE TRANSFER
Activities of the Data Exporter Involving Personal Data Transferred Under this Contract
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Activities of the Data Importer Involving Personal Data Transferred Under this Contract
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Data Subject Group(s)
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Categories of Personal Data Transferred
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
(If any) Categories of Special Categories of Personal Data Transferred
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Legal Basis for the Transfer
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Frequency of the Transfer
(For example, whether the data will be transferred once or continuously)
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Nature of the Processing Activity
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Purpose(s) of the Data Transfer and Subsequent Processing
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Retention Period of Personal Data
(The retention period of the personal data transferred should be specified.
If it is not possible to specify the retention period, the criteria used to determine the retention period should be explained.)
…………………………………………………………………………………………………
…………………………………………………………………………………………………
ANNEX II
TECHNICAL AND ADMINISTRATIVE MEASURES
(In case of transfer of special categories of personal data, the technical and administrative measures taken for such data should be specified separately.)
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
ANNEX III
LIST OF SUB-PROCESSORS
The data exporter has authorized the following sub-processors:
The data exporter has authorized the following sub-processors:
1.
Name:
Address:
Contact Person's Name, Title, and Contact Information:
Details of Processing Activities:
(In case of authorization of multiple sub-processors, responsibilities should be clearly specified.)
2.
.………
Successful