Turkiye - ENG (Machine Translation) - Standard Contract-3 (P2P)
Contents
- PART ONE General Provisions
- PART TWO Obligations of the Parties
- PART THREE Obligations in Case of Access by National Authorities and National Law
- PART FOUR Final Provisions
- ANNEX I DETAILS OF THE TRANSFER
- ANNEX II TECHNICAL AND ADMINISTRATIVE MEASURES
Standard Contract to Be Used for Transferring Personal Data Abroad – 3
(From Data Processor to Data Processor)
PART ONE
General Provisions
Article 1- Purpose and Scope
(a) The purpose of this standard contract is to ensure compliance with the provisions of the Personal Data Protection Law No. 6698 dated 24/3/2016 (hereinafter referred to as "the Law") and the Regulation on the Procedures and Principles for Transferring Personal Data Abroad, published in the Official Gazette No. 32598 dated 10/6/2024 (hereinafter referred to as "the Regulation") regarding the transfer of personal data abroad. (b) The data processor transferring personal data abroad (hereinafter referred to as "data exporter") and the overseas data processor receiving personal data from the data exporter (hereinafter referred to as "data importer") have accepted this standard contract (hereinafter referred to as "the Contract"). (c) This Contract applies to the transfer of personal data abroad as detailed in Annex I. (d) The annexes to this Contract (hereinafter referred to as "Annexes") form an integral part of this Contract.
Article 2- Effect and Immutability of the Contract
(a) Provided that no additions, deletions, or changes are made, this Contract provides the appropriate safeguards for transferring personal data abroad as stipulated in Article 9(4) of the Law and the Regulation, including ensuring that the data subject has the ability to exercise their rights and seek effective legal remedies in the country where the transfer is made. (b) This Contract does not prejudice the obligations of the data exporter under the Law, the Regulation, and other relevant legislation.
Article 3- Third-Party Beneficiary Rights
(a) Data subjects may assert the provisions of this Contract against the data exporter and/or data importer as third-party beneficiaries, except for the following exceptions: i) Article 1, Article 2, Article 3, and Article 6. ii) Article 7.1(a), (c), and (d) and Article 7.9(a), (c), (d), (e),
(f), and (g). iii) Article 8(a), (c), (d), and (e) iv) Article 11(a), (d), and (f). v) Article 12. (b) Paragraph (a) does not prejudice the rights of data subjects under the Law.
Article 4- Interpretation
(a) Terms defined in the Law, the Regulation, and other relevant legislation shall have the same meaning when used in this Contract. (b) This Contract shall be interpreted in accordance with the Law, the Regulation, and other relevant legislation. (c) This Contract cannot be interpreted in a manner that contradicts the rights and obligations stipulated in the Law, the Regulation, and other relevant legislation.
Article 5- Conflict Rule
In the event of any conflict between the provisions of this Contract and any other agreements existing between the Parties on the date of acceptance of this Contract or entered into thereafter, the provisions of this Contract shall prevail.
Article 6- Details of the Transfer
The details of the transfer of personal data abroad under this Contract, including the categories of personal data being transferred, the legal basis for the transfer, and the purpose(s) of the transfer, are specified in Annex I.
PART TWO
Obligations of the Parties
Article 7- Safeguards for the Protection of Personal Data
The data exporter undertakes to make reasonable efforts to determine that the data importer has sufficient capabilities to fulfill the obligations arising from this Contract by taking appropriate technical and administrative measures.
Article 7.1- Instructions
(a) The data exporter shall inform the data importer before starting the processing activity that it is acting as a data processor in accordance with the instructions of the data controller(s) specified by the data exporter. (b) The data importer shall process personal data only according to the instructions of the data controller and the additional instructions of the data exporter as communicated by the data exporter. These additional instructions cannot conflict with the instructions of the data controller. The data controller or data exporter may issue such instructions throughout the period the data importer processes personal data on behalf of the data exporter. (c) If the data importer cannot comply with these instructions, it shall inform the data exporter without delay. If the data importer cannot comply with the instructions given by the data controller, the data exporter shall inform the data controller without delay. (d) The data exporter undertakes that the data importer shall assume the data protection obligations assumed by the data exporter on behalf of the data controller in carrying out the personal data processing activities.
Article 7.2- Purpose Limitation, Proportionality, and Minimization
The data importer processes personal data only for the purpose(s) specified in Annex I, in a manner that is relevant, limited, and proportionate to those purposes.
Article 7.3- Accuracy and Keeping Data Up-to-Date
If the data importer becomes aware that the transferred personal data are inaccurate or outdated, it shall inform the data exporter without delay. In such cases, the data importer shall cooperate with the data exporter to erase or rectify the personal data.
Article 7.4- Duration of Processing Activity and Complete Erasure or Return of Personal Data
The data importer may process personal data only for the duration specified in Annex I. When the processing activity on behalf of the data exporter ends, the data importer, at the data exporter's discretion, shall either return all personal data, including backups, to the data exporter or erase them completely. The data importer shall continue to comply with this Contract, take necessary technical and administrative measures to ensure the confidentiality of the transferred personal data, and continue processing only to the extent and duration required by legislation, even if there are provisions in the legislation that prevent the fulfillment of this obligation. Article 13 remains reserved. The data importer shall document the destruction of the data for the data exporter. The data importer shall continue to comply with this Contract until the data is returned or completely destroyed.
Article 7.5- Duty to Inform
Upon request, the data exporter shall provide a copy of this Contract, including the Annexes completed by the Parties, to the data subject free of charge. To the extent necessary to protect trade secrets or other confidential information, the data exporter may redact parts of the Annexes before sharing them with the data subject. However, if redaction would render the content incomprehensible or prevent the exercise of the data subject's rights, the data exporter shall provide a meaningful summary to the data subject. Upon request, the Parties shall explain the reasons for any redactions without revealing the redacted information.
Article 7.6- Data Security
(a) The data importer and the data exporter during the transfer shall take all necessary technical and administrative measures to ensure an appropriate level of security for personal data, considering the nature of the data, to prevent unlawful processing, unauthorized access, accidental loss, destruction, or damage. When determining these measures, factors such as technological advancements, implementation costs, the nature, scope, context, and purposes of the data processing activity, and the risks to the fundamental rights and freedoms of data subjects shall be considered. The data importer shall at least take the technical and administrative measures specified in Annex II. The data importer shall conduct regular reviews to confirm that these measures continue to ensure an adequate level of security. (b) The data importer shall limit its personnel's access to the transferred personal data to the extent and scope necessary for the processing activities on behalf of the data exporter and ensure that only relevant personnel can access these personal data. The data importer shall ensure that authorized individuals do not disclose personal data to third parties or use the data for purposes other than processing. (c) If the personal data processed by the data importer under this Contract are unlawfully obtained by others, the data importer shall take necessary measures to address the data breach and mitigate its potential adverse effects. Additionally, the data importer shall notify the data exporter and, to the extent appropriate, the data controller without delay. The notification shall be made using the Data Breach Notification Form determined by the Personal Data Protection Board (hereinafter referred to as "the Board") and published on the official website of the Personal Data Protection Authority (hereinafter referred to as "the Authority"). If it is not possible to provide the information required in the form at the same time, this information shall be provided in stages without delay. (d) The data importer shall cooperate with and assist the data exporter in fulfilling its obligations under the Law, including notifications to the Board and data subjects, considering the nature of the personal data processing activity and the information known to the data importer.
Article 7.7- Special Categories of Personal Data
(a) The data importer shall take additional technical and administrative measures specified in Annex II, appropriate to the sensitive nature of special categories of personal data. (b) The processing of special categories of personal data requires the additional measures specified by the Board.
Article 7.8- Onward Transfers
(a) Personal data transferred to the data importer may be transferred to a third party located abroad (in the same country as the data importer or another country) only under the instructions of the data controller as communicated by the data exporter and in the following cases: i) The onward transfer is made to a country that has an adequacy decision under Article 9(1) of the Law. ii) The third party to whom the onward transfer is made provides one of the appropriate safeguards specified in Article 9(4) of the Law. iii) The transfer of personal data is necessary for the establishment, exercise, or defense of a legal claim in the context of specific administrative or judicial proceedings. iv) The transfer of personal data is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent. (b) In any onward transfer, the data importer shall comply with all other safeguards specified in this Contract, including the principles of purpose limitation, proportionality, and minimization. (c) Before notifying the Authority of this Contract, if the recipients of onward transfers are known, these recipients or recipient groups shall be specified in Annex I. After notifying the Authority, any changes in the recipients or recipient groups of onward transfers shall be updated in Annex I and notified to the Authority.
Article 7.9- Documentation and Compliance
(a) The data importer shall promptly and adequately respond to questions from the data exporter or the data controller regarding the processing activity under this Contract. (b) The Parties shall be able to demonstrate compliance with this Contract. The data importer shall keep and maintain records of information, documents, and records relating to the processing activities on behalf of the data controller. (c) The data importer shall provide the necessary information and documents to demonstrate compliance with this Contract to the data exporter, who will then forward such information to the data controller. (d) The data importer shall allow for audits of the processing activities under this Contract at reasonable intervals or if there are indicators of non-compliance, or if the data exporter requests an audit based on the instructions of the data controller. The data importer shall support the audit process. (e) If the audit is conducted based on the instructions of the data controller, the data exporter shall communicate the results of the audit to the data controller. (f) The data exporter may conduct the audit itself or appoint an independent auditor. Inspections may be carried out at the data importer's premises or physical facilities. If appropriate, reasonable advance notice of the audit shall be given. (g) The Parties shall provide the Board with the information specified in paragraphs (b) and (c), including the results of audits conducted at the data importer, upon request.
Article 8- Sub-Processor
(The option chosen by the Parties is included in the contract.)
[1. OPTION: SPECIFIC AUTHORIZATION: (a) The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under this Contract without the prior specific written consent of the data controller. The data importer shall provide the data controller with the request for specific authorization, including the necessary information for the data controller's evaluation of the authorization, at least [Specify the period] before appointing the sub-processor. The data importer shall inform the data exporter about the inclusion of the sub-processor. The list of sub-processors authorized by the data controller shall be included in Annex III. Any changes to the sub-processors after notifying the Authority of this Contract shall be updated in Annex III and notified to the Authority.] [2. OPTION: GENERAL AUTHORIZATION: (a) The data importer may subcontract the processing operations performed on behalf of the data exporter under this Contract to a subprocessor(s) listed in a list pre-approved by the data controller. The data importer shall inform the data controller in writing at least [Specify the period] in advance of any intended changes to the list of sub-processors, including the addition or replacement of subprocessors, and shall provide sufficient time for the data controller to object to such changes before including the new sub-processor(s). The data importer shall provide the necessary information to the data controller to exercise the right to object. The data importer shall inform the data exporter about the inclusion of new sub-processors. The list of subprocessors authorized by the data controller shall be included in Annex III. Any changes to the sub-processors after notifying the Authority of this Contract shall be updated in Annex III and notified to the Authority.]
(b) When subcontracting any specific personal data processing operations, the data importer shall enter into a written agreement with the sub-processor that includes at least the safeguards provided in this Contract, including third-party beneficiary rights for the data subjects. The Parties agree that entering into such an agreement shall be deemed to fulfill the data importer's obligations under Article 7.8. The data importer shall ensure that the subprocessor complies with the obligations to which the data importer is subject under this Contract. (c) The data importer shall provide the data exporter or the data controller, upon request, with a copy of the sub-processing agreement and any subsequent changes. To the extent necessary to protect trade secrets or other confidential information, including personal data, the data importer may redact parts of the sub-processing agreement before sharing it. (d) The data importer shall be fully liable to the data exporter for the performance of the subprocessor's obligations under the sub-processing agreement. The data importer shall notify the data exporter if the sub-processor fails to fulfill its obligations under the sub-processing agreement. (e) The data importer shall include in the sub-processing agreement a third-party beneficiary clause in favor of the data exporter, allowing the data exporter to terminate the sub-processing agreement and require the return or complete destruction of the personal data by the sub-processor in the event of the data importer's legal personality ceasing or insolvency.
Article 9- Data Subject Rights
(a) The data importer shall promptly notify the data exporter and, where appropriate, the data controller of any request received from a data subject without responding to that request unless authorized to do so by the data controller. (b) Where appropriate, the data importer shall assist the data controller in fulfilling its obligation to respond to data subjects' requests to exercise their rights under the Law, in cooperation with the data exporter. In this context, the Parties shall specify in Annex II the appropriate technical and administrative measures, considering the nature of the processing activity and the scope of the assistance required. (c) The data importer shall comply with the data controller's instructions as communicated by the data exporter in fulfilling its obligations under paragraphs (a) and (b).
Article 10- Methods of Redress
(a) In the event of a dispute between a data subject and the data importer regarding thirdparty beneficiary rights under this Contract, the data subject may submit their claims to the data importer. The data importer shall inform the data subjects about the designated contact point for handling their claims in a transparent and easily accessible format, either through direct notification or by publishing it on its website. The data importer shall promptly address the data subjects' claims. [The contract may include the following provision based on the Parties' preference: The data importer agrees that data subjects may also lodge complaints with an independent dispute resolution body free of charge. The data importer shall inform the data subjects about the existence of such a method of redress and that it is not mandatory to use this method before seeking other legal remedies.] (b) In the event of a dispute between the Parties regarding compliance with this Contract, the Parties shall use their best efforts to resolve the issue amicably and as soon as possible. The Parties shall inform each other about such disputes and cooperate to resolve them to the extent appropriate. (c) If the data subject asserts a third-party beneficiary right under Article 3, the data importer acknowledges that the data subject has the right to lodge a complaint with the Board and to seek judicial remedies before the competent and authorized courts under Article 18. (d) The data importer undertakes to comply with the binding decisions of Turkish courts. (e) The data importer acknowledges that recourse to any of the methods of redress mentioned above by the data subject shall not prejudice the data subject's other rights under the applicable law.
Article 11- Liability
(a) Each Party shall be liable to the other Party for any damages arising from any breach of this Contract. (b) The data importer shall be liable to the data subject. The data subject shall have the right to seek compensation for any material or non-material damages caused by the data importer's or sub-processor's breach of third-party beneficiary rights under this Contract. (c) Without prejudice to paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall have the right to seek compensation for any material or nonmaterial damages caused by the breach of third-party beneficiary rights under this Contract by the data exporter, data importer, or sub-processor. This does not prejudice the liability of the data exporter and the data controller under the Law. (d) If the data exporter fully compensates the data subject for the damages caused by the data importer (or subprocessor) under paragraph (c), it has the right to seek redress from the data importer to the extent of its fault. (e) If both Parties are liable for any damages caused to the data subject due to a breach of this Contract, they are jointly and severally liable to the data subject, and the data subject has the right to seek redress from either Party. (f) If one Party fully compensates the data subject for the damages under paragraph (e), it has the right to seek redress from the other Party to the extent of its fault. (g) The data importer cannot escape liability by claiming that the sub-processor is at fault.
Article 12- Supervision
The data importer agrees to cooperate with the Authority in all matters related to ensuring compliance with this Contract, to submit to the authority of the Board, and to comply with the decisions of the Board. The data importer specifically agrees to provide the information and documents requested by the Board concerning the subject of the investigation, to allow onsite inspections if necessary, and to comply with the instructions given by the Board to remedy any detected legal violations. The data importer shall send the information and documents proving that the instructions have been carried out to the Board.
PART THREE
Obligations in Case of Access by National Authorities and National Law
Article 13- National Laws and Practices Affecting Compliance with the Contract The data importer declares and undertakes that there are no national regulations or practices that conflict with this Contract regarding the personal data to be transferred under this Contract. If any legislative or practice changes that may affect the data importer's ability to fulfill the commitments in this Contract occur during the term of this Contract, the data importer shall immediately inform the data exporter. The data exporter shall inform the data controller of this notification. The data importer acknowledges that, in such cases, the data exporter shall have the right to suspend data transfers or terminate this Contract.
Article 14- Obligations of the Data Importer in Case of Access by Public Authorities The data importer shall immediately notify the data exporter if it receives any requests from administrative or judicial authorities regarding the personal data transferred under this Contract or becomes aware of direct access by such authorities to the personal data transferred under this Contract. The data exporter shall inform the data controller of this notification. The data importer acknowledges that, in such cases, the data exporter shall have the right to suspend data transfers or terminate this Contract, depending on the nature of the request or access.
PART FOUR
Final Provisions
Article 15- Non-Compliance and Termination
(a) The data importer shall immediately inform the data exporter if it is unable to comply with this Contract for any reason. (b) If the data importer breaches this Contract or fails to comply with this Contract, the data exporter shall suspend the transfer of personal data to the data importer until compliance is restored or the Contract is terminated. Articles 13 and 14 remain reserved. (c) The data exporter has the right to terminate the Contract to the extent that it relates to the processing of personal data under the following conditions: i) The data exporter has suspended the transfer of personal data to the data importer under paragraph (b), and compliance has not been restored within a reasonable time and, in any case, within one month from the suspension. ii) The data importer significantly or continuously breaches this Contract. iii) The data importer fails to comply with the decisions of the competent court or the Board regarding its obligations under this Contract. In such cases, the data exporter shall inform the Board and the data controller. (d) In the event of termination of the Contract under paragraph (c), the data importer shall, at the discretion of the data exporter, either return all personal data transferred, including any copies, to the data exporter or destroy all personal data. The data importer undertakes to continue to comply with this Contract, take necessary technical and administrative measures to ensure the confidentiality of the personal data transferred, and continue processing only to the extent and duration required by legislation, even if there are provisions in the legislation that prevent the fulfillment of this obligation. The data importer shall document the destruction of the data for the data exporter. The data importer shall continue to comply with this Contract until the data is returned or completely destroyed.
Article 16- Notification to the Authority
(The contract may include the following provision based on the Parties' preference.) [The data exporter/data importer] shall notify the Authority of this Contract within five business days from the completion of the signatures.
Article 17- Applicable Law
This Contract is governed by Turkish law.
Article 18- Competent and Authorized Court
(a) Any dispute arising from this Contract shall be resolved by Turkish courts. (b) General provisions apply to jurisdiction and competence. (c) The Parties agree to recognize the jurisdiction of Turkish courts.
Data Exporter:
Address:
Contact Person's Name, Title, and Contact Information:
Signatory's Name, Title: Signature and Date:
Data Importer:
Address:
Contact Person's Name, Title, and Contact Information:
Signatory's Name, Title: Signature and Date:
ANNEXES
ANNEX I
DETAILS OF THE TRANSFER
Activities of the Data Exporter Related to the Transferred Personal Data under this Contract:
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Activities of the Data Importer Related to the Transferred Personal Data under this Contract:
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Data Subject Group or Groups:
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Categories of Transferred Personal Data:
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
(Special Categories of Personal Data, if any):
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Legal Basis for the Transfer:
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Frequency of Transfer:
(For example, whether the data will be transferred once or on a continuous basis)
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
………………………………………………………………………………………
Nature of Processing Activity:
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Purposes of Data Transfer and Subsequent Processing Activity:
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Retention Period for Personal Data:
(The retention period for the transferred personal data shall be specified.
If it is not possible to specify the retention period, the criteria used to determine the retention period shall be explained.)
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
(Processing Activity Subject, Nature, and Duration in Case of Transfers to Sub-Processors)
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Recipients or Recipient Groups:
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
Data Exporter's Data Controllers Registry Information System (VERBIS) Information:
(In case of registration obligation)
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
ANNEX II
TECHNICAL AND ADMINISTRATIVE MEASURES
(In case of transferring special categories of personal data, the technical and administrative measures taken for such data shall be specified separately.)
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
ANNEX III LIST OF SUB-PROCESSORS
The data controller has authorized the following sub-processors:
1. Name:
Address:
Contact Person's Name, Title, and Contact Information:
Details of Processing Activity:
(In case multiple sub-processors are authorized, the responsibilities shall be clearly specified.)
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
…………………………………………………………………………………………………
2. ………………………………………………………………………………………………
Successful