Standard Contract for International Transfer of Personal Data – 4

(From Data Processor to Data Controller)

SECTION ONE 
General Provisions

Article 1- Purpose and Scope

(a) The purpose of this standard contract is to ensure compliance with the provisions of the Personal Data Protection Law No. 6698 dated March 24, 2016 (hereinafter referred to as the "Law") and the Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad, published in the Official Gazette dated June 10, 2024, and numbered 32598 (hereinafter referred to as the "Regulation") for the international transfer of personal data.

(b) The data processor transferring personal data abroad (hereinafter referred to as the "data exporter") and the data controller abroad receiving the personal data from the data exporter (hereinafter referred to as the "data importer") accept this standard contract (hereinafter referred to as the "Contract").

(c) This Contract applies to the international transfer of personal data detailed in Annex I.

(d) The annexes to this Contract (hereinafter referred to as the "Annexes") are an integral part of this Contract.

Article 2- Effect and Unchangeability of the Contract

(a) This Contract, without any additions, deletions, or changes, provides the appropriate safeguards for the international transfer of personal data as per the fourth paragraph of Article 9 of the Law and the Regulation, ensuring that data subjects can exercise their rights and seek effective legal remedies in the country where the data is transferred. (b) This Contract does not prejudice the obligations of the data exporter under the Law, Regulation, and other relevant legislation.

Article 3- Third Party Beneficiary Rights

(a) Data subjects may enforce the provisions of this Contract against the data exporter and/or the data importer as third-party beneficiaries, except for the following exceptions: i) Article 1, Article 2, Article 3, and Article 6.

ii) Article 7.1 (b) and Article 7.3 (b). iii) Article 16.

(b) Paragraph (a) does not prejudice the rights of data subjects under the Law.

Article 4- Interpretation

(a)            The terms used in this Contract have the meanings assigned to them in the Law, Regulation, and other relevant legislation.

(b)            This Contract shall be interpreted in compliance with the Law, Regulation, and other relevant legislation.

(c)            This Contract cannot be interpreted in a manner that conflicts with the rights and obligations provided in the Law, Regulation, and other relevant legislation.

Article 5- Conflict Rule

In case of any conflict between the provisions of this Contract and the provisions of other relevant contracts existing at the time of acceptance of this Contract or coming into force thereafter, the provisions of this Contract shall prevail.

Article 6- Details of the Transfer

The categories of personal data to be transferred, the legal basis for the transfer, and the purpose(s) of the transfer, among other details, are specified in Annex I.

SECTION TWO 
Obligations of the Parties

Article 7- Safeguards for the Protection of Personal Data

The data exporter undertakes to use reasonable efforts to ensure that the data importer is capable of fulfilling its obligations under this Contract by taking appropriate technical and administrative measures.

Article 7.1- Instructions

(a)            The data exporter processes personal data only according to the instructions of the data importer, who acts as the data controller.

(b)            The data exporter shall inform the data importer immediately if it is unable to comply with these instructions, including when the instructions violate the Law, Regulation, or other relevant legislation.

(c)            The data importer shall avoid any actions that would prevent the data exporter from fulfilling its obligations under the Law, including cooperation with the Personal Data Protection Authority (hereinafter referred to as the "Authority").

(d)            Upon the termination of personal data processing activities carried out by the data exporter on behalf of the data importer, the data exporter undertakes to return all personal data processed on behalf of the data importer, including backups, or to completely destroy all personal data processed on behalf of the data importer, depending on the data importer's preference. The data exporter shall document the destruction of the personal data for the data importer.

Article 7.2- Data Security

(a) The Parties shall take all necessary technical and administrative measures to ensure the appropriate level of security for personal data, considering the nature of the personal data, to prevent unlawful processing, unlawful access, accidental loss, destruction, or damage of personal data. The level of security shall be determined by considering the state of technological development, implementation costs, the nature, scope, context, and purposes of the data processing activity, and the risks to the rights and freedoms of data subjects. (b) The data exporter shall assist the data importer in taking all necessary technical and administrative measures to ensure the appropriate level of security for personal data under paragraph (a). If the personal data processed by the data exporter under this Contract is unlawfully accessed by others, the data exporter shall notify the data importer without delay and assist the data importer in taking necessary measures to mitigate the potential adverse effects of the breach.

(c) The data exporter shall ensure that the individuals authorized to access the personal data do not disclose the personal data to third parties or use the personal data for purposes other than processing, as stipulated in this Contract.

Article 7.3- Documentation and Compliance

(a)            The Parties shall be able to demonstrate compliance with their obligations under this Contract.

(b)            The data exporter shall provide the data importer with all necessary information and documentation to demonstrate compliance with its obligations under this Contract and shall allow audits and support this process.

Article 8- Data Subject Rights

The Parties shall assist each other in responding to questions and requests from data subjects, as per the local law applicable to the data importer or the Law applicable to the data exporter residing in Turkey, regarding the processing activities.

Article 9- Methods of Redress

In the event of a dispute between a data subject and the data importer regarding third-party beneficiary rights under this Contract, the data subject may submit their claims to the data importer. The data importer shall inform the data subjects about the designated contact point for handling their claims in a transparent and easily accessible format, either through direct notification or by publishing it on its website. The data importer shall promptly address the data subjects' claims.

[Based on the Parties' preference, the contract may include: The data importer agrees that data subjects may also lodge complaints with an independent dispute resolution body free of charge. The data importer shall inform the data subjects about the existence of such a method of redress and that it is not mandatory to use this method before seeking other legal remedies.]

Article 10- Liability

(a)            Each Party shall be liable to the other Party for any damages arising from any breach of this Contract.

(b)            Each Party shall be liable to the data subject. The data subject shall have the right to seek compensation for any material or non-material damages caused by the breach of thirdparty beneficiary rights under this Contract by either Party. This does not prejudice the liability of the data exporter under the Law.

(c)            If both Parties are liable for any damages caused to the data subject due to a breach of this Contract, they are jointly and severally liable to the data subject, and the data subject has the right to seek redress from either Party.

(d)            If one Party fully compensates the data subject for the damages under paragraph (c), it has the right to seek redress from the other Party to the extent of its fault.

(e)            The data importer cannot escape liability by claiming that the data processor or subprocessor is at fault.

SECTION THREE 
Obligations in Case of Access by National Authorities and National Law

(This section is included in the contract if the data processor combines the personal data received from the data controller with the personal data obtained from Turkey.)

Article 11- National Laws and Practices Affecting Compliance with the Contract The data importer declares and undertakes that there are no national regulations or practices that conflict with this Contract regarding the personal data to be transferred under this Contract. If any legislative or practice changes that may affect the data importer's ability to fulfill the commitments in this Contract occur during the term of this Contract, the data importer shall immediately inform the data exporter, who shall inform the data controller. The data importer acknowledges that, in such cases, the data exporter shall have the right to suspend data transfers or terminate this Contract.

Article 12- Obligations of the Data Importer in Case of Access by Public Authorities The data importer shall immediately notify the data exporter if it receives any requests from administrative or judicial authorities regarding the personal data transferred under this Contract or becomes aware of direct access by such authorities to the personal data transferred under this Contract. The data exporter shall inform the data controller of this notification. The data importer acknowledges that, in such cases, the data exporter shall have the right to suspend data transfers or terminate this Contract, depending on the nature of the request or access.

SECTION FOUR 
Final Provisions

Article 13- Non-Compliance and Termination

(a)            The data importer shall immediately inform the data exporter if it is unable to comply with this Contract for any reason.

(b)            If the data importer breaches this Contract or fails to comply with this Contract, the data exporter shall suspend the transfer of personal data to the data importer until compliance is restored or the Contract is terminated. Articles 11 and 12 remain reserved.

(c)            The data exporter has the right to terminate the Contract to the extent that it relates to the processing of personal data under this Contract in the following cases:

i)               The data exporter has suspended the transfer of personal data to the data importer under paragraph (b) and compliance is not restored within a reasonable time, and in any case, within one month of the suspension.

ii)              The data importer significantly or persistently breaches this Contract. iii) The data importer fails to comply with a court decision regarding its obligations under this Contract.

In such cases, the data exporter shall inform the Personal Data Protection Board.

(d) In the event of termination of the Contract under paragraph (c), the data importer shall, at the discretion of the data exporter, either return all personal data transferred, including any copies, to the data exporter or destroy all personal data. The data importer undertakes to continue to comply with this Contract, take necessary technical and administrative measures to ensure the confidentiality of the personal data transferred, and continue processing only to the extent and duration required by legislation, even if there are provisions in the legislation that prevent the fulfillment of this obligation. The data importer shall document the destruction of the data for the data exporter. The data importer shall continue to comply with this Contract until the data is returned or completely destroyed.

Article 14- Notification to the Authority

(The contract may include the following provision based on the Parties' preference.) [The data exporter/data importer] shall notify the Authority of this Contract within five business days from the completion of the signatures.

Article 15- Applicable Law

This Contract is governed by the law of _____ [specify country] that recognizes third-party beneficiary rights.

Article 16- Competent and Authorized Court

Any dispute arising from this Contract shall be resolved by the courts of _____ [specify country].

Data Exporter:

Address:

Contact Person's Name, Title, and Contact Information:

Signatory's Name, Title: Signature and Date:

Data Importer:

Address:

Contact Person's Name, Title, and Contact Information:

Signatory's Name, Title: Signature and Date:

ANNEXES

ANNEX I 
DETAILS OF THE TRANSFER

Activities of the Data Exporter Related to the Transferred Personal Data under this Contract:

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Activities of the Data Importer Related to the Transferred Personal Data under this Contract:

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Data Subject Group or Groups:

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Categories of Transferred Personal Data:

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

(Special Categories of Personal Data, if any):

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Legal Basis for the Transfer:

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Frequency of Transfer:

(For example, whether the data will be transferred once or on a continuous basis)

………………………………………………………………………………………………… …………………………………………………………………………………………………

………………………………………………………………………………………………… ………………………………………………………………………………………

Nature of Processing Activity:

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Purposes of Data Transfer and Subsequent Processing Activity:

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

Retention Period for Personal Data:

(The retention period for the transferred personal data shall be specified.

If it is not possible to specify the retention period, the criteria used to determine the retention period shall be explained.)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………