Türkçe
English
Русский
Deutsch
Français
العربية
KVKK-Hinweis
KVKK TEXT
SECTION ONE
General Provisions
Article 1- Purpose and Scope
(a) The purpose of this standard contract is to ensure that the transfer of personal data abroad is carried out in accordance with the Personal Data Protection Law No. 6698 dated March 24, 2016 (hereinafter referred to as the “Law”) and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, published in the Official Gazette No. 32598 dated July 10, 2024 .
(b) The data controller transferring personal data abroad (hereinafter referred to as the “data exporter”) and the data controller abroad receiving personal data from the data exporter (hereinafter referred to as the “data importer”) have accepted this standard contract (hereinafter referred to as the “Contract”).
(c) This Agreement applies to the transfer of personal data abroad, as detailed in Annex I.
(d) The annexes to this Agreement (hereinafter referred to as the “Annexes”) form an integral part of this Agreement.
Article 2 - Effect and Irrevocability of the Agreement
(a) Subject to no additions, deletions, or amendments being made, this Agreement provides for appropriate safeguards for the transfer of personal data abroad, including the right of the data subject to exercise their rights and seek effective legal remedies in the country to which the transfer is made, in accordance with the fourth paragraph of Article 9 of the Law and the Regulation.
(b) This Agreement shall not affect the obligations to which the data exporter is subject under the Law, the Regulation, and other relevant legislation.
Article 3 - Third-Party Beneficiary Rights
(a) Data subjects may invoke the provisions of this Agreement against the data exporter and/or data importer as third-party beneficiaries, except in the following cases: i) Articles 1, 2, 3, and 6. ii) Article 7.5(e) and Article 7.9(b). iii) Article 10(a) and (d). iv) Article 11.
(b) Paragraph (a) shall not prejudice the rights of the relevant persons under the Law.
Article 4 - Interpretation
(a) Where terms used in this Agreement are also used in the Law, the Regulation, and other relevant legislation, the definitions in the relevant legislation shall apply.
(b) This Agreement shall be interpreted in accordance with the Law, the Regulation, and other relevant legislation. ,
(c) This Agreement shall not be interpreted in a manner that conflicts with the rights and obligations provided for in the Law, the Regulation, and other relevant legislation.
Article 5 - Conflict Rule
In the event of any conflict between the provisions of this Agreement and the provisions of any other relevant agreements existing between the Parties on the date of acceptance of this Agreement or subsequently entering into force, the provisions of this Agreement shall prevail.
Article 6 - Details of the Transfer
The details of the transfer of personal data abroad to be carried out within the framework of this Agreement, including the categories of personal data subject to transfer, the legal basis for the transfer, and the purpose or purposes of the transfer, are as specified in Annex I.
CHAPTER TWO
Obligations of the Parties
Article 7 - Safeguards for the Protection of Personal Data
The data exporter undertakes to make reasonable efforts to determine that the data importer has the capacity to fulfill its obligations under this Agreement by taking appropriate technical and administrative measures.
Article 7.1 - Purpose-Related, Limited, and Proportionate Processing
The data recipient shall process personal data in a manner that is purpose-related, limited, and proportionate to the purpose(s) specified in Annex I.
Article 7.2 - Accuracy and Timeliness
(a) Each Party shall ensure that personal data is accurate and, where necessary, kept up to date. The data recipient shall take reasonable steps without delay to ensure that inaccurate personal data is destroyed or rectified, taking into account the purpose(s) of processing.
(b) Each party shall promptly notify the other party if it becomes aware that the transferred personal data is inaccurate or no longer up-to-date.
Article 7.3- Storage for a Limited Period
The data recipient shall retain personal data only for as long as necessary for the purpose for which it is processed. The data recipient shall be obliged to take all necessary technical and administrative measures to delete, destroy, or anonymize personal data and all backups in order to fulfill this obligation.
Article 7.4 - Duty to Inform
(a) The data recipient shall, in accordance with Article 8, provide the relevant individuals, either directly or through the data transmitter, with the following information to enable them to effectively exercise their rights: i) Identity and contact details, ii) Categories of personal data processed, iii) The right to obtain a copy of this Agreement, iv) Where personal data may be transferred to a third party or parties, the recipients or categories of recipients and the purpose of such onward transfer, as well as the basis pursuant to Article 7.7.
(b) The Parties shall, upon request, provide the data subject with a copy of this Agreement, including any Annexes completed by them, free of charge. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Parties may modify the Annexes included in the copy shared with the data subject and omit part of the text. However, in cases where the content cannot be understood or the rights of the relevant person cannot be exercised otherwise, the Parties shall provide the relevant person with a meaningful summary. Upon request, the Parties shall, to the extent possible, inform the relevant person of the reasons for the changes made without disclosing the information that has been removed.
(c) The obligations of the data transferor under Article 10 of the Law and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, published in the Official Gazette dated 10/3/2018 and numbered 30356, shall remain reserved.
Article 7.5 - Data Security
(a) The data recipient and the data transmitter during the transfer phase shall take all necessary technical and administrative measures to ensure an appropriate level of security commensurate with the nature of the personal data, in order to prevent the unlawful processing of personal data, prevent unlawful access to personal data, ensure the protection of personal data, and prevent the accidental loss, destruction, or damage of personal data. In determining the measures in question, the level of technological advancement, the cost of implementation, the nature, scope, context, and purposes of the personal data processing activity, and the risks to the fundamental rights and freedoms of the individuals concerned shall be taken into account.
(b) The parties have agreed on the technical and administrative measures specified in Annex II. The data recipient shall conduct regular checks to confirm that the technical and administrative measures specified in Annex II continue to provide an adequate level of security.
(c) The data recipient shall ensure that the natural persons it has authorized to access personal data do not disclose the personal data they have learned to third parties in violation of this Agreement and do not use it for purposes other than processing.
(d) In the event that personal data processed by the data recipient under this Agreement is obtained by others through unlawful means, the data recipient shall take the necessary measures to remedy this personal data breach and its potential adverse effects.
(e) If personal data processed by the data recipient under this Agreement is obtained by others through unlawful means, the data recipient shall notify the data transferor and the Personal Data Protection Board (hereinafter referred to as the “Board”) of this situation without delay and within 72 hours at the latest. The notification shall be made using the “Data Breach Notification Form” determined by the Board and published on the official website of the Personal Data Protection Authority (hereinafter referred to as the “Authority”). If it is not possible to provide all the information in the form at the same time, this information shall be provided in stages without delay.
(f) If personal data processed by the data recipient under this Agreement is obtained by others through unlawful means, the data recipient shall notify the relevant person of this situation. The breach notification to be made by the data recipient to the relevant person shall be made in clear and plain language and shall include at least: i) When the personal data breach occurred, ii) Which personal data categories (distinguishing between personal data and special categories of personal data) were affected by the breach, iii) The possible consequences of the personal data breach, iv) Measures taken or recommended to mitigate the negative effects of the personal data breach, v) The names and contact details of the contact persons who will provide the relevant persons with information about the personal data breach, or the full address of the data recipient's website, call center, etc.
(g) The data recipient shall record information about the data breach, its effects, and the measures taken, and keep it ready for review by the Board.
Article 7.6- Special Category Personal Data
(a) The data recipient shall take additional technical and administrative measures appropriate to the sensitive nature of special category personal data.
(b) In the processing of special category personal data, it is also mandatory to take the sufficient measures determined by the Board.
Article 7.7 - Subsequent Transfers
(a) Personal data transferred to the data recipient may be transferred by the data recipient to a third party established abroad (in the same country as the data recipient or in another country) only in the following cases: i) The subsequent transfer is made to a country that has been deemed adequate pursuant to the first paragraph of Article 9 of the Law. ii) The third party to whom the subsequent transfer is made provides one of the appropriate safeguards set out in the fourth paragraph of Article 9 of the Law. iii) The transfer of personal data is necessary for the establishment, exercise, or defense of a right in the context of specific administrative or judicial proceedings. iv) The transfer of personal data is necessary to protect the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally valid, or of another person. v) In the absence of the above circumstances, the purpose(s) of the transfer, the identity of the third party to whom the subsequent transfer will be made, and the potential risks of such a transfer due to the absence of appropriate data protection safeguards, provided that the data recipient obtains the explicit consent of the data subject for the subsequent transfer and informs the data exporter and, upon request, provides the data exporter with a copy of the information provided to the data subject.
(b) In any subsequent transfer, the data recipient shall be obligated to act in accordance with all other safeguards under this Agreement, primarily the principle of purpose limitation, proportionality, and necessity.
(c) If the recipients of subsequent transfers are specified prior to the notification of this Agreement to the Authority, such recipients or groups of recipients shall be listed in Annex I. Following the notification of this Agreement to the Authority, Annex I shall be updated in the event of any changes to the recipients or groups of recipients of subsequent transfers, and such changes shall be notified to the Authority.
Article 7.8 - Processing Under the Authority of the Data Recipient
The data recipient shall ensure that persons acting under its authority, including data processors, process personal data only in accordance with the instructions received from it.
Article 7.9 - Documentation and Compliance
(a) Each Party shall be able to demonstrate compliance with its obligations under this Agreement. The data recipient shall be responsible for maintaining and retaining information, documentation, and records relating to processing activities carried out under its responsibility.
(b) The data recipient shall provide such documentation to the Board upon request.
Article 8 - Rights of the Data Subject
(a) The data recipient shall respond to any questions or requests from the data subject regarding the processing of their personal data and the exercise of their rights under this Agreement, with the assistance of the data exporter if necessary, within thirty days of receiving the question or request. The data recipient shall take appropriate measures to respond to these questions and requests and to ensure that the rights of the data subject are exercised. Any information provided to the data subject shall be understandable and easily accessible, and the language used in the information shall be clear and plain.
(b) The data subject may apply to the data recipient to: i) learn whether personal data concerning them is being processed, ii) request information regarding the processing of personal data and request a copy of the information listed in Annex I, iii) learn the purpose of the processing of personal data and whether it is being used for its intended purpose, iv) To know the third parties to whom the personal data has been transferred and the basis for subsequent transfer in accordance with Article 7.7, v) To request the correction of personal data if it has been processed incompletely or incorrectly, vi) To request the deletion or destruction of personal data within the framework of Article 7.3, vii) To request that the actions taken in accordance with clauses (v) and (vi) be communicated to the third parties to whom the personal data has been transferred, to third parties to whom the personal data has been transferred, viii) To object to the emergence of a result against the person through the analysis of the processed data exclusively by means of automated systems, ix) To request compensation for damages suffered due to the processing of personal data in violation of this Agreement.
(c) The data recipient shall accept the request or reject it by explaining the reasons and notify the relevant person of its response in writing or electronically. In the response, the relevant person shall be informed of their right to lodge a complaint with the Board in accordance with Article 9(c). If the request in the application is accepted, the data recipient shall comply with it.
(d) The data recipient shall process the data subject's request free of charge. However, if the process incurs additional costs, the data recipient may charge the fee specified in the tariff determined by the Board. If the request is due to the data subject's own error, the data recipient shall refund the fee to the data subject.
Article 9 - Methods of Seeking Rights
(a) In the event of a dispute arising between the data subject and the data recipient regarding the rights of third-party beneficiaries under this Agreement, the data subject may submit their requests regarding this matter to the data recipient. The data recipient shall inform the relevant persons about an authorized contact point for resolving their requests by notifying them personally in a transparent and easily accessible format or by publishing it on its website. The data recipient shall address the relevant persons' requests without delay. [May be included in the contract at the parties' discretion: The data recipient acknowledges that the data subjects may also lodge a complaint with an independent dispute resolution body free of charge. The data recipient shall inform the data subjects, as specified in paragraph (a), of the existence of such a remedy and that recourse to it is not mandatory or that recourse to it is not mandatory as a first step.]
(b) In the event of a dispute arising between the relevant person and one of the Parties regarding compliance with this Agreement, the relevant Party shall make every effort to resolve the issue amicably and as soon as possible. The Parties shall inform each other of such disputes and cooperate to the extent appropriate in resolving them.
(c) If the data subject exercises a third-party beneficiary right pursuant to Article 3, the data recipient acknowledges that the data subject has the right to lodge a complaint with the Board and to apply to the competent courts within the scope of Article 17.
(d) The data recipient undertakes to comply with decisions that are binding under Turkish law.
(e) The data recipient acknowledges that the data subject's exercise of any of the above-mentioned rights shall not prejudice any other rights that the data subject may assert under applicable law.
Article 10 - Liability
(a) Each Party shall be liable to the other Party for any damages arising from any breach of this Agreement.
(b) Each Party shall be liable to the relevant person. The relevant person shall have the right to claim compensation for any material or non-material damage caused to them by the Parties' breach of the third-party beneficiary rights under this Agreement. This shall not affect the data exporter's liability under the Act.
(c) Where both Parties are liable for any damage caused to the relevant person as a result of a breach of this Agreement, both Parties shall be jointly and severally liable to the relevant person, and the relevant person shall have the right to seek legal recourse against either Party.
(d) If one of the Parties fully compensates the relevant person for their damage in accordance with paragraph (c), the right to seek recourse from the other Party in proportion to their fault is reserved.
(e) The data recipient cannot escape liability by claiming that the data processor or sub-processor is at fault.
Article 11 - Supervision
The data recipient agrees to cooperate with the Authority in all matters and procedures related to ensuring compliance with this Agreement, to be subject to the Authority's jurisdiction, and to comply with the decisions issued by the Authority. In particular, the data recipient agrees to send the information and documents requested by the Board in relation to the subject of the investigation, to allow on-site inspections to be carried out when necessary, and to comply with the instructions given by the Board to remedy any identified legal violations. The data recipient shall send the Board the information and documents proving that the instructions in question have been complied with.
CHAPTER THREE
Obligations in the Event of Access by National Law and Public Authorities
Article 12 - National Law and Practices Affecting Compliance with the Agreement
The data recipient acknowledges, declares, and undertakes that there are no national regulations or practices contrary to this Agreement regarding the personal data to be transferred under this Agreement. During the term of this Agreement, if there is a change in legislation or practice that is likely to affect the data recipient's ability to fulfill its commitments under this Agreement, it shall immediately notify the data exporter of this situation and accepts that in such a case, the data exporter shall have the right to suspend the data transfer or terminate this Agreement.
Article 13 - Obligations of the Data Recipient in the Event of Access by Public Authorities
The data recipient shall immediately notify the data transferor in the event that it becomes aware of any requests from administrative or judicial authorities regarding personal data transferred under this Agreement or of any direct access to personal data transferred under this Agreement by administrative or judicial authorities. In such a case, the data recipient acknowledges that the data exporter has the right to suspend the data transfer or terminate this Agreement, depending on the nature of the request or access.
CHAPTER FOUR
Final Provisions
ARTICLE 14 - Non-Compliance with the Agreement and Termination
(a) If the data recipient is unable to comply with this Agreement for any reason, it shall immediately notify the data transferor.
(b) In the event that the data recipient breaches this Agreement or fails to comply with it, the data transferor shall suspend the transfer of personal data to the data recipient until compliance is restored or the Agreement is terminated. The provisions of Articles 12 and 13 remain reserved.
(c) The data exporter shall have the right to terminate this Agreement to the extent it relates to the processing of personal data under this Agreement in the following circumstances: 8 i) The data exporter has suspended the transfer of personal data to the data recipient pursuant to paragraph (b) and compliance with this Agreement has not been achieved within a reasonable period of time and, in any event, within one month of the suspension. ii) The data recipient has materially or persistently breached this Agreement. iii) The data recipient has failed to comply with the decisions of the competent court or the Board regarding its obligations under this Agreement. In such cases, the data exporter shall notify the Board.
(d) In the event of termination of the contract under paragraph (c), the data recipient shall, at the discretion of the data exporter, either return the personal data subject to transfer, together with any backups, to the data exporter or permanently destroy the personal data. The data recipient undertakes to continue to comply with this Agreement even if the legislation contains provisions preventing it from fulfilling this obligation, to take the necessary technical and administrative measures to ensure the confidentiality of the personal data subject to transfer, and to continue processing activities only to the extent and for the duration required by the legislation. The data recipient shall provide documentation to the data transferor confirming that the data has been destroyed. The data recipient shall continue to comply with this Agreement until the data is returned or completely destroyed.
Article 15 - Notification of the Agreement to the Institution
The data recipient shall notify the Institution of this Agreement within five business days of the completion of the signatures.
Article 16 - Applicable Law
This Agreement shall be governed by Turkish law.
Article 17 - Competent and Authorized Court
(a) Any dispute arising from this Agreement shall be heard by Turkish courts.
(b) General provisions regarding jurisdiction and authority shall apply.
(c) The Parties agree to recognize the jurisdiction of Turkish courts.
