Translation provided by Ozdagistanli Ekici Attorney Partnership for general information purposes only. Does not constitute legal advice.

Regulation on the Data Controllers Registry

Purpose

Controllers Registry, which will be maintained publicly by the Presidency under the supervision

of the Board in accordance with the Personal Data Protection Law No. 6698 dated March 24,

2016, and to determine the procedures and principles regarding the entries to be made in the

Data Controllers Registry and ensure their implementation.

Scope

purposes and means of processing personal data and who are responsible for the establishment

and management of the data recording system.

Legal Basis

Article 16 and subparagraphs (d) and (e) of the first paragraph of Article 22 of Law No. 6698.

Definitions

a) Recipient group: The category of natural or legal persons to whom personal data is transferred

by the data controller,

b) President: The President of the Personal Data Protection Authority,

c) Presidency: The Presidency of the Personal Data Protection Authority,

ç) (Amended: OG-28/4/2019-30758) Contact person: The natural person designated during

registration in the Registry by the data controller for natural and legal persons established in

Türkiye, and by the data controller’s representative for natural and legal persons not established

in Türkiye, for the purpose of facilitating communication with the Authority regarding

obligations under the Law and secondary regulations issued pursuant to this Law,

d) Law: The Law on the Protection of Personal Data No. 6698,

e) Registration: The notification made by data controllers subject to the registration obligation

in accordance with the procedures and principles set forth in the Regulation,

f) Registration Obligation: The obligation regarding the registration required to be carried out

in accordance with the Regulation,

g) Registered electronic mail (KEP) address: The qualified form of electronic mail that provides

legal evidence regarding the use of electronic communications, including their transmission and

delivery,

ğ) Personal data: Any information relating to an identified or identifiable natural person,

h) (Amended: OG-28/4/2019-30758) Personal data processing inventory: The inventory

created by data controllers by linking the personal data processing activities they carry out in

accordance with their business processes; the purposes and legal basis of personal data

processing, data categories, the group of recipients to whom data is transferred, and the group

of data subjects to whom the data relates; and which details the maximum retention period

necessary for the purposes for which personal data is processed, personal data intended for

transfer to foreign countries, and the measures taken regarding data security,

ı) Personal data retention and destruction policy: The policy relied upon by data controllers to

determine the maximum retention period necessary for the purposes of processing personal

data, as well as for the processes of deletion, destruction, and anonymization,

i) Processing of personal data: Any operation performed on personal data, such as collection,

recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making

available, classification, or restriction of use, whether fully or partially automated or carried out

by non-automated means as part of a data recording system,

j) Board: The Personal Data Protection Board,

k) Institution: The Personal Data Protection Institution, consisting of the Board and the

Presidency,

l) Registry: The Registry of Data Controllers maintained by the Presidency,

m) Data category: The class of personal data belonging to a group or groups of data subjects,

grouped according to the common characteristics of the personal data,

n) Data subject group: The category of individuals whose personal data is processed by data

controllers,

o) Data Controllers Registry Information System (VERB IS): The information system created

and managed by the Presidency, accessible via the internet, which data controllers will use when

applying to the Registry and for other related procedures,

ö) Data controller: A natural or legal person who determines the purposes and means of

processing personal data and is responsible for the establishment and management of the data

recording system,

p) (Amended: OG-28/4/2019-30758) Data controller representative: A legal entity established

in Türkiye or a natural person who is a citizen of the Republic of Türkiye, authorized to provide

minimum representation for data controllers not established in Türkiye regarding the matters

specified in the third paragraph of Article 11 of this Regulation,

(2) For definitions not included in this Regulation, the definitions in the Law shall apply.

Principles, Procedures, and Guidelines

the establishment, administration, and supervision of the Registry:

a) Data controllers must register with the Registry before commencing the processing of

personal data.

b) Data controllers not established in Türkiye must register with the Registry through a data

controller representative before commencing data processing.

c) The Registry shall be maintained in a publicly accessible manner. The Board has the authority

to determine the scope and exceptions of this principle, provided that the principle of public

accessibility is ensured.

ç) (Amended: OG-28/4/2019-30758) Data controllers required to register with the Registry are

obligated to prepare a Personal Data Processing Inventory. The information to be disclosed in

Registry applications is prepared based on the Personal Data Processing Inventory.

d) In fulfilling the information obligation for data controllers specified in Article 10 of the Law,

in responding to requests from data subjects specified in Article 13 of the Law, and in

determining the scope of the explicit consent to be provided by dat a subjects, the information

submitted to the Registry and published in the Registry based on the Personal Data Processing

Inventory shall serve as the basis.

e) Data controllers are responsible for ensuring that the information submitted to the Registry

and published therein is complete, accurate, up- to-date, and in compliance with the law.

Registration in the Registry does not relieve data controllers of their other obligations under the

Law.

f) Subject to the exceptions set forth in Article 28 of the Law, the fact that data controllers

meeting certain conditions based on the objective criteria specified in Article 16 of the

Regulation are not required by the Board to register in the Registry does not relieve such data

controllers of their obligations under the Law.

g) Procedures related to the Registry are carried out by data controllers via VERBIS.

ğ) (Amended:OG-28/4/2019-30758) The maximum retention period for personal data

submitted to the Registry by data controllers and published therein, which is necessary for the

purpose for which the data is processed, shall serve as the basis for fulfilling the data controllers’

obligations regarding erasure, destruction, or anonymization as set forth in Article 7 of the Law.

Establishment, Management, and Supervision of the Registry

necessary technical and administrative measures for the establishment, management,

maintenance, and preservation of the Registry, as well as for the establishment and operation of

VERBIS.

(2) The department responsible for the establishment and administration of the Registry is the

Directorate General of Data Management.

(3) Supervision of the Registry is carried out by the Board. An activity report prepared by the

Directorate General of Data Management on a quarterly basis, the scope of which is determined

by the Board, is submitted to the Board.

Access to the Registry

to the public through appropriate methods to be determined in accordance with the Board’s

decisions.

(2) The following information contained in the Data Controllers Registry is disclosed to the

public:

a) (Amended: OG-28/4/2019-30758) The data controller, the data controller’s representative

(if any), the address, and the KEP address (if available),

b) The purposes for which personal data may be processed,

c) The group(s) of data subjects and the categories of data pertaining to such individuals,

ç) The recipients and groups of recipients to whom personal data may be transferred,

d) Personal data intended for transfer to foreign countries,

e) The date of registration in the registry and the date of termination of the registration,

f) Measures taken regarding the security of personal data,

g) The maximum period necessary for the processing of personal data for the specified purpose.

VERBIS, Registration Application, Renewal and Deletion of the Registration

Commencement of the Registration Obligation

before commencing the processing of personal data.

(2) Data controllers who are not subject to the registration obligation but subsequently become

subject to it must register with the Registry within thirty days of becoming subject to the

obligation.

(3) Data controllers subject to the registration obligation may request an extension from the

Authority to fulfill their registration obligations, provided they submit a written application to

the Authority within seven business days of the date such impos sibility arises and state the

grounds for the request, in the event that their registration obligations cannot be fulfilled due to

any factual, technical, or legal impossibility. The Authority may grant an extension of time,

limited to a single instance and in no case exceeding thirty days.

Information To Be Submitted Under The Registration Obligation

information:

a) Information regarding the identity and address details of the data controller, the data

controller’s representative (if any), and the contact person, as specified in the application form

determined by the Board,

b) The purpose for which personal data will be processed,

c) Explanations regarding the group or groups of data subjects and the categories of data

pertaining to such individuals,

ç) The recipients or groups of recipients to whom personal data may be transferred,

d) Personal data intended for transfer to foreign countries,

e) Measures taken in accordance with the criteria established by the Board under Article 12 of

the Law,

f) The maximum retention period for personal data as prescribed by law or as necessary for the

purpose of processing.

(2) The information to be disclosed to the Registry by data controllers pursuant to

subparagraphs (b), (c), (ç), and (d) of the first paragraph shall be transmitted to the Registry via

VERBIS using the headings specified in VERB IS based on the Personal Data Processing

Inventory.

(3) Information to be disclosed to the Registry by data controllers pursuant to paragraph (1)(e)

shall be transmitted to the Registry via VERBIS using the headings specified in VERBIS, in a

manner covering the matters specified in Article 12 of the Law.

(4) Information regarding the maximum retention period for personal data to be disclosed to

the Registry by data controllers pursuant to paragraph (f) of the first paragraph—as prescribed

by legislation or as necessary for the purpose of processing—is repo rted to the Registry by

matching it with the relevant data categories. The processing purposes of the data categories

reported to the Registry by the data controller and the maximum retention periods necessary for

their processing based on these purposes may differ from the periods prescribed by law. In such

cases, if the law prescribes a maximum retention period, that period shall be used; if not, the

longest of these periods shall be taken as the basis for reporting this data category to the

Registry. Whe n determining the maximum retention period necessary for the purpose of

processing personal data:

a) The period generally accepted as standard practice in the sector in which the data controller

operates, within the scope of the processing purpose of the relevant data category,

b) The duration for which the legal relationship established with the data subject will continue,

which necessitates the processing of the personal data in the relevant data category,

c) The period during which the data controller’s legitimate interest, based on the purpose of

processing the relevant data category, remains valid in accordance with the law and principles

of good faith,

d) The period during which the risks, costs, and liabilities arising from the retention of the

relevant data category will continue to exist under the law,

d) Whether the maximum period to be determined is suitable for ensuring that the relevant data

category is accurate and, where necessary, kept up to date,

e) The period during which the data controller is required to retain personal data falling within

the relevant data category pursuant to its legal obligations,

f) The statute of limitations period established by the data controller for asserting a right related

to personal data within the relevant data category, shall be taken into account.

(5) Data controllers shall prepare a personal data retention and destruction policy to determine

the maximum period necessary for the purposes for which personal data is processed, ensure

the consistency of these periods with the information specified in t he personal data processing

inventory, and monitor whether the maximum period has been exceeded, and shall ensure the

implementation of this policy.

(6) If the headings and content specified within VERBIS do not fully cover the activities carried

out by the data controller and the information that must be reported to the Registry, the data

controller shall complete the notification to the Registry by entering this information separately

into the “Other” sections designated for this purpose within VERBIS.

Registration Application

by uploading the information specified in Article 9 to VERBIS.

(2) Data controllers who have been granted an extension by the Authority as specified in the

third paragraph of Article 8 must complete their registration application before the expiration

of this extension.

Obligations of the Data Controller, Data Controller Representative, and Contact Person

established in Türkiye, the data controller obligations under the Law are fulfilled through the

body authorized to represent and bind the legal entity, or the person or persons specified in the

relevant legislation. The body authorized to represent the legal entity may designat e one or

more persons to fulfill the obligations required for the application of the Law. Such designation

does not relieve the legal entity of its liability under the provisions of the Law.

(2) A certified copy of the decision regarding the appointment of a data controller

representative, taken by the authorized body or person of the data controller not established in

Türkiye, shall be submitted to the Authority by the data controller representative at the time of

the registration application.

(3) The decision to appoint a data controller representative shall be drafted to include, at a

minimum, the following matters:

a) Receiving or accepting notifications or correspondence from the Authority on behalf of the

data controller,

b) Forwarding requests addressed to the data controller by the Authority to the data controller,

and forwarding the data controller’s response to the Authority,

c) Unless the Board has established otherwise, receiving applications directed to the data

controller by data subjects pursuant to the first paragraph of Article 13 of the Law on behalf of

the data controller and forwarding them to the data controller,

ç) Unless otherwise determined by the Board, communicating the data controller’s response to

data subjects in accordance with the third paragraph of Article 13 of the Law,

d) To perform matters and procedures related to the Registry on behalf of the data controller.

(4) (Amended: OG-28/4/2019-30758) Data controller representatives acting on behalf of data

controllers established in Türkiye and those not established in Türkiye shall enter the contact

person’s information into the Registry during the registration process. The contact person is not

authorized to represent the data controller in accordance with the provisions of the Law and the

Regulation.

(5) (Amended: OG-28/4/2019-30758) In public institutions and organizations, the contact

person is a department head or higher -ranking manager designated by a senior executive

responsible for coordination to facilitate communication with the Authority and registered in

the Registry.

Establishment of Communication

controller regarding the implementation of the Law;

a) For legal entities established in Türkiye, through the identity, address, or KEP address

information reported to the Registry, with the relevant legal entity,

b) For natural persons established in Türkiye, through the relevant natural person using the

identity, address, or KEP address information reported to the Registry,

c) For data controllers not established in Türkiye, through the data controller’s representative

as reported to the Registry.

Changes to Registration Information

Authority of any changes to the information registered in the Registry via VERBIS within seven

days of the date the change occurs.

Deletion of Registry Entry

regarding the deletion of the registry entry.

(2) If the activity requiring registration ceases or is discontinued, the registry entry shall be

deleted. Such records shall be retained in a manner that allows access upon request but prevents

any further modifications.

(3) The deletion of the registry record does not relieve the data controller of its obligations for

the period during which it was registered in the Registry.

Cases Where Exceptions Apply

personal data processing activities in the Registry:

a) Where the processing of personal data is necessary for the prevention of a crime or for a

criminal investigation.

b) The processing of personal data that has been made public by the data subject themselves.

c) Where the processing of personal data is necessary for the performance of supervisory or

regulatory duties, or for disciplinary investigations or prosecutions, by public institutions and

organizations, or professional organizations with the status of public institutions, acting

pursuant to the authority granted by law.

d) The processing of personal data is necessary for the protection of the State’s economic and

financial interests regarding budgetary, tax, and financial matters.

Exemption Criteria

taking the following criteria into account:

a) The nature of the personal data.

b) The volume of personal data.

c) The purpose of processing the personal data.

ç) The area of activity in which the personal data is processed.

d) Whether personal data is transferred to third parties.

e) The legal basis for the processing of personal data.

f) The retention period for personal data.

g) The group of data subjects or categories of data.

ğ) (Amendment: OG-28/4/2019-30758) Information regarding the data controller’s annual

number of employees or total annual financial balance sheet.

(2) The Board has the authority to make decisions to determine the scope of the exceptions

established within the framework of the criteria listed in the first paragraph, as well as the

procedures and principles for their application. The Board publishes t hese decisions through

appropriate methods to make them public.

Administrative Sanctions

of Article 18 of the Law shall be imposed on those who act in violation of the obligation to

register and report to the Data Controller Registry.

(2) If the act of violating the obligation to register and notify the Data Controllers Registry is

committed within public institutions and organizations or professional organizations with the

status of a public institution, upon notification by the Board, disciplinary proceedings shall be

initiated against the civil servants and other public officials employed in the relevant public

institution or organization, as well as those employed in professional organizations with the

status of a public institution, in accordance with disciplinary regulations, and the outcome shall

be reported to the Board.

Resolution of Ambiguities

implementation of this Regulation and to address any shortcomings in its application; to guide

the implementation; to establish principles and standards; to make necessary regulations to

ensure uniformity of application; to request any necessary information and documents in this

regard; and to make decisions on matters not covered by this Regulation in accordance with the

provisions of relevant legislation.

Entry into Force

Implementation

Regulation on the Erasure, Destruction, or Anonymization of Personal Data

Purpose

regarding the erasure, destruction, or anonymization of personal data processed fully or partially

by automated means or by non-automated means provided that such processing forms part of a

data recording system.

Scope

with Article 7 of the Personal Data Protection Law No. 6698 dated March 24, 2016.

Legal Basis

of Article 7 and subparagraph (e) of the first paragraph of Article 22 of Law No. 6698.

Definitions

a) Recipient group: The category of natural or legal persons to whom personal data is transferred

by the data controller;

b) Relevant user: Persons processing personal data within the data controller’s organization or

acting in accordance with the authority and instructions received from the data controller,

excluding the person or unit responsible for the technical storage, protection, and backup of the

data,

c) Destruction: The erasure, destruction, or anonymization of personal data,

ç) Law: The Law on the Protection of Personal Data No. 6698 dated March 24, 2016,

d) Data storage medium: Any medium containing personal data processed either fully or

partially by automated means, or by non-automated means provided that it forms part of a data

recording system,

e) Personal data processing inventory: A record created by data controllers by associating the

personal data processing activities they carry out in accordance with their business processes;

which they create by associating the purposes of processing personal data, data categories, the

group of recipients to whom data is transferred, and the group of data subjects, and which they

detail by specifying the maximum period necessary for the purposes for which personal data is

processed, personal data intended f or transfer to foreign countries, and the measures taken

regarding data security,

f) Personal data retention and destruction policy: The policy relied upon by data controllers to

determine the maximum period necessary for the purposes for which personal data is processed,

as well as for the processes of deletion, destruction, and anonymization,

g) Board: The Personal Data Protection Board,

ğ) Periodic destruction: The process of deleting, destroying, or anonymizing personal data, to

be carried out automatically at regular intervals as specified in the personal data retention and

destruction policy, in cases where all conditions for the processing of personal data set forth in

the Law have ceased to exist,

h) Registry: The registry of data controllers maintained by the Presidency of the Personal Data

Protection Authority,

ı) Data recording system: A recording system in which personal data is processed according to

specific criteria,

i) Data controller: A natural or legal person who determines the purposes and means of

processing personal data and is responsible for the establishment and management of the data

recording system,

(2) For definitions not included in this Regulation, the definitions in the Law shall apply.

Principles Regarding the Personal Data Retention and Destruction Policy

pursuant to Article 16 of the Law are obligated to prepare a personal data retention and

destruction policy in accordance with the personal data processing inventory.

(2) The preparation of a personal data retention and destruction policy does not imply that

personal data is stored, deleted, destroyed, or anonymized in a manner compliant with the Law

and the Regulation.

(3) Data controllers not subject to the obligation to prepare a personal data retention and

destruction policy remain subject to the obligations to store, delete, destroy, or anonymize

personal data in accordance with the Law and this Regulation.

Scope of the Personal Data Retention and Destruction Policy

include:

a) The purpose of preparing the personal data retention and destruction policy,

b) The data storage and destruction policy’s regulated data storage media,

c) Definitions of the legal and technical terms used in the personal data retention and destruction

policy,

ç) An explanation of the legal, technical, or other reasons requiring the retention and destruction

of personal data,

d) The technical and administrative measures taken to ensure the secure storage of personal data

and to prevent its unlawful processing and unauthorized access,

e) Technical and administrative measures taken to ensure the lawful disposal of personal data,

f) The titles, departments, and job descriptions of those involved in the storage and destruction

processes of personal data,

g) A table showing retention and destruction periods,

ğ) Periodic destruction schedules,

h) Information regarding any updates made to the current personal data retention and

destruction policy,

Principles

and 6 of the Law cease to exist, the data controller must delete, destroy, or anonymize the

personal data either on its own initiative or upon the request of the data subject.

(2) When erasing, destroying, or anonymizing personal data, it is mandatory to act in

accordance with the general principles set forth in Article 4 of the Law, the technical and

administrative measures required under Article 12, the provisions of relevant legislation, the

decisions of the Authority, and the personal data retention and destruction policy.

(3) All operations related to the erasure, destruction, and anonymization of personal data must

be recorded, and such records must be retained for at least three years, except where other legal

obligations apply.

(4) The data controller is obligated to describe the methods it applies regarding the erasure,

destruction, and anonymization of personal data in its relevant policies and procedures.

(5) Unless the Authority decides otherwise, the data controller selects the appropriate method

for the erasure, destruction, or anonymization of personal data. Upon the data subject’s request,

the data controller selects the appropriate method and explains the rationale for the selection.

Deletion of Personal Data

inaccessible and unusable for relevant users in any way.

(2) The data controller is obligated to take all necessary technical and administrative measures

to ensure that the deleted personal data is inaccessible and cannot be reused by the relevant

users.

Destruction of personal data

inaccessible, irrecoverable, and unusable by anyone in any way.

(2) The data controller is obligated to take all necessary technical and administrative measures

regarding the destruction of personal data.

Anonymization of personal data

data incapable of being associated with any identifiable or identifiable natural person, even if

matched with other data.

(2) For personal data to be considered anonymized, it must be rendered incapable of being

associated with an identified or identifiable natural person, even through the use of appropriate

technical methods —such as data restoration or matching with other da ta—by the data

controller, recipient, or groups of recipients, taking into account the data storage medium and

the relevant operational context.

(3) The data controller is obligated to take all necessary technical and administrative measures

regarding the anonymization of personal data.

Timeframes for the voluntary deletion, destruction, or anonymization of personal data

destruction policy shall delete, destroy, or anonymize personal data during the first periodic

destruction process following the date on which the obligation to delete, destroy, or anonymize

personal data arises.

(2) The timeframe for conducting periodic destruction is determined by the data controller in

the personal data retention and destruction policy. This period may not exceed six months under

any circumstances.

(3) A data controller not subject to the obligation to prepare a personal data retention and

destruction policy shall delete, destroy, or anonymize personal data within three months

following the date on which the obligation to delete, destroy, or anonymize personal data arises.

(4) The Authority may shorten the periods specified in this article if irreparable or impossible -

to-compensate harm arises and there is a clear violation of the law.

Timeframes for erasure and destruction upon the data subject’s request

data by applying to the data controller pursuant to Article 13 of the Law;

a) If all conditions for processing personal data have ceased to exist, the data controller shall

delete, destroy, or anonymize the personal data in question. The data controller shall resolve the

data subject’s request within thirty days at the latest and notify the data subject.

b) If all conditions for processing personal data have ceased to exist and the personal data in

question has been transferred to third parties, the data controller notifies the third party of this

situation and ensures that the necessary actions are taken under this Regulation with respect to

the third party.

c) If all conditions for processing personal data have not ceased to exist, this request may be

rejected by the data controller in accordance with the third paragraph of Article 13 of the Law,

with the grounds for rejection explained, and the rejection not ice is communicated to the data

subject in writing or electronically within thirty days at the latest.

Resolution of Ambiguities

implementation of this Regulation and to address any operational shortcomings, to guide

implementation, to establish principles and standards, to make necessary regulations to ensure

uniform application, to request any necessary information and documents in this regard, and to

make decisions on matters not covered by this Regulation within the framework of relevant

legislation.

Entry into Force

Implementation

Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad

Purpose

regarding the implementation of Article 9 of the Personal Data Protection Law No. 6698 dated

March 24, 2016, which regulates the transfer of personal data abroad.

Scope

involved in the transfer of personal data abroad pursuant to Article 9 of Law No. 6698.

Legal Basis

of Article 9 and subparagraph (e) of the first paragraph of Article 22 of Law No. 6698.

Definitions

a) President: The President of the Personal Data Protection Authority,

b) Data Subject: The natural person whose personal data is processed,

c) Law: The Personal Data Protection Law No. 6698 dated March 24, 2016,

ç) Personal data: Any information relating to an identified or identifiable natural person,

d) Processing of personal data: Any operation performed on personal data, such as collection,

recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making

available, classification, or restriction of use, whether fully or partially automated or carried out

by non-automated means as part of a data recording system,

e) Transfer of personal data abroad: The transmission of personal data by a data controller or

data processor subject to Law No. 6698 to a data controller or data processor abroad, or making

such data accessible in any other manner,

f) Board: The Personal Data Protection Board,

g) Authority: The Personal Data Protection Authority,

ğ) Data exporter: A data controller or data processor that transfers personal data abroad,

h) Data recipient: A data controller or data processor located outside the country that receives

personal data from the data exporter,

ı) Data processor: A natural or legal person who processes personal data on behalf of the data

controller based on the authority granted by the data controller,

i) Data controller: A natural or legal person who determines the purposes and means of

processing personal data and is responsible for the establishment and management of the data

recording system.

(2) For definitions not included in this Regulation, the definitions set forth in the Law and

relevant legislation shall prevail.

Transfer of Personal Data Abroad

processor only in accordance with the procedures and principles set forth in the Law and this

Regulation. In cases where personal data is transferred by the data processor, compliance with

the data controller’s instructions is also mandatory.

(2) The provision of the first paragraph also applies to subsequent transfers of personal data

transferred abroad and to transfers to international organizations.

(3) Provisions in other laws regarding the transfer of personal data abroad remain reserved.

Procedures for the Transfer of Personal Data Abroad

processors if one of the conditions specified in Articles 5 and 6 of the Law is met and one of

the following circumstances occurs:

a) The existence of an adequacy decision regarding the country to which the transfer will be

made, sectors within that country, or international organizations.

b) In the absence of an adequacy decision, provided that the data subject has the opportunity to

exercise their rights and seek effective legal remedies in the country to which the transfer is

made, one of the appropriate safeguards specified in Article 10 is provided by the parties.

(2) In the absence of an adequacy decision and where the parties cannot provide one of the

appropriate safeguards specified in Article 10, personal data may be transferred abroad by data

controllers and data processors only on an ad hoc basis and solely in the presence of one of the

exceptional circumstances specified in Article 16.

(3) Subject to the provisions of international treaties, personal data may be transferred abroad

only with the permission of the Board, following consultation with the relevant public

institution or organization, in cases where the interests of Türkiye or the data subject would be

seriously harmed.

Transfer of Personal Data Abroad by the Data Processor

data processor acts on behalf of the data controller and in accordance with the instructions

provided by the data controller, within the scope and for the purposes determined by the data

controller. The data processor shall take all necessary technical and administrative measures to

ensure an appropriate level of security, commensurate with the nature of the personal data, in

order to prevent the unlawful processing of personal data, prevent unlawful access to personal

data, and ensure the protection of personal data.

(2) The transfer of personal data abroad by the data processor does not relieve the data controller

of its responsibility regarding compliance with the procedures and principles set forth in the

Law and this Regulation, nor does it eliminate the need to pr ovide safeguards. The data

controller is obligated to ensure that the data processor implements the technical and

administrative measures specified in the first paragraph.

(3) If the data processor is obligated to notify the standard contract pursuant to the fifth

paragraph of Article 14, the data processor shall fulfill this notification obligation without

requiring instructions from the data controller.

Adequacy Decision

or an international organization provides an adequate level of protection regarding the transfer

of personal data abroad. When issuing an adequacy decision, the following factors are primarily

taken into account:

a) The reciprocity of personal data transfers between Türkiye and the country, sectors within

the country, or international organizations to which personal data will be transferred.

b) The relevant legislation and practices of the country to which personal data will be

transferred, and the rules to which the international organization to which personal data will be

transferred is subject.

c) The existence of an independent and effective data protection authority in the country to

which personal data will be transferred or to which the international organization is subject, as

well as the availability of administrative and judicial remedies.

ç) Whether the country or international organization to which personal data will be transferred

is a party to international treaties on the protection of personal data or a member of such

international organizations.

d) Whether the country or international organization to which personal data will be transferred

is a member of global or regional organizations of which Türkiye is a member.

e) International treaties to which Türkiye is a party.

(2) The Board is authorized to determine additional matters beyond those specified in the first

paragraph.

(3) In its assessment regarding the adequacy decision, the Board shall seek the opinions of

relevant institutions and organizations if deemed necessary.

(4) Adequacy decisions issued by the Board are published in the Official Gazette and on the

Authority’s website.

Review of the Eligibility Decision

relevant adequacy decision shall clearly specify the review periods. If, as a result of the review,

the Committee determines that the relevant country, one or more sectors within the country, or

an international organization does not provide an adequate level of protection, it may amend,

suspend, or revoke its decision with prospective effect.

(2) The Committee may, at its discretion and without being bound by the reassessment period

specified in paragraph (1), review the adequacy decision and amend, suspend, or revoke it with

prospective effect.

(3) The Board may consult with the competent authorities of the relevant country or

international organization to address the circumstances that led to the amendment, suspension,

or revocation of the adequacy decision pursuant to the first or second paragraph.

(4) Decisions regarding the amendment, suspension, or revocation of the eligibility decision

shall be published in the Official Gazette and on the Agency’s website.

Means of Providing Appropriate Safeguards

decision only if one of the conditions specified in Articles 5 and 6 of the Law is met, provided

that the data subject has the opportunity to exercise their rights and seek effective legal remedies

in the country to which the transfer is made, and provided that one of the appropriate safeguards

listed below is provided by the parties to the transfer:

a) The existence of an agreement —not constituting an international treaty —between public

institutions and organizations abroad or international organizations and public institutions and

organizations in Türkiye or professional associations with public institution status, and the

Board’s authorization of the transfer.

b) The existence of binding corporate rules approved by the Board, which contain provisions

regarding the protection of personal data and to which companies within a group of

undertakings engaged in joint economic activities are bound.

c) The existence of a standard contract published by the Board, containing provisions such as

data categories, the purposes of data transfer, recipients and recipient groups, technical and

administrative measures to be taken by the data recipient, and addi tional measures taken for

special categories of personal data.

ç) The existence of a written commitment containing provisions ensuring adequate protection

and the Board’s authorization of the transfer.

Ensuring Adequate Safeguards Through Agreements Not Constituting International

Treaties

public institutions and organizations in Türkiye, professional organizations with the status of

public institutions, and public institutions and organizations in foreign countries or international

organizations, through provisions regarding the protection of personal data included in an

agreement that does not constitute an international treaty. The agreement is concluded between

the parties to the personal data transfer.

(2) The Board’s opinion shall be sought during the negotiation process of the agreement.

(3) The provisions regarding the protection of personal data to be included in the agreement

shall specifically cover the following matters:

a) The purpose, scope, nature, and legal basis of the personal data transfer.

b) Definitions of key terms in accordance with the Law and relevant legislation.

c) A commitment to comply with the general principles set forth in Article 4 of the Law.

ç) Procedures and principles regarding the provision of information to data subjects about the

agreement and the personal data transfer to be carried out under the agreement.

d) A commitment to ensure that data subjects whose personal data is transferred may exercise

the rights specified in Article 11 of the Law, and the procedures and principles regarding

applications made for the exercise of these rights.

e) A commitment to take all necessary technical and administrative measures to ensure an

appropriate level of data security.

f) A commitment to implement the adequate safeguards determined by the Board in the event

of the transfer of special category personal data.

g) Restrictions on the subsequent transfer of personal data.

ğ) Remedies available to the data subject in the event of a breach of the provisions regarding

the protection of personal data included in the agreement.

h) A monitoring mechanism regarding the implementation of the provisions on the protection

of personal data to be included in the agreement.

ı) A provision stating that the data exporter shall have the right to suspend the data transfer and

terminate the agreement if the data importer fails to comply with the provisions regarding the

protection of personal data included in the agreement.

i) A commitment by the data recipient that, in the event of termination of the agreement or the

expiration of its term, the data recipient will, at the data exporter’s discretion, either return the

personal data subject to the transfer —along with its backups —to the data exporter or

completely destroy the personal data.

(4) To enable the cross -border transfer of personal data pursuant to the agreement, the data

exporter must submit an application for authorization to the Board. As part of this application,

the final version of the agreement and other information and docum ents necessary for the

Board’s evaluation must be submitted to the Board. The transfer of personal data may

commence only after authorization is granted by the Board.

Ensuring Adequate Safeguards Through Binding Corporate Rules

ensured through binding corporate rules to which companies within a group of undertakings

engaged in joint economic activities are bound. To transfer personal data abroad based on

binding corporate rules, an application for approval must be submitted to the Board.

(2) As part of the application, the text of the binding corporate rules and other information and

documents necessary for the Board’s evaluation shall be submitted to the Board. A notarized

translation of any document submitted in a foreign language as part of the application regarding

the binding corporate rules shall be attached to the application. If the text of the binding

corporate rules is also drafted in a foreign language, the Turkish text shall serve as the basis.

(3) When approving the binding corporate rules, the Board shall take the following matters into

particular consideration:

a) That the binding corporate rules are legally binding and enforceable for all relevant members

within the group of undertakings engaged in joint economic activities, including employees.

b) The binding corporate rules must include a commitment that the rights of the data subjects

may be exercised.

c) The binding corporate rules must, at a minimum, include the matters specified in Article 13.

(4) The transfer of personal data shall commence after the binding corporate rules have been

approved by the Board.

Required Elements Of Binding Corporate Rules

a) The organizational structure and contact information of each member of the group of

undertakings engaged in joint economic activities.

b) Matters related to transfers to be carried out under the binding corporate rules, including

personal data categories, processing activities and purposes, the group or groups of data

subjects, and the country or countries to which the transfer will be made.

c) A commitment that the binding corporate rules are legally binding both within the internal

relationships of the group of undertakings engaged in joint economic activities and in their other

legal relationships.

ç) Data protection measures, including compliance with the general principles set forth in

Article 4 of the Law, the conditions for processing personal data, the conditions for processing

special category personal data, technical and administrative measures to ensure data security,

adequate safeguards to be taken in the processing of special category personal data, and

restrictions on the subsequent transfer of personal data.

d) A commitment to ensure that data subjects whose personal data is transferred are able to

exercise the rights set forth in Article 11 of the Law and the right to file a complaint with the

Board in accordance with the procedures and principles stipulated in Article 14 of the Law,

along with the procedures and principles regarding the exercise of these rights.

e) A commitment that, in the event of a violation of the binding corporate rules by any member

not established in Türkiye, a data controller and/or data processor established in Türkiye will

assume liability for the violation.

f) Explanations regarding how information will be provided to data subjects on matters related

to the binding corporate rules—including, but not limited to, those specified in subparagraphs

(c), (d), and (e)—in addition to the topics covered under the duty to inform pursuant to Article

10 of the Law.

g) Explanations regarding the training to be provided to employees on the protection of personal

data.

ğ) The duties of the persons or units responsible for monitoring compliance with the group’s

binding corporate rules, including activities related to the resolution of data subject requests.

h) Mechanisms for monitoring and verifying compliance with binding corporate rules within

the enterprise group—including data protection audits and methods aimed at ensuring

corrective actions to protect the rights of data subjects —and a commitment that th e results of

such mechanisms will be submitted to the person or unit specified in subparagraph (ğ), the

board of directors of the controlling company within the relevant enterprise group, and, upon

request, to the Board.

ı) Mechanisms for reporting and recording changes to binding corporate rules and for notifying

the Board of such changes.

i) The obligation of the members of the enterprise group to cooperate with the Authority to

ensure compliance with the binding corporate rules, including, in particular, the submission of

the results of the monitoring and verification activities specified in subparagraph (h).

j) A commitment regarding personal data to be transferred under the binding corporate rules,

stating that there are no national regulations in the country or countries to which the transfer

will be made that conflict with the safeguards provided by the binding corporate rules, and

mechanisms to notify the Board in the event of a legislative change that is likely to have a

negative impact on such safeguards.

k) A commitment to provide appropriate data protection training to personnel who have

continuous or regular access to personal data.

(2) The Board is authorized to determine additional matters beyond those specified in the first

paragraph. The documents to be used in the application for binding corporate rules shall be

determined by the Board.

Ensuring Appropriate Safeguards Through Standard Contractual Clauses

containing provisions such as data categories, the purposes of data transfer, recipients and

groups of recipients, technical and administrative measures to be taken by the data recipient,

and additional measures taken for special categories of personal data.

(2) The standard contract is determined and published by the Board.

(3) The text of the standard contract must be used without any modifications. If the standard

contract is concluded in a foreign language, the Turkish text shall prevail.

(4) The standard contract is concluded between the parties to the personal data transfer. The

standard contract must be signed by the parties to the transfer or by persons authorized to

represent and sign on behalf of the parties.

(5) The standard contract must be notified to the Authority within five business days of the

completion of signatures, either in physical form or via a registered electronic mail (KEP)

address or other methods determined by the Board. The parties to the tr ansfer may specify in

the standard contract which party is responsible for fulfilling the notification obligation. If no

such specification is made, the standard contract is notified to the Authority by the data exporter.

(6) The notification must be accompanied by documents evidencing the authority of the

signatories to the standard contract, as well as notarized translations of any documents in a

foreign language.

(7) If changes are made to the text of the standard contract published by the Board, or if the

standard contract lacks the valid signature of one or both of the parties to the transfer, an

investigation is conducted by the Board in accordance with Article 15 of the Law.

(8) In the event of a change in the parties to the standard contract or in the information and

explanations provided by the parties in the content of the standard contract, or in the event of

the termination of the standard contract, a notification shall be made to the Authority in

accordance with the procedure specified in the fifth paragraph.

Providing Adequate Safeguards Through a Written Undertaking

protection of personal data included in a written undertaking to be concluded between the

parties to the transfer.

(2) The provisions regarding the protection of personal data to be included in the commitment

letter shall specifically cover the following matters:

a) The purpose, scope, nature, and legal basis of the personal data transfer.

b) Definitions of key terms in accordance with the Law and relevant legislation.

c) A commitment to comply with the general principles set forth in Article 4 of the Law.

d) Procedures and principles regarding the provision of information to data subjects about the

undertaking and the personal data transfer to be carried out under the undertaking.

d) A commitment to ensure that data subjects whose personal data is transferred may exercise

the rights specified in Article 11 of the Law, and the procedures and principles regarding

applications made for the exercise of these rights.

e) A commitment to take all necessary technical and administrative measures to ensure an

appropriate level of data security.

f) A commitment to implement the adequate safeguards determined by the Board in the event

of the transfer of special category personal data.

g) Restrictions on the subsequent transfer of personal data.

ğ) Remedies available to the data subject in the event of a breach of this commitment.

h) A commitment that the data recipient will comply with the Board’s decisions and opinions

regarding the processing of the personal data subject to the transfer.

ı) A commitment that there is no national regulation that would prevent the data recipient from

complying with the commitment letter, and that the data recipient will notify the data exporter

of any potential legislative changes that could lead to such non-compliance as soon as possible,

along with a provision stating that in such a case, the data exporter has the right to suspend the

data transfer and terminate the commitment letter.

i) A provision stating that, in the event the data recipient fails to comply with the commitment,

the data exporter shall have the right to suspend the data transfer and terminate the commitment.

j) A commitment by the data recipient that, in the event of the termination of the undertaking or

the expiration of its term, the data recipient will, at the discretion of the data exporter, either

return the personal data subject to the transfer —along with any backups—to the data exporter

or completely destroy the personal data.

k) A provision stating that the undertaking is governed by Turkish law and that Turkish courts

have jurisdiction and authority in the event of a dispute, along with a commitment by the data

recipient to accept the jurisdiction of Turkish courts.

(3) To enable the transfer of personal data abroad based on the Undertaking, the data exporter

must submit an application for authorization to the Board. As part of the application, the text of

the Undertaking and other information and documents necessary for the Board’s evaluation are

submitted to the Board. If the Undertaking is executed in a foreign language, the Turkish text

shall prevail. The transfer of personal data may commence only after authorization is granted

by the Board.

Cases of Exceptional Transfers

that none of the adequacy decisions exist and none of the appropriate safeguards provided for

in Article 10 can be ensured, and only if one of the exceptional transfer cases spec ified in the

second paragraph applies. Transfers that are irregular, occur once or a few times, lack continuity,

and do not fall within the ordinary course of business are considered occasional.

(2) The exceptional transfer cases are as follows:

a) The data subject’s explicit consent to the transfer, provided that the data subject has been

informed of the potential risks.

b) The transfer is necessary for the performance of a contract between the data subject and the

data controller or for the implementation of pre-contractual measures taken at the data subject’s

request.

c) The transfer is necessary for the conclusion or performance of a contract between the data

controller and another natural or legal person for the benefit of the data subject.

d) The transfer is necessary for an overriding public interest.

d) The transfer of personal data is necessary for the establishment, exercise, or defense of a

legal claim.

e) The transfer of personal data is necessary to protect the life or physical integrity of the data

subject or another person, where the data subject is unable to express consent due to actual

impossibility or where legal validity is not recognized for their consent.

f) The transfer of personal data from a public registry or a registry accessible to persons with a

legitimate interest, provided that the conditions required by relevant legislation for accessing

the registry are met and the person with a legitimate interest request such access.

(3) In transfers made pursuant to paragraph (f) of the second paragraph, the following

procedures and principles shall be followed:

a) The transfer may not encompass all personal data or categories of personal data contained in

the registers.

b) Transfers from registers open to persons with a legitimate interest may only be made to such

persons or upon their request.

(4) Subparagraphs (a), (b), and (c) of the second paragraph do not apply to the activities of

public institutions and organizations governed by public law.

Resolution of Ambiguities

implementation of this Regulation and to make decisions on matters not covered by this

Regulation within the framework of relevant legislation.

Entry into Force

Implementation

Personal Data Protection Authority.

1

STANDARD CONTRACT - 1

FOR

THE TRANSFER OF PERSONAL DATA ABROAD

(FROM CONTROLLER TO CONTROLLER)

(a) The purpose of this standard contract is to ensure compliance with the provisions of Personal

Data Protection Law No. 6698 dated 24/3/2016 (hereinafter referred to as ‘the Law’) and the

By-Law on Procedures and Principles for the Transfer of Personal Data Abroad (hereinafter

referred to as ‘ the By-Law), which entered into force following its publication in the Official

Gazette dated 10/7/2024 and numbered 32598.

(b) The data controller transferring personal data abroad (hereinafter referred to as ‘data

exporter’) and the data controller in a foreign country receiving personal data from the data

exporter (hereinafter referred to as ‘data importer ’) have agreed to this standard contract

(hereinafter referred to as ‘the Contract’).

(c) This Contract applies with respect to the tra nsfer of personal data abroad as specified in

Annex I.

(d) The Appendix to this Contract containing the annexes (hereinafter referred to as ‘Annexes’)

forms an integral part of this Contract.

(a) This Contract sets out appropriate safeguards for the transfer of personal data abroad,

including enforceable data subject rights and effective legal remedies in the country receiving

the transfer as well, in accordance with Article 9(4) of the Law, and the By-Law, provided that

no additions, deletions, or modifications are made.

(b) This Contract is without prejudice to obligations to which the data exporter is subj ect by

virtue of the Law, the By-Law, and other relevant legislation.

(a) Data subjects may invoke the clauses of this Contract as third-party beneficiaries against the

data exporter and/or data importer, with the following exceptions:

i) Clause 1, Clause 2, Clause 3, and Clause 6.

ii) Clause 7.5(e) and Clause 7.9(b).

iii) Clause 10(a) and (d).

iv) Clause 11.

2

(b) Paragraph (a) is without prejudice to rights of data subjects under the Law.

(a) Where this Contract uses terms that are defined in the Law, the By-Law, and other relevant

legislation, the definitions provided in the respective regulations shall apply.

(b) This Contract shall be interpreted in accordance with the Law, the By-Law, and other

relevant legislation.

(c) This Contract shall not be interpreted in a way that conflicts with rights and obligations

provided for in the Law, the By-Law, and other relevant legislation.

In the event of a contradiction between the clauses of this Contract and the provisions of other

relevant agreements between the Parties, existing at the time this Contract is agreed or entered

into thereafter, the clauses of this Contract shall prevail.

The details of the transfer of personal data abroad to be carried out under this Contract, and in

particular the categories of personal data to be transferred, the legal basis for the transfer, and

the purpose or purposes of the transfer, are specified in Annex I.

The data exporter warrants that it has used reasonable efforts to determine that the data importer

is competent, through the implementation of appropriate technical and organisational measures,

to satisfy its obligations under this Contract.

The data importer shall process the personal data in a manner that is relevant, limited, and

proportionate to the purpose/purposes specified in Annex I.

(a) Each Party shall ensure that the personal data is accurate and, where necessary, kept up to

date. The data importer shall take every reasonable step to ensure that personal data that is

inaccurate, having regard to the purpose/purposes of processing, is destroyed or rectified

without delay.

(b) Each Party shall inform the other Party without delay if it becomes aware that the personal

data transferred is inaccurate or has become outdated.

The data importer shall retain the personal data for no longer than necessary for the purposes

for which it is processed. To ensure compliance with this obligation, the data importer shall put

3

in place all necessary technical and organisational measures to erase, destroy, or anonymize

personal data and all its back-ups.

(a) In order to enable data subjects to effectively exercise their rights pursuant to Clause 8, the

data importer shall inform them, either directly or through the data exporter:

i) of its identity and contact details,

ii) of the categories of personal data processed,

iii) of the right to obtain a copy of this Contract,

iv) where it intends to onward transfer the personal data to any third party or parties, of

the recipient or categories of recipients, the purpose of such onward transfer and the

grounds for it pursuant to Clause 7.7.

(b) On request, the Parties shall make a copy of this Contract , including the Annexes as

completed by them, available to the data subject free of charge. To the extent necessary to

protect business secrets or other confidential information, including personal data, the Parties

may redact the Annexes included in the copy provided to the data subject and exclude certain

portions of the text. However, the Parties shall provide a meaningful summary where the data

subject would otherwise not be able to understand its content or exercise his/her rights . On

request, the Parties shall provide the data subject with the reasons for the redactions, to the

extent possible without revealing the redacted information.

(c) The obligations of the data exporter under Article 10 of the Law and the Communiqué on

Procedures and Principles to Be Followed in Fulfilment of the Obligation to Inform, published

in the Official Gazette dated 10/3/2018 and numbered 30356, are reserved.

(a) The data importer and, during transmission, also the data exporter shall implement all

necessary technical and organisational measures to ensure an appropriate level of security

corresponding to the nature of personal data, aiming to prevent unlawful processing of personal

data, unlawful access to personal data, to ensure protection of personal data, and to safeguard

personal data against accidental loss, destruction or damage . In determining such measures ,

they shall take due account of the state of the art, the costs of implementation, the nature, scope,

context and purposes of processing and the risks involved in the processing to the fundamental

rights and freedoms of data subjects.

(b) The Parties have agreed on the technical and organisational measures set out in Annex II.

The data importer shall carry out regular checks to ensure that these measures continue to

provide an appropriate level of security.

(c) The data importer shall ensure that natural persons authorised by it to access personal data

do not disclose the personal data they have learned to third parties in breach of this Contract

and do not use the data for purposes other than those for which it was processed.

(d) In the event that personal data processed by the data importer under this Contract is obtained

by others through unlawful means, the data importer shall take appropriate measures to address

the data breach and mitigate its potential adverse effects.

(e) In the event that personal data processed by the data importer under this Contract is obtained

by others through unlawful means, the data importer shall notify both the data exporter and the

Personal Data Protection Board (hereinafter referred to as ‘the Board’) without undue delay and

within 72 hours at the latest. Such notification shall use the ‘Data Breach Notification Form’

4

determined by the Board and published on the official website of the Personal Data Protection

Authority (hereinafter referred to as ‘the Authority’). To the extent it is not possible for the data

importer to provide all the information at the same time, it may do so in phases without undue

further delay.

(f) In the event that personal data processed by the data importer under this Contract is obtained

by others through unlawful means, the data importer shall notify the data subjects of the breach.

The breach notification to the data subject shall be communicated in clear and plain language

and include at least the following:

i) when the personal data breach occurred,

ii) which personal data are affected by the breach on the basis of the categories of

personal data (distinguishing between personal data/sensitive personal data),

iii) likely consequences of the personal data breach,

iv) the measures taken or proposed to be taken to mitigate the adverse effects of the

personal data breach,

v) name and contact details of the contact persons or the full address of the data

importer’s website, call centre, etc., where data subjects can obtain information about

the breach.

(g) The data importer shall document all relevant facts relating to the data breach, its effects

and any measures taken, and keep this documentation readily available for examination by the

Board.

(a) The data importer shall take additional technical and organisational measures appropriate to

the nature of the sensitive personal data.

(b) In the processing of sensitive personal data, adequate measures as determined by the Board

shall also be taken.

(a) Personal data transferred to the data importer may be further transferred by the data importer

to a third party located abroad ( either in the same country as the data importer or in another

country) only under the following circumstances:

i) it is to a country benefitting from an adequacy decision pursuant to Article 9(1) of the

Law,

ii) the third party to which the onward transfer will be made provides one of the

appropriate safeguards outlined in Article 9(4) of the Law,

iii) transfer of personal data is mandatory for the establishment, exercise or protection

of any right in the context of specific administrative or judicial proceedings,

iv) transfer of personal data is necessary for the protection of life or physical integrity

of a person himself/herself or of any other person who is unable to provide consent due

to actual impossibility or whose consent is not legally valid,

v) where none of the conditions listed above apply; the data importer has obtained the

explicit consent of the data subject for an onward transfer, provided that it has informed

the data subject about the purpose/purposes of the transfer, the identity of the third party

recipient and the possible risks of such transfer to him/her due to the lack of appropriate

data protection safeguards, and also the data importer has informed the data exporter

5

and, on request, it transmits to the data exporter a copy of the information provided to

the data subject.

(b) In any onward transfer, the data importer shall comply with all the other safeguards under

this Contract , in particular the principle of relevance, limitation, and proportionality with

respect to the purposes.

(c) In cases where the recipients of onward transfers have been identified before notification of

this Contract to the Authority, these recipients or recipient groups shall be specified in Annex

I. In the event of a change to the recipients or recipient groups of onward transfer, Annex I shall

be updated accordingly, and the Authority shall be notified.

The data importer shall ensure that persons acting under its authority, including data processors,

process the personal data only and solely on its instructions.

(a) Each Party shall be able to demonstrate compliance with its obligations under the Contract.

The data importer is obliged to keep and maintain information, documents, and records related

to the processing activities carried out under its responsibility.

(b) The data importer shall make such documentation available to the Board on request.

(a) The data importer, where relevant with the assistance of the data exporter, shall respond to

any enquiries and requests it receives from a data subject relating to the processing of his/her

personal data and the exercise of his/her rights under the Contract at the latest within thirty days

of the receipt of the enquiry or request. The data importer shall take appropriate measures to

respond to such enquiries, requests and to ensure the exercise of data subject rights. Any

information provided to the data subject shall be in an intelligible and easily accessible form,

using clear and plain language.

(b) In particular, by making a request to the data importer, the data subject has the following

rights concerning to himself/herself:

i) To learn whether personal data concerning him/her is being processed,

ii) Where this is the case, to request information relating to this processing and a copy

of the information specified in Annex I,

iii) To learn the purpose of the processing of personal data and whether the data is used

in accordance with that purpose,

iv) To learn the third parties to which the personal data has been transferred and the

basis for such onward transfers pursuant to Clause 7.7

v) To request rectification of incomplete or inaccurate personal data,

vi) To request erasure or destruction of personal data within the scope of Clause 7.3,

vii) To request notification of operations conducted under subparagraphs (v) and (vi) to

third parties to whom the personal data has been transferred,

viii) To object to the occurrence of a result against the person himself/herself as a result

of analysing the data processed solely through automated systems,

6

ix) To claim compensation for the damage s arising from the unlawful processing of

personal data in violation of this Contract.

(c) The data importer shall act on the request or refuse it together with justified grounds and

communicate its response to the data subject in writing or by electronic means. In the response,

the data subject shall be informed of their right to lodge a complaint with the Board pursuant to

importer accordingly.

(d) The data impor ter shall finalise the data subject’s request free of charge. However, if the

process requires an additional cost, the data importer may charge a fee according to the tariff

set by the Board. If the request arises due to the data importer’s own fault, the data importer

shall refund the fee to the data subject.

(a) In case of a disput e between a data subject and a data importer concerning third -party

beneficiary rights under this Contract, the data subject may submit his/her requests to the data

importer regarding the matter. The data importer shall inform data subjects in a transparent and

easily accessible format, through individual notice to the data subjects or on its website, of a

contact point authorised to handle requests. The data importer shall promptly address any

requests it receives from data subjects.

[Optional provision at the parties’ discretion: The data importer agrees that data subjects may

also lodge a complaint with an independent dispute resolution body at no cost to the data

subject. The data importer shall inform the data subjects, in the manner set out in paragraph (a),

of such redress mechanism and that they are not required to use it, or initially use it in seeking

redress.]

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with

this Contract, that Party shall use its best efforts to resolve the issue amicably in the shortest

time possible . The Parties shall keep each other informed about such disputes and, where

appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data

importer shall accept the right of the data subject to lodge a complaint with the Board and to

refer the dispute to the competent courts within the meaning of Clause 17.

(d) The data importer undertakes to abide by decisions that are legally binding under Turkish

law.

(e) The data importer agrees that the data subject’s exercise of any of the aforementioned

methods to seek redress will not prejudice any other rights that the data subject may assert in

accordance with applicable legislation.

(a) Each Party shall be liable to the other Party for any damages arising from any breach of this

Contract.

(b) Each Party shall be liable to the data subject. The data subject shall be entitled to receive

compensation, for any material or non-material damages that the Parties cause the data subject

by breaching the third-party beneficiary rights under this Contract. This is without prejudice to

the liability of the data exporter under the Law.

7

(c) Where both Parties are responsible for any damage caused to the data subject as a result of

a breach of this Contract, all responsible Parties shall be severally liable, and the data subject is

entitled to bring an action in court against any of these Parties.

(d) If one Party fully compensates the data subject for the damage under paragraph (c), it

reserves the right of recourse against the other party in proportion to its fault.

(e) The data importer may not invoke the conduct of a processor or sub -processor to avoid its

own liability.

The data importer agrees to cooperate with the Authority in any and all procedures at ensuring

compliance with this Contract, to submit itself to the jurisdiction of the Board, and to comply

with any decisions issued by the Board. In particular, the data importer agrees to provide the

information and documents requested by the Board concerning the subject matter of the

examination, to allow on-site examination when necessary, and to comply with the Board's

instructions to rectify an y identified violations. It shall submit to the Board information and

documents certifying the fulfilment of the instructions.

The data importer agrees, declares and undertakes that there are no national regulations or

practices in conflict with this Contract regarding the personal data to be transferred under this

Contract. In the event of changes in legislation or practices that may impact the data importer’s

ability to fulfil its obligations under this Contract during its term, the data importer shall notify

the data exporter promptly, and in such a case , the data importer agrees that the data exporter

reserves the right to suspend the data transfer or terminate this Contract.

The data importer shall notify the data exporter promptly of any requests from administrative

or judicial authorit ies regarding the personal data transferred under this Contract , or if it

becomes aware of any direct access by administrative or judicial authorities to personal data

transferred pursuant to this Contract . In such a case, the data importer agrees that the data

exporter shall have the right to suspend the data transfer or terminate this Contract, depending

on the nature of the request or access.

CLAUSE 14- Non-compliance with the Contract and Termination

8

(a) The data importer shall promptly inform the data exporter if it is unable to comply with this

Contract, for whatever reason.

(b) In the event that the data importer is in breach of this Contract or unable to comply with this

Contract, the data exporter shall suspend the transfer of personal data to the data importer until

compliance is again ensured or the Contract is terminated. Provisions of Clause 12 and Clause

13 are reserved.

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the

processing of personal data under this Contract, where:

i) the data exporter has suspended the transfer of personal data to the data importer

pursuant to paragraph (b) and compliance with t his Contract is not restored within a

reasonable time and, in any event, within one month of suspension,

ii) the data importer is in substantial or persistent breach of this Contract,

iii) the data importer fails to comply with the decisions of a competent court or the Board

regarding its obligations under this Contract.

In these cases, the data exporter shall inform the Board.

(d) In the event that the contract is terminated pursuant to paragraph (c), the data importer, at

the choice of the data exporter, shall either return the personal data subject to transfer together

with its backups to the data exp orter or ensure the complete destruction of the personal data.

The data importer warrants that, even if there are legislative provisions that may prevent it from

fulfilling this obligation, it will continue to ensure compliance with this Contract, take necessary

technical and organisational measures to safeguard the confidentiality of the personal data

subject to transfer, and continue to processing activity only to the extent and for the duration

required by legislation. The data importer shall certify the destruction of the data for the data

exporter. Until the data is returned or completely destroyed, the data importer shall continue to

ensure compliance with this Contract.

discretion.)

[Data exporter/data importer] shall notify the Authority of this Contract within five business

days following the finalisation of all signatures.

This Contract shall be governed by Turkish law.

(a) Any dispute arising from this Contract shall be resolved by Turkish courts.

(b) General provisions shall apply in terms of competence.

(c) The Parties agree to submit themselves to the jurisdiction of Turkish courts.

9

Data Exporter:

Address:

Contact Person’s Full Name , Title and

Contact Details:

Signatory’s Full Name and Title:

Signature and Date:

Data Importer:

Address:

Contact Person’s Full Name , Title and

Contact Details:

Signatory’s Full Name, Surname and Title:

Signature and Date:

DESCRIPTION OF TRANSFER

Activities of the Data Exporter Regarding the Personal Data Transferred Under This

Contract

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Activities of the Data Importer Regarding the Personal Data Transferred Under This

Contract

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Group or Groups of Data Subjects

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Categories of Personal Data Transferred

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Categories of Sensitive Personal Data Transferred (if applicable)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

10

…………………………………………………………………………………………………

………………………………………………………………………………………

Legal Basis for the Transfer

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Frequency of the Transfer

(e.g. whether the data is transferred on a one-off or continuous basis)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Nature of the Processing Activity

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Purposes of the Data Transfer and Further Processing

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Personal Data Retention Period

(Specify the period for which the personal data will be retained. If that is not possible, provide

the criteria used to determine the retention period)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Recipients or Recipient Groups

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Data Controller Registry Information System (VERBIS) Details of the Data Exporter

(If subject to registration obligation)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

11

TECHNICAL AND ORGANISATIONAL MEASURES

(In the event of the transfer of sensitive personal data, the technical and organisational measures

implemented for such data must be specified separately.)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

1

STANDARD CONTRACT - 2

FOR

THE TRANSFER OF PERSONAL DATA ABROAD

(FROM CONTROLLER TO PROCESSOR)

(a) The purpose of this standard contract is to ensure compliance with the provisions of Personal

Data Protection Law No. 6698 dated 24/3/2016 (hereinafter referred to as ‘the Law’) and the

By-Law on Procedures and Principles for the Transfer of Personal Data Abroad (hereinafter

referred to as ‘the By-Law’), which entered into force following its publication in the Official

Gazette dated 10/7/2024 and numbered 32598.

(b) The data controller transfer ring personal data abroad (hereinafter referred to as ‘data

exporter’) and the data processor in a foreign country receiving personal data from the data

exporter (hereinafter referred to as ‘data importer’) have agreed to this standard contract

(hereinafter referred to as ‘the Contract’).

(c) This Contract applies with respect to the transfer of personal data abroad as specified in

Annex I.

(d) The Appendix to this Contract containing the annexes (hereinafter referred to as ‘Annexes’)

forms an integral part of this Contract.

(a) This Contract sets out appropriate safeguards for the transfer of personal data abroad,

including enforceable data subject rights and effective legal remedies in the country receiving

the transfer as well, in accordance with Article 9(4) of the Law and the By-Law, provided that

no additions, deletions, or modifications are made.t

(b) This Contract is without prejudice to obligations to which the data exporter is subject by

virtue of the Law, the By-Law, and other relevant legislation.

(a) Data subjects may invoke the clauses of this Contract, as third -party beneficiaries, against

the data exporter and/or data importer, with the following exceptions:

i) Clause 1, Clause 2, Clause 3, and Clause 6.

ii) Clause 7.1(b) and Clause 7.9(a), (c), (d), (e).

iii) Clause 8(a), (c), (d), (e).

iv) Clause 11(a), (d), (f).

2

v) Clause 12.

(b) Paragraph (a) is without prejudice to rights of data subjects under the Law.

(a) Where this Contract uses terms that are defined in the Law, the By-Law, and other relevant

legislation, the definitions provided in the respective regulations shall apply.

(b) This Contract shall be interpreted in accordance with the Law, the By-Law, and other

relevant legislation.

(c) This Contract shall not be interpreted in a way that conflicts with rights and obligations

provided for in the Law, the By-Law, and other relevant legislation.

In the event of a contradiction between the clauses of this Contract and the provisions of other

relevant agreements between the Parties, existing at the time this Contract is agreed or entered

into thereafter, the clauses of this Contract shall prevail.

The details of the transfer of personal data abroad to be carried out under this Contract, and in

particular the categories of personal data to be transferred, the legal basis for the transfer, and

the purpose or purposes of the transfer, are specified in Annex I.

The data exporter warrants that it has used reasonable efforts to determine that the data importer

is competent, through the implementation of appropriate technical and organisational measures,

to satisfy its obligations under this Contract.

(a) The data importer shall process the personal data only in accordance with the instructions

of the data exporter. The data exporter may give such instructions during the period in which

the data importer carries out personal data processing on behalf of the data exporter.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those

instructions.

The data importer shall process the p ersonal data in a manner that is relevant, limited, and

proportionate to the purpose/purposes specified in Annex I.

3

If the data importer becomes aware that the personal data transferred is inaccurate, or has

become outdated, it shall inform the data exporter without undue delay. In this case , the data

importer shall cooperate with the data exporter to destroy or rectify the personal data.

The data importer may only process personal data for the duration specified in Annex 1. After

the end of the processing activities by the data importer on behalf of the data exporter, the data

importer shall, at the choice of the data exporter, return all personal data processed on its behalf,

together with its back -ups, or ensure the complete destruction of personal data. The data

importer warrants that, even if there are legislative provisions that may prevent it from fulfilling

this obligation, it will continue to ensure compliance with this Contract to take necessary

technical and organisational measures to safeguard the confidentiality of the personal data

subject to transfer, and to continue to processing activity only to the extent and for the duration

required by legislation. Clause 13 is reserved. The data importer shall certify the destruction of

the data for the data exporter. Until the data is returned or completely destroyed, the data

importer shall continue to ensure compliance with this Contract.

On request, the data exporter shall provide a copy of this Contract, including the Annexes

completed by the Parties, to the data subject free of charge. To the extent necessary to protect

business secrets or other confidential information, including the measures specified in Annex

II and personal data, the data exporter may redact the Annexes included in the copy provi ded

to the data subject and exclude certain portions of the text . However, the data exporter shall

provide a meaningful summary where the data subject would otherwise not be able to

understand its content or exercise his/her rights. On request, the Parties shall provide the data

subject with the reasons for the redactions, to the extent possible without revealing the redacted

information. The obligations of the data exporter under Article 10 of the Law and the

Communiqué on Procedures and Principles to Be F ollowed in Fulfilment of the Obligation to

Inform, published in the Official Gazette dated 10/3/2018 and numbered 30356, are reserved.

(a) The data importer and, during transmission, also the data exporter shall implement all

necessary technical and organisational measures to ensure an appropriate level of security

corresponding to the nature of personal data, aiming to prevent unlawful processing of personal

data, unlawful access to personal data, to ensure protection of personal data, and to safeguard

personal data against accidental loss, destruction or damage. In determining such measures ,

they shall take due account of the state of the art, the costs of implementation, the nature, scope,

context and purposes of processing and the risks involved in the processing to the fundamental

rights and freedoms of data subjects. The data importer shall implement, at a minimum,

technical and organisational measures set out in Annex II while fulfilling its obligations under

this paragraph. The data importer shall carry out regular checks to ensure that these measures

continue to provide an appropriate level of security.

(b) The data importer shall restrict its personnel’s access to the pers onal data subject to the

transfer only to the extent and scope strictly necessary for carrying out the processing activities

on behalf of the controller, and ensure that such personal data can only be accessed by the

relevant personnel. The data importer shall ensure that natural persons authorised by it to access

personal data do not disclose the personal data they have learned to third parties in breach of

this Contract and do not use the data for purposes other than those for which it was processed.

4

(c) In the event that personal data processed by the data importer under this Contract is obtained

by others through unlawful means, the data importer shall take appropriate measures to address

the data breach and mitigate its potential adv erse effects. The data importer shall also notify,

without undue delay, the data exporter of this breach. Such notification shall use the ‘Data

Breach Notification Form’ determined by the Board and published on the official website of

the Personal Data Protection Authority (hereinafter referred to as ‘the Authority’). To the extent

it is not possible for the data importer to provide all the information at the same time, it may do

so in phases without undue further delay.

(d) The data import er shall cooperat e with and assist the data exporter to en able the data

exporter to fulfil its obligations under the Law, in particular to notify the Board and data

subjects, taking into account the nature of the personal data processing activity and the

information available to the data importer.

(a) The data importer shall take additional technical and organisational measures specified

in Annex II, appropriate to the nature of the sensitive personal data.

(b) In the processing of sensitive personal data, adequate measures as determined by the

Board shall also be implemented.

(a) Personal data transferred to the data importer may be further transferred by the data importer

to a third party located abroad (in the same country as the data importer or in another country)

only with the instruction of the data exporter and under the following circumstances:

i) it is to a country benefitting from an adequacy decision pursuant to Article 9(1) of the

Law,

ii) the third party to which the onward transfer will be made provides one of the

appropriate safeguards set out in Article 9(4) of the Law,

iii) transfer of personal data is mandatory for the establishment, exercise or protection

of any right in the context of specific administrative or judicial proceedings,

iv) transfer of personal data is necessary for the protection of life or phy sical integrity

of a person himself/herself or of any other person who is unable to provide consent due

to actual impossibility or whose consent is not legally valid,

(b) In any onward transfer, the data importer is obliged to comply with all the other safeguards

under this Contract, in particular the principle of relevance, limitation, and proportionality with

respect to the purposes.

(c) In cases where the recipients of onward transfers have been identified before notification of

this Contract to the Authority, these recipients or recipient groups shall be specified in Annex

I. In the event of a change to the recipients or recipient groups of onward transfer, Annex I shall

be updated accordingly, and the Authority shall be notified.

(a) The data importer shall promptly and adequately respond to enquiries from the data exporter

that relate to the processing under this Contract.

(b) The Parties shall be able to demonstrate compliance with this Contract. The data importer

is obliged to keep and maintain information, documents, and records related to the processing

activities carried out on behalf of the data exporter.

5

(c) The data importer shall make available to the data exporter all information and documents

necessary to demonstrate compliance with the obligations set out in this Contract and at the data

exporter’s request, allow for and contribute to audits of the processing activities covered by this

Contract, at reasonable intervals, or if there are indications of non-compliance.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent

auditor. Audits may include inspections at the premises or physical facilities of the data

importer. Where appropriate, audits shall be carried out with reasonable notice.

(e) The Parties shall provide the information referred to in paragraphs (b) and (c), including the

results of the audit conducted at the data importer, to the Board on request.

(The option selected by the Parties shall be included in the contract.)

[OPTION 1: SPECIFIC AUTHORISATION] (a) The data importer shall not sub -contract any

of its processing activities performed on behalf of the data exporter under this Contract to a

sub-processor without prior specific written authorisation of the data exporter . The data

importer shall submit the request for specific authorisation at least [Specify time period] prior

to the assignment of the sub-processor, together with the information necessary to enable the

data exporter to decide on the authorisation. The list of sub -processors authorised by the data

exporter shall be provided in Annex III. In the event of a change to sub -processors after

notification of this Contract to the Authority, Annex III shall be updated accordingly, and the

Authority shall be notified thereof.]

[OPTION 2: GENERAL AUTHORISATION (a) The data importer may sub -contract its

processing activities performed on beha lf of the data exporter under this Contract to sub-

processor(s) included in a list to which the data exporter has grante d prior consent. The data

importer shall inform the data exporter in writing of any intended changes to that list through

the addition or replacement of sub-processors at least [Specify time period] in advance, thereby

giving the data exporter sufficient time to be able to object to such changes prior to the

engagement of the sub-processor(s). The data importer shall provide the data exporter with the

information necessary to enable the data exporter to exercise its right to object. The list of sub-

processors authorised by the data exporter shall be provided in Annex III. In the event of a

change to sub-processors after notification of this Contract to the Authority, Annex III shall be

updated accordingly, and the Authority shall be notified thereof.]

(b) Where the data importer sub-contracts its specific processing activities (on behalf of the

data exporter), it shall conclude a written contract with the sub-processor. The contract shall

provide for, at a minimum, the same data protection safeguards set out in this Contract,

including third-party beneficiary rights for data subjects. The Parties agree that, by concluding

such a contract, the data importer fulfils its obligations under Clause 7.8. The data importer

shall ensure that the sub-processor complies with the obligations to which the data importer is

subject pursuant to this Contract.

(c) At the data exporter’s request, the data importer shall provide, a copy of such a sub-processor

contract and any subsequent amendments to it to the data exporter. To the extent necessary to

protect business secrets or other confidential inform ation, including personal data, the data

importer may redact the copy to be shared by removing the relevant parts.

(d) The data importer shall remain fully responsible to the data exporter for the performance of

the sub-processor’s obligations under its contract with the data importer. The data importer shall

6

notify the data exporter of any failure by the sub -processor to fulfil its obligations under that

contract.

(e) The data importer shall agree with the sub -processor to include a third-party beneficiary

clause in the contract for the benefit of the data exporter, which grants the data exporter – in the

events such as the data importer has ceased to exist in law or has become insolvent – the right

to terminate the sub-processor contract and to instruct the sub-processor to completely destroy

or return the personal data together with its backups.

(a) The data importer shall promptly notify the data exporter of any request it has received from

a data subject. It shall not respond to that request itself unless it has been authorised to do so by

the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to the

data subjects’ requests for the exercise of their rights under the Law. In this regard, the Parties

shall set out in Annex II the appropriate technical and organisational measur es, taking into

account the nature of the processing, by which the assistance shall be provided, as well as the

scope of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with

the instructions from the data exporter.

a) In case of a dispute between a data subject and a data importer as regards third-party

beneficiary rights under this Contract, the data subject may submit his/her requests to the data

importer regarding the matter. The data importer shall inform data subjects in a transparent and

easily accessible format, through individual notice to the data subjects or on its website, of a

contact point authorised to handle requests. The data importer shall promptly address any

requests it receives from data subjects.

[Optional provision at the parties’ discretion: The data importer agrees that data subjects may

also lodge a complaint with an independent dispute resolution body at no cost to the data

subject. The data importer shall inform the data subjects, in the manner set out in paragraph (a),

of such redress mechanism and that they are not required to use it, or initially use it in seeking

redress.]

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with

this Contract, that Party shall use its best efforts to resolve the issue amicably in the shortest

time possible. The Parties shall keep each other informed about such disputes and, where

appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data

importer shall accept the right of the data subject to lodge a complaint with the Board and to

refer the dispute to the competent courts within the meaning of Clause 18.

(d) The data importer undertakes to abide by decisions that are legally binding under Turkish

law.

(e) The data importer agrees that the data subject’s use of any of the aforementioned methods

to seek redress will not prejudice any other rights the data subject may assert in accordance with

applicable legislation.

7

(a) Each Party shall be liable to the other Party for the damages arising from any breach of this

Contract.

(b) The data importer shall be liable to the data subject. The data subject shall be entitled to

receive compensation, for any material or non -material damages that the data importer or its

sub-processor causes the data subject by breaching the third-party beneficiary rights under this

Contract.

(c) Without prejudice to paragraph (b), the data exporter shall be liable to the data subject, and

the data subject shall be entitled to receive compensation, for any material or non -material

damages the data exporter or the data importer (or its sub-processor) causes the data subject by

breaching the third-party beneficiary rights under this Contract. This is without prejudice to the

liability of the data exporter under the Law.

(d) If the data exporter fully compensates the data subject for the damage caused by the data

importer (or its sub-processor) under paragraph (c), it reserves the right of recourse against the

other party in proportion to its fault.

(e) Where both Parties are responsible for any damage caused to the data subject as a result of

a breach of this Contract, all responsible Parties shall be severally liable, and the data subject is

entitled to bring an action in court against any of these Parties.

(f) If one Party fully compensates the data subject for the damage caused under paragraph (e),

it reserves the right of recourse against the other party in proportion to its fault.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

The data importer agrees to cooperate with the Authority in any and all procedures at ensuring

compliance with this Contract, to submit itself to the jurisdiction of the Board , and to comply

with any decisions issued by the Board. In particular, the data importer agrees to provide the

information and documents requested by the Board concerning the subject matter of the

examination, to allow on-site examination when necessary, and to comply with the Board's

instructions to rectify an y identified violations. It shall submit to the Board information and

documents certifying the fulfilment of the instructions.

The data importer agrees, declares and undertakes that there are no national regulations or

practices in conflict with this Contract regarding the personal data to be transferred under this

Contract. In the event of changes in legislation or practices that may impact the data importer’s

ability to fulfil its obligations under this Contract during its term, the data importer shall notify

the data exporter promptly, and in such a case, the data importer agrees that the data exporter

reserves the right to suspend the data transfer or terminate this Contract.

8

The data importer shall notify the data exporter promptly of any requests from administrative

or judicial authorities regarding the personal data transferred under this Contract, or if it

becomes aware of any direct access by administrative or judicial authorities to personal data

transferred pursuant to this Contract. In such a case, the data importer agrees that the data

exporter shall have the right to suspend the data transfer or terminate this Contract, depending

on the nature of the request or access.

CLAUSE 15- Non-compliance with the Contract and Termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with this

Contract, for whatever reason.

(b) In the event that the data importer is in breach of this Contract or unable to comply with this

Contract, the data exporter shall suspend the transfer of personal data to the data importer until

compliance is again ensured or the Contract is terminated. Provisions of Clause 13 and Clause

14 are reserved.

(c) The data exporter shall be entitled to terminate the co ntract, insofar as it concerns the

processing of personal data under this Contract, where:

i) the data exporter has suspended the transfer of personal data to the data importer

pursuant to paragraph (b) and compliance with this Contract is not restored wi thin a

reasonable time and, in any event, within one month of suspension,

ii) the data importer is in substantial or persistent breach of this Contract,

iii) the data importer fails to comply with the decisions of a competent court or the Board

regarding its obligations under this Contract.

In these cases, the data exporter shall inform the Board.

(d) In the event that the contract is terminated pursuant to paragraph (c), the data importer, at

the choice of the data exporter, shall either return the personal data subject to transfer together

with its backups to the data exporter or ensure the complete destruction of the personal data.

The data importer warrants that, even if there are legislative provisions that prevent it from

fulfilling this obligation, it will continue to ensure compliance with this Contract, take necessary

technical and organisational measures to safeguard the confidentiality of the personal data

subject to transfer, and continue to processin g activity only to the extent and for the duration

required by legislation. The data importer shall certify the destruction of the data for the data

exporter. Until the data is returned or completely destroyed, the data importer shall continue to

ensure compliance with this Contract.

discretion.)

[Data exporter/data importer] shall notify the Authority of this Contract within five business

days following the finalisation of all signatures.

9

This Contract shall be governed by Turkish law.

(a) Any dispute arising from this Contract shall be resolved by Turkish courts.

(b) General provisions shall apply in terms of competence.

(c) The Parties agree to submit themselves to the jurisdiction of Turkish courts.

Data Exporter:

Address:

Contact Person’s Full Name, Title and

Contact Details:

Signatory’s Full Name and Title:

Signature and Date:

Data Importer:

Address:

Contact Person’s Full Name, Title and

Contact Details:

Signatory’s Full Name, Surname and Title:

Signature and Date:

10

DESCRIPTION OF TRANSFER

Activities of the Data Exporter Regarding the Personal Data Transferred Under This

Contract

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Activities of the Data Importer Regarding the Personal Data Transferred Under This

Contract

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Group or Groups of Data Subjects

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Categories of Personal Data Transferred

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Categories of Sensitive Personal Data Transferred (if applicable)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Legal Basis for the Transfer

…………………………………………………………………………………………………

…………………………………………………………………………………………………

11

…………………………………………………………………………………………………

………………………………………………………………………………………

Frequency of the Transfer

(e.g. whether the data is transferred on a one-off or continuous basis)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Nature of the Processing Activity

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Purposes of the Data Transfer and Further Processing

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Personal Data Retention Period

(Specify the period for which the personal data will be retained. If that is not possible, provide

the criteria used to determine the retention period)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Subject Matter, Nature and Duration of the Processing for Transfers to (Sub-)

Processors

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Recipients or Recipient Groups

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Data Controller Registry Information System (VERBIS) Details of the Data Exporter

(If subject to registration obligation)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

12

TECHNICAL AND ORGANISATIONAL MEASURES

(In the event of the transfer of sensitive personal data, the technical and organisational measures

implemented for such data must be specified separately.)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

13

LIST OF SUB-PROCESSORS

The data controller has authorised the following sub-processors:

1. Name:

Address:

Contact Person’s Full Name, Title and Contact Details:

Details of the Processing Activity:

(a clear delimitation of responsibilities shall be provided in case several sub-processors are

authorised)

………………………………………………………………………………………………

………………………………………………………………………………………………

………………………………………………………………………………………………

………………………………………………………………………………………………

2. ………………………………………………………………………………………………

1

STANDARD CONTRACT - 3

FOR

THE TRANSFER OF PERSONAL DATA ABROAD

(FROM PROCESSOR TO PROCESSOR)

(a) The purpose of this standard contract is to ensure compliance with the provisions of Personal

Data Protection Law No. 6698 dated 24/3/2016 (hereinafter referred to as ‘the Law’) and the

By-Law on Procedures and Principles for the Transfer of Personal Data Abroad (hereinafter

referred to as ‘the By-Law’), which entered into force following its publication in the Official

Gazette dated 10/7/2024 and numbered 32598.

(b) The data processor transferring personal data abroad (hereinafter referred to as ‘data

exporter’) and the data processor in a foreign country receiving personal data from the data

exporter (hereinafter referred to as ‘data importer’) have agreed to this standard contract

(hereinafter referred to as ‘the Contract’).

(c) This Contract applies with respect to the transfer of personal data abroad as specified in

Annex I.

(d) The Appendix to this Contract containing the annexes (hereinafter referred to as ‘Annexes’)

forms an integral part of this Contract.

(a) This Contract sets out appropriate safeguards for the transfer of personal data abroad,

including enforceable data subject rights and effective legal remedies in the country receiving

the transfer as well, in accordance with Article 9(4) of the Law and the By-Law, provided that

no additions, deletions, or modifications are made.

(b) This Contract is without prejudice to obligations to which the data exporter is subject by

virtue of the Law, the By-Law and other relevant legislation.

(a) Data subjects may invoke the clauses of this Contract, as third -party beneficiaries, against

the data exporter and/or data importer, with the following exceptions:

i) Clause 1, Clause 2, Clause 3, and Clause 6.

ii) Clause 7.1(a), (c), (d) and Clause 7.9(a), (c), (d), (e), (f), (g).

iii) Clause 8(a), (c), (d), (e).

iv) Clause 11(a), (d), (f).

2

v) Clause 12.

(b) Paragraph (a) is without prejudice to rights of data subjects under the Law.

(a) Where this Contract uses terms that are defined in the Law, the By-Law, and other relevant

legislation, the definitions provided in the respective regulations shall apply.

(b) This Contract shall be interpreted in accordance with the Law, the By-Law, and other

relevant legislation.

(c) This Contract shall not be interpreted in a way that conflicts with rights and obligations

provided for in the Law, the By-Law, and other relevant legislation.

In the event of a contradiction between the clauses of this Contract and the provisions of other

relevant agreements between the Parties, existing at the time this Contract is agreed or entered

into thereafter, the clauses of this Contract shall prevail.

The details of the transfer of personal data abroad to be carried out under this Contract, and in

particular the categories of personal data to be transferred, the legal basis for the transfer, and

the purpose or purposes of the transfer, are specified in Annex I.

The data exporter warrants that it has used reasonable efforts to determine that the data importer

is competent, through the implementation of appropriate technical and organisational measures,

to satisfy its obligations under this Contract.

(a) The data exporter shall inform the data importer that it acts as data processor under the

instructions of the data controller/controllers , which the data exporter has notified the data

importer prior to the processing activity.

(b) The data importer shall process the personal data only on instructions from the controller,

as communicated to the data importer by the data exporter, and any additional instructions from

the data exporter. Such additional instructions shall not conflict w ith the instructions from the

controller. The controller or data exporter may give such instructions regarding the data

processing throughout the entire duration during which the data importer processes personal

data on behalf of the data exporter.

3

(c) The data importer shall immediately inform the data exporter if it is unable to follow those

instructions. Where the data importer is unable to follow the instructions given by the controller,

the data exporter shall immediately notify the controller.

(d) The data exporter warrants that the data importer will undertake the same data protection

obligations as those undertaken by the data exporter in relation to the personal data processing

activities the data exporter carries out on behalf of the controller.

The data importer shall process the personal data in a manner that is relevant, limited, and

proportionate to the purpose/purposes specified in Annex I.

If the data importer becomes aware that the personal data transferred i s inaccurate, or has

become outdated, it shall inform the data exporter without undue delay. In this case, the data

importer shall cooperate with the data exporter to destroy or rectify the personal data.

The data importer may only process personal data for the duration specified in Annex 1. After

the end of the processing activities by the data importer on behalf of the data exporter, the data

importer shall, at the choice of the data exporter, return all personal data processed on its behalf

together with its back -ups, or ensure the complete destruction of personal data. The data

importer warrants that, even if there are legislative provisions that may prevent it from fulfilling

this obligation, it will continue to ensure compliance with this Contra ct, take necessary

technical and organisational measures to safeguard the confidentiality of the personal data

subject to transfer, and continue to processing activity only to the extent and for the duration

required by legislation. Clause 13 is reserved. The data importer shall certify the destruction of

the data for the data exporter. Until the data is returned or completely destroyed , the data

importer shall continue to ensure compliance with this Contract.

On request, the data exporter shall provide a copy of this Contract, including the Annexes

completed by the Parties, to the data subject free of charge. To the extent necessary to protect

business secrets or other confidential information, including personal data, th e data exporter

may redact the Annexes included in the copy provided to the data subject and exclude certain

portions of the text. However, the data exporter shall provide a meaningful summary where the

data subject would otherwise not be able to understand its content or exercise his/her rights. On

request, the Parties shall provide the data subject with the reasons for the redactions, to the

extent possible without revealing the redacted information.

(a) The data importer and, during transmission, also the data exporter shall implement all

necessary technical and organisational measures to ensure an appropriate level of security

corresponding to the nature of personal data, aiming to prevent unlawful processing of personal

data, unlawful access to personal data, to ensure protection of personal data, and to safeguard

personal data against accidental loss, destruction or damage . In determining such measures,

they shall take due account of the state of the art, the costs of implementation, the nature, scope,

context and purposes of processing and the risks involved in the processing to the fundamental

rights and freedoms of data subjects. The data importer shall i mplement, at a minimum,

technical and organisational measures set out in Annex II while fulfilling its obligations under

4

this paragraph. The data importer shall carry out regular checks to ensure that these measures

continue to provide an appropriate level of security.

(b) The data importer shall restrict its personnel’s access to the personal data subject to the

transfer only to the extent and scope strictly necessary for carrying out the processing activities

on behalf of the controller , and ensure that such personal data can only be accessed by the

relevant personnel. The data importer shall ensure that natural persons authorised by it to access

personal data do not disclose the personal data they have learned to third parties in breach of

this Contract and do not use the data for purposes other than those for which it was processed.

(c) In the event that personal data processed by the data importer under this Contract is obtained

by others through unlawful means, the data importer shall take appropriate measures to address

the data breach and mitigate its potential adverse effects. The data importer shall also notify,

without undue delay, the data exporter and, where appropriate, the controller. Such notification

shall use the ‘Data Breach Notification Form’ determined by the Board and published on the

official website of the Personal Data Protection Authority (hereinafter referred to as ‘the

Authority’). To the extent it is not possible for the data importer to provide all the information

at the same time, it may do so in phases without undue further delay.

(d) The data import er shall cooperate with and assist the data exporter to en able the data

exporter to comply with its obligations under the Law, in particular to notify its controller , on

whose behalf it carries out processing activity, so that the controller may in turn notify the

Board and the data subjects, taking into account the nature of processing and the information

available to the data importer.

(a) The data importer shall implement specific technical and organisational measures set out in

Annex II, appropriate to the nature of the sensitive personal data.

(b) In the processing of sensitive personal data, adequate measures as determined by the Board

shall also be implemented.

(a) Personal data transferred to the data importer may be further transferred by the data importer

to a third party located abroad (in the same country as the data importer or in another country)

only with the instruction of the data exporter and under the following circumstances:

i) it is to a country benefitting from an adequacy decision pursuant to Article 9(1) of the

Law,

ii) the third party to which th e onward transfer will be made provides one of the

appropriate safeguards set out in Article 9(4) of the Law,

iii) transfer of personal data is mandatory for the establishment, exercise or protection

of any right in the context of specific administrative or judicial proceedings,

iv) transfer of personal data is necessary for the protection of life or physical integrity

of a person himself/herself or of any other person who is unable to provide consent due

to actual impossibility or whose consent is not legally valid,

(b) In any onward transfer, the data importer is obliged to comply with all the other safeguards

under this Contract, in particular the principle of relevance, limitation, and proportionality with

respect to the purposes.

5

(c) In cases where the recipients of onward transfers are identified before notification of this

Contract to the Authority, these recipients or recipient groups shall be specified in Annex I. In

the event of a change to the recipients or recipient groups of onward transfer, Annex I shall be

updated accordingly and the Authority shall be notified.

(a) The data importer shall promptly and adequately respond to enquiries from the data exporter

or the controller that relate to the processing under this Contract.

(b) The Parties shall be able to demonstrate compliance with this Contract. The data importer

is obliged to keep and maintain information, documents, and records related to the processing

activities carried out on behalf of the controller.

(c) The data importer shall provide the data exporter with all information and documents

necessary to demonstrate compliance with the obligations set out in this Contract . The data

exporter shall then forward this information to the controller.

(d) The data importer shall allow for and contribute to audits by the data exporter of the

processing activities covered by this Contract, at reasonable intervals or if there are indications

of non -compliance with this Contr act, or where the data exporter requests an audit on

instructions of the controller.

(e) Where the audit is carried out on the instructions of the controller, the data exporter shall

communicate the result of the audit to the controller.

(f) The data exporter may choose to conduct the audit by itself or mandate an independent

auditor. Audits m ay include inspections at the premises or physical facilities of the data

importer. Where appropriate, audits shall be carried out with reasonable notice.

(g) The Parties shall make the information referred to in paragraphs (b) and (c) , including the

results of the audit conducted at the data importer, available to the Board on request.

(The option selected by the Parties shall be included in the contract.)

[OPTION 1: SPECIFIC AUTHORISATION] (a) The data importer shall not sub -contract any

of its processing activities performed on behalf of the data exporter under this Contract to a

sub-processor without prior specific written authorisation of the controller. The data importer

shall submit the request for specific authorisation to the controller at least [Specify time period]

prior to the assignment of the sub-processor, together with the information necessary to enable

the controller to decide on the authorisation. The data importer shall inform the data exporter

of the engagement of sub-processor. The list of sub-processors authorised by the controller shall

be provided in Annex III. In the event of a change to sub -processors after notification of this

Contract to the Authority, Annex III shal l be updated accordingly, and the Authority shall be

notified thereof.]

[OPTION 2: GENERAL AUTHORISATION (a) The data importer may sub -contract its

processing activities performed on behalf of the data exporter under this Contract to sub -

processor(s) included in a list to which the controller has granted prior consent. The data

importer shall inform the controller in writing of any intended changes to that list through the

addition or replacement of sub -processors at least [Specify time period ] in advance, thereby

giving the controller sufficient time to be able to object to such changes prior to the engagement

of the sub -processor(s). The data importer shall provide the controller with the information

necessary to enable the controller to exercise its right to object. The data importer shall inform

the data exporter of the engagement of new sub -processors. The list of sub -processors

6

authorised by the controller shall be provided in Annex III. In the event of a change to sub -

processors after notification of this Contract to the Authority, Annex III shall be updated

accordingly, and the Authority shall be notified thereof.]

(b) Where the data importer sub -contracts its specific processing activities (on behalf of the

controller), it shall conclude a written contract with the sub-processor. The contract shall

provide for, at a minimum, the same data protection safeguards set out in this Contract,

including third-party beneficiary rights for data subjects. The Parties agree that, by concluding

such a contract, the data importer fulfils its obligations under Clause 7.8. The data importer

shall ensure that the sub-processor complies with the obligations to which the data importer is

subject pursuant to this Contract.

(c) At the request of the data exporter or controller, the data importer shall provide a copy of

such a sub-processor contract and any subsequent amendments to it to the data exporter or the

controller. To the extent necessary to protect business secrets or other confidential information,

including personal data, the data importer may redact the copy to be shared by removing the

relevant parts.

(d) The data importer shall remain fully responsible to the data exporter for the performance of

the sub-processor’s obligations under its contract with the data importer. The data importer shall

notify the data exporter of any failure by the sub -processor to fulfil its obligations under that

contract.

(e) The data importer shall agree with the sub -processor to include a third-party beneficiary

clause in the contract for the benefit of the data exporter, which grants the data exporter – in the

events such as the data importer has ceased to exist in law or has become insolvent – the right

to terminate the sub-processor contract and to instruct the sub-processor to completely destroy

or return the personal data together with its backups.

(a) The data importer shall promptly notify the data exporter and, where appropriate, the

controller of any request it has received from a data subject, without responding to that request

unless it has been authorised to do so by the controller.

(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the

controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of

their rights under the Law. In this regard, the Parties shall set out in Annex II the appropriate

technical and organisational measures, taking into account the nature of the processing activity,

by which the assistance shall be provided, as well as the scope of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with

the instructions from the controller, as communicated by the data exporter.

a) In case of a dispute between a data subject and a data importer as regards third-party

beneficiary rights under this Contract, the data subject may submit his/her requests to the data

importer regarding the matter. The data importer shall inform data subjects in a transparent and

easily accessible format, through individual notice to the data subjects or on its website, of a

contact point authorised to handle requests. The data importer shall p romptly address any

requests it receives from data subjects.

7

[Optional provision at the parties’ discretion: The data importer agrees that data subjects may

also lodge a complaint with an independent dispute resolution body at no cost to the data

subject. The data importer shall inform the data subjects, in the manner set out in paragraph (a),

of such redress mechanism and that they are not required to use it, or initially use it in seeking

redress.]

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with

this Contract, that Party shall use its best efforts to resolve the issue amicably in the shortest

time possible. The Parties shall keep each other informed about such disputes and, where

appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data

importer shall accept the right of the data subject to lodge a complaint with the Board and to

refer the dispute to the competent courts within the meaning of Clause 18.

(d) The data importer undertakes to abide by decisions that are legally binding under Turkish

law.

(e) The data importer agrees that the data subject’s use of any of the aforementioned methods

to seek redress will not prejudice any other rights the data subject may assert in accordance with

applicable legislation.

(a) Each Party shall be liable to the other Party for the damages arising from any breach of this

Contract.

(b) The data importer shall be liable to the data subject. The data subject shall be entitled to

receive compensation, for any material or non-material damages that the data importer or its

sub-processor causes the data subject by breaching the third-party beneficiary rights under this

Contract.

(c) Without prejudice to paragraph (b), the data exporter shall be liable to the data subject, and

the data subject shall be entitled to receive compensation , for any material or non -material

damages the data exporter or the data importer (or its sub-processor) causes the data subject by

breaching the third-party beneficiary rights under this Contract. This is without prejudice to the

liability of the data exporter and the controller under the Law.

(d) If the data exporter fully compensates the data subject for the damage caused by the data

importer (or its sub-processor) under paragraph (c), it reserves the right of recourse against the

other party in proportion to its fault.

(e) Where both Parties are responsible for any damage caused to the data subject as a result of

a breach of this Contract, all responsible Parties shall be severally liable and the data subject is

entitled to bring an action in court against any of these Parties.

(f) If one Party fully compensates the data subject for the damage caused under paragraph (e),

it reserves the right of recourse against the other party in proportion to its fault.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

The data importer agrees to cooperate with the Authority in any and all procedures at ensuring

compliance with this Contract, to submit itself to the jurisdiction of the Board , and to comply

8

with any decisions issued by the Board . In particular, the data importer agrees to provide the

information and documents requested by the Board concerning the subject matter of the

examination, to allow on-site examination when necessary, and to comply with the Board' s

instructions to rectify any identified violations. It shall submit to the Board information and

documents certifying the fulfilment of the instructions.

The data importer agrees, declares and undertakes that there are no national regulations or

practices in conflict with this Contract regarding the personal data to be transferred under this

Contract. In the event of changes in legislation or practices that may impact the data importer’s

ability to fulfil its obligations under this Contract during its term, the data importer shall notify

the data exporter promptly. The data exporter provides this notification to the controller. In such

a case, the data importer agrees that the data exporter reserves the right to suspend the data

transfer or terminate this Contract.

The data importer shall notify the data exporter promptly of any requests from administrative

or judicial authorities regarding the personal data transferred under this Contract, or if it

becomes aware of any direct access by such authorities to personal data transferred pursuant to

this Contract. The data exporter provides this notification to the controller. In such a case, the

data importer agrees that the data exporter shall have the right to suspend the data transfer or

terminate this Contract, depending on the nature of the request or access.

CLAUSE 15- Non-compliance with the Contract and Termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with this

Contract, for whatever reason.

(b) In the event that the data importer is in breach of this Contract or unable to comply with this

Contract, the data exporter shall suspend the transfer of personal data to the data importer until

compliance is again ensured or the Contract is terminated. Provisions of Clause 13 and Clause

14 are reserved.

(c) The data exporter shall be entitled to terminate the contract, inso far as it concerns the

processing of personal data under this Contract, where:

i) the data exporter has suspended the transfer of personal data to the data importer

pursuant to paragraph (b) and compliance with this Contract is not restored within a

reasonable time and, in any event, within one month of suspension,

ii) the data importer is in substantial or persistent breach of this Contract,

9

iii) the data importer fails to comply with the decisions of a competent court or the Board

regarding its obligations under this Contract.

In these cases, the data exporter shall inform the Board and the controller.

(d) In the event that the contract is terminated pursuant to paragraph (c), the data importer, at

the choice of the data exporter, shall either return the personal data subject to transfer together

with its backups to the data exporter or ensure the complete destruction of the personal data.

The data importer warrants that, even if there are legislative provisions that prevent it from

fulfilling this obligation, it will continue to ensure compliance with this Contract, take necessary

technical and organisational measures to safeguard the confidentiality of the personal data

subject to transfer, and continue to processing activity only to the extent and for the duration

required by legislation. The data importer shall certify the destruction of the data for the data

exporter. Until the data is returned or completely destroyed, the data importer shall continue to

ensure compliance with this Contract.

discretion.)

[Data exporter/data importer] shall notify the Authority of this Contract with in five business

days following the finalisation of all signatures.

This Contract shall be governed by Turkish law.

(a) Any dispute arising from this Contract shall be resolved by Turkish courts.

(b) General provisions shall apply in terms of competence.

(c) The Parties agree to submit themselves to the jurisdiction of Turkish courts.

Data Exporter:

Address:

Contact Person’s Full Name, Title and

Contact Details:

Signatory’s Full Name and Title:

Signature and Date:

Data Importer:

Address:

Contact Per son’s Full Name, Title and

Contact Details:

Signatory’s Full Name, Surname and Title:

Signature and Date:

10

DESCRIPTION OF TRANSFER

Activities of the Data Exporter Regarding the Personal Data Transferred Under This

Contract

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Activities of the Data Importer Regarding the Personal Data Transferred Under This

Contract

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Group or Groups of Data Subjects

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Categories of Personal Data Transferred

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Categories of Sensitive Personal Data Transferred (if applicable)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Legal Basis for the Transfer

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Frequency of the Transfer

(e.g. whether the data is transferred on a one-off or continuous basis)

11

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Nature of the Processing Activity

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Purposes of the Data Transfer and Further Processing

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Personal Data Retention Period

(Specify the period for which the personal data will be retained. If that is not possible, provide

the criteria used to determine the retention period)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Subject Matter, Nature and Duration of the Processing for Transfers to (Sub-)

Processors

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Recipients or Recipient Groups

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

12

TECHNICAL AND ORGANISATIONAL MEASURES

(In the event of the transfer of sensitive personal data, the technical and organisational measures

implemented for such data must be specified separately.)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

13

LIST OF SUB-PROCESSORS

The data controller has authorised the following sub-processors:

1. Name:

Address:

Contact Person’s Full Name, Title and Contact Details:

Details of the Processing Activity:

(a clear delimitation of responsibilities shall be provided in case several sub -processors are

authorised)

………………………………………………………………………………………………

………………………………………………………………………………………………

………………………………………………………………………………………………

………………………………………………………………………………………………

2. ………………………………………………………………………………………………

1

STANDARD CONTRACT - 4

FOR

THE TRANSFER OF PERSONAL DATA ABROAD

(FROM PROCESSOR TO CONTROLLER)

(a) The purpose of this standard contract is to ensure compliance with the provisions of Personal

Data Protection Law No. 6698 dated 24/3/2016 (hereinafter referred to as ‘ the Law’) and the

By-Law on Procedures and Principles for the Transfer of Personal Data Abroad (hereinafter

referred to as ‘the By-Law’), which entered into force following its publication in the Official

Gazette dated 10/7/2024 and numbered 32598.

(b) The data processor transferring personal data abroad (hereinafter referred to as ‘data

exporter’) and the data controller in a foreign country receiving personal data from the data

exporter (hereinafter referred to as ‘data importer ’) have agreed to this standard contract

(hereinafter referred to as ‘the Contract’).

(c) This Contract applies with respect to the transfer of personal data abroad as specified in

Annex I.

(d) The Appendix to this Contract containing the annexes (hereinafter referred to as ‘Annexes’)

forms an integral part of this Contract.

(a) This Contract sets out appropriate safeguards for the transfer of p ersonal data abroad,

including enforceable data subject rights and effective legal remedies in the country receiving

the transfer as well, in accordance with Article 9(4) of the Law and the By-Law, provided that

no additions, deletions, or modifications are made.

(b) This Contract is without prejudice to obligations to which the data exporter is subject by

virtue of the Law, the By-Law, and other relevant legislation.

(a) Data subjects may invo ke the clauses of this Contract, as third -party beneficiaries, against

the data exporter and/or data importer, with the following exceptions:

i) Clause 1, Clause 2, Clause 3, and Clause 6.

ii) Clause 7.1(b) and Clause 7.3(b).

iii) Clause 16

(b) Paragraph (a) is without prejudice to the rights of data subjects under the Law.

2

(a) Where this Contract uses terms that are defined in the Law, the By-Law, and other relevant

legislation, the definitions provided in the respective regulations shall apply.

(b) This Contract shall be interpreted in accordance with the Law, the By-Law, and other

relevant legislation.

(c) This Contract shall not be interpreted in a way that conflicts with rights and obligations

provided for in the Law, the By-Law, and other relevant legislation.

In the event of a contradiction between the clauses of this Contract and the provisions of other

relevant agreements between the Parties, existing at the time this Contract is agreed or entered

into thereafter, the clauses of this Contract shall prevail.

The details of the transfer of personal data abroad to be carried out under this Contract, and in

particular the categories of personal data to be transferred, the legal basis for the transfer, and

the purpose or purposes of the transfer, are specified in Annex I.

The data exporter warrants that it has used reasonable efforts to determine that the data importer

is competent, through the implementation of appropriate technical and organisational measures,

to satisfy its obligations under this Contract.

(a) The data exporter shall process the personal data only in accordance with the instructions

from the data importer acting as its controller for whom the data exporter carries out processing

activities.

(b) The data exporter shall immediately inform the data importer if it is unable to follow those

instructions, including if such instructions infringe the Law, the By-Law, and other relevant

legislation.

(c) The data importer shall refrain from any action that would prevent the data exporter from

fulfilling its obligations under the Law, including in the context of sub-processing or as regards

cooperation with the Personal Data Protect ion Authority (hereinafter referred to as ‘the

Authority’).

(d) After the end of data processing activities of the data exporter performed on behalf of the

data importer; the data exporter warrants that, at the choice of the data importer, it will either

return the personal data together with its backups to the data importer or ensure the complete

destruction of the personal data processed on its behalf . The data exporter shall certify the

destruction of the data for the data exporter.

3

(a) The Parties shall implement all necessary technical and organisational measures, including

during transmission, to ensure an appropriate level of security corresponding to the nature of

personal data , aiming to prevent unlawful processing of personal data, unlawful access to

personal data, to ensure the protection of personal data, and to safeguard personal data against

accidental loss, destruction or damage . In determining such measures, they shall t ake due

account of the state of the art, the costs of implementation, the nature, scope, context , and

purposes of processing and the risks involved in the processing to the fundamental rights and

freedoms of data subjects.

(b) The data exporter shall assis t the data importer in taking all technical and organisational

measures to ensure appropriate security of the personal data in accordance with paragraph (a).

In the event that the personal data processed by the data exporter under this Contract is obtained

by others through unlawful means , the data exporter shall notify the data importer without

undue delay after becoming aware of the breach and assist the data importer in taking necessary

measures to mitigate possible adverse effects of the breach.

(c) The data exporter shall ensure that natural persons authorised to access the personal data do

not disclose the personal data they have learned to third parties in breach of this Contract, and

do not use the data for any purposes other than those for which it was processed.

(a) The Parties shall be able to demonstrate compliance with this Contract.

(b) The data exporter shall make available to the data importer all information and documents

necessary to demonstrate compliance with its obligations under this Contract, and allow for and

contribute to audits.

The Parties shall assist each other in responding to the enquiries and requests made by data

subjects under the local law applicable to the data importer, or for data processing activities of

the data exporter residing in Türkiye, under the Law.

In case of a dispute between a data subject and a data importer concerning third -party

beneficiary rights under this Contract, the data subject may submit his/her requests to the data

importer regarding the matter. The data importer shall inform data subjects in a transparent and

easily accessible format, through individual notice to the data subjects or on its website, of a

contact point authorised to handle requests. The data importer shall promptly address any

requests it receives from data subjects.

[Optional provision at the parties’ discretion: The data importer agrees that data subjects may

also lodge a complaint with an independent dispute resolution body at no cost to the data

subject. The data importer shall inform the data subjects, in the manner as specified above, of

such redress mechanism and that they are not required to use it, or initially use it in seeking

redress.]

4

(a) Each Party shall be liable to the other Party for the damages arising from any breach of this

Contract.

(b) Each Party shall be liable to the data subject. The data subject shall be entitled to receive

compensation, for any material or non-material damages that the Parties cause the data subject

by breaching the third-party beneficiary rights under this Contract. This is without prejudice to

the liability of the data exporter under the Law.

(c) Where both Parties are responsible for any damage caused to the data subject as a result of

a breach of this Contract, all responsible Parties shall be severally liable, and the data subject is

entitled to bring an action in court against any of these Parties.

(d) If one Party fully compensates the data subject for the damage under paragraph (c), it

reserves the right of recourse against the other party in proportion to its fault.

(e) The data importer may not invoke the conduct of a processor or sub -processor to avoid its

own liability.

(This section shall be included in the contract where the processor, transferring data,

combines the personal data received from the controller, receiving data, with personal data

collected in Türkiye)

The data importer agrees, declares , and undertakes that there are no national regulations or

practices in conflict with this Contract regarding the personal data to be transferred under this

Contract. In the event of changes in legislation or practices that may impact the data importer’s

ability to fulfil its obligations under this Contract during its term, the data importer shall notify

the data exporter promptly, and in such a case, the data importer agrees that the data exporter

reserves the right to suspend the data transfer or terminate this Contract.

The data importer shall notify the data exporter promptly of any requests from administrative

or judicial authorities regarding the personal data transferred under this Contrac t, or if it

becomes aware of any direct access by administrative or judicial authorities to personal data

transferred pursuant to this Contract. In such a case, the data importer agrees that the data

exporter shall have the right to suspend the data transfer or terminate this Contract, depending

on the nature of the request or access.

5

CLAUSE 13- Non-Compliance with the Contract and Termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with this

Contract, for whatever reason.

(b) In the event that the data importer is in breach of this Contract or unable to comply with

this Contract, the data exporter shall suspend the transfer of personal data to the data importer

until compliance is again ensured or the Contract is terminated. Provisions of Clause 11 and

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the

processing of personal data under this Contract, where:

i) the data exporter has suspended the transfer of pers onal data to the data importer

pursuant to paragraph (b) and compliance with this Contract is not restored within a

reasonable time and, in any event, within one month of suspension,

ii) the data importer is in substantial or persistent breach of this Contract,

iii) the data importer fails to comply with the decisions of a competent court regarding

its obligations under this Contract.

In these cases, the data exporter shall inform the Personal Data Protection Board.

(d) In the event that the contract is terminated pursuant to paragraph (c), the data importer shall

completely destroy all personal data collected by the data exporter in Türkiye and transferred,

including its backups. The data importer warrants that , even if there are legislative provisions

that may prevent it from fulfilling this obligation, it will continue to ensure compliance with

this Contract , take necessary technical and organisational measures to safeguard the

confidentiality of the personal data subject to transfer, and continue to processing activity only

to the extent and for the duration required by legislation. The data importer shall certify the

destruction of the data for the data exporter. Until the data is returned or completely destroyed,

the data importer shall continue to ensure compliance with this Contract.

discretion.)

[Data exporter/data importer] shall notify the Authority of this Contract within five business

days following the finalisation of all signatures.

This Contract shall be governed by the law of ______ [specify country], which recognizes third-

party beneficiary rights.

Any dispute arising from this Contract shall be resolved by the courts of ______ [ specify

country].

6

Data Exporter:

Address:

Contact Person’s Full Name, Title and

Contact Details:

Signatory’s Full Name and Title:

Signature and Date:

Data Importer:

Address:

Contact Person’s Full Name, Title and

Contact Details:

Signatory’s Full Name, Surname and Title:

Signature and Date:

DESCRIPTION OF TRANSFER

Activities of the Data Exporter Regarding the Personal Data Transferred Under This

Contract

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Activities of the Data Importer Regarding the Personal Data Transferred Under This

Contract

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Group or Groups of Data Subjects

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Categories of Personal Data Transferred

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Categories of Sensitive Personal Data Transferred (if applicable)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

7

…………………………………………………………………………………………………

………………………………………………………………………………………

Legal Basis for the Transfer

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Frequency of the Transfer

(e.g. whether the data is transferred on a one-off or continuous basis)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Nature of the Processing Activity

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Purposes of the Data Transfer and Further Processing

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Personal Data Retention Period

(Specify the period for which the personal data will be retained. If that is not possible, provide

the criteria used to determine the retention period)

…………………………………………………………………………………………………

…………………………………………………………………………………………………

…………………………………………………………………………………………………

………………………………………………………………………………………

Communiqué on the Procedures and Principles for

Submitting Requests to the Data Controller

Purpose and Scope

principles regarding requests submitted to the data controller and the fees to be charged if the

processing involves additional costs.

Legal Basis

first paragraph of Article 22, subparagraphs (e) and (g) of the Personal Data Protection Law

No. 6698 dated March 24, 2016.

Definitions

a) Application: An application made under Article 13 of the Law,

b) Secure Electronic Signature: An electronic signature created using a secure electronic

signature creation device exclusively linked to and under the sole control of the signatory, which

verifies the signatory’s identity based on a qualified electronic certificate and enables the

detection of any subsequent alterations to the signed electronic data,

c) Data Subject: A natural person whose personal data is processed,

d) Law: Personal Data Protection Law No. 6698 dated March 24, 2016,

e) Data medium: Any medium containing personal data processed fully or partially by

automated means or by non- automated means provided that it forms part of a data recording

system,

e) Registered electronic mail (KEP) address: The qualified form of electronic mail that provides

legal evidence regarding the use of electronic messages, including their transmission and

delivery,

f) Board: The Personal Data Protection Board,

g) Authority: The Personal Data Protection Authority,

ğ) Mobile signature: An electronic signature created using a mobile device

(2) For definitions not included in this Communiqué, the definitions in the Law shall apply.

Right to File a Request

request with the data controller.

(2) Data subjects may exercise this right provided that their requests are submitted in Turkish.

Procedure for Filing a Request

specified in Article 11 of the Law to the data controller in writing or by using a registered

electronic mail (KEP) address, a secure electronic signature, a mobile signature, or an electronic

mail address previously notified by the data subject to the data controller and registered in the

data controller’s system, or through software or an application developed for the purpose of the

request.

(2) The request must include:

a) First name, last name, and, if the request is in writing, a signature,

b) For Turkish citizens, the Turkish Republic ID number; for foreigners, nationality, passport

number, or, if available, an ID number,

c) The residential or business address for service of notice,

ç) If available, the email address, telephone number, and fax number to be used for notifications,

d) The subject of the request.

(3) Relevant information and documents regarding the matter shall be attached to the

application.

(4) In written applications, the date on which the documents are served to the data controller or

their representative is the date of the application.

(5) For applications made by other methods, the date the application reaches the data controller

is the application date.

Response to the Application

technical measures to resolve applications made by the data subject under this Communiqué in

an effective, lawful, and fair manner.

(2) The data controller shall either accept the request or reject it by providing a justification.

(3) The data controller shall notify the data subject of the response in writing or electronically.

(4) The response shall include:

a) Information regarding the data controller or its representative,

b) The applicant’s: first and last name, Turkish ID number for Turkish citizens, nationality,

passport number, or ID number (if applicable) for foreigners, residential or business address for

service of process, email address (if applicable), and telephone and fax numbers,

c) The subject of the request,

d) The data controller’s explanations regarding the request.

(5) The data controller shall process the requests contained in the application free of charge

within the shortest possible time and no later than thirty days, depending on the nature of the

request. However, if the process entails additional costs, the fe e specified in Article 7 may be

charged. If the request is due to an error by the data controller, the fee collected shall be refunded

to the data subject.

(6) If the data subject’s request is accepted, the data controller shall fulfill the request as soon

as possible and inform the data subject.

Fee

charged for up to ten pages. A processing fee of 1 Turkish Lira may be charged for each page

exceeding ten pages.

(2) If the response to the request is provided on a storage medium such as a CD or flash drive,

the fee that may be charged by the data controller shall not exceed the cost of the storage

medium.

Entry into Force

Implementation

of the Personal Data Protection Authority.