Turkiye: Closed consultation on Personal Data Protection Board's Draft Document on Standard Contract for the Transfer of Personal Data Abroad From Data Controller to Data Controller

On 27 May 2024, the Personal Data Protection Board (PDPB) closes the public consultation on the draft Document on the Standard Contract for the Transfer of Personal Data Abroad From Data Controller to Data Controller. The contract follows the consultation on the draft regulation implementing Article 9 of the Personal Data Protection Law No. 6698, amended by Law No. 7499, which specifies the mechanisms data processors can use to transfer data to other jurisdictions. The contract focuses on a data controller transferring personal data abroad (data exporter) and a data controller receiving personal data abroad (data importer). The contract obligates both parties to ensure that personal data is accurate and up-to-date, promptly rectifying or deleting inaccuracies. Furthermore, the data importer must retain data only as long as necessary and then delete, destroy, or anonymise it. Data subjects must be informed about the processing, including the data importer's identity, contact details, data categories, the right to obtain the contract, and any third-party transfers. In addition, both parties must implement and regularly verify measures to protect data from unlawful processing, unauthorised access, and accidental loss or damage. In the event of a data breach, the data importer must mitigate adverse effects, notify the data exporter and the Personal Data Protection Board within 72 hours, and inform affected data subjects clearly. Furthermore, transfers to third parties abroad require appropriate safeguards or explicit consent. The data importer must ensure authorised personnel process data only as instructed. In addition, both parties must demonstrate compliance, maintain records, and provide them to the Board upon request. The data importer, with the data exporter's assistance, must respond to data subject inquiries and requests within thirty days, facilitating rights like access, correction, deletion, and objection to automated decisions. Moreover, the data importer must handle data subject claims, comply with Turkish law decisions, and notify the data exporter of any legislative changes affecting compliance. The data exporter can suspend or terminate the contract if the data importer cannot comply. Upon termination, the data importer must return or destroy the data. The contract is governed by Turkish law, with disputes resolved by Turkish courts.