Turkiye: Closed consultation on Personal Data Protection Board's Draft Document on Standard Contract for the Transfer of Personal Data Abroad From Data Controller to Data Processor

On 27 May 2024, the Personal Data Protection Board (PDPB) closes the public consultation on the draft Document on the Standard Contract for the Transfer of Personal Data Abroad From Data Controller to Data Processor. The contract follows the consultation on the draft regulation implementing Article 9 of the Personal Data Protection Law No. 6698, amended by Law No. 7499, which specifies the mechanisms data processors can use to transfer data to other jurisdictions. The contract focuses on a data controller transferring personal data abroad (data exporter) and a data processor receiving personal data abroad (data importer). The contract mandates data importers to process personal data only as instructed by the data exporter, ensuring relevance, accuracy, and timely updates. Data shall be retained only for the specified duration, after which it must be returned or destroyed. Furthermore, the contract obligates both parties to implement appropriate technical and administrative measures to protect data from unauthorised access, loss, or damage. The data importer must notify the data exporter and authorities of any breaches and ensure that sub-processors adhere to similar security standards. In addition, data subjects can assert their rights under the contract, with mechanisms for resolving disputes and seeking compensation for damages due to contract breaches. Additionally, the contract obligates the data importer to agree to cooperate with Turkish authorities, provide necessary information, and allow inspections to verify compliance. Non-compliance by the data importer can lead to suspension or termination of data transfers. The contract is governed by Turkish law, with disputes resolved by Turkish courts.