Turkiye: Opened consultation on Personal Data Protection Board's Draft Document on Standard Contract for the Transfer of Personal Data Abroad From Data Processor to Data Controller

On 17 May 2024, the Personal Data Protection Board (PDPB) opened a public consultation on the draft Personal Data Protection Board's Draft Document on the Standard Contract for the Transfer of Personal Data Abroad From Data Processor to Data Controller until 27 May 2024. The contract follows the consultation on the draft regulation implementing Article 9 of the Personal Data Protection Law No. 6698, amended by Law No. 7499, which specifies the mechanisms data processors can use to transfer data to other jurisdictions. The contract focuses on a data processor transferring personal data abroad (data exporter) and a data controller receiving personal data abroad (data importer). The contract mandates the data exporter to process data only as per the data importer's instructions. Any non-compliance must be immediately reported to the data importer. Furthermore, upon termination of processing, data must be returned or destroyed and documented accordingly. In addition, necessary technical and administrative measures must be taken to ensure data security during transfer and processing. The contract further obligates both parties to demonstrate compliance with the contract, and the data exporter must provide necessary information for audits and support the audit process. In addition, both parties must assist each other in responding to data subject inquiries and requests and are liable for any damages arising from breaches of the contract. Additionally, they are jointly and severally liable to the data subject for any harm caused. If the data processor combines data received from the data controller with data obtained from Turkiye, they must notify any changes in legislation or practices that affect compliance. In addition, the data importer must notify the data exporter of any administrative or judicial authority requests, allowing the data exporter to suspend or terminate the contract. Immediate notification is required if the data importer cannot comply with the contract. Moreover, the data exporter can suspend or terminate the contract if the data importer fails to restore compliance or consistently breaches the contract. The contract is governed by Turkish law, with disputes resolved by Turkish courts.