Turkiye: Adopted Personal Data Protection Board's Document on Standard Contract for the Transfer of Personal Data Abroad From Data Processor to Data Processor

On 10 July 2024, the Personal Data Protection Board (PDPB) adopted the Document on the Standard Contract for the Transfer of Personal Data Abroad From Data Processor to Data Processor. The contract follows the adoption of regulation implementing Article 9 of the Personal Data Protection Law No. 6698, amended by Law No. 7499, which specifies the mechanisms data processors can use to transfer data to other jurisdictions. The contract focuses on a data processor transferring personal data abroad (data exporter) and a data processor receiving personal data abroad (data importer). The contract mandates that data must be accurate and kept up-to-date. Inaccuracies should be corrected or deleted promptly. Furthermore, the contract obligates both parties to implement and regularly verify technical and administrative measures to protect data against unauthorised access and breaches. In case of a data breach, the data importer must notify the data exporter and the relevant authority within 72 hours and take measures to mitigate adverse effects. In addition, data subjects must be informed about data processing activities, their rights to access, correct, or delete data, and how to object to processing. Data processors must facilitate these rights. Moreover, data should only be retained for as long as necessary for processing purposes and must be deleted, destroyed, or anonymised afterwards. The contract further mentions that a data importer can only delegate processing to sub-processors with prior specific or general authorisation from the data controller and must ensure that sub-processors comply with the same obligations. In addition, both parties must maintain records demonstrating compliance, respond to audits, and provide necessary documentation to the data exporter or relevant authorities. Each party is liable for damages resulting from breaches of the contract, with provisions for joint liability and the right to recover damages from the other party based on their fault. The data importer must cooperate with the Turkish Data Protection Authority, comply with its decisions, and facilitate inspections and audits. Upon contract termination, the data importer must return or destroy all personal data and ensure continued compliance with confidentiality obligations. The data importer must also notify the data exporter of any legal changes affecting compliance and report any requests for data access by public authorities. The contract is governed by Turkish law, with disputes resolved by Turkish courts.