News Detail

APPLICATION OF STANDARD CONTRACTS FOR TRANSFERRING DATA ABROAD

As known, the transfer of personal data abroad has been regulated and provided a more systematic and monitorable framework through the amendments made to Article 9 of the Personal Data Protection Law No. 6698 ("KVKK") in Türkiye and secondary regulations related to these changes. Significant regulations regarding the transfer of data abroad have been introduced with the "Regulation on Procedures and Principles for Transferring Personal Data Abroad" ("Regulation"). Given the recent developments, the absence of an announced list of countries providing adequate protection by the Authority and the complexity of alternative measures such as binding corporate rules (“BCR”), non-binding international agreements, and undertakings compared to standard contracts, standard contracts have become a more accessible and practical solution for transferring personal data abroad. Therefore, this article focuses closely on standard contracts and their application.

Pursuant to the fifth paragraph of Article 9 of the Law, standard contracts must be reported to the Personal Data Protection Authority (“Authority”) within five business days following their signing. Moreover, the fifth paragraph of Article 14 of the Regulation stipulates that these notifications can be submitted physically, via registered electronic mail (“KEP”) addresses, or through other methods determined by the Board.

On July 10, 2024, the Authority published standard contract texts for various data flow scenarios. According to Article 14/3 of the Regulation, the draft text of the standard contract published by the Authority must be used without any alterations. If the standard contract is also executed in a foreign language, the Turkish version takes precedence as determined by the Authority.

In this context, with the Personal Data Protection Board’s decision dated October 17, 2024, numbered 2024/1793, the "Standard Contract Notification Module" was introduced to enable data controllers and data processors to fulfill their notification obligations faster and more efficiently.

A. Data Flow Scenarios for Standard Contracts

Under KVKK, standard contracts are prepared in different forms based on the roles of the parties in the data flow and the type of data transfer. These contracts are designed according to the following data flow scenarios:

1-From Data Controller to Data Controller

This type of contract is used when a data controller transfers personal data to another data controller located abroad.

2-From Data Controller to Data Processor

When a data controller transfers personal data to a data processor abroad (e.g., a service provider), this type of contract is prepared.

3-From Data Processor to Data Processor

This contract is used when a data processor transfers data to another data processor abroad (e.g., a subcontractor).

4-From Data Processor to Data Controller

When a data processor transfers data to a data controller located abroad, this type of contract is utilized.


On July 10, 2024, the Authority released the standard contract texts, binding corporate rules application forms, and guides containing essential elements for transferring personal data abroad. These documents are accessible via
the announcement on the Authority's official website. This development aims to simplify the compliance of data controllers and processors with legal requirements in their data transfer processes abroad.

B. How to Use the Module?

As mentioned in the Board’s decision dated October 17, 2024, numbered 2024/1793, the "Standard Contract Notification Module" was introduced to help data controllers and processors fulfill their notification obligations regarding personal data transfers abroad more quickly, efficiently, and reliably.

The Guide provides information on how to:

  1. Create an Account and Log In:
  2. Add Authorized Persons:
    • Authorized persons should be added to the system. These individuals are responsible for uploading contracts.
    • Their information and authorization documents must be entered accurately.
  3. Add Contracts:
    • Select "Contracts" from the left menu to upload a new contract.
    • Party information, roles, the date of signing, and the contract file must be uploaded to the system.
  4. Notification and Submission:
    • Uploaded contracts can be reported to the Personal Data Protection Authority via the "Send to the Authority" option.
    • Once the notification is completed, the contract is reviewed.

This innovation increases transparency in the processes of transferring personal data abroad while enabling the Authority to track notifications more effectively. Interested parties can refer to the Guide published on the Authority's website for detailed information.