18 November 2024
Standard Contract Notification Obligation and Penalties
×
Significant amendments to Law No. 6698 on the Protection of Personal Data ("KVKK") regarding the transfer of personal data abroad were introduced through Law No. 7499, published in the Official Gazette dated March 12, 2024, No. 32487. Additionally, the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad ("By-Law") was published in the Official Gazette dated July 10, 2024, No. 32598 and entered into force.
These developments establish clear procedures and principles for the transfer of personal data abroad, a topic that has sparked considerable debate. Under Article 9 of the KVKK and the By-Law, standard contracts have become one of the primary tools for data transfers abroad. Previously, transfers based on explicit consent under the KVKK were deemed valid until September 1, 2024, after which such transfers without alternative safeguards would no longer be permissible. As a result, data controllers and processors must ensure compliance with the recent legislation amendments.
Standard contracts outline the obligations of the parties involved in data transfers and are defined by the Personal Data Protection Board. These contracts are intended to provide adequate safeguards between data controllers and data processors.
The standard contracts published by the Board are available on the official website of the Personal Data Protection Authority in both Turkish and English. However, as per the By-Law, the Turkish version will prevail in case of discrepancies. The contracts must specify the categories of personal data transferred, purposes of the transfer, recipient groups, and the technical and administrative measures implemented by the recipient. Additionally, for special categories of personal data (e.g., health data, association membership), further protective measures must be included. Data controllers are expected to identify such data and incorporate relevant details into the standard contracts.
It is important to note that modifications to standard contracts are not permitted. If the Authority determines that changes have been made or the contracts have not been duly signed by authorized representatives, it may initiate an investigation ex officio.
Standard contracts must be submitted to the Authority within 5 (five) business days of signing. Notifications can be made through: (i) physical submission, (ii) KEP (Registered Electronic Mail), or (iii) other methods designated by the Board. On October 25, 2024, the Board announced the launch of the Standard Contract Notification Module, which enables submissions via an online interface.
In conclusion, following these legal amendments, data controllers and processors must comply with the detailed conditions outlined in the By-Law for the transfer of personal data abroad. Non-compliance with the notification requirements for international data transfers may result in administrative fines ranging from 50,000 TRY to 1,000,000 TRY in 2024.
You can access the standard contracts announced by the board here.
You can find frequently asked questions and answers about standard contracts here.
You can access our professional consultancy services here to ensure legal compliance in your company's standard contract processes.
Should you have any queries or need further details, please contact us.
Notification!
