Key Issues to be Considered in Standard Contracts

On February 5, 2025, the Turkish Data Protection Authority (“Authority”) issued the Public Announcement on Matters to be Considered in Standard Contracts for the Transfer of Personal Data Abroad (“Announcement”). The Announcement follows significant amendments made under the Turkish Data Protection Law No. 6698 (“DPL”) in 2024, where novel cross-border personal data transfer regimes are introduced, including the standard contracts (“SCCs”). In addition, the Regulation on Procedures and Principles on the Transfer of Personal Data Abroad (“Regulation”) and the Guidelines on the Transfer of Personal Data Abroad have been published by the authority, providing the details on the novel rules on cross-border data transfers.

Subsequently, the Authority published the Announcement to offer resolutions to any lingering questions, where the following issues are determined:

Signature Requirements

Article 14/4 of the Regulation foresees that the SCCs must be concluded between the parties of a transfer, where the signatories of the SCCs must be duly authorized to represent the parties and sign on their behalf. In this regard, it is stipulated that the SCCs may only be concluded between a data exporter and a data importer and therefore cannot be executed on a multilateral basis.

In this regard, the Announcements states that all signatures must adhere to the relevant provisions of the Turkish Code of Obligations Law No. 6098, where a wet signature is required for the execution of a written contract. The Announcement further underlines that in the absence of valid signatures from one or both parties, the SCCs will be deemed invalid.

Notification Process and Timing

Pursuant to Article 14/5 of the Regulation, the SCCs must be notified to the DPA (i) physically, (ii) via registered electronic mail address (KEP) or (iii) via the online module within 5 business days of the finalization of its signatures. In this regard, the Announcement states that the signature dates must be clearly indicated under the SCCs, to verify that the notification is made within the required time frame.

Additionally, the Announcements states that key details of the parties, including their addresses, contact points, and the names of the signatories must be explicitly stated under the SCCs.

Language Specifications

While Article 14/3 of the Regulation foresees that Turkish text of the SCCs will prevail, in cases where the SCCs are concluded in a foreign language; the Announcement highlights that the parties must also sign the Turkish text. Similarly, when the SCCs are formatted in a dual-column layout (with Turkish alongside another language), it is mandatory that both parties’ signatures appear in the column containing the Turkish text.

Submission of Supporting Documents

In line with Article 14/6 of the Regulation, the Announcement underlines that the documents supporting the authority of the signatories, with the notarized translation of any foreign documents, must be notified to the Authority with the SCCs. Accordingly, if such supporting documents do not list the names of the signatories, the SCCs will be considered to have been executed by unauthorized individuals and, consequently, will be deemed invalid. In addition, the Announcement requires the names of the parties stated in the SCCs to exactly match those in the supporting documents.

Handling Foreign Official Documents

In cases where notifications include official documents issued by foreign authorities, the authenticity of these documents need to be verified. According to the Announcements, for official documents from countries that are party to the Foreign Official Documents Authentication Exemption Agreement, the presence of an apostille annotation is sufficient for the verification. However, for documents issued by countries that are neither party to the said Agreement nor eligible for any exemption, the documents must be fully authenticated by the respective foreign authorities before submission.

Limitation on Modifications

The Announcement highlights the parties are only allowed to modify the optional or alternative clauses included in the SCCs. Accordingly, the SCCs published by the Authority are deemed to provide adequate safeguards for cross-border data transfers and no further additions, deletions, or modifications should be made to the texts.

Moreover, it is underlined that the SCCs must not include any clauses that would imply the SCCs take effect retroactively, even if the signatures are completed at a later date.

Authors: Burak Ozdagistanli , Begüm Alara ?ahinkaya , Ceren Ely?ld?r?m