Providing appropriate safeguards with non-international agreements
(1) Appropriate safeguards may be provided by provisions to be inserted into agreements, not classified as an international convention, for the transfer of personal data between public institutions and organisations, or professional organisations with public institution status in Türkiye, and public institutions, organisations, or international organisations abroad. The agreement shall be concluded between the parties to the personal data transfer.
(2) The Board’s opinion shall be sought during the negotiation process of the agreement.
(3) The provisions on personal data protection included in the agreement shall specifically address the following:
- a) The purpose, scope, nature, and legal basis of the personal data transfer;
- b) Definitions of key concepts in accordance with the Law and relevant legislation;
- c) A commitment to comply with the general principles outlined in Article 4 of the Law,
- ç) Procedures and principles for providing information to data subjects about the agreement and the personal data transfer to be carried out under that agreement;
- d) A commitment to ensure that data subjects whose personal data has been transferred can exercise their rights as specified in Article 11 of the Law, and procedures and principles regarding the requests to be made for the use of these rights;
- e) A commitment to implement all necessary technical and organisational measures to ensure appropriate level of security;
- f) A commitment to implement adequate measures as determined by the Board for the transfer of sensitive data;
- g) Restrictions on the onward transfer of personal data; ğ) A redress mechanism available to data subjects in the event of a breach of the data protection provisions to be included in the agreement;
- h) An auditing mechanism to ensure compliance with the data protection provisions to be included the agreement;
- ı) A provision granting the data exporter the right to suspend the data transfer and terminate the agreement if the data importer cannot comply with the data protection provisions to be included in the agreement;
- i) A commitment from the data importer, upon termination or expiration of the agreement, to either return the personal data transferred, including all backups, to the data exporter or to completely destroy such data, at the choice of the data exporter;
(4) To transfer the personal data abroad based on the agreement, the data exporter shall apply to the Board for permission. As part of the application, the final version of the agreement text and any other information and documents necessary for the Board’s evaluation shall be submitted to the Board. The transfer of personal data may only commence after the Board has granted the permission.