Providing appropriate safeguards with a commitment letter
(1) Appropriate safeguards for the protection of personal data may be provided through provisions included in a written commitment letter to be concluded between the parties involved in the transfer.
(2) The provisions related to the protection of personal data in the commitment letter shall specifically include the following:
- a) The purpose, scope, nature, and legal basis of the personal data transfer;
- b) Definitions of key concepts in accordance with the Law and relevant legislation;
- c) A commitment to comply with the general principles specified in Article 4 of the Law;
- ç) Procedures and principles for informing data subjects about the commitment letter and the personal data transfer to be made under its scope;
- d) A commitment to ensure that data subjects whose personal data has been transferred can exercise their rights as specified in Article 11 of the Law, and procedures and principles regarding the requests to be made for the use of these rights;
- e) A commitment to implement all necessary technical and organisational measures to ensure appropriate level of security;
- f) A commitment to implement adequate measures as determined by the Board for the transfer of sensitive data;
- g) Restrictions on the onward transfers of personal data;
- ğ) A redress mechanism available to data subjects in the event of a breach of the commitment letter;
- h) A commitment by the data importer to comply with the Board’s decisions and opinions regarding the processing of personal data subject to the transfer;
- ı) A provision stating that there is no national regulation that will cause the data importer to fail to comply with the commitment letter, and a commitment to notify the data exporter as soon as possible of any potential legislative changes that may lead to such a failure, and in such a case the data exporter shall have the right to suspend the data transfer and terminate the commitment letter;
- i) A provision confirming that if the data importer fails to ensure compliance with the commitment letter, the data exporter shall have the right to suspend the data transfer and terminate the commitment letter;
- j) A commitment that if the commitment letter is terminated or its term expires, the data importer shall, at the choice of the data exporter, either return the personal data with its backups to the data exporter or completely destroy the personal data;
- k) A commitment confirming that the commitment letter is subject to Turkish law and, in case of a dispute, Turkish courts shall have jurisdiction, and that the data importer agrees to recognise the jurisdiction of Turkish courts.
(3) To transfer personal data abroad based on the commitment letter, data exporter shall apply to the Board for permission. As part of the application, the commitment text and any other information and documents necessary for the Board’s evaluation shall be submitted to the Board. If the commitment is also concluded in a foreign language, the Turkish text shall prevail. The transfer of personal data may only commence after the Board has granted permission.