SECTION ONE General Provisions Article 1 – Purpose and Scope (a) The purpose of this standard contract is to ensure compliance with the provisions of the Law on the Protection of Personal Data No. 6698 dated 24 March 2016 (hereinafter referred to as the “Law”) and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, which entered into force following its publication in the Official Gazette dated 10 July 2024 and numbered 32598 (hereinafter referred to as the “Regulation”), during the transfer of personal data abroad. (b) The data controller transferring personal data abroad (hereinafter referred to as the “data exporter”) and the data controller located abroad receiving personal data from the data exporter (hereinafter referred to as the “data importer”) accept this standard contract (hereinafter referred to as the “Contract”). (c) This Contract shall apply with respect to the transfer of personal data abroad, the details of which are provided in Annex I. (d) The annexes to this Contract (hereinafter referred to as the “Annexes”) constitute an integral part of this Contract. Article 2 – Effect and Invariability of the Contract (a) Provided that no additions, removals, or amendments are made, this Contract provides for appropriate safeguards for the transfer of personal data abroad, including the ability of the data subject to exercise their rights and access effective legal remedies in the recipient country, as stipulated in Article 9(4) of the Law and the Regulation. (b) This Contract shall not prejudice the obligations of the data exporter under the Law, the Regulation, or any other applicable legislation. Article 3 – Third-Party Beneficiary Rights (a) Data subjects may invoke the provisions of this Contract against the data exporter and/or the data importer as third-party beneficiaries, except in the following cases: i. Articles 1, 2, 3, and 6; ii. Articles 7.5(e) and 7.9(b); iii. Articles 10(a) and 10(d); iv. Article 11. (b) Paragraph (a) shall not prejudice the rights of data subjects under the Law. Article 4 – Interpretation (a) When terms defined in the Law, the Regulation, or other relevant legislation are used in this Contract, the definitions as set out in such legislation shall apply. (b) This Contract shall be interpreted in accordance with the Law, the Regulation, and other relevant legislation. (c) This Contract shall not be interpreted in a manner that contradicts the rights and obligations set out in the Law, the Regulation, or other relevant legislation. Article 5 – Rule of Conflict In the event of a conflict between the provisions of this Contract and any other agreements existing between the Parties on the date of acceptance of this Contract or which come into effect thereafter, the provisions of this Contract shall prevail. Article 6 – Details of the Transfer The categories of personal data to be transferred, the legal basis for the transfer, and the purpose(s) of the transfer under this Contract are set out in Annex I. SECTION TWO Obligations of the Parties Article 7 – Safeguards for the Protection of Personal Data The data exporter undertakes to make reasonable efforts to determine that the data importer has the capacity to fulfill its obligations under this Contract by implementing appropriate technical and organizational measures. Article 7.1 – Data Must Be Relevant, Limited and Proportional to Purpose The data importer shall process personal data only in connection with, and limited to, the purpose(s) specified in Annex I. Article 7.2 – Accuracy and Keeping Data Up to Date (a) Each Party shall ensure that the personal data are accurate and, where necessary, kept up to date. Taking into account the purpose(s) of processing, the data importer shall take reasonable steps, without delay, to erase or rectify inaccurate personal data. (b) If either Party becomes aware that transferred personal data are inaccurate or outdated, it shall inform the other Party without delay. Article 7.3 – Storage Limitation The data importer shall retain the personal data only for as long as necessary for the purposes for which they are processed. To fulfill this obligation, the data importer shall take all necessary technical and organizational measures to erase, destroy, or anonymize the personal data and all backups. Article 7.4 – Information Obligation (a) The data importer shall, either directly or through the data exporter, inform the data subjects in a manner that allows them to effectively exercise their rights under Article 8, including: i. The identity and contact details of the data importer; ii. The categories of personal data being processed; iii. The right to obtain a copy of this Contract; iv. In cases where personal data may be transferred to third parties, information regarding the recipients or recipient categories, the purpose of such further transfers, and the legal basis in accordance with Article 7.7. (b) Upon request, the Parties shall provide a copy of this Contract, including the completed Annexes, to the data subject free of charge. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Parties may redact parts of the Annexes shared with the data subject. However, if such redaction would render the content incomprehensible or prevent the data subject from exercising their rights, the Parties shall provide a meaningful summary. Upon request, the Parties shall explain the reasons for any redactions, without disclosing the redacted content. (c) The data exporter’s obligations under Article 10 of the Law and the Communiqué on the Procedures and Principles to Be Followed in Fulfilling the Obligation to Inform, published in the Official Gazette dated 10 March 2018 and numbered 30356, shall remain unaffected. Article 7.5 – Data Security (a) During the transfer and at the recipient side, the data exporter and data importer shall implement all necessary technical and organizational measures appropriate to the nature of the personal data to: Prevent unlawful processing, Prevent unauthorized access, Ensure data retention, Prevent accidental loss, destruction, or damage. In determining such measures, the Parties shall consider technological capabilities, implementation costs, the nature, scope, context, and purposes of processing, as well as the potential risks to the fundamental rights and freedoms of the data subjects. (b) The Parties agree to implement the technical and organizational measures specified in Annex II. The data importer shall regularly verify that these measures continue to provide an adequate level of protection. (c) The data importer shall ensure that any natural persons authorized to access the personal data do not disclose such data to third parties or use them for purposes other than those specified in this Contract. (d) In the event of unlawful access or acquisition of the personal data by third parties, the data importer shall take all necessary measures to mitigate any adverse effects of such a data breach. (e) In the event of a data breach, the data importer shall notify the data exporter and the Personal Data Protection Board (hereinafter “the Board”) without undue delay and at the latest within 72 hours. Such notification shall be made using the “Data Breach Notification Form” published on the official website of the Personal Data Protection Authority (hereinafter “the Authority”). If it is not possible to provide all required information at once, it shall be submitted in phases without delay. (f) In the event of a personal data breach, the data importer shall also notify the affected data subjects. Such notification must be clear and understandable, and shall at minimum include: i. The date of the breach; ii. Categories of personal data affected, distinguishing between general and special categories; iii. Potential consequences of the breach; iv. Measures taken or suggested to reduce the negative effects; v. Contact information of persons or entities available to provide additional information, such as the website or call center of the data importer. (g) The data importer shall keep records of all information related to the breach, its effects, and the remedial measures taken, and shall make such records available for inspection by the Board. Article 7.6 – Special Categories of Personal Data (a) The data importer shall implement additional technical and organizational measures appropriate to the sensitive nature of special categories of personal data. (b) The processing of special categories of personal data shall also be subject to the adequate safeguards determined by the Board. Article 7.7 – Onward Transfers (a) The personal data transferred to the data importer may only be transferred by the data importer to a third party located abroad (in the same country or another country) under the following conditions: i. The onward transfer is to a country for which an adequacy decision has been issued under Article 9(1) of the Law. ii. The third-party recipient ensures one of the appropriate safeguards stipulated in Article 9(4) of the Law. iii. The transfer is necessary for the establishment, exercise, or defense of a legal claim in the context of specific administrative or judicial proceedings. iv. The transfer is necessary to protect the life or physical integrity of the data subject or another person where the data subject is incapable of giving consent due to physical impossibility or lacks legal validity to provide consent. v. In the absence of the above, the data subject's explicit consent is obtained by the data importer after informing them about the purpose(s) of the transfer, the identity of the recipient, and the risks due to the absence of appropriate safeguards. The data importer shall notify the data exporter and provide a copy of the information shared with the data subject upon request. (b) In any onward transfer, the data importer shall comply with all safeguards under this Contract, especially the principles of purpose limitation, data minimization, and proportionality. (c) If the recipients or categories of recipients of any onward transfer are known before this Contract is notified to the Authority, they shall be listed in Annex I. After such notification, if there are any changes in recipients or categories of recipients, Annex I shall be updated and the Authority shall be notified accordingly. Article 7.8 – Processing Under the Authority of the Data Importer The data importer shall ensure that any persons operating under its authority, including processors, process personal data only in accordance with its instructions and solely for the purposes specified by the data importer. Article 7.9 – Documentation and Compliance (a) Each Party shall be able to demonstrate compliance with its obligations under this Contract. The data importer shall keep and maintain records, documents, and evidence related to the processing activities carried out under its responsibility. (b) The data importer shall, upon request, provide such documentation to the Board. Article 8 – Rights of the Data Subject (a) The data importer, with assistance from the data exporter where necessary, shall respond to any questions or requests from the data subject regarding the processing of their personal data and the exercise of their rights under this Contract within thirty days from receipt. The data importer shall take appropriate measures to respond to such questions or requests and to facilitate the exercise of data subject rights. Any information provided to the data subject shall be clear, easily accessible, and written in plain and intelligible language. (b) The data subject may contact the data importer and, in particular, exercise the following rights: i. To learn whether their personal data are being processed; ii. If processed, to request information about such processing and to obtain a copy of the information contained in Annex I; iii. To learn the purpose of processing and whether the data are used in accordance with that purpose; iv. To be informed about third-party recipients of the data and the legal basis of any onward transfers under Article 7.7; v. To request rectification of personal data that are incomplete or inaccurate; vi. To request the deletion or destruction of personal data in accordance with Article 7.3; vii. To request notification of the actions taken under items (v) and (vi) to third parties to whom the data were transferred; viii. To object to decisions made solely through automated processing that produce legal or similarly significant effects; ix. To request compensation for damages incurred due to the unlawful processing of personal data in violation of this Contract. (c) The data importer shall either accept or reject the request and provide its response to the data subject in writing or electronically, explaining the reason in case of rejection. The response shall include information on the data subject’s right to file a complaint with the Board under Article 9(c). If the request is accepted, the data importer shall fulfill the necessary actions. (d) The data importer shall respond to the data subject’s request free of charge. However, if the request incurs additional costs, the data importer may charge a fee based on the tariff determined by the Board. If the costs arise due to the data importer’s fault, the fee shall be refunded to the data subject. Article 9 – Legal Remedies (a) In the event of a dispute between the data subject and the data importer regarding the third-party beneficiary rights under this Agreement, the data subject may submit their claims to the data importer. The data importer shall inform data subjects of a point of contact, authorized to handle such claims, either personally or by publishing it on its website in a transparent and easily accessible format. The data importer shall address the data subjects’ claims without undue delay. [Optional clause depending on parties' preference: The data importer agrees that data subjects may also file complaints free of charge with an independent dispute resolution body. The data importer shall inform data subjects of the existence of such redress mechanisms and clarify that using or preferring such mechanisms is not mandatory.] (b) If a dispute arises between the data subject and one of the Parties concerning the compliance with this Agreement, the respective Party shall use its best efforts to resolve the issue amicably and as swiftly as possible. The Parties shall inform each other of such disputes and cooperate where appropriate to resolve them. (c) Where a data subject exercises a third-party beneficiary right under Article 3, the data importer accepts that the data subject may file a complaint with the Board (KVKK) and may bring the matter before the competent courts pursuant to Article 17. (d) The data importer agrees to comply with any binding decisions under Turkish law. (e) The data importer acknowledges that the data subject's use of the above redress mechanisms does not prejudice any other rights or remedies available under applicable legislation. Article 10 – Liability (a) Each Party shall be liable to the other Party for any damages resulting from any breach of this Agreement. (b) Each Party shall also be liable to the data subject. The data subject shall have the right to obtain compensation for any material or non-material damages caused by a violation of third-party beneficiary rights under this Agreement. This does not prejudice the data exporter’s liability under the Law. (c) If both Parties are responsible for the same damage suffered by the data subject due to a breach of this Agreement, they shall be jointly and severally liable, and the data subject shall be entitled to bring a claim against either Party. (d) If one Party fully compensates the data subject, that Party shall have the right to claim back from the other Party the share of the compensation corresponding to that other Party’s responsibility. (e) The data importer cannot escape liability by claiming that the data processor or sub-processor was at fault. Article 11 – Audits The data importer agrees to cooperate with the Authority (KVKK) in all matters related to the enforcement of this Agreement and submits to the jurisdiction of the Board. In particular, the data importer agrees to provide any requested information and documentation during the Board’s review, to facilitate on-site inspections if necessary, and to comply with any corrective instructions issued by the Board. The data importer shall provide evidence to the Board proving that the instructions have been fulfilled. ARTICLE 12 – National Laws and Practices Affecting Contract Compliance The data importer declares, represents, and undertakes that there is no national regulation or practice contrary to this Agreement regarding the personal data to be transferred under this Agreement. In the event of a legislative or practice change that may affect the data importer’s ability to fulfill its commitments under this Agreement during the term of the Agreement, the data importer shall promptly notify the data exporter. In such a case, the data exporter shall have the right to suspend the data transfer or terminate this Agreement. ARTICLE 13 – Obligations of the Data Importer in Case of Access by Public Authorities The data importer shall immediately notify the data exporter in the event of any request from an administrative or judicial authority concerning the personal data transferred under this Agreement or in the event the data importer becomes aware of direct access by any such authority to the personal data. In such a case, the data exporter shall have the right to suspend the data transfer or terminate this Agreement, depending on the nature of the request or access. CHAPTER FOUR Final Provisions ARTICLE 14 – Non-Compliance and Termination (a) The data importer shall immediately inform the data exporter if, for any reason, it is unable to comply with this Agreement. (b) In the event of the data importer’s breach of this Agreement or inability to comply, the data exporter shall suspend the transfer of personal data to the data importer until compliance is re-established or the Agreement is terminated. Articles 12 and 13 remain unaffected. (c) The data exporter shall have the right to terminate this Agreement regarding the processing of personal data under the following conditions: i) If compliance is not re-established within a reasonable period, and in any case within one month following the suspension of data transfer under paragraph (b), ii) If the data importer significantly or continuously breaches this Agreement, iii) If the data importer fails to comply with the decisions of the competent court or the Board regarding its obligations under this Agreement. In these cases, the data exporter shall inform the Board. (d) Upon termination of this Agreement under paragraph (c), the data importer shall, at the discretion of the data exporter, return the transferred personal data and all backups to the data exporter or completely destroy them. Even if legislation prevents the data importer from fulfilling this obligation, the data importer shall continue to comply with this Agreement, take the necessary technical and administrative measures to ensure the confidentiality of the transferred personal data, and process such data only to the extent and for the duration required by law. The data importer shall certify the destruction of the data to the data exporter. The data importer shall continue to comply with this Agreement until the data is either returned or destroyed. ARTICLE 15 – Notification to the Authority The data importer shall notify the Authority of this Agreement within five business days after its signature. ARTICLE 16 – Governing Law This Agreement shall be governed by the laws of the Republic of Türkiye. ARTICLE 17 – Competent Courts (a) Any dispute arising out of this Agreement shall be resolved by Turkish courts. (b) General provisions regarding jurisdiction and competence shall apply. (c) The Parties agree to recognize the jurisdiction of Turkish courts