March 2025 – The Personal Data Protection Authority (“DPA”) issued an announcement on February 6, 2025, outlining key considerations for the preparation and signing processes of Standard Contracts (“SCC”) to address common errors encountered in practice.
According to the announcement, SCC must be prepared in compliance with the specified requirements and submitted to the DPA within five business days after signing. It was emphasized that SCCs failing to meet these criteria will not be considered valid.
Following the review of Standard Contracts submitted to the DPA the key considerations to be considered have been identified as follows:
Signature requirement: The SCC must be signed by the data transfer parties or their authorized representatives. If any signature is missing, the SCC will be deemed invalid.
Compliance with signature regulations: The signatures must comply with the signature provisions set forth under Turkish Code of Obligations. In this context, the rules is that that signatures be affixed by the parties either in handwritten form or using a secure electronic signature.
Language requirements: If the SCC is drafted in a foreign language, both the data exporter and the data importer must sign the Turkish version. If the contract is bilingual in a dual-column format, both parties must sign the Turkish text column.
Authority verification: Documents proving that the signatories are authorized to sign on behalf of the parties (e.g., signature circular, authorization letter) must be submitted to DPA. If these documents do not list the signatories' names, the SCC will be considered invalid.
Accuracy of party information: The names of the contracting parties must be complete and consistent across the SCC and supporting documents.
Notification deadline: The SCC must be submitted to DPA within five business days after all signatures are completed, either physically, via Registered Electronic Mail (KEP), or through the Standard Contract Notification Module.
Clarity of contact information: The SCC must clearly specify the addresses, contact points, and names of signatories.
Complete document notification: The SCC must be fully included in the notification, ensuring no pages are missing.
Foreign official documents: If official documents from foreign authorities are submitted, apostille certification or authentication by the relevant country’s authorities may be required.
Translation requirement: Any foreign language document must be submitted along with a notarized Turkish translation.
No retroactive effect: The SCC must not include a statement for retroactive effective dates, even if signatures were completed at a later date.
No unauthorized modifications: Parties can only modify optional or alternative clauses stipulated in the SCC texts, but cannot add, remove, or alter the contract text beyond what is published by DPA.
Failure to comply with these requirements may result in the SCC being deemed invalid or rejected by the DPA.