ADDITIONAL PROTOCOL ON PROTECTION OF PERSONAL DATA
This additional protocol is drawn up together with the agreements executed by and between Inforte Bilişim Anonim Şirketi (hereinafter referred to as the “Data Controller”) and ………………………………(hereinafter referred to as the “Data Processor”) to supplement such agreements.
The Data Controller and the Data Processor shall hereinafter be referred to together as the “Parties” and individually as a “Party”.
Clause 1. The Subject of the Agreement
The subject of this protocol is the regulation of the obligations of the Data Processor about personal data in line with the Personal Data Protection Law numbered 6698 (hereinafter referred to as the “PDPL”), second-ary legislation, and the decisions by the Personal Data Protection Board.
Clause 2. Provisions about the Personal Data Protection Law numbered 6698:
i. Each of the parties agrees and undertakes that, under this Agreement, it shall process the personal data transferred between each other following the fundamental principles and conditions for processing stipulated in the PDPL numbered 6698.
ii. The data processor company shall store the personal data shared by the data controller company for the duration foreseen in the legislation and regulations, based on which such personal data is processed, and ultimately for the duration required for processing following the PDPL numbered 6698. Following the expiry of the duration specified in the relevant legislation and regulations and the cease of the purpose of processing, the data processor company shall transfer all of the personal data processed by it and destroy the originals and all back-ups thereof in all of its physical and electronic systems to the Data Controller. The procedure for such destruction shall be conducted by the data processor company and the report of destruction shall be conveyed in writing to the data controller.
iii. The data processor company shall personally undertake that its employees shall act following all the obligations in this agreement about the processing of personal data and shall receive from its employees’ undertakings that they will act following the obligations in this agreement.
iv. In case the data processor company engages a subcontractor, contractor, or other data processors about the processing of such personal data, it shall inform in writing the data controller in advance and shall undertake for such personal data that all obligations in this agreement shall be fulfilled in terms of the sub-processing of data activity and shall receive undertakings from the subcontractor, contractor or other data processor engaged by it. The data processor company, which is a party to this agreement, shall be responsible for such sub-processing of data activity in line with all provisions in this agreement.
v. The data processor company shall take the technical and administrative measures in a manner, which is outlined in PDPL numbered 6698 and ensure the security of the personal data, which it processes, and in case there is any breach of data it shall immediately notify this issue to the data controller in writing.
vi. The data processor company shall consider the data, which it processes, as confidential information and shall be obliged for an indefinite term not to disclose, not to share, not to publish, and not the process and use except for the specified purposes and periods.
vii. The data processor company accepts that the data controller company shall be entitled to conduct an audit and control the reports and procedures in respect of the processing of the relevant personal data at any time limited to the subject and scope of this agreement. The data processor company undertakes that if the data controller company determines any deficiency and/or flaw in this respect, it shall fulfill the requirements immediately.
viii. The data processor company shall be responsible for ensuring that its employees and the employees of the contractor, from which services are received under a sub-contractor relationship, procure the security of the personal data that they keep on behalf of the Data Controller company. In that respect, the data processor company accepts and undertakes that it shall be liable for the damages caused by its employees or the employees of the contractor, from which it receives services under a sub-contractor relationship and it shall immediately pay all the damages incurred by the Data Controller company in that respect in cash.
ix. The data controller company’s right to recourse to the data processor company for the legal, administrative, and criminal sanctions, with which the data controller company may encounter as a result of the violation of this agreement or the legislation in effect by the data processor company or due to reasons that are attributable to the employees, sub-contractors, contractors or business partners of the data processor company or third parties, to which the data processor company transfers personal data, is reserved. The data processor company accepts and undertakes that if the data controller company makes a claim based on these reasons, it shall indemnify the data controller company for all the direct and indirect damages suffered by the data controller company immediately, in cash and fully.
Clause 3. Other Provisions
i. All the rights and obligation of the Parties, which are not governed by this Additional Protocol, shall continue to be valid as they are governed by the Agreement and the Parties reached an agreement in this respect.
ii. The terms and conditions of the Agreement shall be valid in respect of and apply to, as they are, the matters, which are not foreseen in this Additional Protocol. This protocol has been executed by the Parties in 2 (two) copies on ……………… and entered into effect.