The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad Has Been Published
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad Has Been Published
A. INTRODUCTION
Law No. 7499 on Amendments to the Code of Criminal Procedure and Certain Laws ("Law No. 7499"), which contains the long-awaited and needed amendments to the Law No. 6698 on the Protection of Personal Data (“PDP Law”), was published in the Official Gazette dated 12 March 2024 and numbered 32487. This law was published in the Official Gazette dated March 12, 2024, and numbered 32487. The Amending Law introduced significant amendments on the conditions for processing special categories of personal data, the transfer of personal data abroad, and the competent courts for appeals against decisions of the Personal Data Protection Board (“Board”), aiming to align with the European Union General Data Protection Regulation (“GDPR”).
With Article 34 of Law No. 7499, Article 9 of the PDP Law, which regulates the transfer of data abroad, has been substantially amended and it has been stated that the procedures and principles regarding the implementation of the new version of the article will be regulated by a regulation to be issued later. In this context, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (‘Regulation’) prepared by the Board entered into force after being published in the Official Gazette dated 10 July 2024 and numbered 32598.
B. GENERAL OVERVIEW OF THE AMENDMENTS ON DATA TRANSFER ABROAD
In the first version of Art. 9 of the PDP Law, for the transfer of personal data abroad, it was required that (i) the explicit consent of the data subject or (ii) one of the exceptions listed in Art. 5/2 and Art. 6/3 of Article 5/2 and n. 6/3 of the PDP Law and the country to be transferred must be one of the countries deemed safe by the Board, or if it is not one of the countries deemed safe, the transfer must be authorised by the Board. However, the fact that the safe countries were not published by the Board and the Board's authorisation process was long and cumbersome made it almost impossible to transfer personal data abroad without the explicit consent of the data subject. Law No. 7499 introduced important amendments to Article 9 of the PDP Law to facilitate the transfer of personal data abroad in order to eliminate the problems caused by this situation in commercial life.
According to the final version of Article 9 of the PDP Law amended by Law No. 7499, personal data may be transferred abroad based on one of the following situations;
The existence of a qualification decision issued by the Board on the country, sectors within the country or international organisations to which the transfer will be made,
Provision of one of the following appropriate assurances, existence of an agreement that is not an international convention and authorisation of the transfer by the Board,
Adoption of binding corporate rules, approved by the Board, to be complied with by companies within the group of undertakings engaged in joint economic activity,
Signing the standard contract announced by the Board,
Existence of a written undertaking containing provisions to ensure adequate protection and authorisation of the transfer by the Board,
The transfer of data abroad temporarily for a single or several times under the conditions specified in the law.
The Regulation stipulates detailed regulations to explain the implementation of the said provisions regarding the transfer of personal data abroad.
C. REGULATIONS ON TRANSFER ABROAD
In Article 6 of the Regulation, in parallel with Article 9 of the PDP Law, the procedures for transfer abroad are divided into three as (i) Transfer Based on Qualification Decision, (ii) Transfer Based on Appropriate Assurances and (iii) Exceptional Transfers, and detailed regulations regarding each procedure are provided in the following articles (Article 8 and following).
Before going into the details of these regulations, it should be noted that the existence of one of the conditions specified in Articles 5 and 6 of the KVK Law is required as a prerequisite for the transfer based on the qualification decision and transfer based on appropriate assurances. Articles 5 and 6 of the PDP Law regulate the general processing conditions of personal data and sensitive personal data. As transfer abroad is also a data processing activity, this transfer must also comply with the basic data processing conditions.
1. Transfer Based on Qualification Decision
Pursuant to Article 9/1 of the PDP Law and Article 8 of the Regulation, the Board may make an qualification decision not only on countries, but also on one or more sectors or international organisations within the country, unlike the safe country practice in the previous regulation. Therefore, in the event that there is no qualification decision on the country to be transferred, it is possible to issue a qualification decision only for one or more sectors within that country and the scope of the article has been expanded.
Prior Law No. 7499, the fact that the safe country list was never announced by the Board did not allow the transfer of data abroad based on this data transfer situation. In the new version of Article 9 of the PDP Law, no obligation has been imposed on the Board to take the qualification decision within a certain period of time, but it is stated that the qualification decision will be evaluated every four years at the latest (Art. 9). The Regulation largely repeats Article 9 of the PDP Law in this regard. In order to avoid a partial repetition of the problems caused by the non-disclosure of the safe country list in the period prior to the amendment, it will be important to announce the qualification decision on certain countries, sectors and international organisations that are important for the commercial life in Turkey as soon as possible.
2. Transfers Based on Appropriate Assurances
As mentioned above, in the absence of an qualification decision, the transfer of personal data abroad is permitted based on any of the appropriate assurances listed in Art. 9/4. The Regulation regulates the details of the application of these situations specified in Article 9/4 of the PDP Law.
2.1. Agreement that is not an International Convention
The first of the transfer based on appropriate assurances is the provision of appropriate assurances through agreements that do not constitute international agreements between public institutions and organisations in Turkey and professional organisations in the nature of public institutions and public institutions and organisations in foreign countries or international organisations (Art. 9/4(a) of the PDP Law and Art. 11 of the Regulation). In order to be able to transfer abroad based on an agreement that is not an international agreement, the Board's opinion must be obtained during the negotiation process of the agreement and an authorisation application must be made to the Board after the agreement is signed by the data transferor. The matters to be included in the agreement are regulated in detail in Article 11/3 of the Regulation.
2.2. Existence of Binding Corporate Rules
Binding corporate rules are texts that are used for the transfer of personal data abroad for multinational group companies and provide a written commitment of appropriate assurance. Prior to Law No. 7499, the Board, with an announcement text, accepted the use of binding corporate rules as one of the methods of data transfer abroad in order to provide practicality, even though it is not regulated in the PDP Law1. In this context, the Board prepared an Application Form and an Auxiliary Document Regarding the Basic Issues to be included in Binding Corporate Rules and shared it with the public.
With the amendment made by Law No. 7499, binding corporate rules have been codified as one of the situations of transfer based on appropriate assurance (Art. 9/4(b) of the PDP Law). Accordingly, appropriate assurance can be provided through binding corporate rules for the protection of personal data that companies within the group of undertakings engaged in common economic activities are obliged to comply with.
Binding corporate rules must be submitted to and approved by the Board. Data may be transferred abroad only after the binding corporate rules are approved by the Board (Art. 12/4 of the Regulation). In other words, in the presence of binding corporate rules approved by the Board, the transfer of personal data from the companies of a multinational group of companies in Turkey to their companies in foreign countries may be carried out without any further authorisation from the Board. The minimum content of the binding corporate rules is regulated in detail in Article 13 of the Regulation. In addition, on the same day the Regulation was published in the Official Gazette, the Board published on its website the application forms for binding corporate rules for data controllers and data processors and the auxiliary guidelines on the basic issues that should be included in these rules2
2.3. Provision of Appropriate Assurance by Standard Contract
Law No. 7499, one of the most important amendments regarding data transfer abroad is the authorisation of data transfer abroad based on the standard contract published by the Board. This procedure recognised in the GDPR constitutes one of the most intensively applied data transfer methods in EU countries. This opportunity introduced by Law No. 7499 in line with the GDPR is expected to facilitate the legitimate data transfers required by commercial life.
In this procedure, the details of which are regulated under Art. 14 of the Regulation, data may be transferred abroad without obtaining any other permission/pre-approval by using the standard contract text announced by the Board. Although the prior approval/permission of the Board is not stipulated as a condition for the transfer based on standard contracts, the obligation to notify the Personal Data Protection Authority (‘Authority’) within five business days following the signing of the standard contract has been introduced (Art. 5 of the PDP Law, Art. 14/5 of the Regulation). The sanction for non-compliance with the notification obligation is stipulated in the 5th paragraph added to Article 9. According to this paragraph, those who fail to fulfil the notification obligation may be subject to administrative fines from 50.000-TL (Turkish Lira) to 1.000.000-TL. Similarly, after the signing of the standard contract, the change of the parties to the contract, the change of the content of the contract by the parties and the termination of the contract must also be notified to the Authority (Art. 14/8 of the Regulation).
On 10.07.2024, the Board finalised the binding corporate rules and standard contract texts previously shared with the public with the ‘Public Announcement on Documents Regarding Standard Contracts and Binding Corporate Rules’. Four different standard contracts to be used in the transfer from data controller to data controller, from data controller to data processor, from data processor to data processor and from data processor to data controller were shared with the public3.
2.4. Providing Appropriate Assurance with a Letter of Undertaking
The letter of undertaking procedure, which existed in the first version of Article 9 of the PDP Law, has been reorganised and retained by Law No. 7499. Accordingly, in the presence of a written undertaking containing provisions containing appropriate assurances for the protection of personal data, data may be transferred abroad provided that the Board's authorisation is obtained. If the Board approves the letter of undertaking upon application and grants permission, data may be transferred abroad. Although the transfer based on a letter of undertaking was also available in the previous regulatory period, it should be noted that the permissions granted by the Board were limited in number and were not frequently preferred in practice.
3. Exceptional Transfers
Another important amendment introduced by Law No. 7499 is the regulation of data transfer in exceptional situations that are not regular, occur only once or a few times, are not continuous and are not in the ordinary course of business. Accordingly, personal data may be transferred abroad under the conditions determined, provided that it is exceptional in situations where there is no adequacy decision and appropriate assurances. In the preamble of the amendment, an example of an exceptional transfer is given as “a company in Turkey sharing with a company abroad the information regarding its employees who will be in contact with the addressee company in terms of the commercial activity it intends to carry out incidentally”.
The exceptional situations of transfer listed in Article 16 of the Regulation are as follows:
Explicit consent to the transfer, provided that the person concerned is informed about the possible risks,
The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject,
The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject,
The transfer is necessary for an overriding public interest,
The transfer of personal data is mandatory for the establishment, exercise or protection of a right,
The transfer of personal data is mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
As can be seen, transfer based on explicit consent is only possible in exceptional situations, provided that the data subject is informed about the possible risks. In this way, with Law No. 7499, an important transition has been made from the general freedom of transfer based on explicit consent to the freedom of transfer based on explicit consent in exceptional situations.
In addition, it is expected that the regulation on exceptional situations, which will be applied in the absence of appropriate assurances and qualification decision, will be interpreted narrowly. The regulation on exceptional situations will be clarified by the Board decisions.
D. CONCLUSION
Law No. 7499 introduced significant changes in the procedure for transferring personal data abroad, and the procedures and principles regarding the implementation of these changes are regulated by the Regulation.
Pursuant to the provisional article 3 added to the KVK Law, the first paragraph of the first version of Article 9 will continue to be applied until 01.09.2024 with the amended version of the article. In this context, until 01.09.2024, the old regulations regarding the transfer abroad and the new regulations introduced by Law No. 7499 will continue to be applied together. After this date, data transfer abroad will be required to comply with the provisions of Law No. 7499 and the Regulation. In this context, data controllers who currently transfer data abroad will need to take various steps for compliance, including reviewing the transfer procedures, revising the disclosure and explicit consent texts.
With the amendments, it is aimed to provide solutions to the problems encountered in practice regarding the transfer of data abroad, and the provisions regarding the transfer of data abroad have been harmonised with the GDPR. Within the scope of the new regulation, three different data transfer mechanisms have been regulated: adequacy decision, appropriate assurances and exceptional situations. It is estimated that transfer procedures based on standard contract and binding corporate rules, which are regulated as transfer based on appropriate assurances, will be preferred more frequently in practice.
For further information and support, please contact us at info@lbfpartners.com.
LBF Partners
Footnotes
1. Bkz. https://www.kvkk.gov.tr/Icerik/6728/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-BAGLAYICI-SIRKET- KURALLARI-HAKKINDA-DUYURU (Erişim Tarihi: 10.07.2024).
2. Bkz. https://kvkk.gov.tr/Icerik/7938/Standart-Sozlesmeler-ve-Baglayici-Sirket-Kurallarina-Iliskin-Dokumanlar- Hakkinda- Kamuoyu-Duyurusu (Erişim Tarihi: 10.07.2024).
3. Bkz: https://www.kvkk.gov.tr/Icerik/7938/Standart-Sozlesmeler-ve-Baglayici-Sirket-Kurallarina-Iliskin-Dokumanlar- Hakkinda-Kamuoyu-Duyurusu (Erişim Tarihi: 10.07.2024).
A. INTRODUCTION
Law No. 7499 on Amendments to the Code of Criminal Procedure and Certain Laws ("Law No. 7499"), which contains the long-awaited and needed amendments to the Law No. 6698 on the Protection of Personal Data (“PDP Law”), was published in the Official Gazette dated 12 March 2024 and numbered 32487. This law was published in the Official Gazette dated March 12, 2024, and numbered 32487. The Amending Law introduced significant amendments on the conditions for processing special categories of personal data, the transfer of personal data abroad, and the competent courts for appeals against decisions of the Personal Data Protection Board (“Board”), aiming to align with the European Union General Data Protection Regulation (“GDPR”).
With Article 34 of Law No. 7499, Article 9 of the PDP Law, which regulates the transfer of data abroad, has been substantially amended and it has been stated that the procedures and principles regarding the implementation of the new version of the article will be regulated by a regulation to be issued later. In this context, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (‘Regulation’) prepared by the Board entered into force after being published in the Official Gazette dated 10 July 2024 and numbered 32598.
B. GENERAL OVERVIEW OF THE AMENDMENTS ON DATA TRANSFER ABROAD
In the first version of Art. 9 of the PDP Law, for the transfer of personal data abroad, it was required that (i) the explicit consent of the data subject or (ii) one of the exceptions listed in Art. 5/2 and Art. 6/3 of Article 5/2 and n. 6/3 of the PDP Law and the country to be transferred must be one of the countries deemed safe by the Board, or if it is not one of the countries deemed safe, the transfer must be authorised by the Board. However, the fact that the safe countries were not published by the Board and the Board's authorisation process was long and cumbersome made it almost impossible to transfer personal data abroad without the explicit consent of the data subject. Law No. 7499 introduced important amendments to Article 9 of the PDP Law to facilitate the transfer of personal data abroad in order to eliminate the problems caused by this situation in commercial life.
According to the final version of Article 9 of the PDP Law amended by Law No. 7499, personal data may be transferred abroad based on one of the following situations;
The existence of a qualification decision issued by the Board on the country, sectors within the country or international organisations to which the transfer will be made,
Provision of one of the following appropriate assurances, existence of an agreement that is not an international convention and authorisation of the transfer by the Board,
Adoption of binding corporate rules, approved by the Board, to be complied with by companies within the group of undertakings engaged in joint economic activity,
Signing the standard contract announced by the Board,
Existence of a written undertaking containing provisions to ensure adequate protection and authorisation of the transfer by the Board,
The transfer of data abroad temporarily for a single or several times under the conditions specified in the law.
The Regulation stipulates detailed regulations to explain the implementation of the said provisions regarding the transfer of personal data abroad.
C. REGULATIONS ON TRANSFER ABROAD
In Article 6 of the Regulation, in parallel with Article 9 of the PDP Law, the procedures for transfer abroad are divided into three as (i) Transfer Based on Qualification Decision, (ii) Transfer Based on Appropriate Assurances and (iii) Exceptional Transfers, and detailed regulations regarding each procedure are provided in the following articles (Article 8 and following).
Before going into the details of these regulations, it should be noted that the existence of one of the conditions specified in Articles 5 and 6 of the KVK Law is required as a prerequisite for the transfer based on the qualification decision and transfer based on appropriate assurances. Articles 5 and 6 of the PDP Law regulate the general processing conditions of personal data and sensitive personal data. As transfer abroad is also a data processing activity, this transfer must also comply with the basic data processing conditions.
1. Transfer Based on Qualification Decision
Pursuant to Article 9/1 of the PDP Law and Article 8 of the Regulation, the Board may make an qualification decision not only on countries, but also on one or more sectors or international organisations within the country, unlike the safe country practice in the previous regulation. Therefore, in the event that there is no qualification decision on the country to be transferred, it is possible to issue a qualification decision only for one or more sectors within that country and the scope of the article has been expanded.
Prior Law No. 7499, the fact that the safe country list was never announced by the Board did not allow the transfer of data abroad based on this data transfer situation. In the new version of Article 9 of the PDP Law, no obligation has been imposed on the Board to take the qualification decision within a certain period of time, but it is stated that the qualification decision will be evaluated every four years at the latest (Art. 9). The Regulation largely repeats Article 9 of the PDP Law in this regard. In order to avoid a partial repetition of the problems caused by the non-disclosure of the safe country list in the period prior to the amendment, it will be important to announce the qualification decision on certain countries, sectors and international organisations that are important for the commercial life in Turkey as soon as possible.
2. Transfers Based on Appropriate Assurances
As mentioned above, in the absence of an qualification decision, the transfer of personal data abroad is permitted based on any of the appropriate assurances listed in Art. 9/4. The Regulation regulates the details of the application of these situations specified in Article 9/4 of the PDP Law.
2.1. Agreement that is not an International Convention
The first of the transfer based on appropriate assurances is the provision of appropriate assurances through agreements that do not constitute international agreements between public institutions and organisations in Turkey and professional organisations in the nature of public institutions and public institutions and organisations in foreign countries or international organisations (Art. 9/4(a) of the PDP Law and Art. 11 of the Regulation). In order to be able to transfer abroad based on an agreement that is not an international agreement, the Board's opinion must be obtained during the negotiation process of the agreement and an authorisation application must be made to the Board after the agreement is signed by the data transferor. The matters to be included in the agreement are regulated in detail in Article 11/3 of the Regulation.
2.2. Existence of Binding Corporate Rules
Binding corporate rules are texts that are used for the transfer of personal data abroad for multinational group companies and provide a written commitment of appropriate assurance. Prior to Law No. 7499, the Board, with an announcement text, accepted the use of binding corporate rules as one of the methods of data transfer abroad in order to provide practicality, even though it is not regulated in the PDP Law1. In this context, the Board prepared an Application Form and an Auxiliary Document Regarding the Basic Issues to be included in Binding Corporate Rules and shared it with the public.
With the amendment made by Law No. 7499, binding corporate rules have been codified as one of the situations of transfer based on appropriate assurance (Art. 9/4(b) of the PDP Law). Accordingly, appropriate assurance can be provided through binding corporate rules for the protection of personal data that companies within the group of undertakings engaged in common economic activities are obliged to comply with.
Binding corporate rules must be submitted to and approved by the Board. Data may be transferred abroad only after the binding corporate rules are approved by the Board (Art. 12/4 of the Regulation). In other words, in the presence of binding corporate rules approved by the Board, the transfer of personal data from the companies of a multinational group of companies in Turkey to their companies in foreign countries may be carried out without any further authorisation from the Board. The minimum content of the binding corporate rules is regulated in detail in Article 13 of the Regulation. In addition, on the same day the Regulation was published in the Official Gazette, the Board published on its website the application forms for binding corporate rules for data controllers and data processors and the auxiliary guidelines on the basic issues that should be included in these rules2
2.3. Provision of Appropriate Assurance by Standard Contract
Law No. 7499, one of the most important amendments regarding data transfer abroad is the authorisation of data transfer abroad based on the standard contract published by the Board. This procedure recognised in the GDPR constitutes one of the most intensively applied data transfer methods in EU countries. This opportunity introduced by Law No. 7499 in line with the GDPR is expected to facilitate the legitimate data transfers required by commercial life.
In this procedure, the details of which are regulated under Art. 14 of the Regulation, data may be transferred abroad without obtaining any other permission/pre-approval by using the standard contract text announced by the Board. Although the prior approval/permission of the Board is not stipulated as a condition for the transfer based on standard contracts, the obligation to notify the Personal Data Protection Authority (‘Authority’) within five business days following the signing of the standard contract has been introduced (Art. 5 of the PDP Law, Art. 14/5 of the Regulation). The sanction for non-compliance with the notification obligation is stipulated in the 5th paragraph added to Article 9. According to this paragraph, those who fail to fulfil the notification obligation may be subject to administrative fines from 50.000-TL (Turkish Lira) to 1.000.000-TL. Similarly, after the signing of the standard contract, the change of the parties to the contract, the change of the content of the contract by the parties and the termination of the contract must also be notified to the Authority (Art. 14/8 of the Regulation).
On 10.07.2024, the Board finalised the binding corporate rules and standard contract texts previously shared with the public with the ‘Public Announcement on Documents Regarding Standard Contracts and Binding Corporate Rules’. Four different standard contracts to be used in the transfer from data controller to data controller, from data controller to data processor, from data processor to data processor and from data processor to data controller were shared with the public3.
2.4. Providing Appropriate Assurance with a Letter of Undertaking
The letter of undertaking procedure, which existed in the first version of Article 9 of the PDP Law, has been reorganised and retained by Law No. 7499. Accordingly, in the presence of a written undertaking containing provisions containing appropriate assurances for the protection of personal data, data may be transferred abroad provided that the Board's authorisation is obtained. If the Board approves the letter of undertaking upon application and grants permission, data may be transferred abroad. Although the transfer based on a letter of undertaking was also available in the previous regulatory period, it should be noted that the permissions granted by the Board were limited in number and were not frequently preferred in practice.
3. Exceptional Transfers
Another important amendment introduced by Law No. 7499 is the regulation of data transfer in exceptional situations that are not regular, occur only once or a few times, are not continuous and are not in the ordinary course of business. Accordingly, personal data may be transferred abroad under the conditions determined, provided that it is exceptional in situations where there is no adequacy decision and appropriate assurances. In the preamble of the amendment, an example of an exceptional transfer is given as “a company in Turkey sharing with a company abroad the information regarding its employees who will be in contact with the addressee company in terms of the commercial activity it intends to carry out incidentally”.
The exceptional situations of transfer listed in Article 16 of the Regulation are as follows:
Explicit consent to the transfer, provided that the person concerned is informed about the possible risks,
The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject,
The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject,
The transfer is necessary for an overriding public interest,
The transfer of personal data is mandatory for the establishment, exercise or protection of a right,
The transfer of personal data is mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
As can be seen, transfer based on explicit consent is only possible in exceptional situations, provided that the data subject is informed about the possible risks. In this way, with Law No. 7499, an important transition has been made from the general freedom of transfer based on explicit consent to the freedom of transfer based on explicit consent in exceptional situations.
In addition, it is expected that the regulation on exceptional situations, which will be applied in the absence of appropriate assurances and qualification decision, will be interpreted narrowly. The regulation on exceptional situations will be clarified by the Board decisions.
D. CONCLUSION
Law No. 7499 introduced significant changes in the procedure for transferring personal data abroad, and the procedures and principles regarding the implementation of these changes are regulated by the Regulation.
Pursuant to the provisional article 3 added to the KVK Law, the first paragraph of the first version of Article 9 will continue to be applied until 01.09.2024 with the amended version of the article. In this context, until 01.09.2024, the old regulations regarding the transfer abroad and the new regulations introduced by Law No. 7499 will continue to be applied together. After this date, data transfer abroad will be required to comply with the provisions of Law No. 7499 and the Regulation. In this context, data controllers who currently transfer data abroad will need to take various steps for compliance, including reviewing the transfer procedures, revising the disclosure and explicit consent texts.
With the amendments, it is aimed to provide solutions to the problems encountered in practice regarding the transfer of data abroad, and the provisions regarding the transfer of data abroad have been harmonised with the GDPR. Within the scope of the new regulation, three different data transfer mechanisms have been regulated: adequacy decision, appropriate assurances and exceptional situations. It is estimated that transfer procedures based on standard contract and binding corporate rules, which are regulated as transfer based on appropriate assurances, will be preferred more frequently in practice.
For further information and support, please contact us at info@lbfpartners.com.
LBF Partners
Footnotes
1. Bkz. https://www.kvkk.gov.tr/Icerik/6728/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-BAGLAYICI-SIRKET- KURALLARI-HAKKINDA-DUYURU (Erişim Tarihi: 10.07.2024).
2. Bkz. https://kvkk.gov.tr/Icerik/7938/Standart-Sozlesmeler-ve-Baglayici-Sirket-Kurallarina-Iliskin-Dokumanlar- Hakkinda- Kamuoyu-Duyurusu (Erişim Tarihi: 10.07.2024).
3. Bkz: https://www.kvkk.gov.tr/Icerik/7938/Standart-Sozlesmeler-ve-Baglayici-Sirket-Kurallarina-Iliskin-Dokumanlar- Hakkinda-Kamuoyu-Duyurusu (Erişim Tarihi: 10.07.2024).
k.bas@lbfpartners.com