CONFIDENTIALITY AND PERSONAL DATA PROCESSING AGREEMENT
Parties
This Agreement (“Agreement”) is entered into between Teknetatili Turizm Ticaret Limited Şirketi (“Company”), established and operating under the laws of the Republic of Turkey, with its registered headquarters at Şirinyalı Mah. İsmet Gökçen Cad. Çakırbey İş Merkezi C2 Blok No:12/Z1 Muratpaşa/ANTALYA, and […] (“…”), established and operating under the laws of the Republic of Turkey, with its registered headquarters at […].
Each of the above is separately referred to as a “Party” and collectively as the “Parties.”
Purpose
The Parties have signed this Agreement to ensure that all transactions, activities, actions, works, and services carried out within the scope of their commercial/business relationship (“BUSINESS”), which was initiated by the contract entitled […] dated […] and continued to date or planned to be established hereafter, are performed in compliance with the obligations under Law No. 6698 on the Protection of Personal Data (“KVKK”) and its secondary legislation, and to ensure the confidentiality of the information that the Parties will acquire about each other.
Definitions
In this Agreement, the following terms shall have the meanings set forth below:
- Receiving Party: The Party to whom Personal Data is transferred.
- Disclosing Party: The Party that discloses Confidential Information or from whom Confidential Information was obtained.
- Receiving Entity: The Party that receives or otherwise acquires Confidential Information.
- Confidential Information: All documents, data, correspondence, commercial books, records, copies, equipment, techniques, processes, methods, concepts, know-how, studies, findings, inventions, formulas, recipes, methods, ideas, works, systems, patents, copyrights, applications, source codes, software, intellectual and industrial property rights, trademarks, projects, designs, sketches, photographs, plans, drawings, equipment, samples, reports, price lists, ongoing developments, processes, marketing plans, product and service plans, technical plans, business strategies, strategic alliances and related information regarding partners, financial information, personnel information, customer lists, specifications, identity of potential or actual customers, supplier information, statistical information, any innovations, as well as all related technical and/or commercial information, trade secrets, and all other information belonging to the Disclosing Party, its suppliers, affiliates, group companies, or any third parties it has business relations with, including their employees, relevant stakeholders, and customers. For the avoidance of doubt, (i) publicly known information and (ii) information required to be disclosed by applicable laws, regulations, or court orders shall not be considered Confidential Information.
- Relevant Person: The natural person to whom Personal Data relates.
- KVKK: Law No. 6698 on the Protection of Personal Data.
- KVK Legislation: KVKK, regulations issued pursuant to KVKK, notifications, decisions of the Board, commitments, and other relevant legislation regarding Personal Data.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Personal Data Processing: Any operation or set of operations performed on Personal Data in whole or in part by automated or non-automated means, including collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, taking over, making accessible, classification, or prevention of use.
- Authority: Personal Data Protection Authority.
- Board: Personal Data Protection Board.
- Special Categories of Personal Data: Data concerning race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
- Disclosing Party: The Party sharing Personal Data.
- Guidelines: All guiding and informative guidelines published or to be published by the Board on its website (https://www.kvkk.gov.tr/) explaining the provisions of the relevant legislation and the requirements for personal data processing.
- Representatives: All partners, employees, agents, consultants, translators, representatives, directors, shareholders, board members, professional advisors, and similarly connected natural or legal persons and organizations of each Party.
- Data Breach: Unauthorized access to processed Personal Data by others.
- Data Processor: The natural or legal person that processes, hosts, stores, or otherwise handles Personal Data on behalf of the Data Controller under their authorization.
- Data Controller: The natural or legal person that determines the purposes and means of processing Personal Data and establishes and manages the data recording system.
Nature and Scope of the Agreement
This Agreement is a complementary annex to all contracts that have been or will be concluded between the Parties. Regardless of whether contracts under negotiation are subsequently signed, the provisions of this Agreement shall apply during the negotiation stages and all phases of the ongoing commercial relations. If there is any previously agreed or customary arrangement on personal data security and confidentiality that contradicts this Agreement, the provisions of this Agreement shall prevail.
Any Personal Data and Confidential Information exchanged between the Parties, whether verbally, in writing, electronically, or via system integration before the execution of this Agreement, shall be evaluated under the scope of this Agreement.
Confidentiality Provisions
In this Agreement, the Parties may act as either Receiving Party or Disclosing Party depending on the nature of the BUSINESS, and they may be subject to the obligations applicable to both Receiving Party and Disclosing Party.
The Receiving Party shall use and store all Confidential Information in a confidential manner and only for purposes related to the BUSINESS.
All proprietary, financial, and other rights and disposal authority, including intellectual and industrial property rights, over the Disclosing Party’s Confidential Information belong to the Disclosing Party under applicable intellectual and industrial property legislation, Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, and any other relevant legislation.
The Receiving Party shall act in accordance with confidentiality principles and shall not use, disclose, distribute, or transfer any Confidential Information in any way outside the scope of the Parties’ collaboration.
The Receiving Party is obliged to take and continuously maintain all necessary and reasonable administrative and technical security measures to store Confidential Information.
Without the Disclosing Party’s written consent, the Receiving Party shall not reproduce all or any part of the Confidential Information. All copies of such information shall remain the property of the Disclosing Party, and all copyrights, ownership, and other rights on those copies belong to the Disclosing Party. The Disclosing Party may, at any time, request in writing that the Receiving Party remove all copies of Confidential Information from any magnetic medium (and any copies thereof, if any) and confirm in writing that such information has been irrevocably destroyed.
The Receiving Party shall not disclose or transfer any Confidential Information obtained through its work with the Disclosing Party to any third parties in any manner. In case of mandatory disclosure to legally authorized administrative or judicial authorities under applicable law, the Receiving Party shall notify the Disclosing Party in writing immediately prior to such disclosure and act in coordination with the Disclosing Party.
All obligations and responsibilities of the Receiving Party concerning Confidential Information under this Agreement, as well as the rights and authorities of the Disclosing Party, shall continue indefinitely even after the termination of the relationship between the Parties.
If the Receiving Party discloses Confidential Information in violation of this Agreement, it shall be liable to compensate the Disclosing Party for all direct and indirect losses, including lost profits. Payment of compensation shall not relieve the Receiving Party of its continuing confidentiality obligations under this Agreement.
Upon termination of the relationship between the Parties or upon request by the Disclosing Party during the term of this Agreement, all materials containing Confidential Information shall be immediately returned to the Disclosing Party. Confidential Information that cannot be returned shall be destroyed by the Receiving Party.
The Receiving Party’s Representatives shall, during their employment or engagement and after their separation, comply with all confidentiality obligations set forth in this Agreement. They shall be jointly and severally liable with the Receiving Party for any damages arising from their breach, and the Receiving Party shall take all possible legal and practical measures to ensure compliance.
Provisions on the Processing of Personal Data
In this Agreement, depending on the nature of their relationship and BUSINESS, the Parties may act as Data Controller or Data Processor.
The Parties undertake to comply with KVKK, its Guidelines, and the provisions of this Agreement at every stage of Personal Data sharing.
The Company’s data existence notice for […] (i) if […] is a natural person, concerning the processing of his/her Personal Data, and (ii) regardless of whether […] is a natural or legal person, concerning the processing of his/her employees’/authorized persons’ Personal Data, is attached as Annex-1. […] undertakes that (i) if […] is a natural person, the notice in Annex-1 has been provided to him/her, and (ii) it will provide its employees and authorized persons with the Annex-1 notice on behalf of the Company.
Provisions Regarding Data Controller–Data Processor Relationships
When the Data Controller transfers Personal Data to the Data Processor, the Data Controller represents that the Personal Data transferred have been collected in compliance with KVKK. When the Data Processor collects or processes Personal Data on behalf of the Data Controller, the Data Controller acknowledges that the Personal Data processing/collection process to be performed by the Data Processor under its instructions is in compliance with KVKK.
If the Data Processor receives any notification, complaint, official letter, or notice from Relevant Persons, legal or administrative authorities, or any information indicating that the relevant Personal Data processing process is unlawful, it shall immediately inform the Data Controller.
The Data Processor shall process the Personal Data it receives from the Data Controller or on behalf of the Data Controller or collects from Relevant Persons or other sources strictly within the scope of the instructions, for the purposes defined by the Data Controller, and in compliance with law, KVKK, and Guidelines. The Data Processor shall not transfer Personal Data abroad or host them abroad without the Data Controller’s instruction or consent. It shall not allow unauthorized access by its personnel or sub-processors. The Data Processor will take all technical and administrative measures to ensure the security and confidentiality of Personal Data, including training and informing its employees and suppliers, restricting access rights, logging access and processing activities, and periodically auditing security measures, ensuring that the Personal Data shared with it are stored at least as securely as its own data.
The Data Processor undertakes to implement all technical and administrative measures required by KVKK, especially Article 12, to ensure data security. Otherwise, it shall be liable for all damages arising from non-compliance with the relevant legislation.
The Data Processor accepts that it is fully responsible to the Data Controller for any failure by its sub-processors and Representatives to comply with the commitments under this Agreement. Representatives, employees, subcontractors, or other personnel who process Personal Data on behalf of the Data Processor shall have their access rights defined in compliance with KVKK. The Data Processor shall ensure that these individuals do not share accessed information, passwords, or methods used for access with anyone. The Data Processor shall inform them about their obligations under KVKK. Even if they leave their positions after the signing of this Agreement, they shall continue to comply with the obligations stipulated herein.
The Data Processor shall respond in writing as soon as possible to any written question or request from the Data Controller. The Data Processor agrees to permit the Data Controller to conduct on-site or remote inspections to audit the security and preservation conditions of the Personal Data processed by the Data Processor. During these audits, the Data Controller may check the conditions under which the Personal Data are processed and stored; it can prepare a report, share its findings with the Data Processor, and instruct the Data Processor in writing to remedy any deficiencies, charging audit costs to the Data Processor. The Data Processor shall rectify such deficiencies as soon as possible and notify the Data Controller.
The Data Processor shall provide to the Data Controller, without delay, any information and documents requested by the Data Controller within the scope of applications from Relevant Persons or investigations/information requests by the Board or administrative/official institutions, including assistance for on-site inspections. It shall fulfill requests for correction, deletion, anonymization, or destruction of Personal Data as soon as possible.
If a Data Breach or a potential Data Breach event concerning the Personal Data processed or stored on behalf of the Data Controller occurs, the Data Processor shall notify the Data Controller as soon as possible and in any event no later than 24 hours after learning of the breach. If the Data Controller decides to notify the Board and Relevant Persons regarding the breach, the Data Processor shall promptly provide all requested information and documents to the Data Controller.
If the Board or another official/administrative authority imposes an administrative sanction (decision, administrative fine, directive, etc.) against the Data Controller or a court/arbitration authority orders the Data Controller to pay compensation or other fees, the Data Processor acknowledges that it may be held liable by the Data Controller to recoup damages arising from its fault, in proportion to its share of fault.
The Data Processor shall store the Personal Data processed, collected, and retained on behalf of the Data Controller for at least the retention periods determined by the Data Controller and shall destroy expired Personal Data using a destruction method approved by the Data Controller.
Upon termination of the commercial relationship with the Data Controller, the Data Processor shall either return the Personal Data in its possession or irreversibly destroy them under the supervision of persons appointed by the Data Controller, and provide evidence of destruction to the Data Controller.
When collecting, processing, or transferring Personal Data on behalf of the Data Controller, if the Data Processor is entrusted with the responsibility to inform the relevant individuals or obtain explicit consent, it shall use the notice/explicit consent text approved by the Data Controller and keep physical or digital records proving that these processes have been performed. If it fails to do so, it accepts that the Data Controller may seek recourse for any damage incurred.
The Data Processor shall implement all necessary technical and administrative measures to prevent unlawful processing and unlawful access and to ensure the security of Personal Data. Further, while processing Personal Data on behalf of the Data Controller, it shall take extraordinary technical and administrative measures from KVKK and Guidelines, especially the “Personal Data Security Guide (Technical and Administrative Measures)” published on the Board’s website (https://www.kvkk.gov.tr/), including:
- Preventing unauthorized entry to locations where Personal Data are processed (Access Control),
- Preventing unauthorized persons from reading, copying, modifying, or removing data carriers (Workstation Control Related to Data Environment),
- Preventing unauthorized persons from reading, copying, modifying, or deleting Personal Data during disclosure or transmission (Transmission Control),
- Preventing unauthorized presence of Personal Data in memory, unauthorized access, modification, or deletion (Recording Control),
- Preventing unauthorized persons from using automated data processing systems via transmission systems (e.g., remote access).
When processing Special Categories of Personal Data on behalf of the Data Controller, the Data Processor shall comply with the “Adequate Measures to Be Taken by Data Controllers in the Processing of Special Categories of Personal Data” specified in the Board’s Decision No. 2018/10 dated January 31, 2018.
Provisions Regarding Data Controller–Data Controller Relationships
If both Parties are Data Controllers, the Disclosing Party represents, warrants, and guarantees that the data transferred to the Receiving Party have been collected, processed, and transferred to the Disclosing Party in compliance with KVKK, relevant legislation, and Guidelines. The Receiving Party shall process Personal Data received from the Disclosing Party solely for the purpose of transfer and limited to the BUSINESS relationship with the Disclosing Party, in compliance with KVKK, relevant legislation, and Guidelines. Otherwise, the Parties shall indemnify each other for losses in proportion to their fault.
If a Data Breach or a potential Data Breach event occurs concerning the Personal Data received from the Disclosing Party or stored in the Receiving Party’s environment, the Receiving Party shall notify the Disclosing Party without delay and in any event no later than 24 hours after becoming aware of the breach. If the Disclosing Party decides to notify the Board and Relevant Persons regarding the breach, the Receiving Party shall promptly provide all requested information and documents to the Disclosing Party.
If Relevant Persons or official/administrative institutions make an application or request related to the other Party’s personal data processing processes, the receiving Party shall share the situation with the relevant Party as soon as possible and provide necessary information and assistance to enable the relevant Party to respond within the timeframe and in compliance with the law.
The Parties acknowledge and undertake that they are jointly and severally liable for ensuring that their Data Processors and Representatives comply with the commitments made to the other Party under this Agreement.
Liability and Penalty Clause
If the Board or another official/administrative authority imposes an administrative sanction (decision, administrative fine, directive, etc.) on one of the Parties, or if courts or dispute resolution bodies order one of the Parties to pay compensation, penalty, litigation or arbitration costs, attorney’s fees, or other fees, the at-fault Party shall indemnify the aggrieved Party for all direct and indirect damages incurred due to such sanction or payment obligation.
Other Provisions
If the receiving Party breaches its obligations under this Agreement, the other Party may suspend data transfers until the breach is remedied. If the breach is not remedied within a reasonable period or cannot be remedied, the data-transferring Party may terminate this Agreement and the primary contract with the breaching Party. This will not affect the rights accrued under the primary contract and this Agreement prior to termination.
Confidential Information or Personal Data that becomes publicly available through no fault of the Parties, obtained by unrelated third parties, disclosed by a third-party source outside the Parties, or required to be disclosed/transferred under applicable legislation or court or administrative orders, or already publicly disclosed prior to this Agreement, shall not be considered a breach of this Agreement. However, the Parties’ obligations regarding such Confidential Information or Personal Data shall continue.
This Agreement shall continue to apply and remain in force even after the commercial relationship between the Parties ends.
Unless the Parties notify each other in writing of changes to their addresses and contact information, any notices and communications made to the addresses stated in this Agreement shall be valid.
Any amendment to any provision of this Agreement shall be valid only upon mutual written agreement of the Parties. If changes in KVKK or other relevant legislation require amendments to this Agreement, the Parties shall use reasonable efforts to make such amendments as soon as possible. In any event, even if they do not take action within the maximum period specified by the legislation, the Parties are obliged to ensure that their personal data processing activities comply with the new/updated legal regulations as of the date they become effective. The provisions of this Agreement cannot be amended in a manner that violates KVKK or applicable laws.
Turkish law shall apply to the interpretation and implementation of this Agreement. All disputes arising from or related to this Agreement shall be exclusively subject to the jurisdiction of the Courts and Enforcement Offices of Ankara.
All costs arising from the execution of this Agreement, including stamp duty, shall be borne by […].
This Agreement has been executed in two (2) copies on […] so that each Party holds one copy.
TEKNETATİLİ TURİZM TİCARET LİMİTED ŞİRKETİ
On behalf of
Name and Surname:
Title:
Signature:
.......................................................
“…”
On behalf of
Name and Surname:
Title:
Signature: