DATA PROCESSING AGREEMENT
This data processing agreement (“
acting on its own behalf and on behalf of its Affiliates (as defined below) and having its registered office at “Merkez Mahallesi Kağıthane Caddesi NO:37/4 KAĞITHANE/İSTANBUL”
Kuryem Technology Inc.
“) and a legal and commercial relationship with the Data Controller within the scope of courier intermediary services (“
“) who intends to establish a relevant user (“
“) was concluded between them.
This Agreement is a part of the Kuryem Membership Agreement concluded in order to establish a Business Relationship between the Data Controller and the Data Processor (“
“) is regulated as an annex and an integral part.
In this Agreement, the Data Controller and the Data Processor separately
referred to as
The terms used in this Agreement shall have the meaning ascribed to them below:
“Data Processor” refers to the person who is assigned by the Data Processor or assigned by any other sub-processor of the Data Processor, but in any case processes data in accordance with the instructions of the Data Controller.
” refers to the Membership Agreement concluded on the date concluded for the establishment of the Business Relationship between the Data Controller and the Data Processor.
” has the meaning ascribed to that term in the Law and the words “process”, “if”, “when” and similar expressions shall be interpreted in the same way.
An entity that is wholly or partially, directly or indirectly, owned or controlled by either party.
Law No. 6698 on the Protection of Personal Data.
Personal Data Protection Board.
have the meanings ascribed to those terms in the preamble to this Agreement.
” and “
” have the meanings ascribed to those terms in the Law.
“Data Incident”
means one or all of the meanings listed below:
(i) Incidental and/or unlawful destruction or loss of Personal Data;
(ii) Unauthorized and/or unlawful collection, use, copying, modification, alteration, elimination, disclosure or access of Personal Data or similar risks;
(iii) All other unlawful processing methods regulated in the KVKK and situations that would constitute a violation.
This Agreement shall apply in the event that the Personal Data of third parties acquired by the Data Processor is processed by the Data Processor in accordance with the purposes and means determined by the Data Controller within the scope of the Original Agreement. For the purpose of this Agreement, the Parties acknowledge that the Data Controller is the Data Controller as defined in the LPPD for the Personal Data in question and the Data Processor is the Data Processor as defined in the LPPD for the Personal Data in question.
The Data Processor shall process Personal Data on behalf of the Data Controller in full compliance with the applicable legislation, including but not limited to KVKK, the instructions of the Data Controller and this Agreement. This Agreement and the Master Agreement contain the preliminary instructions of the Data Controller to the Data Processor. Any processing outside the scope of this Agreement is subject to the agreement of the Parties. The Data Processor shall immediately inform the Data Controller if, for whatever reason, it cannot and/or will not be able to comply with the legislation, the instructions of the Data Controller or this Agreement and/or the Principal Agreement. In such a case, the Data Processor agrees in advance that the Data Controller has the right to suspend the transfer of Personal Data and/or terminate this Agreement and/or the Principal Agreement.
Purpose and/or Duration of Processing Personal Data.
When processing Personal Data, the Data Processor shall always process such Personal Data in accordance with the KVKK and this Agreement and in line with the instructions of the Data Controller in this regard, to the extent required by the purpose of processing and shall limit the processing to the maximum time required. In the event that the purpose of processing Personal Data ceases to exist and/or the period for processing Personal Data expires, the Data Processor shall immediately delete, destroy or anonymize the Personal Data together with all copies and backups, upon the instruction of the Data Controller or ex officio, as stipulated in the KVKK, and shall take all necessary steps to ensure that the Sub-Processors also delete, destroy or anonymize the Personal Data in question. In this context, the Data Processor undertakes that it will regularly check whether the purpose of processing Personal Data has disappeared and/or the processing period has expired at intervals determined by itself within the framework of the periodic destruction obligation imposed by the Regulation on Deletion, Destruction or Anonymization of Personal Data. In the event that there is any obstacle for the Data Processor or Sub-Processor to fulfill its obligations specified in this article in accordance with the legislation, the Data Processor or Sub-Processor accepts and undertakes that it will immediately stop the processing of Personal Data and take all necessary technical, organizational and administrative measures to ensure the confidentiality and security of Personal Data.
Method of Sharing Personal Data.
Personal Data may be shared by the Data Processor in physical environment and/or electronic environment including but not limited to e-mail, server, cloud environments.
If the Data Processor wishes to appoint a Subprocessor, they must comply with the following:
(i) carry out and document appropriate due diligence on the new sub-processor;
(ii) provide the Data Controller with the details of the new sub-processor, its activities regarding Personal Data and all material findings obtained within the scope of the legal review carried out, by means of a written notification at least thirty (30) days before granting the new sub-processor access to Personal Data;
(iii) In the event that the Data Controller approves the new sub-processor, it shall provide the Data Controller with the agreement on the protection of Personal Data, which has been concluded with the new sub-processor and which shall include at least the provisions necessary for the relevant new sub-processor to comply with the obligations and responsibilities of the Data Processor arising from this Agreement, the Original Agreement and all applicable legislation, including but not limited to the KVKK;
(iv) In the event that the Data Controller withholds consent due to reasonable data protection concerns, the Data Controller shall notify the Data Processor of its refusal and shall detail its data protection concerns in this notification. In this case, the Data Processor will not allow the Personal Data received from the Data Controller to be processed by the new sub-processor in question before finding a solution that satisfies the Data Controller.
For the avoidance of doubt; a new sub-processor will be deemed to be authorized to process Personal Data only if it is approved by the Data Controller in accordance with this Article 3, and only after that point, it will have the title of “Sub-Processor” under this Agreement.
Obligations with respect to Sub-Processors.
If the Data Controller authorizes any Sub-Processor (including the Data Processor’s Affiliates) as set out in this clause 3:
(i) the Data Processor shall limit the Subprocessor’s access to Personal Data to that which is necessary for the Data Processor to fulfill its obligations under this Agreement and Subprocessors shall be prohibited from accessing Personal Data for any other reason;
(ii) the Data Processor shall impose contractual obligations on all Sub-Processors in writing and at least as protective as the provisions of this Agreement, the Principal Agreement and all applicable legislation, including but not limited to the GDPR.
(iii) The Data Processor shall ensure that all obligations imposed on the Data Processor under the provisions of this Agreement, the Master Agreement and all applicable legislation, including but not limited to the KVKK, are also fulfilled by the Sub-Processor, shall be fully responsible for all damages that may arise in case of breach of the aforementioned, and shall compensate such damages immediately, in cash and in lump sum upon the first request of the Data Controller.
Security Measures undertaken by the Data Processor.
The Data Processor accepts and undertakes that it will fulfill and maintain all appropriate technical, organizational and administrative security measures to protect Personal Data against Data Incident. Such measures shall at a minimum provide the protection prescribed and generally accepted as valid in accordance with applicable national and international legislation, including but not limited to KVKK, for the adequate protection of Personal Data.
4.2 The Data Processor shall be fully responsible for preventing the unlawful processing of Personal Data contained in any software, database and system authorized by the Data Controller to access the Data Processor, preventing unlawful access to Personal Data and storing Personal Data in accordance with the law and shall take all technical and administrative measures required to fulfill the obligations listed in this provision. The Data Processor shall be responsible for ensuring that the Sub-Processor also takes all technical and administrative measures listed and required under this provision.
Data Incident Reporting
(i) It will use its best efforts to ensure the security and confidentiality of any Personal Data obtained and to be processed under this Agreement before starting to process such Personal Data, and will take and maintain all appropriate technical, organizational and administrative measures to avoid a Data Incident in relation to any Personal Data obtained and to be processed under this Agreement;
(ii) immediately notify the Data Controller in writing if it becomes aware of a Data Incident affecting any Personal Data it processes within the scope of the service provided:
that you will be informed;
(iii) promptly take, and ensure that the Subprocessor promptly takes, all steps necessary to limit, mitigate or eliminate the adverse effects of such Data Incident and to minimize any harm resulting from such Data Incident;
(iv) keep the Data Controller regularly informed of the progress of all steps it has taken to limit, mitigate or remedy the adverse effects of the Data Incident and provide any other necessary information at the request of the Data Controller and act in cooperation and ensure that the Subprocessor also acts in cooperation;
(v) inform the Data Controller promptly in the event that the Personal Data is seized or threatened to be seized during processing by the Data Processor or Processor, in the event of a bankruptcy or liquidation or similar measures taken by third parties;
(vi) respond to the questions and requests of the Data Controller within the scope of this Agreement as soon as possible and;
(vii) comply with the decisions and opinions of the Board regarding the processing of Personal Data
accepts, declares and undertakes.
Disclosure to Third Parties.
The Data Processor shall not disclose, and shall ensure that the Sub-Processor does not disclose, Personal Data to any third party (including any public institution or court), except as required by a legally binding process, request or order (e.g. a subpoena, warrant or court order) where the Data Controller has given its written consent. If a third party requests access to or correction of Personal Data, the Data Processor and Subprocessor shall reject such request, inform such third party to direct its requests regarding Personal Data to the Data Controller and provide the third party with the contact information of the Data Controller. If the Data Processor and Subprocessor are obliged to disclose Personal Data to a third party, such as a judicial or legal authority, the Data Processor and Subprocessor shall inform the Data Controller (Subprocessor shall also inform the Data Processor) of such access as soon as possible before allowing access, in order to allow the Data Controller to find a protective measure or appropriate solution. If such notification is prohibited by law, the Data Processor and the Subprocessor shall take all reasonable measures to protect the Personal Data from unlawful disclosure, as if confidential information of their own were being requested, and shall promptly inform the Data Controller as soon as possible if and when the legal prohibition is lifted.
Employees of the Data Processor.
In the same direction, the Data Processor accepts, declares and undertakes that, in the event that access to any software, database and systems is provided to the Data Processor, an employee or a Sub-Processor, it will determine the authorization matrix of such access with care and diligence; that it will set a special and confidential password for the person authorized to access; and that it will take all necessary technical and administrative measures for the safe use of the software, database and system, including but not limited to those to be taken against all cyber attacks that may occur. The Data Processor shall impose appropriate contractual obligations on its employees and the Subprocessor, including relevant obligations regarding confidentiality, protection of Personal Data and Personal Data security. In this respect, the Data Processor accepts and declares that if its employee acts in violation of the protection of personal data and the provisions of the relevant legislation, including but not limited to this Agreement, the Master Agreement and the KVKK, and if any damage arises in this regard before the Data Controller, it will be responsible for this situation. The Data Processor will ensure that all employees who have access to Personal Data undergo an appropriate training process to understand their protection responsibilities regarding the Personal Data they process.
Audit by the Data Controller.
The Data Processor accepts and undertakes that the Data Controller (or its appointed representatives) or an independent third party on behalf of the Data Controller (who shall not be a competitor of the Data Processor) may, upon reasonable notice, during ordinary business hours and without disruption to the business operations of the Data Processor, examine and audit the Data Processor’s processing of Personal Data and the technical, organizational and administrative measures (including data processing systems, policies, processes and records) carried out and maintained by the Data Processor, and that the Data Processor will provide the opportunity and necessary convenience in this regard.
6.2 Alternative Audit. As an alternative to the audit that may be carried out by or on behalf of the Data Controller, the Data Processor may provide the Data Controller with external certificates acceptable at national and international level (e.g. ISO 27001:2013, etc.), summaries of audit reports and/or other documents by which the Data Processor can confirm to the Data Controller that it has adequately complied with the technical, organizational and administrative measures referred to in Article 4.2 of this Agreement.
Inspection by Personal Data Protection Authorities.
The Data Processor shall immediately forward to the Data Controller all requests received by national data protection authorities regarding the Personal Data processed by the Data Processor in order to fulfill its obligations under this Agreement. The Data Processor undertakes to cooperate with the Data Controller in the Data Controller’s dealings with national data protection authorities and in any audit requests received by national data protection authorities. The Data Processor shall not object to disclosure of this Agreement or any other provisions relating to data protection (which may exclude commercial information) agreed with the Data Controller and/or Sub-Processors in relation to their obligations under this Agreement or the Principal Agreement(s), if it receives a request by a data protection authority.
The Parties have entered into this Agreement, consisting of twelve (12) Articles, of their own free will. Stamp duty arising from this Agreement shall be borne equally by the Parties.