Draft bill on the amendment of the turkish Data Protectıon Law

Some of the long-awaited amendments to Law No 6698 on the Protection of Personal Data (the “Law“) have been included in a draft bill (the “Draft Bill“) that was presented for Commission consideration at the Turkish Parliament on 16 February 2024. The Draft Bill aims to achieve the goals set out in the Economic Reforms Action Plan and the Human Rights Action Plan by taking into account the current needs and problems encountered in practice and the principles set out in the EU’s General Data Protection Regulation (the “GDPR“). Within this framework, the Draft Bill sets out major changes relating to the processing of sensitive personal data and cross-border data transfers.  

REDEFINING THE LANDSCAPE OF SENSITIVE PERSONAL DATA PROCESSING 

The Draft Bill seeks to change the legal framework that governs the processing of sensitive personal data, including health data and data relating to sexual life. According to the Law, sensitive personal data (except for data concerning health and sexual life) can only be processed when (i) the data subject has given explicit consent or (ii) provided by laws.  

The Draft Bill suggests implementing new legal grounds for processing sensitive personal data without explicit consent. Accordingly, it would no longer be necessary to obtain explicit consent of the data subject when processing is required (i) to establish, use and protect a right; (ii) to perform legal obligations relating to employment, occupational health and safety, social security and social services; (iii) when sensitive personal data is made public by the data subject; or (iv) when the processing is carried out by a foundation, association or any other non-profit organisation with a political, philosophical, religious or trade union aim, provided that the processing is solely related to members or former members of that organisation. 

ADDRESSING CROSS-BORDER DATA TRANSFER: POTENTIAL SOLUTIONS IN SIGHT? 

As acknowledged in practice, and reaffirmed by the preamble of the Draft Bill, one of the principal challenges in implementing the Law revolves around the transfer of personal data outside of Türkiye. The situation is even more complex for multinational companies or companies that use service providers whose servers are located outside of Türkiye.  

In the current situation, personal data can only be transferred abroad if the explicit consent of the data subject is obtained, or if the data controller has submitted a commitment letter or binding corporate rules to the Turkish Data Protection Authority (the “DPA“). As the list of countries with adequate level of data protection has not been announced by the DPA, based on the current provisions of the Law, the options mentioned above are the only possible ways for data controllers to transfer personal data outside of Türkiye.   

The Draft Bill proposes a system akin to the standard contractual clauses under the GDPR. Accordingly, if parties involved in cross-border data transfers agree to the contractual terms set out by the DPA, then personal data could be sent to recipients outside of Türkiye. However, unlike the GDPR, these contracts would have to be presented to the DPA within five business days. A failure to do so would result in data controllers and processors facing administrative fines ranging from TRY 50,000 to TRY 1,000,000 (subject to further update). 

Another exception provided by the Draft Bill would be the case where the DPA issues an adequacy decision regarding a country, international organisation or sector within a given country where data will be transferred. In this case, the cross-border transfer of data would be allowed without the need to obtain explicit consent from the relevant data subjects.  

The Draft Bill further provides that explicit consent would not be required for data transfers outside of Türkiye in case; (i) the transfer is required to perform a contract or preliminary actions taken with the data subject’s request before the execution of a contract; (ii) the transfer is obligatory to establish or perform a contract in the interest of the data subject between the data controller and another natural or legal person, (iii) the transfer is required under an overriding public interest or (iv) the transfer is obligatory to establish, use or protect a right.  

CONCLUSION AND COMMMENTS  

If the Draft Bill is approved by the Turkish Parliament in its current content, the Law would be amended as of 1 June 2024 and benefit from increased mirroring of the GDPR. Although the Draft Bill addresses a number of practical issues, the implementation of secondary legislation would still be required, as various uncertainties remain as to how these measures can be executed.  

On a separate note, these amendments will likely require data controllers to review their existing data processing and to revise their privacy policies and explicit consent texts in order to ensure compliance with the revised requirements of the Law.