Amendments to the turkish Data Protection Law

Within the scope of Law No 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws, proposed amendments to Law No 6698 on the Protection of Personal Data (the “Law“) was adopted by the Turkish Grand National Assembly1 were published in the Official Gazette dated 12 March 2024 and numbered 32487. The amendments made to certain articles of the Law under the Economic Reforms Action Plan and the Human Rights Action Plan are of great importance for the harmonisation process with the European Union General Data Protection Regulation (“GDPR“).  

The amendments to the Law include relevant articles on (i) processing sensitive personal data, (ii) cross-border data transfer and (iii) appeals against the decisions of the Personal Data Protection Board (“DPA“). 

NEW DATA PROCESSING GROUNDS FOR SENSITIVE PERSONAL DATA 

Firstly, under Article 6 of the Law, the distinction between sensitive personal data relating to health and sexual life and other sensitive personal data has been removed and the term “sensitive personal data” has been unified. 

Although the processing of sensitive personal data is prohibited as a rule, the exceptions for processing sensitive personal data have been expanded with the new legislation, which stipulates that sensitive personal data may be processed in the presence of one of the following conditions: 

• The explicit consent of the data subject is obtained, 

• It is expressly stipulated by law, 

• Processing is necessary to protect the life or physical integrity of the data subject, or of another natural person where the data subject cannot disclose their consent due to actual impossibility or where that consent is not legally valid, 

• Processing of personal data made public by the data subject in accordance with the intention of the data subject, 

• Processing is mandatory for the establishment, exercise or protection of a right, 

• It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, as well as planning, managing and financing health services by entities under an obligation to keep information confidential, or by authorised institutions and organisations, 

• It is mandatory to perform legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance, 

• Processing personal data of current or former members of foundations, associations or other non-profit organisations established for political, philosophical, religious or trade union purposes, or individuals who are in regular contact with these organisations under certain conditions. 

The legal grounds for processing sensitive personal data have been expanded with the amendment regulating the need to process sensitive personal data in order to comply with legal obligations in the areas of employment, occupational health and safety, labour and social security or social services and social assistance, as a new legal ground for processing provides a solution to the problems encountered in the current practice regarding the processing of health data processed by the employer only on the basis of explicit consent or through the workplace physician. In this context, the processes regarding health data previously processed by the employer data controllers based on explicit consent should be reviewed and the relevant texts should be updated. 

NEW METHODS OF CROSS-BORDER DATA TRANSFER 

As is well known, almost the only way to carry out a cross-border data transfer was to obtain the explicit consent of the data subject. Since the DPA did not publish a list of countries with adequate protection, a data transfer abroad was only possible with permission from the DPA by submitting a written undertaking or binding corporate rules. With the amendment of the Law, new methods such as standard contractual clauses and an adequacy decision, which are also regulated in the GDPR, have been introduced for cross-border data transfers. In addition, new grounds for cross-border data transfers have been regulated for incidental transfers of data abroad even in the absence of any transfer method. In this context, the relevant amendments are as follows: 

• Adequacy Decision: In order to transfer data abroad using this method, the DPA must adopt an adequacy decision on the relevant country, international organisation or sector within the country where the transfer will be made. With the DPA’s adequacy decision and the existence of one of the grounds listed in Articles 5 and 6 of the Law, cross-border data transfers will be possible. 

• Standard Contractual Clauses: Cross-border data transfers will be possible upon the existence of one of the grounds listed in Articles 5 and 6 of the Law and standard contractual clauses to be published by the DPA. However, in order to make a transfer, the data subject must have the opportunity to exercise their rights in the country where the transfer will be made, to apply for effective legal remedies, and the standard contractual clauses must be notified to the DPA within five business days from signing. 

• Incidental Cross-Border Data Transfer: In the absence of (i) an adequacy decision, (ii) an agreement between public institutions and organisations abroad, international organisations and public institutions and organisations or professional association in Türkiye, (iii) binding corporate rules, (iv) a written undertaking and (v) a standard contract, cross-border data transfers will be possible on an incidental basis in the presence of the following conditions:

1. The data subject’s explicit consent to the transfer, provided that they have been informed about the potential risks, 
2. The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the request of the data subject, 
3. The transfer is necessary to establish or perform a contract between the data controller and another natural or legal person for the benefit of the data subject, 
4. The transfer is necessary for an overriding public interest, 
5. The transfer is necessary for the establishment, exercise or protection of a right, 
6. The transfer is necessary to protect the life or physical integrity of the data subject or of another natural person where the data subject cannot disclose their consent due to actual impossibility or where the consent is not legally valid, 
7. The transfer is made from a register that is open to the public or people with a legitimate interest, to the extent that the conditions laid down by applicable law for accessing the registry and transfer is requested by those having legitimate interest are met. 

An incidental transfer based on the above conditions should not be continuous. In addition, the amended Article 9 states that the procedures and principles regarding cross-border data transfer will be set out in a regulation. 

APPEAL PROCESS TO DPA DECISIONS 

The amendment to Article 18 of the Law introduced the procedure of filing an appeal against the decisions of the DPA to the administrative courts, rather than criminal courts of peace, when appealing against administrative fines imposed by the DPA. However, applications pending before criminal judgeships of peace as of 1 June 2024 will continue to be heard by these judgeships. 

CONCLUSION AND ASSESSMENT 

The amendments will enter into force on 1 June 2024. In addition, a transitional provision has been regulated with the provisional Article 3, whereby the first paragraph of the pre-amended version of Article 9 (i.e. the provision on obtaining explicit consent for transfer abroad) will be applied together with the amended version until 1 September 2024. Therefore, cross-border data transfers based on explicit consents obtained before or after the entry into force of the article are allowed until 1 September 2024.  

By the effective date, data controllers are required to review their processes regarding the processing of sensitive personal data and cross-border data transfer, update their privacy policies and explicit consent texts and other corporate documents if necessary, and harmonise them with the new legislation.