The long-awaited amendments to the Personal Data Protection Law No. 6698 (“Law”) were promulgated in the Official Gazette dated 12 March 2024. The respective amendments will enter into force as of 1 June 2024.
To resolve the problems in the implementation of the Law and by taking into consideration the European Union General Data Protection Regulation (GDPR), comprehensive amendments were introduced especially to the conditions for processing special categories of personal data and the conditions for transferring personal data abroad. The important amendments made to the Law are summarized as follows:
The legal grounds for the processing of special categories of personal data have been expanded.
What are the special categories of personal data?
Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are defined as special categories of personal data.
With the amendment made in the Law, no changes have been made to the definition of special categories of personal data mentioned above; only the processing conditions of such data have been modified.
What was the situation before the amendment and what were the problems in practice?
In principle, special categories of personal data could not be processed without the explicit consent of the data subject and the exceptions to this rule were regulated in a very limited manner in the Law. In this respect, there was a dual distinction: Without the explicit consent of the data subject;(i) personal data relating to health and sexual life could only be processed for a limited number of purposes, such as the provision of health services, etc., and only by authorized institutions and organizations or persons with confidentiality obligations, and (ii) other special categories of personal data could only be processed in cases stipulated by the law.
This situation was causing difficulties in practice, especially in the processing of health data (e.g. disease information). Employers were, on one hand, obligated to process their employees’ health data in accordance with the occupational health and safety legislation. On the other hand, according to the Law, this data could only be processed by workplace physicians. In workplaces without workplace physicians, obtaining explicit consent from the employee was required to keep such data in the personnel file. Therefore, employers were compelled to steer employees towards giving explicit consent to fulfil their legal obligations, which was not in line with the principle of providing consent with “free will”.
What has changed in the conditions for processing special categories of personal data?
Firstly, the dual distinction referred to above among the special categories of personal data has been eliminated. Instead, the Law now allows that in the limited cases set out below, such data can be processed without obtaining the explicit consent of the data subject.
Considering the established practice of the Personal Data Protection Authority (“KVKK”); processing of special categories of personal data should only be pursued with the explicit consent of the data subject in cases where any of the above conditions are not present.
Transfer of personal data abroad has been facilitated.
What was the situation before the amendment and what were the problems in practice?
Although the Law stipulated that the transfer of personal data to countries with adequate protection could be carried out without the explicit consent of the data subject provided that the legal requirements for processing data are met, countries with adequate protection had not been announced by the Personal Data Protection Board (“Board”) thus far.
This has left the data controllers, who wanted to transfer data abroad, with two options: (i) obtaining the explicit consent of data subjects individually, and (ii) data controllers in Türkiye and in the country where the data will be transferred undertaking to providing adequate protection in writing and obtaining the Board’s permission to the undertaking. Nevertheless, as also stated in the preamble of the amendment, only around eighty applications have been made to the Board so far, and very few of them have been granted permission by the Board. As a result, in practice, the only option for data controllers to transfer data abroad has been to obtain explicit consent from data subjects.
With the amendments made to the Law, the conditions for data transfer abroad have been facilitated. Also, it is stipulated that secondary legislation will be enacted to govern the procedures and principles of data transfer abroad.
What has changed in the conditions for processing special categories of personal data?
First and foremost, the Board has been granted the authority not only to decide on the adequacy of protection in the country to where the personal data will be transferred but also to make adequacy decisions concerning an international organization and specific sectors within a country (adequacy decision). For example, it is now possible to issue an adequacy decision only for the automotive sector in a foreign country with whom the Turkish automotive sector has extensive trade relations, rather than for the entire foreign country. The Board will re-evaluate the adequacy decisions every four years at the latest and may revoke, suspend, or modify it if deemed necessary.
Data transfer abroad where there is an adequacy decision
In the presence of legal grounds for processing personal data set out in Article 5 (Article 6 for the special categories of personal data) of the Law, personal data may be transferred to a foreign country, international organization, or specific sector within a foreign country, for which the Board has issued an adequacy decision, without a need for obtaining explicit consent of data subject.
Data transfer abroad where there is no adequacy decision
In the absence of an adequacy decision, data controllers will be able to transfer data abroad without the explicit consent of the data subject, provided that the following conditions are met cumulatively:
Exceptions
In cases where there is no adequacy decision and one of the appropriate safeguards listed above cannot be provided, data may be transferred abroad on a one-time or occasional basis, provided it will not occur in a continuous manner. However, such data transfer can occur only under the following circumstances:
How long will the current practice (data transfer abroad based on explicit consent) can continue?
Until 1 September 2024, it will be possible to continue transferring data abroad based on the explicit consent previously obtained or to be obtained after the amendment to the Law.
A new type of breach subject to administrative fine has been introduced, alongside modifications to the appeal procedure concerning administrative fines.
In cases where data transfer abroad is conducted through the signing of the standard contract published by the Board, the data controller or data processor is required, as a separate obligation, to notify the KVKK within five business days from the signing of the standard contract. It is stipulated to impose an administrative fine ranging between TRY 50,000 and TRY 1,000,000 (to be valid for the year 2024) on data controllers or data processors who breach the notification obligation.
Moreover, considering the nature of administrative sanction decisions given by the Board, it is stipulated that instead of resorting to penal courts of peace, lawsuits will be filed before administrative courts. Pursuant to the transitional provision added to the Law, the files before the penal courts of peace as of 1 June 2024 will be finalized by these courts.
PARTNER
Müşavvir Enerji / Elektrik Petrol ve Doğal Gaz Madencilik Taşımacılık ve Lojistik Kamu Özel İşbirlikleri ve İmtiyazlar İnşaat ve Altyapı Finansal Hizmetler Projeler ve Proje Finansmanı Bankacılık ve Finans Şirketler ve Ticaret Hukuku Sermaye Piyasası Hukuku Kamu İhale Hukuku Gayrimenkul Hukuku
ASSOCIATE
Avukat Tüketim Ürünleri Enerji / Elektrik Madencilik Savunma Şirketler ve Ticaret Hukuku Birleşme ve Devralmalar Dava ve Uyuşmazlık Çözümleri
ASSOCIATE
Stajyer Avukat
Stay Informed
Subscribe to stay up to date on legal and regulatory information.
ÇAKMAK © 2024 | All rights reserved.