Significant Amendments to the Personal Data Protection Law

What was the situation before the amendment and what were the problems in practice?

Although the Law stipulated that the transfer of personal data to countries with adequate protection could be carried out without the explicit consent of the data subject provided that the legal requirements for processing data are met, countries with adequate protection had not been announced by the Personal Data Protection Board (“Board”) thus far.

This has left the data controllers, who wanted to transfer data abroad, with two options: (i) obtaining the explicit consent of data subjects individually, and (ii) data controllers in Türkiye and in the country where the data will be transferred undertaking to providing adequate protection in writing and obtaining the Board’s permission to the undertaking. Nevertheless, as also stated in the preamble of the amendment, only around eighty applications have been made to the Board so far, and very few of them have been granted permission by the Board. As a result, in practice, the only option for data controllers to transfer data abroad has been to obtain explicit consent from data subjects.

With the amendments made to the Law, the conditions for data transfer abroad have been facilitated. Also, it is stipulated that secondary legislation will be enacted to govern the procedures and principles of data transfer abroad.

What has changed in the conditions for processing special categories of personal data?

First and foremost, the Board has been granted the authority not only to decide on the adequacy of protection in the country to where the personal data will be transferred but also to make adequacy decisions concerning an international organization and specific sectors within a country (adequacy decision). For example, it is now possible to issue an adequacy decision only for the automotive sector in a foreign country with whom the Turkish automotive sector has extensive trade relations, rather than for the entire foreign country. The Board will re-evaluate the adequacy decisions every four years at the latest and may revoke, suspend, or modify it if deemed necessary.

Data transfer abroad where there is an adequacy decision

In the presence of legal grounds for processing personal data set out in Article 5 (Article 6 for the special categories of personal data) of the Law, personal data may be transferred to a foreign country, international organization, or specific sector within a foreign country, for which the Board has issued an adequacy decision, without a need for obtaining explicit consent of data subject.

Data transfer abroad where there is no adequacy decision

In the absence of an adequacy decision, data controllers will be able to transfer data abroad without the explicit consent of the data subject, provided that the following conditions are met cumulatively:

• With the condition that one of the legal grounds for processing personal data set out in Article 5 (or Article 6 for special categories of personal data) of the Law exists,
• Data subjects have the opportunity to exercise their rights and seek effective legal remedies in the country to where the transfer will be made, and
• One of the following appropriate safeguards is provided;
  
  • Data can be transferred between public institutions; if a cooperation protocol is signed between a public institution or professional organization with public institution status in Türkiye and a foreign public institution or international organization
  • Data can be transferred between group companies; if companies have binding corporate rules containing provisions on the protection of personal data that they are obliged to comply with, and these rules are approved by the Board,
• If the standard contract published by the Board is signed between the data controllers in Türkiye and in a foreign country, personal data may be transferred abroad without a need for obtaining additional permission from the Board.
• If a written undertaking containing provisions to ensure adequate protection is signed, data may be transferred abroad provided that the permission of the Board is obtained.

Exceptions
In cases where there is no adequacy decision and one of the appropriate safeguards listed above cannot be provided, data may be transferred abroad on a one-time or occasional basis, provided it will not occur in a continuous manner. However, such data transfer can occur only under the following circumstances:

• The data subject has explicitly consented to the transfer, after having been informed of the possible risks of such transfers.
• The transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the data subject’s request.
• The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person.
• The transfer is necessary for an overriding public interest.
• The transfer is necessary for the establishment, exercise or defense of legal claims.
• The transfer is necessary for the protection of life or physical integrity of the data subject or another person when the data subject is physically or legally incapable of giving consent.
• The transfer is made from a register that is available to the general public or persons with a legitimate interest, but only to the extent that the requirements under the applicable legislation for accessing the register are met and upon the request of the person with a legitimate interest.
  
  

How long will the current practice (data transfer abroad based on explicit consent) can continue?

Until 1 September 2024, it will be possible to continue transferring data abroad based on the explicit consent previously obtained or to be obtained after the amendment to the Law.