Long-awaited Amendments on Turkish Personal Data Protection Law

Personal Data Protection Law No. 6698 (“Law”) was amended on March 12, 2014, to be effective as of June 1, 2024. The amendments aim to harmonize with European legislation and introduce significant changes regarding processing of sensitive personal data and cross-border data transfers.

Accordingly, explicit consent was repositioned as an exceptional mechanism for cross-border data transfer. However, according to the transitional provision, data controllers can rely on explicit consent as a ground for cross-border data transfers until September 1, 2024.

According to the Law, the application of amendments for cross-border data transfers would be clarified by a regulation. It was expected that the operation of the new mechanisms alongside the existing ones, and the form of appropriate safeguard documents, would be shaped by additional legislation of the Turkish Personal Data Protection Authority (“DPA”).

  • May 9, 2024: the Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Draft Regulation”) was opened for public comments by the DPA until 20 May 2024, with changes planned to have effect as of 1 September 2024.
  • May 17, 2024: draft documents and guidelines for standard contracts and binding corporate rules were opened for public comments by the DPA until May 27, 2024.

This newsletter summarizes the amendments to the Law that will come into effect as of June 1, 2024. Please see our Newsletter “Information on the Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad” for more information on the Draft Regulation.

The amendments include regulations concerning (i) the processing of sensitive personal data, (ii) the cross-border data transfers, (iii) sanctions to be applied by the DPA, and (iv) the procedure for appealing DPA decisions.

 

Key Changes

According to the Law, the changes concern (i) the processing of sensitive personal data, (ii) the cross-border data transfers, (iii) sanctions to be applied by the DPA, and (iv) the procedure for appealing DPA decisions.

 

New Scope for Processing of Sensitive Personal Data:

The newly enacted Law expands the conditions for processing sensitive personal data. However, no changes have been made to the scope of sensitive personal data (e.g., health data, genetic data, religious data, biometric data, racial data), which are enumerated in a limited manner. The amendments introduced are as follows:

Aspect: Rule

Current Scope: Sensitive personal data cannot be processed without explicit consent of the data subject.

New Scope (to be applied as of 01 June 2024): The processing of sensitive personal data is prohibited.

Aspect: Exception

Current Scope: In the following situations, sensitive personal data can be processed without obtaining explicit consent:

  • Personal data not related to health and sexual life can be processed in cases provided by law.
  • Personal data related to health and sexual life can be processed when necessary for preventive medicine, medical diagnosis, and other purposes listed in the relevant article, solely by individuals under an obligation of confidentiality.

New Scope (to be applied as of 01 June 2024): Sensitive personal data can be processed if:

  • Explicit consent of the data subject is obtained;
  • Processing is explicitly provided by law;
  • Processing is necessary for the protection of life or physical integrity, and the individual cannot provide consent;
  • Data is made manifestly public by the data subject;
  • Processing is necessary for the establishment, exercise, or protection of a right;
  • Processing is mandatory for the data controller to fulfil its legal obligations in employment, occupational health and safety, social security, social services, and social assistance;
  • Processing is necessary for preventive medicine, medical diagnosis, and other purposes listed in the relevant article, solely by individuals under an obligation of confidentiality; or
  • Processing is carried out for current or former members of, or for persons who are in regular contact with, foundations, associations, and other non-profit organizations or formations established for political, philosophical, religious, or trade union purposes within the outlined scope under the article.

 

Cross-border Personal Data Transfer

Currently, data controllers generally carry out data transfers abroad by obtaining explicit consent. The new amendments under the Law will introduce more flexibility for such transfers and include provisions similar to the European Data Protection Regulation (“GDPR”).

The Law states that the process of transferring data abroad with explicit consent can continue to be applied, along with the new changes, until 1 September 2024. However, after this date, the process of transferring data abroad with explicit consent will only be applied in exceptional circumstances.

Aspect: Rule

Current Scope: Explicit consent of the data subject is required for the transfer of personal data abroad.

New Scope (to be applied as of 01 June 2024): Explicit consent of the data subject is no longer stated as a legal basis for cross-border data flows.

The new amendments under the Law on cross-border data transfers first introduce the adequacy decision. Accordingly, if the country, international organization, or sector in a foreign country to which the transfer is to be made has been deemed by the DPA to provide adequate protection, in accordance with the data processing conditions stipulated in the Data Protection Law No. 6698, personal data can then be transferred abroad.

Aspect: Exception

Current Scope: Personal data may be transferred abroad if one of the conditions stipulated in the Data Protection Law No. 6698 is present and there is adequate protection in the foreign country to which the personal data will be transferred. However, as of today, the DPA has not announced a list of countries that provide adequate protection.

Absence of Adequate Protection: the data controllers in Türkiye and in the relevant foreign country undertake in writing to provide adequate protection, and the DPA’s approval is obtained. This applies as Binding Corporate Rules, as well.

New Scope (to be applied as of 01 June 2024):

Absence of an Adequacy Decision but Presence of Appropriate Safeguards:

If there is no adequacy decision issued by the DPA, personal data can be transferred abroad provided that one of the following safeguards is in place:

i. The existence of an arrangement, not in the nature of an international agreement, between public, international, or professional organizations and permission from the DPA;

ii. The preparation of binding corporate rules among group companies and obtaining approval from the DPA;

iii. The existence of a standard contract announced by the DPA and its notification to the DPA; or

iv. The preparation of a written undertaking containing provisions that ensure adequate protection related to the transfer and obtaining approval from the DPA.

Absence of Both Adequacy Decision and Appropriate Safeguards:

If the conditions mentioned above are not met, personal data can still be transferred abroad under the following circumstances:

i. If the data subject is informed about the risks related to the transfer abroad and provides their explicit consent in this regard;

ii. If the transfer is necessary for the performance of a contract between the data subject and the data controller;

iii. If the transfer is necessary for the implementation of pre-contractual measures taken at the request of the data subject;

iv. If the transfer is necessary for overriding public interest;

v. If the transfer is necessary for the establishment, exercise or protection of a right;

vi. If the transfer is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of providing their consent; or

vii. If the transfer is made from a register which is open to the public or to persons with a legitimate interest, provided that the conditions for access to the register laid down in the relevant legislation are met and the person with a legitimate interest requests the transfer.

 

New Misdemeanor

The Law stipulates that data controllers will have a notification obligation for cross-border data transfers using the option of standard contract published by the DPA. Failure to notify the execution of such standard contract within 5 business days may result in administrative fines on the relevant data controller or processor ranging from TRY 50,000 to TRY 1,000,000 (approx. EUR 1,500 to 30,000).

Changes in the Appeal Process Against DPA Decisions

The Law changes the appeal procedure against administrative fines imposed by the DPA. In this respect, the appeal process will be conducted before the Administrative Courts and not the Magistrates’ Courts.

The effective date for these new changes has been set as June 1, 2024. Following the publication of the Law in the Official Gazette, the DPA announced on March 12, 2024, that during the transition period, data controllers and processors must diligently and promptly conduct preparation works to comply with the new regulations.

For detailed information, you may reach us:

EBRU TEMİZER

IRMAK SEYMEN VARAT
