Law No. 7499 on Amending the Code of Criminal Procedure and Certain Laws, which includes the long-awaited amendments to the Turkish Personal Data Protection Law (the “Law”) and is also referred to as the 8th Judicial Reform Package, was published in the Official Gazette dated 12 March 2024 and numbered 32487.
Various amendments affecting data controllers have been made. Accordingly, data controllers shall review their compliance efforts with the Law, update their privacy notices, and execute standard contractual clauses with the parties involved in cross-border transfers and notify them to the Personal Data Protection Authority ("Authority"). Additionally, in case of violation of the notification obligation regarding cross-border transfers, administrative fines may be imposed on data processors as well.
The amendments made in the Law entered into force on 1 June 2024. As secondary legislation is still pending, it is strongly recommended that data controllers and data processors closely monitor the developments and begin work to update their procedures and processes according to the amendments as soon as possible.
Processing of Sensitive Personal Data
Legal grounds applicable to processing of sensitive personal data are re-regulated. Accordingly, sensitive personal data may only be processed if one of the following reasons exists:
- where explicit consent of the relevant data subject is obtained,
- where processing is expressly stipulated by laws,
- where processing is necessary to protect the life or physical integrity of the data subject or another person who is unable to give consent due to physical impossibility or whose consent is not legally valid,
- where processing relates to personal data publicized by the data subject and is in accordance with the data subject's intention in making it public,
- where processing is required for establishment, use, or protection of a right,
- where processing by persons under a secrecy obligation or by competent authorities or institutions is compulsory for protection of public health, protective medicine, medical diagnosis, treatment and care services, planning, management and financing of healthcare services,
- where processing is required for fulfilment of legal obligations relating to employment, occupational health and safety, social security, social services and social benefits,
- where political parties and non-profit institutions or formations established for religious or union purposes, such as foundations and associations, process their own current and former members’ personal data, provided that the relevant processing is compliant with the legislation applicable to them and with their purposes, that the relevant processing activities are restricted to their field of activity, and that the relevant data are not disclosed to third parties.
It is expressly stipulated that processing of sensitive personal data is prohibited unless at least one of these conditions is met.
Cross-Border Data Transfer
In addition to existing regulations and rules, new mechanisms relating to cross-border transfer of personal data are also regulated. The below regulations have been made in the Law:
- It is stipulated that the Personal Data Protection Board (“Board”) may issue adequacy decisions not only for countries but also for international organizations or sectors within the country, and cross-border data transfer may be carried out in accordance with the relevant decisions if any.
- In presence of agreements (except for international treaties/conventions) concluded between public institutions, public organizations or professional organizations with public institution status in Türkiye and public institutions and organizations or international organizations abroad, it is regulated that data may be transferred abroad subject to obtaining permission from the Board.
- Binding Corporate Rules, which the Authority had already recognized as an alternative mechanism based on its authority, are now included in the Law. It is stated that where intra-group Binding Corporate Rules are approved by the Board, companies within the relevant enterprise engaged in joint economic activities (in other words, affiliates in a group of companies) may transfer personal data outside Türkiye. New guidance is awaited from the Authority in relation to Binding Corporate Rules.
- In cases where interests of Türkiye and data subjects may be seriously harmed, it is regulated that data may be transferred abroad with the permission of the Board, taking into account the opinion of the relevant public institution or organization.
- The most significant amendment for data controllers and data processors is the acceptance of a mechanism similar to the "Standard Contractual Clauses" under the European Union’s General Data Protection Regulation (“GDPR”). Accordingly, it is stipulated that if contractual terms to be determined and announced by the Board are signed between the parties involved in cross-border data transfer, personal data may be transferred abroad without explicit consent. However, unlike GDPR practice, the relevant contracts shall be notified to the Authority within 5 business days.
In addition, it is stipulated that in certain exceptional cases where the cross-border data transfer does not comply with the above-mentioned principles, such transfers may still be made. These cases, which should be considered exceptions, are as follows:
- where the data subjects give explicit consent to the transfer after being informed about potential risks,
- where the transfer is necessary for the required performance of a contract between the data subject and the data controller, or for the implementation of preliminary actions to be taken upon the data subject’s request before execution of a contract,
- where the transfer is required for establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the relevant data subject,
- where the transfer is necessary for an overriding public interest,
- where the transfer is required for establishment, use and protection of a right,
- where the transfer is necessary to protect the life or physical integrity of the data subject or another person who is unable to give consent due to physical impossibility or whose consent is not legally valid,
- where the transfer is made from a publicly available register intended for access by the public or persons having a legitimate interest, provided that the conditions laid down by law for access are met and persons having a legitimate interest request access to the relevant data.
Subsequent transfers following the initial cross-border data transfers have also been regulated. It is stipulated that data controllers and data processors must comply with the Law for such subsequent transfers.
It is acknowledged that data controllers and data processors may be subject to other restrictions arising from other legislation, and it is stated that these special regulations will be prioritized in case of any discrepancy between the relevant special restrictions and the Law.
The procedures and principles regarding cross-border data transfer are expected to be regulated by the Authority in separate secondary legislation.
Cross-border transfers based on explicit consent will need to be revisited and the necessary arrangements made in light of the above; in order to continue transferring personal data outside Türkiye, one of the safeguards noted above must be put in place by 1 September 2024 at the latest.
New Administrative Fine
As stated above, data controllers and data processors are obliged to notify the Authority of the standard contracts they may sign for cross-border data transfers within 5 business days. In case of non-compliance with this reporting obligation, both data controllers and data processors may be subject to an administrative fine ranging from TRY 50,000.- to TRY 1,000,000.-.
Legal Remedies
As is known, before the amendments in the Law, decisions of the Board regarding administrative fines could only be appealed to criminal courts of peace, and the administrative legal remedy (in other words, an application to the administrative courts) could be sought only where the Board imposed a fine along with another administrative sanction or where only an administrative sanction with a fine was imposed. With the amendments, it is regulated that administrative fines imposed by the Board can now also be challenged in administrative courts.
Applications pending before criminal courts of peace as of 1 June 2024 will continue to be heard by these courts.
Summary Evaluation
The amendments bring the Law closer to the GDPR and address many issues encountered in practice. On the other hand, to comply with the Law as amended, privacy notices and consent forms will need to be changed. Additionally, unlike GDPR practice, standard contractual clauses executed with the parties to a data transfer will need to be notified to the Authority.
The Authority is now expected to issue secondary regulations regarding cross-border data transfers and to announce the standard contractual clauses along with new guidelines for cross-border data transfers.