Proposed Amendments Regarding the Turkish Personal Data Protection

A draft bill (the "Draft Bill") including long-awaited amendments to the Turkish Personal Data Protection Law (the "Law") has been submitted for review to the commissions of the Turkish Grand National Assembly ("TBMM"), and it is expected to be enacted shortly after being evaluated by the Justice Commission, the Constitution Commission, and the Planning and Budget Commission.

The Draft Bill contains comprehensive amendment proposals affecting data controllers. With the enactment of the Draft Bill, significant amendments will come into effect regarding the processing of sensitive personal data, cross-border data transfers, administrative sanctions, and legal remedies against administrative sanctions.

If the amendments are accepted as proposed, data controllers may need to review their compliance efforts under the Law, update their privacy notices, and execute standard contractual clauses with the parties involved in cross-border transfers and notify them to the Personal Data Protection Authority ("Authority"). Additionally, in case of violation of the notification obligation regarding cross-border transfers, administrative fines may be imposed on data processors as well. The Draft Bill is planned to enter into force on June 1, 2024. It is strongly recommended that data controllers and data processors closely monitor the developments and begin work to update their procedures and processes according to the amendments.

Processing of Sensitive Personal Data

The legal grounds applicable to the processing of sensitive personal data are planned to be regulated again. Accordingly, sensitive personal data may only be processed if one of the following grounds exists:

  • where explicit consent of the relevant data subject is obtained,
  • where processing is expressly stipulated by laws,
  • where processing is necessary to protect the life or physical integrity of the data subject or another person who is unable to give consent due to physical impossibility or whose consent is not legally valid,
  • where processing relates to personal data made public by the data subject and is in accordance with the data subject's intention in making it public,
  • where processing is required for establishment, use, or protection of a right,
  • when processing is compulsory by persons under the secrecy obligation or competent authorities or institutions for protection of public health, protective medicine, medical diagnosis, treatment and care services, planning, management and financing of healthcare services,
  • where it is required for fulfilment of obligations under the secrecy obligation by persons or authorized institutions and organizations related to the protection of public health, protective medicine, medical diagnosis, treatment and care services, planning and management of health services, and financing purposes,
  • where processing is required for fulfilment of legal obligations relating to employment, occupational health and safety, social security, social services and social benefits,
  • where political parties and non-profit institutions or formations established for religious or union purposes, such as foundations and associations, process their own current and former members’ personal data, provided that the relevant processing is compliant with the legislation applicable to them and with their purposes, that the relevant processing activities are restricted to their field of activity, and that the relevant data are not disclosed to third parties.

It is expressly stipulated that the processing of sensitive personal data is prohibited unless at least one of these conditions is met.

Cross-Border Data Transfer

In addition to existing regulations and rules, new mechanisms relating to cross-border transfer of personal data are also being planned. According to the Draft Bill:

  • It is stipulated that the Personal Data Protection Board (“Board”) may issue adequacy decisions not only for countries but also for international organizations or sectors within a country, and that cross-border data transfers may be carried out in accordance with the relevant decisions, if any.
  • Where agreements (except for international treaties/conventions) have been concluded between public institutions, public organizations or professional organizations with public institution status in Türkiye and public institutions and organizations or international organizations abroad, data may be transferred abroad subject to obtaining permission from the Board.
  • Binding Corporate Rules, which the Board has already recognized as an alternative mechanism based on its authority, are to be included in the Law. It is stated that if the intra-group Binding Corporate Rules are approved by the Board, companies within the relevant enterprise engaged in joint economic activities (in other words, affiliates in a group of companies) may transfer personal data outside Türkiye.
  • In cases where the interests of Türkiye and data subjects may be seriously harmed, data may be transferred abroad with the permission of the Board, taking into account the opinion of the relevant public institution or organization.
  • The most significant amendment proposed for data controllers and data processors is the acceptance of a mechanism similar to the "Standard Contractual Clauses" under the European Union’s General Data Protection Regulation (“GDPR”). Accordingly, it is stipulated that if contractual terms to be determined and announced by the Board are signed between the parties involved in a cross-border data transfer, personal data may be transferred abroad without explicit consent. However, unlike GDPR practice, the relevant contracts will be required to be notified to the Authority within 5 business days.

In addition, it is stipulated that in certain exceptional cases where the cross-border data transfer does not comply with the above-mentioned principles, such transfers may still be made. These cases, which should be considered exceptions, are as follows:

In addition, it is stipulated that in certain exceptional cases where the cross-data transfer does not comply with the above-mentioned principles, such transfers may still be made. These cases which should be considered as exception are as follows:

  • where the data subjects give explicit consent to the transfer after being informed about potential risks,
  • where the transfer is necessary for the performance of a contract between the data subject and the data controller, or for the implementation of preliminary actions to be taken upon the data subject’s request before execution of a contract,
  • where the transfer is required for establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the relevant data subject,
  • where the transfer is necessary for an overriding public interest,
  • where the transfer is required for establishment, use and protection of a right,
  • where the transfer is necessary to protect the life or physical integrity of the data subject or another person who is unable to give consent due to physical impossibility or whose consent is not legally valid,
  • where the transfer is made from a publicly available register intended for access by the public or persons having a legitimate interest, provided that the conditions laid down by law for access are met and persons having a legitimate interest request access to the relevant data.

Amendments regarding subsequent transfers following the initial cross-border data transfers have also been proposed. It is stipulated that data controllers and data processors must comply with the Law for such subsequent transfers.

If the Draft Bill is enacted as proposed, it is acknowledged that data controllers and data processors may be subject to other restrictions arising from other legislation, and it is stated that these special regulations will be prioritized in case of any discrepancy between the relevant special restrictions and the Law.

The procedures and principles regarding cross-border data transfer are expected to be regulated by the Authority in a separate secondary regulation.

New Administrative Fine

As stated above, data controllers and data processors are obliged to notify the Authority of the standard contracts they may sign for cross-border data transfers within 5 business days. In case of non-compliance with this reporting obligation, both data controllers and data processors may be subject to an administrative fine ranging from TRY 50,000.- to TRY 1,000,000.-.

Legal Remedies

As is known, according to the Law, decisions of the Board regarding administrative fines can only be appealed to criminal courts of peace, and the administrative legal remedy can be sought (in other words, applications can be made to administrative courts) only where the Board imposes a fine along with another administrative sanction or where only an administrative sanction with a fine is imposed. With the Draft Bill, it is regulated that administrative fines imposed by the Board can also be challenged in administrative courts.

Applications pending before criminal courts of peace as of June 1, 2024 will continue to be heard by these courts.

Summary Evaluation

The Draft Bill brings the Law closer to the GDPR and addresses many issues encountered in practice. On the other hand, to comply with the Law as amended, privacy notices and consent forms will need to be changed. Additionally, unlike GDPR practice, standard contractual clauses executed with the parties to a data transfer will need to be notified to the Authority.

After enactment of the Draft Bill, the Authority is expected to issue secondary regulations regarding cross-border data transfers and to announce the standard contractual clauses.

