The Turkish data protection authority, Kişisel Verileri Koruma Kurumu, has proposed amendments to the most controversial provisions of the Law on Personal Data Protection numbered 6698. The provisions have been heavily criticized by academia and business circles due to their inapplicability and inadequacy to meet needs. The amendments were actually part of the Economic Reforms, and specific tasks were introduced under the Economic Reforms to comply with the EU General Data Protection Regulation.
The DPA submitted a proposal Aug. 10 to amend the LPDP relating to (i) Article 6 (processing special category of personal data) and (ii) Article 9 (cross border data transfers) of the LPDP.
Article 6 of the LPDP — Processing special categories of personal data
Article 6 of the LPDP regulates the processing of special categories of personal data. The personal data related to the data subject's race; ethnicity; political opinion; philosophical belief; religion; sect or other belief; clothing; memberships to associations, foundations or trade-unions; health; sexual life; convictions and security measures; and biometric and genetic data all fall within the definition of a special category of personal data.
Special categories of personal data can be processed upon obtaining the data subject's explicit consent if and when the provisions of laws require the processing (applicable to special categories of personal data other than health and sexual life data). For health and sexual life data, the legal ground is even more restricted. Health and sexual life data can only be processed without explicit consent to protect public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health care services, and financing by authorized entities or persons under secrecy obligation.
Such restricted application of the LPDP for processing special categories of personal data, particularly for health data, has caused difficulties in practice for data controllers processing health data in line with legal obligations to prevent risks, etc.
What does the proposal introduce?
The proposal removes the difference between sexual and health data from the other special categories of personal data sets and introduces additional legal grounds for processing. So when the LPDP refers to special categories of personal data, health data and sexual life data will not be treated differently.
The proposal introduces a new set of legal grounds for the lawful processing of special categories of personal data.
Accordingly, processing special categories of personal data will be held lawful when processing (i) is made upon obtaining explicit consent of the data subject (ii) is required by laws, (iii) is related to personal data made public by the data subject itself, (iv) is necessary to protect the vital interests of the data subject or another natural person, (v) is carried out for the establishment, exercise or protection of a legal right, (vi) is necessary to carry out the obligations in the field of employment and social security or social services, and (vii) is made by a foundation, association, union or any other not-for-profit body relating to its members on condition that the processing relates solely to their activities and purposes, and that personal data is not disclosed to third parties.
The proposal does not cover all legal grounds that the GDPR has for processing special categories of personal data. We believe the legal grounds are still limited compared to the GDPR structure.
Article 9 of the LPDP — Cross-border data transfers
Article 9 of the LPDP regulates cross-border data transfers. Accordingly, personal data can be transferred abroad upon obtaining the data subject's explicit consent or in the presence of legal grounds (other than explicit consent) outlined under Article 5 of the LPDP to countries where there are adequate measures to protect personal data. Having said that, as the KVKK has not issued a safe country list yet, the application of the latter is not possible. Therefore, if there are legal grounds (other than explicit consent), the data controller must apply to the KVKK with an undertaking and obtain permission. Further, the KVKK has announced the application of binding corporate rules as an accepted method based on Article 9.
Obtaining explicit consent is the only viable method for the time being to legalize cross-border transfers. Data controllers can always apply to the KVKK with an undertaking to obtain a permit or approve BCRs; however, these procedures may take at least one year.
The current cross-border transfer regime is problematic and forces companies to settle their infrastructure in Turkey since the transfer is, in practice, solely based on the explicit consent of the data subject and restricts the ability to transfer data abroad. Industry players and academics have intensively criticized the current regime. Thus, amendments introduced with the proposal have been long waited and are a serious need for the data controllers in Turkey.
What does the proposal introduce?
Under the proposal, personal data will be transferred to countries, specific sectors or international institutions in such countries based on legal grounds outlined in Articles 5 and 6 (including onward transfers) upon issuance of an adequacy decision. The board will grant an adequacy decision based on the reciprocity rule and will take into account other aspects. “Reciprocity" is added explicitly to the law as one of the measures evaluated while evaluating the adequacy decision. The DPA representatives have already relied on the "Reciprocity" rule on various occasions to justify transfer restrictions to the EU countries.
In the absence of an adequacy decision held by the KVKK, personal data will be transferred based on the following:
- Notification to the KVKK with a standard undertaking.
- Submission of a written agreement to the KVKK, including protective measures that will be applicable, and obtaining a permit.
- Approval of BCRs.
- Agreement between public entities and bodies in Turkey with compatible ones in the transferred country.
The most significant changes to international data transfers will be the submission of the standardized undertaking to the DPA, which will no longer require any permit to be granted. This means that with the use of the standard undertaking mechanism, transfer of personal data abroad will be straightforward.
In the absence of an adequacy decision and relevant undertakings provided by the data controller, personal data can be transferred in exceptional/particular cases based on the following tools: (i) upon explicit consent of the data subject after informing them on the absence of precautions and possible risks, (ii) conclusion or performance of a contract that is executed for the benefit of this party data subject, (ii) vital interests of the data subject or another natural person, (iii) for the establishment, exercise or protection of a legal right, and (iv) for the execution of the duties of state bodies or professional institutions with public duties.
The proposal has been shared with the related public institutions and associations to collect their opinion but has not yet been submitted to the National Assembly. The acceptance of the proposal would be seen as a big step in getting closer to the GDPR, which was previously set as a target with the 11th Development Plan of the Turkish Presidency. When compared to the GDPR, the LPDP is still limited in many aspects; however, such development in parallel with the GPDR will be a relief for Turkey. The proposal is expected to come into force in 2022 and data controllers will need to take active actions to align with the LPDP.
First published by IAPP - Privacy Tracker , in 24.12.2021