The Law No. 7499 on Amending the Code of Criminal Procedure and Certain Laws (“the, which includes the long-awaited amendments to the Turkish Personal Data Protection Law (the “Law”) and is also referred to as the 8th Judicial Reform Package, was published in the Official Gazette dated 12 March 2024 and numbered 32487.
Significant changes regarding the processing of sensitive personal data, cross-border transfer of personal data, administrative sanctions and legal remedies against administrative fines will come into effect on 1 June 2024.
In brief, the major amendments are as follows for consideration of data controllers and data processors:
- Processing of Sensitive Personal Data: The legal regime applicable to processing of sensitive personal data (including health data and data relating to sexual life) has been amended. Accordingly, with the addition of new legal grounds to the current regulations, the processing of such data without explicit consent has also become possible. For instance, in case processing is required for establishment, use and protection of a right or for compliance with legal obligations relating to employment, occupational health and safety, social security, social services and social benefits, sensitive personal data may be processed without explicit consent. Again, when sensitive personal data is publicized by data subject, data controllers will be able to process such data for the purposes why the relevant data is publicized.
- Cross-Border Transfer and New Administrative Sanction: Major amendments have been made regarding the cross-border transfer of personal data, where alternative transfer methods have been established without the need for obtaining explicit consent, apart from transfer based on adequacy decisions. The Binding Corporate Rules, which the Personal Data Protection Board ("Board") has recognized as an alternative mechanism based on its authority, have gained legal basis. The most significant change regarding the cross-border transfer of personal data is the adoption of a mechanism similar to “Standard Contractual Clauses” in practice as per the European Union’s General Data Protection Regulation (“GDPR”). In case that the parties to cross-border data transfer accepts contractual terms to be determined and announced by the Board, personal data may be transferred to the relevant data recipient outside Türkiye. However, as a difference from GDPR practice, the relevant contracts will be required to be notified to the Personal Data Protection Authority within 5 business days. Otherwise, data controllers and data processors may be subject to an administrative fine amounting from TRY 50,000.- to TRY 1,000,000.-.
- Exceptional Cross-border Data Transfers: In addition, the cross-border transfer may also be possible without consent for some exceptional cases where it is “required for establishment, use and protection of a right” or “required for performance of a contract or preliminary actions taken upon data subject’s request before execution of a contract”.
- Legal Remedies: Upon the amendments become effective, data controllers and data processors will apply to the administrative courts against administrative fines to be imposed by the Personal Data Protection Board.
It is strictly recommended that data controllers and data processors evaluate the amendments in details and initiate their studies as soon as possible to update their procedures and processes in order to be ready on 1 June 2024.