Turkish Personal Data Protection Law is Becoming GDPR Compliant
The long-awaited amendment to Law No. 6698 on the Protection of Personal Data ["Law" or "PPDL"] was published in the Official Gazette dated March 12, 2024 after it was adopted and enacted by the General Assembly of the Grand National Assembly of Turkey within the scope of the 8th Judicial Package.
The current Law was initially prepared based on the Directive 95/46/EC of the European Parliament and of the Council of 1995 ["Directive"]. However, two years after the Law entered into force, the Directive was repealed, and the European Union General Data Protection Regulation (2016/679) ["GDPR"] was adopted, which came into effect on May 25, 2018. The amendments made to the Law are intended to harmonise it with the GDPR; they introduce important new regulations on the processing of personal data of special nature and the transfer of personal data abroad.
With the amendments, on the one hand, new grounds of lawfulness are foreseen for the processing of special categories of personal data, and on the other hand, the system based on explicit consent in the transfer of personal data abroad is replaced by easier and more applicable mechanisms, aiming to result in a more favorable environment within the scope of personal data protection legislation for foreign companies that want to invest in Turkey. The scope of the amendments is as follows:
Processing of Sensitive Personal Data (Article 6)
With the amendments, apart from explicit consent, new conditions and reasons for compliance with the law are introduced in addition to the reasons already existing within the scope of Article 5/2 of the Law regarding the processing of sensitive personal data. In addition, in the new order, the distinction on personal data related to health and sexual life is abolished and the conditions for processing such data are unified under a single category. In this respect, the processing of sensitive data will be possible in the following cases other than explicit consent:
- Cases where it is impossible to obtain actual consent, or where there is a situation that is important for the life or physical integrity of oneself or someone else.
- Cases where the processing relates to personal data made public by the data subject and is in accordance with the data subject's will to make it public.
- Cases where the processing is mandatory for the establishment, exercise or protection of a right.
- Cases where the processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning, management and financing of health services by persons under the obligation to keep secrets or authorized institutions and organizations.
- Cases where the processing is mandatory for the fulfilment of legal obligations regarding employment, occupational health and safety, social security, social services and social assistance.
- Cases where the processing is intended for current or former members of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, or for persons who are in regular contact with these organizations and formations, provided that it complies with the legislation to which they are subject and their purposes, is limited to their fields of activity and is not disclosed to third parties.
- Other reasons explicitly stipulated by law.
The provision excluding criminal records and health reports provided by individuals in their employment documents in the processing of sensitive personal data has been abandoned with this amendment. In addition, the data processing to be carried out in order for the data subject to have a right or to benefit from an existing right has also been included within the scope of the exceptions to the explicit consent requirement. When these two clear amendments are evaluated together with the other amendments in the article, it can be said that the practical necessities regarding the processing of sensitive personal data have been taken into consideration and therefore the processing of such data has been expanded in the article, albeit in limited circumstances.
Transfer of Personal Data Abroad (Article 9)
The method of transferring personal data abroad is also significantly changed within the framework of the amendment made within the context of the 8th Judicial Package. By introducing a new system based on adequacy decisions, appropriate assurances and exceptions stipulated in the law for incidental cases, instead of the previous system based on the safe country list, commitment letter and explicit consent, it is aimed to eliminate the uncertainties around the transfer of personal data abroad and to facilitate the transfer.
One of the main mechanisms established for the transfer of personal data abroad is the adequacy decision. The Personal Data Protection Board ["Board"] will issue adequacy decisions on countries, international organizations or sectors within a country, and these decisions will be re-evaluated at least every four years. Thus, in case of an adequacy decision, data can be transferred abroad by data controllers and data processors.
In the absence of an adequacy decision, personal data may still be transferred abroad if certain safeguards are provided, the data subject has the opportunity to apply for legal remedies in the country of transfer, and one of the data processing conditions exists. These safeguards consist of various methods, such as agreements between foreign and international public institutions and Turkish public institutions that don’t qualify as an international agreement, together with the Board's approval; a commitment that adequate protection will be provided; binding company rules to be approved by the Board; or standard contracts approved by the Board.
Apart from these possibilities, the transfer of personal data without an adequacy decision or appropriate safeguards specified in the law has also been made possible in certain cases, provided that it is a temporary situation. The new Law recognises the following limited number of cases as valid reasons for temporary data transfer abroad:
- If the data subject gives explicit consent to the transfer, provided that they are informed about the possible risks.
- If the transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.
- If the transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
- If the transfer is mandatory for a superior public interest.
- If the transfer of personal data is mandatory for the establishment, exercise or protection of a right.
- If the transfer of personal data is mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid.
- In the case of a transfer from a registry that is open to the public or to persons with legitimate interests, provided that the conditions required for accessing the registry in the relevant legislation are met and the request is made by a person with a legitimate interest.
Compliance and Timely Notification (Article 18)
The amendment stipulates fines ranging from 50,000 Turkish liras to 1,000,000 Turkish liras for data controllers and data processors who fail to notify the Board within five days of adopting standard contractual clauses for the international transfer of personal data.
On the other hand, following the publication of the amendment in the Official Gazette, the regulation on filing lawsuits against administrative fines imposed by the Board in criminal courts of peace will be abolished, with administrative courts handling such lawsuits in the future.
Transition Period and Enforcement
The current data transfer conditions regarding the international transfer of personal data will remain in force until September 1, 2024. In addition, the applications against the administrative fines imposed by the Board, which are currently pending before the criminal courts of peace, will continue to be heard by these courts until June 1, 2024. All other amendments will enter into force on June 1, 2024.
Conclusion
With the amendments to be made to the Law, a new era will be opened in the field of personal data protection in Turkey. While this new era may alleviate the burden on data controllers, particularly concerning the transfer of personal data abroad, it will also necessitate a new period of compliance and harmonization for both data controllers and processors.
The implementation of the amendments and the coordination with the GDPR in the period following the harmonisation process will both enhance the enforceability of the Law by improving the mobility of the Personal Data Protection Authority and ensure legal predictability for multinational companies.