Law No. 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws (“Law Amendment”), which includes significant changes to the Personal Data Protection Law (“PDPL and the Law”), was published in the Official Gazette on March 12, 2024.
With Law Amendment, Article 6 titled Processing of Special Categories of Personal Data, Article 9 titled Transfer of Personal Data Abroad and Article 18 titled Misdemeanors of the PDPL have all been amended.
With the amendments made to the Law, the compatibility between the European Data Protection Regulation (“GDPR“) and PDPL has been increased, and amendments have been made on issues such as the transfer of personal data abroad, which are important for data controllers conducting their operations in the international arena.
In addition, amendments were made to the conditions for the processing of special categories of personal data and the objection authority regarding administrative fines imposed by the Personal Data Protection Board (“Board“).
1. Amendments in relation to Conditions for Processing Special Categories of Personal Data
The provision prohibiting the processing of special categories of personal data has been retained, whilst the provision on the processing of special categories of personal data only with the explicit consent of the individuals has been abolished.
The classification of special categories of personal data as data relating to health and sexual life and other special categories of personal data has been abolished. Accordingly, the lawful grounds determined for the processing of special categories of personal data will apply to all special categories of personal data without any classification.
Prior to Law Amendment, data controllers could process the special categories of data listed in Article 6 of the Law, except for data concerning health and sexual life, on the condition that they were stipulated in the Law or the explicit consent of the data subjects.
Data concerning health and sexual life, on the other hand, could not be processed even if stipulated in the laws, and could only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality, without seeking the explicit consent of the data subject.
With Law Amendment the legal grounds allowing the processing of special categories of personal data have been expanded to eight clauses as explained below, including explicit consent, and listed in a limited manner.
Under Law Amendment provisions of Article 5 of the Law, which are the general conditions for personal data processing, such as publicization by the person concerned and being mandatory for the establishment, exercise or protection of a right, have also been introduced as a reason for compliance with the law for special categories of personal data processing.
In addition, new processing grounds have been created with the provision that it is mandatory for the fulfilment of legal obligations in the field of employment, occupational health and safety, social security or social services and social assistance, and the provision that foundations, associations or other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties; are intended for their current and former members and members or persons who are in regular contact with these organizations and formations.
In particular, due to the uncertainty experienced in terms of personal data processed in employment processes in business life, with the regulation made in parallel with the “Employment” regulation in Article 9(2) (b) of the GDPR, the processing of special categories personal data in labour processes has been included in the Law with the Amendment.
2. Amendments to the Provision of Transfer of Personal Data Abroad
Prior to Law Amendment, under the Article 9 of the PDPL,the existence of one of the following legal conditions was required to transfer personal data abroad:
(i) Explicit consent of the data subject,
(ii) The existence of one of the relevant processing conditions set out in the Law for personal data and special categories of personal data in the transfer of personal data to countries where adequate safeguards exist,
(iii) the existense of an undertaking to be signed by the data controllers in Turkey and the relevant country to provide safeguards and the Authorisation of the Board for the transfer of personal data to countries where there are no adequate safeguards.
The regulatory approach that envisages obtaining explicit consent as a general rule for personal data transfers abroad has been set aside.
Mechanisms to ensure lawful transfer: such as (i) an adequacy decision, (ii) appropriate safeguards, (iii) incidental circumstances, have been determined for data controllers and data processors.
As per the Article 5 titled Conditions for Processing Personal Data and the Article 6 titled Conditions for Procession Special Categories of Personal Data of the PDPL, the presence of one of the conditions for the processing of personal data and the presence of an Adequacy Decision on the country, international institution, or sectors within the country to which the transfer will be made are regulated.
The reciprocity status regarding the transfer of personal data between the country, sectors within the country or international institutions and Turkey has been determined as one of the regulations that the Board will take into consideration when making an adequacy decision.
In case there is no adequacy decision, it is regulated that personal data may be transferred abroad if one of the appropriate safeguards is provided by the parties, provided that one of the requirements set forth in Articles 5 and 6 exists, the data subject has the opportunity to exercise his/her rights and to exercise effective legal remedies in the country where the transfer will be made.
In the absence of an adequacy decision and any appropriate safeguards personal data may be transferred abroad in the existence of one of the exceptional circumstances in the relevant article (Derogations for specific situations) provided that it is incidental (temporary).
With Law Amendment, the provisions regarding transfers abroad have been expanded. According to Amendment, personal data may be transferred abroad by data controllers and data processors in the presence of one of the conditions specified in Articles 5 and 6 of the PDPL and the existence of an Adequacy Decision about the country, international organization or sectors within the country to which the transfer will be made.
The qualification decision will be rendered by the Board upon determining the following primarily;
a) The reciprocity status regarding the transfer of personal data between Turkey and the country, sectors within the country or international organizations to which personal data will be transferred,
b) The relevant legislation and practice of the country to which the personal data will be transferred and the rules governing the international organization to which the personal data will be transferred to,
c) The existence of an independent and effective data protection authority in the country or international organization to which the personal data will be transferred and the existence of administrative and judicial remedies,
d) The status of the country or international organization to which personal data will be transferred as a party to international conventions on the protection of personal data or as a member of international organizations,
e) The membership status of the country or international organization to which personal data will be transferred to global or regional organizations of which Turkey is a member,
f) The criteria of international conventions to which Turkey is a party to.
It has been added to the legislation that transferring personal data to a country in the absence of an adequacy decision, will be possible in the existence of one of the conditions for processing personal data and special categories of personal data and the data subjects have the opportunity to exercise their rights and to apply for effective legal remedies in the country of transfer and in the presence of one of the Appropriate Safeguards listed in Amendment.
With Law Amendment Binding Corporate Rules approved by the Board and containing provisions on the protection of personal data, which are required to be followed by companies within the group of undertakings engaged in joint economic activities, is included to PDPL as one of the Appropriate Safeguards.
Another Appropriate Safeguards is stipulated as the existence of a standard contract announced by the Board, which includes data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data.
The third method to ensure the Appropriate Safeguard is the existence of a written undertaking containing provisions to ensure adequate protection and authorization of the transfer by the Board.
Fourth, a method is envisaged for the data controllers that are public institutions. The existence of an agreement that is not in the nature of an international convention between public institutions and organizations abroad or international organizations and public institutions and organizations in Turkey or professional organizations in the nature of a public institution and the Board’s authorization of the transfer is also considered as an Appropriate Safeguard.
With Law Amendment data controllers and data processors may transfer personal data abroad in the absence of an adequacy decision or any of the Adequacy Safeguards, only in the presence of one of the following cases, provided that the data transfer abroad is incidental,:
a) The data subject’s explicit consent to the transfer, provided that data subject has been informed about the possible risks,
b) The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject,
c) The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject,
d) The transfer is necessary for an overriding public interest,
e) The transfer of personal data is mandatory for the establishment, exercise or protection of a right,
f) The transfer of personal data is mandatory for the protection of the life or physical integrity of the person who is unable to disclose data subject’s consent due to actual impossibility or whose consent is not legally valid,
g) Transfer from a registry open to the public or persons with a legitimate interest, provided that the conditions for access to the registry are met in the relevant legislation and the person with a legitimate interest requests it.
With Law Amendment it is determined that the procedures and principles regarding the transfer abroad will be regulated separately by secondary legislation.
3. Provisions regarding the Administrative Judicial Remedy
Amendment regulates that administrative fines imposed by the Board shall be filed with administrative courts instead of appealing and applying to criminal judgeships of peace. The relevant regulation will enter into force as of 1/6/2024.
Accordingly, as of 1/6/2024, the applications before the criminal judgeships of peace shall continue to be heard by these judgeships.
4. Provisions Regarding the Effective Date, Notification Obligation and Administrative Fine
(i) As of June 1, 2024, which is the date of entry into force of the amendment to the Law, it is allowed to transfer data abroad in accordance with the law as it was before the amendment for another three months – until the date of 01.09.2024.
(ii) The obligation to notify the Authority within 5 business days by the data processor or data controller in case of signing standard contracts, in other words, standard contractual clauses, listed under appropriate safeguards for data transfer abroad has been introduced.
(iii) Imposition of an administrative fine between TRY 50,000 and TRY 1.000.000 in case of failure to fulfil the obligation to notify the standard contracts is stipulated.
The amendments to the Law will enter into force on June 1, 2024. The full text of Law No. 7499 on Amendments to the Code of Criminal Procedure and Certain Laws is available at the link below:
https://www.resmigazete.gov.tr/eskiler/2024/03/20240312-1.htm