The Eighth Judicial Package, officially published in the Official Gazette on 12.03.2024 under the name Law on Amendments to the Code of Criminal Procedure and Some Other Laws, brings significant changes in areas such as criminal law, enforcement and bankruptcy law, personal data protection law, and legal timeframes. In this article, we examine the changes concerning privacy law.

A. Changes Made in the Conditions for Processing Sensitive Personal Data

The conditions for processing sensitive personal data have been relaxed with the new judicial package. Previously, processing sensitive personal data was prohibited unless there was explicit consent. With the changes, although processing sensitive personal data is reiterated to be prohibited, additional criteria have been introduced to facilitate the processing of such data beyond explicit consent.

According to the amendment, the processing of this data is permitted under the following conditions:

  • Explicit consent of the data subject,
  • Explicit provision in the laws,
  • Necessity for the protection of the life of the data subject or another person who is unable to give consent due to physical impossibility or whose consent is not legally valid,
  • Being relevant to personal data made public by the data subject and being in line with the intention of publicity,
  • Being necessary for the establishment, exercise, or protection of a right,
  • Being necessary for the fulfillment of legal obligations in employment, occupational health and safety, social security, social services, and social assistance fields,
  • Being permitted for foundations, associations, and other non-profit organizations established for political, philosophical, religious, or trade union purposes, provided that the processing complies with the relevant legislation and their objectives, is limited to their activities, and the data is not disclosed to third parties, and provided that it is directed at existing or former members or affiliates, or individuals who are in regular contact with such organizations.

B. Changes Made in the Conditions for Transferring Personal Data Abroad

Changes have been made in the transfer of personal data abroad. With the amendment, it is required that one of the processing conditions for general and sensitive personal data be met for the transfer abroad.

For the processing of general categories of personal data without the explicit consent of the data subject, one of the following conditions must be met:

  • Explicit provision in the laws.
  • Necessity for the protection of the life of the data subject or another person who is unable to give consent due to physical impossibility or whose consent is not legally valid.
  • Directly related to the establishment or performance of a contract, provided that it is between the parties to the contract.
  • Necessity for the data controller to fulfill its legal obligation.
  • Made public by the data subject.
  • Necessity for the establishment, exercise, or protection of a right, provided that it does not harm the fundamental rights and freedoms of the data subject.
  • Necessity for the legitimate interests pursued by the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

The conditions for processing sensitive personal data have changed and differ from these; they are listed in Section A above.

Obtaining Adequacy Decision

In addition to the processing conditions, an adequacy decision is required for the country or international organization to which the data will be transferred. The adequacy decision is issued by the Personal Data Protection Board. If necessary, the Board may consult relevant institutions and organizations. The adequacy decision is evaluated at least every four years. After evaluation, or in other cases it deems necessary, the Board may amend, suspend, or revoke the adequacy decision with effect for the future.

When making the adequacy decision, the following points will be considered primarily:

  • The reciprocity status regarding personal data transfer between the country to which personal data will be transferred, sectors within that country, or international organizations and Turkey.
  • The legislation and practice of the country to which personal data will be transferred and the rules to which the international organization to which personal data will be transferred is subject.
  • The presence of an independent and effective data protection authority in the country to which personal data will be transferred or the international organization to which personal data will be transferred and the existence of administrative and judicial remedies.
  • Membership status of the country to which personal data will be transferred or the international organization to which personal data will be transferred in international agreements related to the protection of personal data.
  • Membership status of the country to which personal data will be transferred or the international organization to which personal data will be transferred in global or regional organizations to which Turkey is a member.
  • International agreements to which Turkey is a party.

These points were generally present before the amendment to the law. However, with the amendment, the expressions in the law have been changed, and the subject has been further detailed.

Data Transfer in the Absence of Adequacy Conditions

In cases where there are processing conditions for personal data but no adequacy decision, it has been regulated that personal data can be transferred abroad subject to compliance with certain conditions. Accordingly, it will be necessary to ensure that the data subject has the opportunity to exercise their rights and access effective legal remedies in the country where the transfer is made, and certain guarantees must be provided.

These guarantees include:

  • The existence of a non-international agreement of a contractual nature between public institutions and organizations abroad or international organizations and public institutions or professional organizations with public institution status in Turkey regarding notification obligations under the contract and permission granted by the Board.
  • The existence of binding corporate rules approved by the Board containing provisions on the protection of personal data that companies within an enterprise group must comply with.
  • The existence of a standard contract containing provisions such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for sensitive personal data announced by the Board.
  • The existence of a written commitment containing provisions ensuring adequate protection and permission granted by the Board for the transfer.

The data controller or data processor shall notify the Authority of the standard contract described above (the one containing provisions such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for sensitive personal data, as announced by the Board) within five business days from its signing.

Temporary Data Transfer in the Absence of Guarantees

The new judicial package also provides that data can be temporarily transferred in cases where there is neither an adequacy decision nor any of the guarantees listed above. These cases include:

  • The data subject giving explicit consent, provided that they are informed about possible risks.
  • The transfer being necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.
  • The transfer being necessary for the conclusion or performance of a contract between the data subject and another natural or legal person.
  • The transfer being necessary for an overriding public interest.
  • The transfer being necessary for the establishment, exercise, or protection of a right.
  • The transfer being necessary for the protection of the life of the data subject or another person who is unable to give consent due to physical impossibility or whose consent is not legally valid.
  • The transfer being made from a register open to the public, provided that the conditions required to access the register in the relevant legislation are met and the person with a legitimate interest requests it.

The same conditions will apply to subsequent transfers of personal data transferred abroad by data controllers and data processors.

It is important to note that, except for international treaty provisions, personal data may only be transferred abroad with the permission of the Board, taking into account the opinion of the relevant public institution or organization, in cases where serious harm may be caused to the interests of Turkey or the data subject.

D. Administrative Fines

Changes have been made to administrative fines and administrative authority regarding the transfer of personal data abroad. Accordingly, administrative fines ranging from 50,000 Turkish liras to 1,000,000 Turkish liras will be imposed on those who fail to fulfill their obligation to notify the contract. Those liable for these fines are natural and legal persons who are data controllers or data processors.

With the 8th Judicial Package, it has been regulated that administrative fines imposed by the Personal Data Protection Board can be appealed in administrative courts. Previously, such cases were heard in criminal courts of peace, but after June 1, 2024, they will be filed in administrative courts.

E. Effectiveness

The changes made in the field of the Personal Data Protection Law will come into effect on June 1, 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.