On March 12, 2024, the Turkish Parliament enacted significant amendments (the "Amendments") to the Turkish Personal Data Protection Law ("PDPL"). We present below a summary of these Amendments, which will enter into force on June 1, 2024.

Enacted by the Turkish Parliament, these Amendments represent a pivotal step towards aligning Turkiye's data protection standards with global best practices. This article provides a comprehensive examination of the Amendments to the PDPL, highlighting the key revisions and their implications for data controllers, data processors and data subjects alike.

  1. Processing of Sensitive Personal Data:

Under the previous PDPL, processing sensitive personal data required explicit consent from the data subject, with limited exceptions permitted by law.

Sensitive personal data could be processed without the explicit consent of the data subject in cases where:

  • the processing of sensitive personal data (except for health and sexual life data) is permitted by applicable law

or

  • the data subject's health and sexual life data is processed with limited purposes and by persons who are under the obligation of confidentiality, or by authorized institutions and organizations.

Changes Introduced:

The Amendments expand the circumstances under which sensitive personal data may be processed, encompassing explicit consent, legal permissions, and instances essential for protecting individual rights or public interests.

With the Amendments, the conditions for processing sensitive personal data were amended to include the following cases:

  • where the data subject has given explicit consent for the processing of sensitive personal data;
  • processing of sensitive personal data, including health and sexual life data, is permitted by applicable law;
  • processing of sensitive personal data is necessary to protect the life or body integrity of persons who cannot express their consent due to physical impossibility or whose consent is not legally valid;
  • processing of sensitive personal data relates to data made public by the data subject and the processing is consistent with the data subject's intention to make the data public;
  • processing of sensitive personal data is necessary for the establishment, exercise or protection of a right;
  • processing of sensitive personal data by persons who are under the obligation of confidentiality, or by authorized institutions and organizations is necessary for the protection of public health, preventative medicine, medical diagnosis, the delivery of treatment and care, and the planning, management and finance of healthcare services;
  • processing of sensitive personal data is compulsory to fulfill legal obligations regarding employment, occupational health and safety, social security, social services or social aid; and
  • processing of sensitive personal data is undertaken by foundations, associations and other non-profit organizations or entities established for political, philosophical, religious or union purposes with respect to their current or former members, or persons who are in regular contact with these organizations and entities, where the processing complies with applicable law and their purposes, is limited to their fields of activity and is not disclosed to third parties.

  2. Obligations for Ongoing Transfer of Personal Data:

As per previous legislation, there were no explicit obligations for ongoing transfers of personal data abroad.

Changes Introduced:

Extended Compliance Obligations:

  • Data controllers and processors must ensure ongoing compliance with PDPL safeguards for transfers of personal data abroad.
  • Comprehensive familiarity with transferee country laws and continuous monitoring of data transfers are mandated.

  3. Transfer of Personal Data Abroad:

As per previous legislation, data transfers abroad primarily relied on explicit consent or specific conditions outlined in the PDPL, and only limited provisions existed for countries offering adequate data protection.

Changes Introduced:

  • Data Transfer to Countries Where There is Adequate Protection

    • Personal data can be transferred abroad if one of the conditions for data processing or sensitive personal data processing is met and there is an adequate protection decision by the Board regarding the relevant country, sectors within the country or international organizations.
    • The Board considers various factors, including reciprocity, when making adequacy decisions.
    • Despite the Amendments enabling the Board to assess adequacy for specific sectors within a country and international organizations, as well as for entire countries, it's noteworthy that since 2016, when the authority to designate countries with adequate protection was established, no country has yet received such a designation.

  • Taking Adequate Measures

If there is no adequacy decision, data transfers abroad are possible under certain conditions:

  • If agreements are signed between foreign public institutions or organizations and Turkish public institutions or professional organizations, approved by the Board.
  • For multinational companies with approved binding corporate rules.
  • Using a standard contract published by the Board, specifying purposes, data categories, technical measures, etc.
  • With written undertakings by data controllers in Turkiye and relevant foreign countries, approved by the Board.
  • Temporary Transfers Abroad

Non-repetitive transfer of personal data abroad is possible under specific circumstances:

  • Explicit consent of the data subject is obtained, provided they have been informed about the potential risks;
  • The transfer is necessary for the performance of a contract between the data subject and the data controller, or to perform the precautions requested by the data subject before the contract was executed;
  • The transfer is necessary for establishment or performance of a contract for the benefit of the data subject that is signed between the data controller and another natural or legal person;
  • The transfer is necessary for a superior public benefit;
  • The transfer is necessary for the establishment, exercise or protection of a right;
  • Processing data is necessary for the protection of the life or body integrity of persons who cannot express their consent due to physical impossibility or whose consent is not legally valid; or
  • The transfer is made from a registry open to the public or to persons with legitimate interests, provided that the necessary conditions set by the relevant legislation to access the registry are met and transfer is requested by a person with legitimate interest.

In this framework, data controllers and data subjects are initially required to conduct personal data transfers abroad in accordance with the established general rules. Should this prove unfeasible, temporary transfers, which are non-repetitive in nature, may be pursued following the same outlined regulations. Under this framework, transferring data to an overseas company for commercial purposes is permissible, provided such transfers occur infrequently, typically on a one-time or occasional basis, and are not permanent in nature. Hence, it's crucial to emphasize that the Amendments do not permit data controllers to utilize servers situated abroad on a permanent basis.

  4. Administrative Fines for Non-Compliance:

As per previous legislation, the PDPL lacked provisions for reporting standard contracts for data transfers abroad and primarily held data controllers liable for administrative fines.

Changes Introduced:

The Amendments introduce stringent reporting requirements for standard contracts used in international data transfers and extend liability to data processors. Non-compliance may result in substantial fines, underscoring the imperative of adherence to regulatory obligations.

The Amendments introduce stricter enforcement mechanisms, particularly concerning reporting obligations for data transfers abroad. Failure to report transfers as per the standard contract within the specified timeframe may lead to substantial fines ranging from TRY 50,000 to TRY 1,000,000. Notably, both data controllers and processors bear responsibility for compliance.

  5. Legal Remedies Against Administrative Fines:

As per previous legislation, challenges against administrative fines imposed by the Personal Data Protection Board were adjudicated in criminal courts of peace.

Changes Introduced:

Under the Amendments, legal recourse against administrative fines will shift to administrative courts, aiming to streamline dispute resolution processes and enhance judicial oversight.

  6. Entry Into Force and Transitional Provisions:

The Amendments will take effect on June 1, 2024, with transitional provisions ensuring the continuity of existing data transfers until September 1, 2024. This phased implementation facilitates a smooth transition to the revised regulatory framework, ensuring compliance while allowing stakeholders time to adapt to the new requirements.

The Amendments to Turkiye's PDPL signify a decisive stride towards bolstering data protection mechanisms, aligning regulatory practices with evolving global standards. By delineating clearer guidelines for sensitive data processing and international data transfers and imposing robust penalties for non-compliance, these Amendments underscore Turkiye's commitment to safeguarding individuals' privacy rights in the digital age. As stakeholders navigate the intricacies of the revised legal landscape, adherence to regulatory mandates and proactive compliance measures will be imperative to ensure sustained data protection and foster trust in the digital ecosystem.
