On 19 December 2024, the Turkish Personal Data Protection Authority ("DPA") has published the information note titled Application of Misdemeanors in Terms of Time within the Scope of the Amendment to the Personal Data Protection Law No. 6698 ("PDPL") dated 2 March 2024.
Background
The amendment specifies that previous provisions regarding international data transfers, which granted data controllers a new transition period (1 June 2024 to 1 September 2024), remained in effect until 1 September 2024. As this period concluded, questions arose regarding the timing of violation penalties.
Fundamentals of criminal law
Accordingly, the DPA has confirmed that criminal law shall govern interpretation of the Law on Misdemeanors and, further, that the law in force at the time of the offence (a basic principle of criminal jurisprudence) will apply also. However, continuous crimes shall see the law in force when the offence ceased apply (whether in the defendant's favor or not).
Exceptional cases may favor the defendant, including where acts considered criminal at the time of the offence are retrospectively decriminalized or favor the defendant. For continuous crimes, the date of commission is accepted as the date of the act's completion.
Implementation of the principles in the PDPL
Sensitive Data
Cross-border data transfer
Due to the amendments, provisions regarding data transfer abroad did not enter into force on 1 June 2024 and cross-border data transfers with the explicit consent of the data subject were allowed until 1 September 2024. The DPA has now confirmed that, as of 1 September 2024, explicit data subject consent did not by itself allow cross-border transfers without also including elements of the new provision:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.