6 February 2025

Turkish Data Protection Law 2024

Moroglu Arseven

Contributor

“Moroglu Arseven is a full-service law firm, with broadly demonstrated expertise and experience in all aspects of business law. Established in 2000, the firm combines a new generation of experienced international business lawyers, who hold academic, judicial and practical experience in all aspects of private law.”

A. DEVELOPMENTS IN LEGISLATION AND PRACTICE

I. Overview of the Legislation on the Protection of Personal Data

Although personal data is protected by several legislative sources, including primarily the Constitution of the Republic of Türkiye, the main inclusive regulation in compliance with the international modern approach to personal data protection was adopted in Türkiye through the Personal Data Protection Law No. 6698 ("DP Law"). With the DP Law's coming into force, several pieces of legislation regarding personal data protection and its interpretation and practice have been clarified, primarily including the provisions of the Turkish Criminal Code No. 5237 ("TCC").

Under the DP Law, the Personal Data Protection Authority ("Authority") was established as a financially and administratively autonomous public legal entity with regulatory and supervisory authority. The Authority conducts its operations through a structure comprising the decision-making body, the Personal Data Protection Board ("Board"), and the Presidency.

Secondary legislative processes have been executed subsequent to the DP Law coming into force, including the Regulation on the Data Controllers Registry; Regulation on the Deletion, Destruction or Anonymization of Personal Data; Communiqué on Application Procedures and Principles for Data Controllers; Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform; and Communiqué on Procedures and Principles Regarding Personnel Certification Mechanisms. Since then, the Authority has been leading practice in the field of personal data protection through its public announcements and decisions of the Board on its supervisory activities.

II. Legislation and Regulations on Data Protection and Privacy

In 2024, significant amendments were made to the DP Law to align it with the European Union General Data Protection Regulation ("GDPR"); these changes had been anticipated for a long time.

1. Amendments to the DP Law and the Regulation on the Principles and Procedures for the Transfer of Personal Data Abroad

With the Law on Amendments to the Code of Criminal Procedure and Certain Laws No. 7499, published in the Official Gazette No. 32487 dated 12 March 2024 ("Law Amendment"), changes were made to Articles 6, 9, and 18 of the DP Law.

The amendments include provisions regarding the processing of special categories of personal data, the transfer of personal data abroad, administrative fines, and appeal processes. These changes came into effect on 1 June 2024. An additional transition period was introduced through Provisional Article 3 concerning cross-border data transfers, stipulating that the previous version of Article 9/1 of the DP Law (data transfers based on explicit consent) would continue to apply alongside the amended version until 1 September 2024.

Detailed explanations regarding the Law Amendment are provided below.

1.1. Amendments to the DP Law and the Regulation on the Principles and Procedures for the Transfer of Personal Data Abroad

The Law Amendment removes the prior distinction concerning data related to health and sexual life, as stipulated under Article 6/3 of the DP Law. While the prohibition on processing special categories of personal data remains intact, the conditions for processing have been expanded. The requirement to adopt adequate safeguards determined by the Board for processing special categories of personal data also remains in place.

Following the Law Amendment, the conditions for processing special categories of personal data are as follows:

  • The explicit consent of the data subject.
  • An explicit stipulation in law.
  • Situations where it is necessary to protect the life or physical integrity of the person or another individual who is incapable of giving consent due to actual impossibility or whose consent is not legally valid.
  • The personal data being made public by the data subject and processed in accordance with the intention of such disclosure.
  • Necessity for the establishment, exercise, or protection of a legal right.
  • Necessity for purposes of public health protection, preventive medicine, medical diagnosis, treatment, and care services, as well as the planning, management, and financing of health services, carried out by persons under an obligation of confidentiality or authorized institutions and organizations.
  • Necessity to fulfill legal obligations in the areas of employment, occupational health and safety, social security, social services, and social assistance.
  • Data being processed by foundations, associations, or other non-profit organizations or entities established for political, philosophical, religious, or trade union purposes, provided that the processing complies with the applicable legislation and the organization's purpose, is limited to its field of activity, and the data is not disclosed to third parties. This applies to data concerning current or former members and affiliates or individuals who are in regular contact with such organizations or entities.

1.2. Amendments Regarding the Transfer of Personal Data Abroad

Long-awaited regulations concerning the transfer of personal data abroad were implemented with the Law Amendment, and the mandatory requirement for explicit consent in practice was abolished. Throughout 2024, the procedures and principles for applying the new transfer conditions were shaped through secondary legislation, guidelines issued by the Board, and public announcements. In this regard, the amendments made to Article 9 of the DP Law were assessed alongside the following developments:

  • The regulations introduced by the Regulation on the Principles and Procedures for the Transfer of Personal Data Abroad ("Regulation"), published in the Official Gazette No. 32598 dated 10 July 2024, which came into force on the date of its publication.
  • The Standard Contractual Clauses1 ("SCCs") and Binding Corporate Rules2 ("BCRs") Application Form published on the official website of the Authority on 10 July 2024.
  • The Public Announcement Regarding the Standard Contractual Clauses Notification Module, published on 25 October 2024 on the Authority's official website, regarding the decision of the Board dated 17 October 2024 No. 2024/1793, enabling data controllers and processors to fulfill their notification obligations more efficiently and promptly via the "Standard Contractual Clauses Notification Module"3.
  • The "Announcement on the English Translations of the Regulation on the Principles and Procedures for the Transfer of Personal Data Abroad and the Standard Contractual Clauses", published on the Authority's official website on 29 August 2024.
  • The "Guidelines on the Transfer of Personal Data Abroad"4 ("Cross-Border Data Transfer Guidelines"), published on the Authority's official website on 2 January 2025.

In parallel with the new regulations introduced by the Law Amendment, the procedures and principles to be applied in cross-border data transfers have been defined by the Regulation, while detailed explanations of the processes are provided in the Cross-Border Data Transfer Guidelines. Similarly, the final versions of the SCCs and BCRs, which were expected to be shared with the public by the Board, came into effect as of 10 July 2024.

With the Regulation, a "cross-border data transfer" was defined for the first time, as "the transfer of personal data by a data controller or data processor subject to the DP Law to a data controller or data processor abroad or otherwise making such data accessible abroad." The Cross-Border Data Transfer Guidelines specify that the activity of transferring personal data abroad occurs when the following three conditions are all met:

  • The data exporter, whether a data controller or data processor, is subject to the DP Law for the personal data processing activity. The Cross-Border Data Transfer Guidelines provide detailed explanations under this heading, particularly regarding the territorial scope of the DP Law. They emphasize that the scope of the DP Law is interpreted based on the "effect principle" rather than the "territoriality principle."
  • The personal data processed by the data exporter is transferred or otherwise made accessible. In this regard, the Cross-Border Data Transfer Guidelines include numerous practical examples of data transfer activities.
  • The data recipient, whether a data controller or data processor, is geographically located in a third country, regardless of whether they are subject to the DP Law.

Before the Law Amendment, the transfer of personal data abroad was possible under the following conditions: (i) obtaining the explicit consent of the data subject; (ii) the presence of an adequacy decision issued by the Board regarding the foreign country to which data would be transferred; (iii) in the absence of adequate protection, the execution of a commitment between the parties and its approval by the Board; or (iv) the presence of BCRs approved by the Board. With the Law Amendment, alternative methods for cross-border data transfers have been introduced, establishing a three-step process for such transfers:

  1. The presence of an adequacy decision regarding the country, specific sectors within that country, or international organizations to which the transfer will be made.
  2. In the absence of an adequacy decision, ensuring that the data subject has the ability to exercise their rights and access effective legal remedies in the country to which the transfer will be made, provided that one of the appropriate safeguards specified under Article 9 of the DP Law is fulfilled by the parties.
  3. If no adequacy decision is in place and none of the appropriate safeguards can be ensured, the transfer may still proceed on an exceptional basis, provided that it is incidental in nature and one of the conditions outlined under Article 9 of the DP Law is met.

The details of the cross-border data transfers to be carried out under these conditions are explained below.

a. Cross-Border Data Transfer Under an Adequacy Decision: Pursuant to Article 9/1 of the DP Law, personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 of the DP Law5 is met, and there is an adequacy decision in place regarding the country, specific sectors within the country, or international organizations to which the transfer will be made. The amendment allows adequacy decisions to be issued not only for countries as a whole but also for specific sectors or international organizations.

Adequacy decisions are issued by the Board and published in the Official Gazette. The Board may consult relevant institutions and organizations if needed. Adequacy decisions are reviewed by the Board every four years or as required. Based on its assessment or other necessary circumstances, the Board may amend, suspend, or revoke adequacy decisions with prospective effect.

When issuing adequacy decisions, the following factors are primarily considered:

  • The reciprocity status regarding personal data transfers between Türkiye and the country, sectors within the country, or international organizations to which personal data will be transferred.
  • The legislation and practices of the country to which personal data will be transferred, as well as the rules applicable to the international organization receiving the data.
  • The presence of an independent and effective data protection authority in the country or within the international organization receiving the data, along with the availability of administrative and judicial remedies.
  • Whether the country or international organization receiving the data is a party to international agreements or a member of international organizations related to the protection of personal data.
  • The membership status of the country or international organization receiving the data in global or regional organizations to which Türkiye is a member.

As of yet, the Board has not issued any adequacy decision.

b. Cross-Border Data Transfer Based on Appropriate Safeguards: In the absence of an adequacy decision, data controllers and data processors may transfer personal data abroad if the following conditions are all met: (i) the existence of the conditions specified in Articles 5 and 6 of the DP Law; (ii) the data subject has the ability to exercise their rights and access effective legal remedies in the country to which the transfer will be made; and (iii) one of the appropriate safeguards listed below is provided by the parties.

Before relying on the appropriate safeguards, the existence of the other two conditions must always be assessed. This approach aligns with the transfer impact assessment ("TIA") concept applied within the European Union ("EU").

  1. Providing Appropriate Safeguards Through Non-Treaty Agreements: Appropriate safeguards can be ensured for personal data transfers between public institutions and organizations in Türkiye, public professional organizations with public institution status, and public institutions or organizations or international organizations in foreign countries through provisions on personal data protection included in non-treaty agreements. Such agreements must contain the minimum provisions6 on personal data protection specified under the Regulation and must be submitted to the Board for its opinion during the negotiation stage. As stated in the Cross-Border Data Transfer Guidelines, this safeguard applies to international data transfers conducted between public institutions for the purposes of cooperation. It does not cover the transfer of personal data from a public institution to a private entity or vice versa. Within the scope of the Guidelines, non-treaty agreements can take the form of cooperation protocols, memorandums of understanding, or administrative agreements. The Guidelines highlight the administrative agreement concluded between the Turkish Medicines and Medical Devices Agency and the European Commission as a concrete example of such an arrangement.
  2. Providing Appropriate Safeguards Through BCRs: The Law Amendment establishes BCRs as a legal safeguard within the legislative framework. Accordingly, appropriate safeguards can be ensured through BCRs that set out obligations regarding the protection of personal data for companies within a group engaged in joint economic activities. To transfer personal data abroad based on BCRs, an application for approval must be submitted to the Board. The approval process must be completed before the commencement of the data transfer, and transfers can only be carried out based on the approval granted by the Authority.

Article 13 of the Regulation specifies the minimum requirements that must be included in BCRs, while the Cross-Border Data Transfer Guidelines provide detailed explanations regarding these minimum elements. In this regard, a BCR document must, at a minimum, include the following:

  • The organizational structure and contact details of each member of the group engaged in joint economic activities.
  • Details regarding the transfers to be conducted under the BCRs, including personal data categories, processing activities and purposes, data subject group(s), and the country or countries to which the data will be transferred.
  • A commitment that the BCRs are legally binding both within the internal relationships of the group engaged in joint economic activities and in their other legal relationships.
  • Data protection measures, including compliance with general principles, conditions for processing personal data, conditions for processing special categories of personal data, technical and administrative measures to ensure data security, adequate safeguards for processing special categories of personal data, and restrictions on further transfers of personal data.
  • A commitment to enable data subjects to exercise their rights under Article 11 of the DP Law, as well as the right to lodge a complaint with the Board in accordance with the procedures and principles set out in Article 14 of the DP Law, along with the procedures and principles for exercising these rights.
  • A commitment that, in the event of a breach of the BCRs by any group member not located in Türkiye, a data controller and/or data processor established in Türkiye will assume responsibility for the breach.
  • Explanations on how data subjects will be informed about matters related to the BCRs, in addition to the information provided under Article 10 of the DP Law as part of the obligation to inform.
  • Explanations regarding training to be provided to employees on the protection of personal data.
  • The responsibilities of individuals or units tasked with monitoring the group's compliance with the BCRs, including activities related to responding to data subject requests.
  • Mechanisms to monitor and verify compliance with the BCRs within the group, including data protection audits and methods to ensure corrective actions to protect the rights of the data subjects. The results of such audits must be reported to the individuals or units responsible for monitoring compliance with the BCRs, the management board of the controlling company within the group, and, on request, the Board.
  • Mechanisms for reporting and recording changes to the BCRs and notifying the Board of such changes.
  • An obligation for the group members to cooperate with the Authority to ensure compliance with the BCRs.
  • A commitment that there are no national regulations in the countries where the transfer will occur that contradict the safeguards provided by the BCRs, and a mechanism to notify the Board of any legislative changes likely to negatively impact these safeguards.
  • A commitment to provide appropriate data protection training to personnel who have regular or continuous access to personal data.

The factors considered by the Board when evaluating applications for BCRs are as follows:

  • The BCRs must be binding and enforceable for all members of the group.
  • There must be commitments to protect the rights of data subjects.
  • The BCRs must include the minimum elements specified in Article 13 of the Regulation.

As of 10 July 2024, two separate application forms have been published on the official website of the Authority: the BCR Application Form for Processors7 and the BCR Application Form for Controllers8. In addition to the BCR application forms, the following supporting guides were also made available: Key Considerations for Binding Corporate Rules for Controllers – Supporting Guide9 and Key Considerations for Binding Corporate Rules for Processors – Supporting Guide10.

For BCR applications, in addition to completing the BCR Application Form, it is also necessary to complete the Supporting Guides. The Cross-Border Data Transfer Guidelines aim to establish a standard form for applications submitted to the Board concerning BCRs, clarify the content of the minimum elements that must be included in BCR applications, ensure compliance with regulatory requirements through the Supporting Guides, and specify the documents that must be submitted to the Board.

Prior to the Law Amendment, the BCR method was only available to data controllers. However, it can now also be used by data processors. The details regarding the points to be considered in BCR applications are regulated by the Regulation and the Cross-Border Data Transfer Guidelines. BCR applications have been accepted since 2020. However, the Cross-Border Data Transfer Guidelines indicate that three applications were submitted to the Authority up until 1 June 2024 but were rejected due to procedural and substantive deficiencies.

Footnotes

1 The English versions of the SCCs were published on the Authority's official website on 29 August 2024. You can refer to the Authority's announcements on this matter in Section VII.1.3.

2 The English versions of the BCRs have not yet been published by the Authority.

3 Only the Turkish version is available.

4 Only the Turkish version is available.

5 "Conditions for processing personal data" in Article 5 of the DP Law:
(1) Personal data shall not be processed without explicit consent of the data subject.
(2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:
a) It is expressly provided for by the laws.
b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
ç) It is necessary for compliance with a legal obligation to which the data controller is subject.
d) Personal data have been made public by the data subject himself/herself.
e) Data processing is necessary for the establishment, exercise or protection of any right.
f) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

"Conditions for processing of special categories of personal data" in Article 6 of the DP Law:
(1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.
(2) Repealed.
(3) The processing of special categories of personal data is prohibited. However, such data may be processed under the following conditions:
a) The explicit consent of the individual is obtained,
b) Explicit provision in the law,
c) In cases where the individual is unable to express consent due to actual impossibility or where consent is legally invalid, it is mandatory for the protection of the individual's or another person's life or physical integrity,
ç) If the personal data in question has been made public by the individual and the processing aligns with their intention to make it public,
d) If it is mandatory for the establishment, exercise, or protection of a legal right,
e) If it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, as well as the planning, management, and financing of health services, carried out by persons or authorized institutions bound by confidentiality obligations,
f) If it is mandatory for fulfilling legal obligations related to employment, occupational health and safety, social security, social services, and social assistance,
g) If it is for political, philosophical, religious, or trade union purposes within the framework of associations, foundations, and other non-profit organizations or formations, provided it complies with the legislation they are subject to, is limited to their activities, and not disclosed to third parties. It may also apply to their current or former members or individuals in regular contact with such entities.
(4) Adequate measures determined by the Board shall be also taken while processing the special categories of personal data.

6 The provisions on personal data protection to be included in the agreement shall specifically cover the following:
a) The purpose, scope, nature, and legal basis of the personal data transfer.
b) Definitions of key concepts in compliance with the DP Law and related legislation.
c) A commitment to adhere to the general principles outlined in Article 4 of the DP Law.
ç) The procedures and principles for informing data subjects about the agreement and the personal data transfers conducted under the agreement.
d) A commitment to enable the data subjects to exercise their rights specified under Article 11 of the DP Law, along with procedures and principles for applications related to exercising these rights.
e) A commitment to take all necessary technical and administrative measures to ensure an adequate level of data security.
f) A commitment to adopt the adequate measures determined by the Board for the transfer of special categories of personal data.
g) Restrictions on further transfers of personal data.
ğ) Remedies available to the data subjects in the event of a breach of the provisions on personal data protection included in the agreement.
h) A monitoring mechanism to oversee the implementation of the provisions on personal data protection included in the agreement.
ı) A clause granting the data exporter the right to suspend data transfers and terminate the agreement if the data importer fails to comply with the provisions on personal data protection included in the agreement.
i) A commitment by the data importer, in the event of termination or expiration of the agreement, to either return the transferred personal data along with its backups to the data exporter or permanently destroy the personal data, depending on the preference of the data exporter.

7 Only the Turkish version is available.

8 Only the Turkish version is available.

9 Only the Turkish version is available.

10 Only the Turkish version is available.
