- Introduction
On February 16, 2024, a draft bill (the “Bill”) proposing significant amendments to the Personal Data Protection Law No. 6698 (the “PDPL”), was submitted to the Justice Committee of the Grand National Assembly of Türkiye (the “TBMM”) and was accepted by the TBMM on February 21, 2024.
The Bill aims to align the PDPL with the General Data Protection Regulation of the European Union (the “GDPR”), in order to respond to a number of issues that have arisen in practice, mainly in relation to (i) the transfer of personal data abroad and (ii) the processing of special categories of personal data.
- New Conditions for Processing Special Categories of Personal Data
Pursuant to current Article 6 of the PDPL, the processing of special categories of personal data without the explicit consent of the data subject is, as a rule, prohibited. The Bill introduces several exceptions to the processing of special categories of personal data without explicit consent. Accordingly, in addition to the 3 (three) processing conditions currently in force, 5 (five) new processing conditions have been determined for the processing of special categories of personal data:
- Explicit consent of the data subject (in force);
- Explicit stipulation by law (in force);
- Necessity for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning, management and financing of health services, by persons or authorized institutions and organizations under the obligation of secrecy (in force);
- Necessity for the protection of life or physical integrity of the person who is physically or legally incapable of giving consent (added);
- Public disclosure of personal data by the data subject (added);
- Necessity for the establishment, exercise, or protection of a right (added);
- Necessity for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance (added); or
- Limited with and non-disclosure to third parties, in cases required by political, philosophical, religious, or trade union organizations in accordance with the purpose of the organization (added).
- New Conditions for the Transfer of Personal Data Abroad
Article 9 of the current PDPL prohibits the transfer of personal data abroad without the explicit consent of the data subject and requires (i) one of the conditions for processing personal data to be met and (ii) the presence of adequate protection in the foreign country for the transfer of personal data without explicit consent. If there is no adequate protection in the foreign country, written assurance of adequate protection by data controllers in Türkiye and the foreign country and the permission of the Personal Data Protection Board (the “Board“) are required.
One of the most significant changes introduced by the Bill is that the adequacy decisions of the Board may be taken not only for countries but also for international organizations or specific sectors within countries. Another important change is the addition to the PDPL of a structure similar to the “Standard Contractual Clauses” already in place under the GDPR for cases where no adequacy decision is available.
Accordingly, if a standard contract, the content of which will be determined and announced by the Board, is signed between the parties to the data transfer and other conditions required by the PDPL are also present, personal data may be transferred abroad without seeking explicit consent, and it will be sufficient to notify the Personal Data Protection Authority (the “Authority“) of the relevant contracts within 5 (five) work days from the date of signature. Failure to comply with this notification obligation may result in administrative fines ranging from 50,000 TL (fifty thousand Turkish liras) to 1,000,000 TL (one million Turkish liras) for data controllers and processors.
In addition to providing assurances through the conclusion of standard contracts, it is also aimed to introduce other safeguards. Namely public institutions and organizations in Türkiye or professional organizations with the status of public institutions can transfer data abroad by concluding agreements with public institutions and organizations abroad or international organizations that do not constitute international agreements, provided that permission is obtained from the Board. Not only public institutions and organizations, but also companies within undertakings engaged in joint economic activities will be able to transfer data abroad in the presence of binding corporate rules approved by the Board.
In cases where neither an adequacy decision nor any of the appropriate safeguards listed in the PDPL are present, personal data may also be transferred abroad under certain incidental circumstances:
- With explicit consent from the data subjects after being informed about potential risks,
- If the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the data subject’s request,
- If the transfer is necessary for the establishment or performance of a contract in the interest of the data subject between the data controller and another natural or legal person,
- If the transfer is necessary for public interest,
- If the transfer is necessary for the establishment, exercise, or protection of a right,
- If the transfer is necessary for the protection of the life or physical integrity of a person who is physically or legally incapable of giving consent, or
- If the data is transferred from a registry that is open to the public or to persons with a legitimate interest, provided that the conditions for accessing the registry prescribed by the law are met and the transfer is requested by a person with a legitimate interest.
The current provision on the transfer of personal data abroad with explicit consent is expected to remain in force until September 1, 2024.
- Appeals Against Board Decisions
Another innovation proposed by the Bill is the abolition of the procedure of appealing against administrative fine decisions of the Board to criminal courts of peace, making administrative courts responsible for examining appeals against administrative fines.
However, it is envisaged that applications pending before criminal courts of peace as of June 1, 2024 will continue to be examined by these courts.
- Conclusion
The Bill is intended to come into effect on 1 June 2024, and it would be beneficial for data controllers and processors to review and make necessary changes to their compliance processes with the PDPL before the planned effective date of the Bill. Although the Bill is expected to be accepted in its current form by the TBMM, the regulation on the transfer of personal data abroad to be issued by the Board and the standard contract provisions to be announced by the Board will guide the compliance processes with the PDPL.
Best regards,
Vardar Şanlı