Turkey: A comprehensive guide to the amendments to the personal data protection law

In pursuit of a longstanding governmental objective to converge with EU legislation, notably the General Data Protection Regulation (GDPR), substantial revisions have been made to the Personal Data Protection Law No. 6698 (the Law). Published in the Official Gazette in March 2024, these amendments represent a concerted effort to align the Law with the GDPR principles, particularly focusing on addressing specific contentious issues. Yücel Hamzaoğlu, Partner at Hamzaoğlu Hamzaoğlu Kınıkoğlu Attorney Partnership, takes a look at the amendments and their impact on the current provisions.

At the core of the amendments lies the strengthening of regulations concerning the processing of special categories of personal data and cross-border data transfers. Additionally, the amendments address administrative fines and the appeal authority for administrative fines. These changes underscore Turkey's commitment to upholding robust data protection standards in line with the GDPR, thereby ensuring the safeguarding of personal data and bolstering trust in the digital ecosystem.

Special categories of personal data - implications of the amendments

Under the Law, individuals' race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, dress and appearance, membership of an association, foundation, or union, health, sexual life, criminal conviction, and security measures-related data, as well as biometric and genetic data, are considered special categories of personal data. Currently, in most cases, the processing of such data requires the explicit consent of the data subjects, except when processed under the limited circumstances outlined by Article 6 of the Law. The pre-amended version of the provision has posed numerous practical challenges, particularly concerning the processing of employee data under other laws, notably those governing employment and workplace safety.

For example, under Turkish employment law, employers are required to process employee health data prior to their commencement of work and are responsible for monitoring employee health and safety throughout their employment tenure. Moreover, certain companies are legally mandated to hire a specific quota of disabled individuals, necessitating the processing of health data for these employees. However, if the processing of health data does not qualify for exemptions, such as those related to public health protection, preventive medicine, medical diagnosis, treatment execution, care services, as well as health service planning, management, and financing, and if conducted by individuals not bound by legal confidentiality obligations, explicit consent from employees becomes necessary. This is particularly significant given that many HR activities typically do not align with these exempted purposes, and HR personnel are not generally subject to legal confidentiality obligations.

Due to the inherent power dynamics within the employer-employee relationship, seeking explicit consent from employees to fulfill obligations mandated by labor law or any other laws has posed and continues to pose challenges. While employers may encounter difficult situations if employees refuse consent for processing their special categories of personal data, obtaining explicit consent itself has consistently been a challenging task, especially within the context of employer-employee relationships, where its validity is subject to debate.

Consequently, these amendments are anticipated to ultimately resolve these issues. The revised provision of the Law concerning the processing of special categories of personal data significantly broadens the legal grounds for such processing. Specifically, in response to the concerns, health data may now be processed without explicit consent when necessary to fulfill legal obligations in areas such as employment, occupational health and safety, social security, or social services and assistance.

The additional legal bases for processing special categories of personal data, as expanded by these amendments, include processing stipulated under the Law, the vital interest of the data subject, personal data made public, and processing necessary for the exercise or protection of a right. Furthermore, the amendments include a specific provision for foundations, associations, and non-profit organizations. Under this provision, these entities are permitted to process special categories of personal data solely concerning their members and contributors. This processing must comply with relevant legislation, be restricted to their field of activity, and refrain from disclosing processed personal data to third parties.

Cross-border data transfers

Currently, the options available for transferring personal data outside of Turkey are relatively restricted. According to the pre-amended version of Article 9 of the Law, at least one of three conditions must be fulfilled for such transfers to occur. These conditions include obtaining explicit consent from the data subject, transferring data to countries with adequate protection measures in place, or executing a data transfer agreement between the involved parties, subject to approval by the relevant regulatory authority, the Personal Data Protection Board (the Board).

However, in practice, there has been a de facto restriction despite the absence of an official constraint. Delays in publishing the list of countries with adequate data protection measures and lengthy approval procedures for data transfer agreements have made explicit consent a pivotal means for transferring personal data abroad. Acknowledging this, the amendments introduce new pathways for international data transfers.

The amended regulations have introduced a three-tiered framework similar to the GDPR's model of legal bases for cross-border data transfers. These tiers include: (i) the establishment of an adequacy decision by the Board; (ii) the implementation of appropriate safeguards as outlined in the Law in the absence of an adequacy decision; and (iii) compliance with derogations specified in the Law when both an adequacy decision and appropriate safeguards are lacking.

Adequacy decision

The amendments empower the Board to render an adequacy decision concerning not only specific countries but also specific sectors within those countries or international organizations. This expansion broadens the scope of the countries which have adequate protection outlined in the existing Law.

Appropriate safeguards

In the absence of an adequacy decision, parties may transfer personal data abroad under appropriate safeguards. For such transfers to occur under an appropriate safeguard, at least one of the legal grounds outlined in Articles 5 and 6 of the Law must be present, alongside the fulfillment of specific conditions in the recipient country: (i) the data subject must have the ability to exercise their rights; and (ii) effective legal remedies must be available for data subjects.

If these conditions are met, personal data may be transferred under one of the following safeguards:

  • Execution of an Agreement: An agreement, not classified as an international contract, between foreign public institutions/international organizations and Turkish public institutions/public organizations, subject to approval by the Board.
  • Binding Corporate Rules (BCRs): BCRs regarding personal data protection among entities within the same group undertaking joint economic activities (e.g., group companies), provided these rules are approved by the Board.
  • Data transfer agreement: Signing a data transfer agreement with provisions ensuring adequate protection, subject to approval by the Board.
  • Standard contract: Execution of a standard contract, as published by the Board, detailing data categories, transfer purposes, recipients, technical and administrative measures by the recipient, and special categories of personal data measures. Transfer can proceed upon signing the standard contract announced by the Board, without additional permission. The data controller or processor must notify the Personal Data Protection Authority (KVKK) within five business days of signing.

Derogations

The amendments outline exceptional circumstances in which data transfers can occur without an adequacy decision or specified safeguards. These circumstances include:

  • Explicit consent: Transfer may occur with explicit consent from data subjects who are duly informed about potential risks.
  • Mandatory transfer: Transfer is mandatory for reasons such as:
    • performance of a contract between the data subject and the data controller, or for pre-contractual measures at the request of the data subject;
    • execution of a contract between the data controller and another party for the data subject's benefit;
    • overriding public interest;
    • exercise or protection of a legal right;
    • protection of life or physical integrity of individuals unable to consent or whose consent is invalid, or of others; and
    • transfer from a public registry or to persons with legitimate interests, provided legal conditions for registry access are met and requested by a legitimate party.

In cases where Turkey's or data subjects' interests would be significantly harmed, data transfer abroad requires the Board's permission after obtaining the opinion of the relevant public institution or organization.

Next steps for companies in terms of cross-border data transfers

With the new methods introduced by the amendments, explicit consent is now regarded as an exceptional mechanism, prompting data controllers who currently transfer personal data abroad using explicit consent to reassess their transfer procedures. It is important to note that explicit consents obtained before and after the enactment of the amendments will remain valid until September 1, 2024.

Upon reviewing the cross-border data transfer mechanisms, the most practical option for Turkish companies and global entities operating in Turkey that transfer personal data abroad via IT systems or alternative means, in the absence of adequacy decisions, seems to be the execution of standard contracts published by the Board. The primary advantage of this approach over previous methods is the elimination of the requirement for Board approval after the contract is signed. Instead, a notification process is mandated. Following contract execution, the data controller or data processor must notify the KVKK within five business days. Failure to adhere to this notification timeframe may lead to the imposition of administrative fines.

Additionally, an upcoming secondary regulation addressing the new guidelines for cross-border data transfers is expected to be released soon. This regulation will determine the specific requirements and structure of a standard contract as an appropriate safeguard, as well as any additional rules that may need to be adhered to in terms of data transfers abroad.

Appeal

The amendments have shifted the jurisdiction for appeals against administrative fines from criminal courts of peace to administrative courts. This change means that appeals against fines imposed by the Board will now follow the 60-day period applicable to administrative appeals, rather than the previous 15-day appeal period before criminal courts of peace.

The effective dates

While the amendments are scheduled to come into effect on June 1, 2024, the current methods for cross-border transfer of personal data will remain valid until September 1, 2024. After this date, data controllers will be required to adhere to the provisions introduced by the amendments.

Yücel Hamzaoğlu, Partner
Hamzaoğlu Hamzaoğlu Kınıkoğlu Attorney Partnership, Istanbul