A draft (the "Draft Bill") bill including the long-awaited amendments to the Turkish Personal Data Protection Law (the "Law") has been submitted for review of commissions at Turkish Grand National Assembly ("TBMM").

Upon enactment of the Draft Bill, the Law will be amended as of 1 June 2024 in relation to processing of sensitive personal data, cross-border transfer of personal data, administrative sanctions and legal remedies against administrative fines.

In brief, the major proposed amendments are as follows for consideration of data controllers and data processors:

  • Processing of Sensitive Personal Data: The legal regime applicable to processing of sensitive personal data (including health data and data relating to sexual life) is planned to be amended. Accordingly, in addition to the current regulations, data controllers will be able to depend on new legal reasons to process such data without explicit consent. For instance, in case processing is required for establishment, use and protection of a right or for compliance with legal obligations relating to employment, occupational health and safety, social security, social services and social benefits, sensitive personal data may be processed without explicit consent. Again, when sensitive personal data is publicized by data subject, data controllers will be able to process such data for the purposes why the relevant data is publicized.
  • Cross-Border Transfer and New Administrative Sanction: Major amendments relating to the cross-border transfer of personal data are also proposed. Accordingly, a mechanism similar to "Standard Contractual Clauses" in practice as per the European Union's General Data Protection Regulation ("GDPR") may be accepted. The Draft Bill states that in case that the parties to cross-border data transfer accepts contractual terms to be determined and announced by the Personal Data Protection Board, personal data may be transferred to the relevant data recipient outside Türkiye. However, as a difference from GDPR practice, the relevant contracts will be required to be notified to the Personal Data Protection Authority within 5 business days. Otherwise, data controllers and data processors may be subject to an administrative fine amounting from TRY 50,000.- to TRY 1,000,000.-.

In addition, the cross-border transfer may also be possible without consent for some exceptional cases where it is "required for establishment, use and protection of a right" or "required for performance of a contract or preliminary actions taken upon data subject's request before execution of a contract".

  • Legal Remedies: Upon enactment of the Draft Bill, data controllers and data processors will apply to the administrative courts against administrative fines to be imposed by the Personal Data Protection Board.

The Law will become more similar to GDPR with the enactment of the Draft Bill. Furthermore, various problems in practice arising from the implementation of the Law will be responded. On the other hand, for compliance with the Law, data controllers will need to take actions including updating their privacy notices and consent forms.

It is strictly recommended that data controllers and data processors evaluate the Draft Bill in details and initiate their studies as soon as possible to update their procedures and processes in order to be ready on 1 June 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.