Türkiye has taken a step to align the Turkish Personal Data Protection Law no. 6698 ("PDPL") with the EU's General Data Protection Regulation ("GDPR").

Pursuant to the amendments (the "Amendment/s") published in the Official Gazette on March 12, 2024, the regulations concerning three key areas have been updated, with changes set to take effect on June 1, 2024:

  • Sensitive Data. The conditions for processing special category data (also known as "sensitive personal data") have been restructured.
  • Cross-border Data Transfer. The previous requirement for "explicit consent" for transferring personal data abroad has been replaced with a new framework: "adequacy decision > appropriate safeguard > occasional transfers."
  • Jurisdiction. The jurisdiction for administrative fines has been assigned to the administrative courts.

It should be noted that these changes represent the first step towards GDPR alignment in Türkiye and that more comprehensive amendments in the PDPL are expected in the future.

Why Has Türkiye Taken This Step?

Turkey's decision to amend its PDPL arises from a need to modernize and align with international standards, specifically the GDPR.

Initially, the PDPL was modeled after the EU's Directive 95/46/EC. However, this Directive was superseded by the GDPR shortly after the PDPL's enactment, highlighting the PDPL's outdated framework in the face of rapidly evolving technological and business landscapes.

This gap and the pressing need for updates were acknowledged in strategic documents like the 2021 Action Plan on Human Rights, Economic Reforms Action Plan, and the 2024–2026 Medium-Term Program in Türkiye. These plans underscored the urgency of harmonizing Turkish data protection laws with the GDPR to address the challenges of modern data processing and cross-border data transfer.

The recent amendments signify a paradigm shift and a crucial step towards alignment with the GDPR, focusing specifically on the nuanced management of "special category personal data" and "cross-border data transfer" mechanisms. This initiative aims to elevate the PDPL to GDPR standards, ensuring that Türkiye's data protection framework is robust, contemporary, and aligned with global best practices.

The Changes regarding the Special Category Personal Data (PDPL Article 6)

The amendment to Article 6 of the PDPL has broadened the processing conditions for special category personal data, resolving deadlocks in sectors such as insurance, labor legislation, occupational health and safety, and social services.

Before the amendment, processing of sensitive personal data, except for health and sexual life, was possible only with the explicit consent of the data subject or as provided by law.

On the other hand, personal data related to health and sexual life could be processed without explicit consent only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management, and financing of health services.

With the amendment, the principle that "the processing of special category personal data is prohibited" and the following three conditions for processing such data are preserved:

  • The explicit consent of the data subject,
  • Cases explicitly provided by law (For example, the processing of data related to criminal convictions in accordance with Law on Criminal Records and the collection of fingerprints of individuals under Article 5 of Law on Police Duties and Authorities.),
  • Data processing is necessary by individuals under the obligation of confidentiality or by authorized institutions and organizations for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management, and financing of health services (e.g., data held by the Ministry of Health and all health institutions and the Social Security Institution for these purposes)

Additionally, the following new conditions for processing special category data have been introduced.

  • It is necessary due to physical impossibility for the protection of life or physical integrity of the person who is incapable of giving consent or whose consent is not legally recognized, either for themselves or for another person (For example, processing special category personal data such as blood type and past illnesses specifically for the purpose of protecting the life or physical integrity of a person who cannot give consent due to unconsciousness caused by any reason),
  • It concerns personal data made public by the data subject, and the processing of this data must be in line with the intention of making it public (For example, the processing and use of personal data such as blood type and allergy information that a person has shared in a publicly accessible area for emergency use, in accordance with the purpose for which it was made public),
  • Necessity for the establishment, exercise or defense of legal claims (For example, an employer continuing to store health data of a former employee for the purpose of defense in possible lawsuits following the termination of the employment contract, or processing a disabled person's disability report by the tax authority for the person to benefit from the right to purchase a vehicle exempt from special consumption tax.),
  • It is required for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, and social aid (For example, processing individuals' health data or data related to criminal convictions by employers to fulfill the obligation of employing disabled or convicted individuals as mandated by the Labor Law №4857.)
  • It pertains to foundations, associations, and other non-profit organizations or entities established for political, philosophical, religious, or trade union aims, ensuring the processing is in compliance with their statutes and purposes, limited to their activity areas, and not disclosed to third parties; targeting their current or former members or those in regular contact with them (For example, these organizations or entities processing information related to their current members, as well as former members and individuals who regularly donate, in accordance with their status.).

Before the amendment of the PDPL, the conditions for processing sensitive personal data were very restrictive, leading to significant challenges, especially in human resource processes.

We believe that with the newly introduced processing conditions, these deadlocks will be resolved, and data controllers will be able to design much simpler, PDPL-compliant processes in human resources and similar areas.

The Changes Regarding the Cross-Border Transfer (PDPL Article 9)

The amendments to Article 9 of the PDPL have restructured the conditions for the transfer abroad of personal data, shifting from an approach based on explicit consent to a systematic process of "adequacy decision > appropriate safeguards > occasional circumstances."

Before the Amendment, "explicit consent" had almost become the sole method for transferring personal data abroad. The Personal Data Protection Board ("the Board") had not declared any country as a safe country, nor had it approved more than a few commitments to date.

The Reasoning of the Amendment notes that this situation "almost made it impossible to legally use many cloud-based software and applications, which are frequently used by almost every company and individual in commercial life and whose servers are located abroad," and "prevents investments in Türkiye." To address these issues and align with the GDPR, the following mechanism has been established.

It is noted that the procedures and principles regarding cross border transfer will be regulated by a separate regulation to be issued by the Board in the near future. This regulation is deemed significant in specifying the details of standard contractual clauses as well as detailing the processes for occasional transfers.

Moreover, it is important to note that another significant provision newly introduced is that the above-mentioned safeguards will also be applied to subsequent transfers (further processing) of personal data abroad, and the provisions of this article will be implemented.

In this context, with the amendments, one of the following conditions must be sequentially met during the cross-border transfer:

Availability of an Adequacy Decision

This condition requires that one of the processing conditions for personal data (under PDPL Article 5) or for special category personal data (under PDPL Article 6) is met AND there is an adequacy decision for (i) the country, (ii) specific sectors within the country, or (iii) international organizations to which the data will be transferred.

Unlike the provision before the Amendment, it is now possible to issue an adequacy decision for a specific sector or international organization within a foreign country, rather than for the entire country. This update is explained in the Reasoning of the Amendment with a note stating, "It becomes possible to issue an adequacy decision for the automotive sector in a foreign country, rather than for the entire country, with which our country's automotive sector has established intense commercial relationships."

If There Is No Adequacy Decision

In the absence of an adequacy decision, the transfer of personal data by data controllers or processors abroad becomes possible if one of the conditions for processing personal data (PDPL Article 5) or special category personal data (PDPL Article 6) is met AND there is a provision of one of the appropriate safeguards by the parties, provided that the country to which the transfer is made allows the data subject to effectively exercise their rights and access legal remedies.

What Are the Appropriate Safeguards?

  • Agreements Between Public Institutions and Organizations: The existence of agreements made between the public institutions and organizations or international organizations abroad and public institutions, organizations, or professional organizations of public institution status in Türkiye. The Board's authorization is required for the transfer of personal data within the framework of these agreements.
  • Binding Corporate Rules: In the presence of binding corporate rules approved by the Board within the same enterprise, inter-company data transfer can occur without additional permission from the Board, provided that one of the conditions for data processing set out in Articles 5 and 6 of the PDPL is met.
  • Standard Contractual Clauses: The transfer of data can take place without a need for permission upon signing the standard contractual clauses announced by the Board. This agreement must be notified to the Personal Data Protection Authority ("Authority") within 5 business days after its signing. It should be noted that failing to notify the Authority within 5 business days after signing of the agreement will result in an administrative fine ranging up to 1,000,000 Turkish Liras (approximately 30,000 USD as of March 2024). This sanction can also be applied to data processors.
  • Written Commitment: The existence of a written commitment containing provisions that ensure adequate protection and the transfer being permitted by the Board.

Occasional Transfers - Specific Circumstances Where Adequacy Decision and Appropriate Safeguards Are Not Available

With the Amendment, in certain exceptional circumstances where an adequacy decision is not available and none of the appropriate safeguards can be provided, data controllers and processors are given the opportunity to transfer data abroad on a conditional basis. This is named "occasional transfer" by the Authority. In other words, the data transfer can be done once or a few times, without continuity, as a last resort.

In the Reason for the Amendment, the example for such occasional transfer method is given as "a company in Türkiye sharing information related to its employees who will be in contact with a company abroad for a commercial activity to be incidentally carried out".

In exceptional circumstances for the transfer of personal data abroad, the presence of one of the following conditions is required.

  • Explicit consent given to the transfer by the data subject who has been informed about potential risks,
  • The transfer is necessary for the performance of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures taken at the data subject's request,
  • The transfer is necessary for the conclusion or performance of a contract in the interest of the data subject between the data controller and another natural or legal person,
  • The transfer is necessary for important reasons of public interest,
  • The transfer is necessary for the establishment, exercise, or defense of legal claims,
  • The transfer is necessary for the protection of the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent,
  • The transfer from a register which is intended to provide information to the public and is open to consultation either by the public or any person who can demonstrate a legitimate interest, provided the conditions for access prescribed in the legislation are fulfilled.

The amendment also stipulates, as an exception, that the first three situations listed above shall not apply to the activities of public institutions and organizations subject to public law.

Changes in Judicial Remedies Against Board Decisions (PDPL Article 18)

With the amendment, it has been stipulated that lawsuits against administrative fines imposed by the Board can be filed in administrative courts instead of criminal courts of peace.

The Transition Period (PDPL Provisional Article 3)

With the amendment, Provisional Article 3 has been added to the PDPL, establishing a transition process.

Accordingly:

  • The Amendments will come into force on June 1, 2024,
  • The previous PDPL provision (Art. 9/1), which accepts explicit consent as a condition for the cross-border transfer of personal data, will continue to be applied until September 1, 2024.

How should companies react to the Amendments?

With the Amendment, it is possible to say that a new era has begun in the Turkish data protection ecosystem. We believe that the said regulations will eliminate many existing problems regarding special category personal data in practice and ease the difficulties concerning the transfer of personal data abroad.

For companies to comply with the relevant regulations, we recommend:

  • Conducting the necessary privacy impact assessments and updating their documentation sets as soon as possible to align with the changes brought about for special category personal data,
  • Taking the necessary actions following the publication of the Regulation concerning the transfer of data abroad.

It should be noted that the PDPL specifies upper limits for administrative fines. However, with the future second amendment aimed at aligning with the GDPR, it is expected that administrative fines will be subject to a percentage of turnover.

Therefore, we believe it is important for data controllers and processors to take the necessary steps to comply and avoid facing these administrative penalties.

  • The "Law on Amendments to the Criminal Procedure Law and Some Other Laws" dated March 12, with the law number 7499, can be found at https://www.resmigazete.gov.tr/eskiler/2024/03/20240312-1.htm.
  • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
