The legislative proposal known as the "8th Judicial Package," titled "Law Proposal for Amendments to the Criminal Procedure Law, Some Other Laws, and Decree Law No. 659," was submitted to the Presidency of the Grand National Assembly of Türkiye. The proposed judicial package includes amendments within the scope of the Personal Data Protection Law (PDPL).

As part of the rationale for the amendment, it was noted that during the preparation process of the Personal Data Protection Law No. 6698 (PDPL), the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals regarding the processing of personal data and on the free movement of such data was taken into consideration. However, this Directive was repealed two years later and replaced by the General Data Protection Regulation (GDPR). The necessity for updates under the GDPR framework is also justified by their inclusion in the Human Rights Action Plan announced in 2021, the Economic Reforms Action Plan, and the 2024-2026 Medium-Term Program.

The proposed changes include:

  • In cases where special categories of personal data are processed, the current provisions allowing the processing of personal data related to health and sexual life without explicit consent, solely for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the management and planning of health services and financing, do not meet contemporary needs. Considering the necessity of health data particularly in sectors such as insurance, labour law, occupational health and safety, and social services, the conditions for processing have been expanded. The conditions are now exhaustively listed under Article 6/2 of the PDPL and accordingly, the provision of Article 6/3 has been repealed.
  • The provision of the PDPL that governs international data transfers does not take account of GDPR standards, current technologies, and commercial dynamics; the proposal therefore enhances the alternative methods for transfer conditions and expands the transfer mechanisms. Rather than basing evaluations on the destination country of the data transfer, it has been proposed that the sector undergoing the transfer should be assessed. Accordingly, one of the proposed methods is for the transferring parties to execute a standard agreement published by the regulatory board, which must then be presented to the authority.
  • The regulation has been structured to apply sanctions not only against the data controller but also against the data processor if the standard contract is not presented within its stipulated duration. With this anticipated regulation, for the first time, the implementation of sanctions against the data processor has also been introduced.
  • Administrative sanctions have been restructured under the new provisions, and it is envisaged that objections to administrative sanction decisions issued by the Board will be reviewed by Administrative Courts directly, instead of by Criminal Judgeships of Peace.

The package is expected to be discussed in the Justice Commission of the Grand National Assembly of Türkiye. If its articles regarding personal data are accepted, they are expected to enter into force as of 01/06/2024.

The amendments proposed to be implemented with the package are as follows, with the current text of the provisions (CURRENT) given first and the proposed text (PROPOSED) after it:

CURRENT: Conditions for processing of special categories of personal data

Article 6 - (1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

(2) It is prohibited to process special categories of personal data without explicit consent of the data subject.

(3) Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

(4) Adequate measures determined by the Board shall also be taken while processing the special categories of personal data.

CURRENT: Transfer of personal data abroad

ARTICLE 9 – (1) Personal data shall not be transferred abroad without explicit consent of the data subject.

(2) Personal data may be transferred abroad without explicit consent of data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;

(a) Adequate protection is provided.

(b) Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Türkiye and in the relevant foreign country and authorisation of the Board.

(3) The Board determines and announces the countries with adequate protection.

(4) The Board shall decide whether there is adequate protection in the foreign country and whether such transfer is permitted under sub-paragraph (b) of the second paragraph, by evaluating the following and by receiving the opinions of relevant institutions and organizations, where necessary:

a) the international conventions to which Türkiye is a party,

b) the state of reciprocity relating to data transfer between the requesting country and Türkiye,

c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,

ç) the relevant legislation and its implementation in the country to which the personal data are to be transferred,

d) the measures committed by the data controller in the country to which the personal data are to be transferred.

(5) Without prejudice to the provisions of international agreements, in cases where the interests of Türkiye or the data subject would be seriously harmed, personal data may only be transferred abroad upon the authorisation to be given by the Board after receiving the opinions of relevant public institutions and organizations.

(6) The provisions of other laws relating to the transfer of personal data abroad are reserved.

PROPOSED: Conditions for processing of special categories of personal data

Article 6 - (1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

(2) It is prohibited to process special categories of personal data without explicit consent of the data subject. However, the processing of these data is possible under the following circumstances:

a) The explicit consent of the data subject is obtained,

b) It is explicitly provided for by law,

c) It is necessary for the protection of the life or physical integrity of the person who is physically or legally incapable of giving consent, or of another person,

d) It concerns personal data made public by the data subject and is in compliance with the intention of making it public,

e) It is necessary for the establishment, exercise, or protection of a right,

f) It is necessary for the purposes of carrying out the obligations of employment, occupational health and safety, social security, social services, and social assistance by persons or authorized institutions and organizations under confidentiality obligation, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management, and financing of health services,

g) It is necessary for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,

h) It is carried out by foundations, associations, or other non-profit organizations or formations established for political, philosophical, religious, or trade union purposes, provided that the processing is in accordance with the legislation and the purposes they are subject to, limited to their field of activity, and not disclosed to third parties; and is aimed at their current or former members or those who are in regular contact with these organizations or formations.

(3) Adequate measures determined by the Board shall also be taken while processing the special categories of personal data.

PROPOSED: Transfer of personal data abroad

ARTICLE 9 – (1) Personal data can be transferred abroad by data controllers and data processors, provided that one of the conditions specified in Articles 5 and 6 exists and there is an adequacy decision regarding the country, international organization, or sectors within the country to which the transfer will be made.

(2) The adequacy decision is issued by the Board and published in the Official Gazette. The Board may consult the opinions of relevant institutions and organizations if needed. The adequacy decision is reviewed at least every four years. Based on the assessment outcome or other circumstances deemed necessary, the Board may modify, suspend, or revoke the adequacy decision with future effect.

(3) The following factors are primarily considered when making an adequacy decision:

a) The state of reciprocity regarding the transfer of personal data between the country, sectors within the country, or international organizations to which personal data will be transferred, and Türkiye.

b) The legislation and practice of the country to which personal data will be transferred and the rules applicable to the international organization.

c) The existence of an independent and effective data protection authority in the country or within the international organization to which personal data will be transferred, and the availability of administrative and judicial remedies,

ç) The status of the country or international organization to which personal data will be transferred as a party to international treaties related to the protection of personal data or as a member of international organizations,

d) The membership status of the country or international organization to which personal data will be transferred in global or regional organizations to which Türkiye is a member.

e) International treaties to which Türkiye is a party.

(4) In the absence of an adequacy decision, personal data can be transferred abroad by data controllers and processors, provided that one of the conditions specified in Articles 5 and 6 exists, and the data subject has the opportunity to exercise their rights and access effective legal remedies in the country to which the transfer will be made, and one of the following appropriate safeguards is provided by the parties:

a) The existence of an agreement, not of an international treaty nature, between public institutions and organizations abroad or international organizations and public institutions and organizations or professional organizations of public institution status in Türkiye, and the permission for the transfer by the Board,

b) The existence of binding corporate rules that contain provisions on the protection of personal data, which companies within a group of enterprises engaged in joint economic activities are obliged to comply with and which have been approved by the Board,

c) The existence of a standard contractual clause announced by the Board, containing details such as data categories, purposes of data transfer, recipient and groups of recipients, technical and administrative measures to be taken by the data recipient, and additional measures for the protection of special categories of personal data,

ç) The presence of a written commitment containing provisions that ensure adequate protection and the permission for the transfer by the Board.

(5) The standard contract shall be reported to the Authority by the data controller or processor within five business days of its signing.

(6) In the absence of an adequacy decision and if none of the appropriate safeguards specified in paragraph four can be provided, data controllers and processors may transfer personal data abroad only on an incidental basis, under the condition that one of the following situations exists:

a) The data subject has given explicit consent to the transfer, after being informed of the potential risks,

b) The transfer is necessary for the performance of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures taken at the request of the data subject,

c) The transfer is necessary for the conclusion or performance of a contract in favor of the data subject between the data controller and another natural or legal person,

ç) The transfer is necessary for reasons of significant public interest,

d) The transfer is necessary for the establishment, exercise, or defense of legal claims,

e) The transfer is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent,

f) The transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, provided the conditions for accessing the register specified in the relevant legislation are met and upon request by the person with a legitimate interest.

(7) Subparagraphs (a), (b), and (c) of paragraph six do not apply to activities subject to public law carried out by public institutions and organizations.

(8) Data controllers and processors ensure that the safeguards provided in this Law are applied to subsequent transfers of personal data abroad and to international organizations, and the provisions of this article are enforced.

(9) In cases where the interests of Türkiye or the data subject would be seriously harmed, personal data may be transferred abroad, notwithstanding the provisions of international treaties, only with the opinion of the relevant public institution or organization and the permission of the Board.

(10) Provisions regarding the transfer of personal data abroad contained in other laws are reserved.

(11) The procedures and principles regarding the implementation of this article shall be regulated by regulations.

CURRENT: Misdemeanours

ARTICLE 18 - (1) For the purposes of this Law;

a) Those who do not fulfil the obligation to inform provided for in Article 10 shall be required to pay an administrative fine of 5.000 to 100.000 TL,

b) Those who do not fulfil the obligations related to data security provided for in Article 12 shall be required to pay an administrative fine of 15.000 to 1.000.000 TL,

c) Those who do not fulfil the decisions issued by the Board pursuant to Article 15 shall be required to pay an administrative fine of 25.000 to 1.000.000 TL,

ç) Those who act contrary to the obligations for registry with the Data Controllers' Registry and for notification provided for in Article 16 shall be required to pay an administrative fine of 20.000 to 1.000.000 TL.

(2) The administrative fines provided for in this article shall be applied to the natural persons and the private law legal persons who are the data controllers.

(3) In the event that the actions listed in the first paragraph are committed within public institutions and organizations or public professional organizations, the disciplinary provisions shall be applied, upon the notice of the Board, to the civil servants and other public officers employed in the relevant public institutions and organisations and to those employed in the public professional organizations, and the result shall be reported to the Board.

PROPOSED: Misdemeanours

ARTICLE 18 - (1) For the purposes of this Law;

a) Those who do not fulfil the obligation to inform provided for in Article 10 shall be required to pay an administrative fine of 5.000 to 100.000 TL,

b) Those who do not fulfil the obligations related to data security provided for in Article 12 shall be required to pay an administrative fine of 15.000 to 1.000.000 TL,

c) Those who do not fulfil the decisions issued by the Board pursuant to Article 15 shall be required to pay an administrative fine of 25.000 to 1.000.000 TL,

ç) Those who act contrary to the obligations for registry with the Data Controllers' Registry and for notification provided for in Article 16 shall be required to pay an administrative fine of 20.000 to 1.000.000 TL,

d) Those who do not fulfil the obligation to notify provided for in the fifth paragraph of Article 9 shall be required to pay an administrative fine of 50.000 to 1.000.000 TL.

(2) The administrative fines provided for in subparagraphs (a), (b), (c) and (ç) of this article shall be applied to the data controller, and the administrative fine provided in subparagraph (d) shall be applied to data controller or data processors, who are natural persons and the private law legal persons.

(3) Legal action can be taken in Administrative Courts against the administrative fines imposed by the Board.

PROVISIONAL ARTICLE 3 - (1) The first paragraph of Article 9, prior to its amendment by the law enacting this article, shall continue to be applied until September 1, 2024, along with its amended version that came into effect.

(2) As of June 1, 2024, applications pending in the Criminal Judgeships of Peace will continue to be processed by these judgeships.
