1. Introduction

The long-awaited amendments to the Law on the Protection of Personal Data were published in the Official Gazette on 12.03.2024 and became law. This is a significant change in Turkish data protection law, particularly in relation to the transfer of data abroad. It can be argued that a decisive step has been taken towards aligning the PDPL with the GDPR, which has long been the subject of debate, as the GDPR was enacted after the previous Law. While more substantial changes are planned, these changes will undoubtedly have a profound impact on data protection practices. The legislature has introduced changes in three main categories: firstly, significant changes have been made to the processing of special categories of data in order to address challenges in business operations; secondly, reforms have been made in relation to data transfers abroad; and finally, concerns have been addressed in relation to judicial redress, an issue that has been the subject of considerable criticism.

  1. Amendments on Special Categories of Personal Data

The original provisions of the law placed a strong reliance on the obtaining of explicit consent for the processing of sensitive personal data. In particular, the law almost prohibited the processing of data relating to health and sexual life without 'explicit consent', except for the persons and for the purposes specified in the law. This requirement often led to burdensome procedures for obtaining explicit consent, especially in the dynamics of employer-employee relationships in business settings and between insurers and insured persons in insurance companies procedures. This change incorporates Art. 9(2)(b) and (d) of the General Data Protection Regulation into the Act by analogy.

In the previous version of the Law, the conditions for processing special categories of personal data included "explicit consent," as well as exceptions for data relating to health and sexual life, which were included in the laws. Additionally, it allowed for processing by individuals under confidentiality obligations concerning data relating to health and sexual life for purposes such as the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning, management, and financing of health services. With the amendment, processing for these purposes, which is one of the lawful processing conditions outlined in Article 5 of the PDPL, has been expanded.

The amendment introduces additional grounds upon which processing is lawful, including;

  • when it is necessary to protect the life and physical integrity of persons who are unable to give consent due to actual or legal incapacity
  • Personal data have been made public by the data subject himself/herself
  • exercise or defence of legal claims, and for the fulfilment of legal obligations.

These amendments aim at providing more flexibility in data processing while ensuring the protection of individuals' rights and interests.In addition, two new articles have been introduced. These articles outline conditions for processing special categories of personal data:

a. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

b. processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

These provisions require a reassessment of existing practices and alignment with the new law. As a result, data controllers will need to revise their data inventories, privacy notices and explicit consent forms to ensure compliance with the amended legislation.

  1. Data Transfer Abroad

Many companies in Turkey have foreign partnerships or are engaged in business activities abroad. In addition, they commonly use foreign software or modern cloud technologies, resulting in frequent data transfers. However, the current version of the PDPL imposes strict restrictions on the transfer of personal data abroad.

Currently, the explicit consent of those concerned serves as the primary condition for such transfers to occur. The transfer may also be made if one of the grounds for compliance with the law specified in Articles 5 and 6 of the Law is present, in accordance with the procedures specified in Article 9 of the Law. If we list the procedures specified in Article 9 of the Law, we come to the following conclusions.

  • Transfers are permitted if adequate protection exists in the destination country (countries with adequate protection are to be announced by the Board).
  • In cases where adequate protection is lacking, data controllers in Turkey and the foreign entity must provide a written commitment to ensure adequate protection, subject to approval by the Board.

Since the Law came into effect in 2016, the Board has not yet announced countries with adequate protection, and only a limited number of contracts regarding written commitments have received Board approval. Consequently, data controllers predominantly rely on obtaining "explicit consent" for their international data transfers. However, the practicality and reliability of relying solely on explicit consent for such transfers are debatable.

In recognition of this challenge, the authority has acknowledged the limitations of explicit consent and has now designated it as a necessary condition for data transfers abroad.

To summarise the changes in light of these explanations: Explicit consent is no longer the primary basis for data transfers. Instead, a new concept, the adequacy decision, has been introduced into our legislation. In addition, a significant change has been made by allowing data transfers to both data processors and data controllers, which is a radical change in practice

3.1. Adequacy Decision:

As a general rule, for personal data to be transferred abroad, one of the data processing conditions set out in Articles 5 and 6 of the Act must be met and an adequacy decision must be issued in respect of the country, international organisation or specific sectors within the country to which the personal data are transferred. The procedure for making the adequacy decision is specified. The criteria to be considered by Board when making an adequacy decision are as follows:

a. The reciprocity status regarding the transfer of personal data between Turkey and the destination country, sectors within the country or international organisations.

b. The relevant legislation and practices of the destination country or international organisation, as well as the rules governing data protection within these entities.

c. The existence of an independent and effective data protection authority in the destination country or international organisation and the availability of administrative and judicial remedies.

d. The status of the destination country or international organisation as a signatory to international conventions on the protection of personal data or as a member of international organisations.

e. International conventions to which Turkey is a party.These criteria are to be established by the Authority for the adequacy decision.

The adequacy decision mirrors the structure of adequate protection in the current version of the Law.

3.2 Adequate Safeguards

Personal data may be transferred to countries, international organisations or specific sectors within a country or international organisation in which no adequacy decision has been taken, provided that one of the conditions for processing set out in Articles 5 and 6 is met and that one of the following 'adequate safeguards' exists to ensure that data subjects are able to exercise their rights and seek effective legal remedies in the receiving country

  • Data may be transferred abroad if there exists an agreement, other than an international treaty, between public institutions or organisations abroad and those in Turkey, or professional organisations having the status of public institutions in Turkey, subject to the approval of the Board.
  • Transfers between companies within the same group may be made without further Board approval if binding corporate rules containing personal data protection provisions are approved by the Board and one of the data processing conditions in Articles 5 and 6 is met.
  • Transfers may be made by signing the standard contract issued by the Board without additional authorisation from the Board. This contract will specify the categories of data, the purposes of the transfer, the recipients, the technical and administrative measures to be implemented by the recipient and any additional measures for special categories of personal data. The controller or processor must notify the DPA within five working days of signing the contract.
  • Personal data may be transferred to countries lacking an adequacy decision with a written undertaking ensuring adequate protection, subject to Board authorization.

This situation must be reported to the authority within 5 days of the signing of the standard contracts for the relevant guarantees. Failure to do so constitutes a new offence under the Law, punishable by administrative fines ranging from 50,000 to 1,000,000 Turkish Liras. These fines apply to data controllers, data processors and private legal entities that fail to comply with the obligation to notify the authority of the standard contract. In addition, first-time data processors are also subject to administrative fines under the Law.

3.3 Occasional transfers

In exceptional cases where there is no adequacy decision and one of the adequate safeguards referred to in the fourth paragraph cannot be provided, data may be transferred abroad on an incidental basis, i.e. sporadically and not continuously. For example, a Turkish company may transfer information about its employees to a foreign company with which it intends to engage in occasional commercial activities.

For such transfers, the following conditions must be met:

a. The data subject gives explicit consent to the transfer after being informed about potential risks.

b. The transfer is necessary for fulfilling a contract between the data subject and the data controller or for implementing pre-contractual measures at the data subject's request.

c. The transfer is necessary for concluding or performing a contract between the data controller and another natural or legal person for the benefit of the data subject.

d. The transfer is mandated by a superior public interest.

e. The transfer of personal data is essential for establishing, exercising, or defending a legal right.

f. The transfer of personal data is necessary for protecting the life or physical integrity of the data subject or another person who cannot provide consent due to incapacity.

g. Transfer from a publicly accessible registry or to individuals with legitimate interests, provided that the conditions for accessing the registry as per relevant legislation are met and a legitimate interest is demonstrated.

These transfers are allowed for specific cases and should not be continuous, but rather based on the specific task at hand. Clearly, data transfers abroad based on explicit consent are now very limited. We expect the Authority to adopt secondary legislation on data transfers abroad. It would be prudent to wait for the issuance of standard contracts and evaluate the process following the Authority's secondary legislation.

4. Other Provisions and Effective Dates

Judicial appeals against decisions of the PDPL were previously handled by the Criminal Judgeships of Peace under the Misdemeanours Act. Criticism arose from concerns about judges' lack of understanding of the PDPL, unjustified decisions, limited objection and appeal procedures, and consequent difficulty in obtaining fair decisions. In response, the responsibility for challenging the decisions of the Board has been transferred to the Administrative Tribunal through appropriate legislation. This move aims to establish a specialized approach to handling cases similar to competition law and to ensure a more competent decision-making process.

As of 1 June 2024, cases pending before the Tribunals will continue to be heard by these bodies. In addition, in recognition of potential challenges following the amendments to Article 9, the provisions of the original Article will continue to apply for an additional three months (until 1 September 2024), providing a grace period. During this period, data transfers abroad based on explicit consent obtained before or after the entry into force of the amendment will continue to be permitted. Otherwise, the date of entry into force of all three amendments has been set at 01.06.2024.

5. Conclusion

We are now entering a period where data controllers will experience new practices and regulations as we move into what's known as PDPL 2.0. In anticipation of these changes, it's imperative that data controllers put a number of necessary processes in place. This involves updating personal data inventories, reviewing notice and consent procedures, and ensuring the completion of administrative data transfer protocols. As organisations adapt to the revised regulations, it is anticipated that these tasks may involve a significant workload.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.