Introduction

An amendment ("Amendment") to the Turkish Data Protection Law numbered 6698 ("TDPL") has been published in the Official Gazette dated March 12, 2024, and numbered 32487. The Amendment was published within Articles 33 to 36 of the Law on Amending the Criminal Procedure Law and Other Laws numbered 7499 and you may access the Turkish text of the Amendment here.

As a background, since the enactment of the TDPL in 2016, one of the most critical problems that companies face in practice has been the cross-border transfer of personal data. Due to the challenges experienced by market players related to the impracticalities of the cross-border transfer regime outlined in the TDPL, both foreign investors and local stakeholders have raised concerns. In response to these concerns, the government has announced in recent years that it has begun working on amending the TDPL to harmonize it with the EU's General Data Protection Regulation ("GDPR") through various policy documents. As a result, the Amendment entered into the Grand National Assembly of Turkey's agenda to amend the cross-border transfer regime, as well as certain other provisions that complicate business operations and commercial transactions in Turkey.

The Amendment, which had been expected for some time within this scope, has finally been published in the Official Gazette.

The most important change the Amendment introduces is a new mechanism consisting of the execution of standard contractual clauses published by the Turkish Data Protection Authority ("TDPA") and making a notification, without the need for obtaining an approval, to transfer personal data abroad.

Accordingly, this article aims to illustrate the main changes introduced by the Amendment, in particular the amendments on (i) processing of special categories of personal data (Article 6), (ii) cross-border transfers (Article 9), and (iii) misdemeanors and jurisdiction (Article 18).

Processing of special categories of personal data (Article 6)

While the Amendment maintains the previously listed types of special categories of personal data, it introduces new exceptions to the explicit consent requirement for processing such data as stipulated under Article 6. The distinction between health and sexual life data and other special categories of personal data is now abolished, and each special category of personal data can be processed if the listed exceptions in the same Article are met.

These new exceptions, in addition to explicit consent provided by the data subject, align mostly with the respective provisions of GDPR. They encompass situations where:

(a) explicitly stipulated by laws (an additional exception compared to the GDPR)

(b) processing is necessary to protect the life or physical integrity of the data subject or of another natural person where the data subject cannot disclose their consent due to actual impossibility or whose consent is not legally valid

(c) processing of personal data made public, in accordance with the intention of the data subject

(d) processing is mandatory for the establishment, exercise or protection of a right

(e) processing by persons or authorized institutions and organizations under the secrecy obligation, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health services (similar to Article 6 (3) before the amendment concerning the processing of health data for specific limited purposes by individuals subject to confidentiality obligations, serving as a legal basis for processing)

(f) processing mandatory for the fulfillment of legal obligations in the field of employment, occupational health and safety, labor and social security or social services and social assistance

(g) processing carried out by other non-profit organizations established for political, philosophical, religious or trade union purposes on condition that the processing relates solely to the members of the organization or to persons who are in regular contact with this organization

As the legal bases for processing special categories of personal data have been broadened to cover companies engaging in processing activities in the fields of employment, occupational health and safety, labor and social security, or social services and social assistance, as well as certain non-profit organizations, both data controllers and data subjects must take note of this amendment. This is particularly important for data controllers, as they may need to update their privacy documents and their VERBIS registrations.

Cross-border transfers (Article 9)

The Amendment introduces revisions regarding cross-border transfers of personal data to align with Chapter 5 of the GDPR. According to the Amendment, both data controllers and data processors in Turkey will be able to lawfully engage in cross-border transfers of personal data if one of the following conditions is met:

  • One of the conditions set forth under Articles 5 and 6 (conditions for processing personal data) is present, AND the TDPA has issued an adequacy decision, as per the criteria stipulated in the Amendment, showing that the country, sectors within a country or international organizations are competent for this data transfer

OR

  • One of the conditions set forth under Articles 5 and 6 (conditions for processing personal data) is present, AND the data subject has the means to exercise their rights and to have recourse to effective legal remedies in the recipient country, AND the parties have provided one of the following appropriate safeguards provided under the TDPL. The safeguards mentioned within the Amendment include:

(i) agreements permitted by the TDPA between public institutions and international organizations abroad or professional associations with public entity status in Turkey, which do not constitute international contracts,

(ii) executing binding corporate rules approved by the TDPA,

(iii) execution of standard contractual clauses to be published by the TDPA AND notifying the TDPA within 5 business days of execution of these clauses,

(iv) existence of a written contract whose provisions are sufficient to ensure an adequate level of protection and approval of such written contract by the TDPA.

OR

  • Non-repetitive data transfers are exercised under specific situations such as:
  1. the data subject provides explicit consent to the transfer, contingent upon being informed about the potential risks.
  2. the transfer is necessary for fulfilling a contract between the data subject and the data controller or for executing pre-contractual measures initiated at the data subject's request.
  3. the transfer is necessary for establishing or fulfilling a contract between the data controller and another natural or legal person for the data subject's benefit.
  4. the transfer is necessary for reasons of overriding public interest.
  5. the transfer of personal data is necessary for establishing, exercising, or safeguarding a right.
  6. the transfer of personal data is necessary to safeguard the life or physical integrity of an individual who is unable to give consent due to actual impossibility or whose consent is legally invalid.
  7. the transfer occurs from a registry accessible to the public or individuals with a valid interest, as long as the criteria outlined by relevant laws for accessing the registry are fulfilled, and the transfer is requested by those with legitimate interest.

Furthermore, the Amendment states that the rules regarding cross-border transfers set out under Article 9 shall also be applicable to onward transfers, and it emphasizes that, unlike the current regime under Article 9 of the TDPL, data processors shall also be liable for cross-border transfers of personal data.

Additionally, as the regime for relying on explicit consent for cross-border transfers was amended, a transitional clause was included in the Amendment. According to the Provisional Article 3 added to the TDPL, after the Amendment takes effect in June, controllers may keep relying on explicit consent as a legal basis for cross-border transfers until September 1, 2024. However, after that date, the new regime foreseen under the Amendment will be applicable for engaging in cross-border transfers.

The TDPA will also publish a new regulation concerning the implementation of rules on cross-border transfers. The TDPA must publish this regulation by June 1, 2024 to clarify the details on how to handle undertakings and other mechanisms besides explicit consent.

Misdemeanors and jurisdiction (Article 18)

The Amendment introduces a new type of misdemeanor for failing to notify the TDPA within 5 business days of the execution of the standard contractual clauses to be concluded for cross-border transfers, for both data controllers and processors.

The Amendment also introduces a special provision stating that administrative courts shall have jurisdiction over the disputes arising out of administrative fines imposed by the TDPA while consequently updating the period to file a lawsuit against TDPA decisions. However, it is envisaged that the cases pending before the criminal courts of peace as of June 1, 2024, shall continue to be heard by these courts.

Conclusion and our considerations

While the Amendment reflects alignment with the GDPR as a guiding framework, the TDPL still requires substantial adjustment to fully align with the GDPR. However, these amendments still represent an initial step toward harmonization.

Specifically, as the long-anticipated amendment concerning cross-border transfers takes effect, it is crucial to highlight that explicit consent is no longer the primary legal basis as it once was in the process. Consequently, data controllers are expected to revise their cross-border data transfer policies and processes to achieve compliance with the new rules introduced.

However, companies should always consider that, in addition to the TDPL, there exist special data localization provisions that restrict or prohibit cross-border data transfers in various sectors such as banking, electronic communications, finance, financial leasing, taxation, healthcare, etc. Data localization provisions per those sector-specific regulations aim to establish a "reasonable balance" between national policies related to data protection (including personal data) and the effective continuation of data-driven commercial activities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.