On February 16, 2024, the Law Proposal amending the Code of Criminal Procedure, Certain Laws and Statutory Decree numbered 659 ("Proposal") which also included amendments to the Law numbered 6698 on the Protection of Personal Data ("DPL") was published on the Grand National Assembly of Turkiye's ("GNAT") official website1. The Proposal was submitted before the Justice Commission, Constitution Commission and Planning and Budget Commission of GNAT for further discussion.
As stated in the general recital of the Proposal2, The Human Rights Action Plan announced in 2021, the Economic Reforms Action Plan and the 2024-2026 Medium Term Program all included the objective of aligning the DPL with the European Union's ("EU") General Data Protection Regulation ("GDPR"). In this respect, with the Proposal the essential provisions relating to legal conditions for processing special categories of personal data and cross-border data transfers are amended.
On March 1, 2024, the GNAT announced on its website that the Proposal introducing changes to Article 6 (Conditions related to the processing of special categories of personal data), Article 9 (Transfer of personal data abroad) and Article 18 (Minor Offences) of the DPL has been accepted by the GNAT and became law ("Amendment")3. The Amendment was published on the Official Gazette of March 12, 20244 upon being confirmed by the President.
I. Amendments regarding Special Categories of Personal Data
Special categories of personal data are defined under first paragraph of Article 6 of the DPL as "data regarding persons' race, ethnic origin, political opinion, philosophical belief, religion, sect or any other beliefs, appearance and clothing, information regarding association, foundation or union membership, health, sexual life, criminal conviction and biometric and genetic data." Processing such data were regulated in a strict manner under the current version of the DPL, which caused challenges especially for employers and companies operating in the health sector.
One of the most significant changes brought by Article 33 of the Amendment is the new processing conditions introduced for special categories of personal data. The recital for Article 33 of the Amendment states that the conditions for processing special categories of personal data are revised taking the GDPR into consideration. Although the prohibition on processing special categories of personal data is reserved and the conditions are still listed exhaustively under the amended article, there are now additional conditions in terms of processing such personal data.
With Article 33 of the Amendment, second paragraph of Article 6 of the DPL is repealed, and the new conditions are set forth with the third paragraph added to the said article. In this respect, the amended conditions for processing special categories of personal data are as follows:
i. With the explicit consent of the data subject,
ii. When explicitly foreseen by laws,
iii. When necessary for the protection of life or bodily integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not deemed legally valid,
iv. When related to personal data publicly disclosed by the data subject and in accordance with their disclosure will,
v. When necessary for the establishment, exercise, or defense of a legal claim,
vi. When required by individuals or authorized institutions or organizations under a confidentiality obligation, for purposes such as protecting public health, conducting preventive medicine, medical diagnosis, treatment, and care services, as well as planning, management, and financing of health services.
vii. When necessary for fulfilling legal obligations regarding employment, occupational health and safety, social security, social services, and social assistance.
viii. With regards to current or former members and participants or individuals regularly in contact with these organizations, provided that it is processed by foundations, associations, and other non-profit organizations established for political, philosophical, religious or syndicate purposes, in compliance with their legislation and objectives, limited to their operational scope, and that it is not disclosed to third parties.
II. Amendments regarding Transfer of Personal Data Abroad
Transferring personal data abroad was a major challenge both for data controllers and data processors as the current version of the DPL had very limited instruments to rely on for cross-border transactions. In this regard, the current version of Article 9 only allowed cross-border transfers based on the data subject's consent as the principal rule. In addition, pursuant to second paragraph of the existing article, personal data can be transferred abroad if one of the legal conditions stipulated under Article 5/2 and Article 6/3 is met and a decision of the Personal Data Protection Board ("Board") setting forth that the country to which the personal data is being transferred has an adequate level of protection (adequacy decision). On the other hand, transferring personal data without the explicit consent of the data subject to countries for which there exists no adequacy decision is only possible if data controllers in Turkiye and the respective country undertake an adequate level of protection in writing and the Board permits it provided that one of the legal conditions is met.
The recital for Article 34 of the Amendment amending the said cross-border transferring conditions under Article 9 of the DPL also acknowledges the challenges that the current version causes for the actors that process personal data, as the Board has not rendered an adequacy decision since the enactment of the DPL in 2016 and only approved a few of the undertakings among more than eighty applications received in the meantime. Therefore, an amendment to Article 9 of the DPL regulating cross-border transactions was a long-awaited change especially for group companies that have foreign affiliates or subsidiaries.
The recital also states that the Amendment was based on the GDPR's provisions as the EU considered the ever-developing technology and digitalization and requirements arising from the dynamic commercial life while regulating the instruments for cross-border transfers during the preparation of the GDPR.
Pursuant to Article 34 of the Amendment amending Article 9 of the DPL, personal data may be transferred abroad by data controllers and processors;
A. if one of the conditions stipulated under Articles 5 and 6 of DPL is applicable, and there is an adequacy decision regarding the country, international organization, or sectors within the country to which data will be transferred.
B. if there is no adequacy decision, provided that one of the conditions stipulated under Articles 5 and 6 of DPL is applicable and the data subjects have the opportunity to exercise their rights and access effective legal remedies in the country of transfer, upon the provision of one of the following appropriate safeguards by the parties:
i. the existence of a non-international agreement between public institutions and organizations abroad or international organizations and public institutions or professional organizations with public institution status in Turkiye and the authorization granted by the Board.
ii. the existence of binding corporate rules approved by the Board including provisions related to the protection of personal data, to which companies within the group engaged in common economic activities are obliged to comply.
iii. the existence of a standard contract announced by the Board pertaining to matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data.
iv. the existence of a written undertaking including provisions ensuring adequate protection and authorization granted by the Board.
C. if there is no adequacy decision and none of the appropriate safeguards above can be provided, only in the presence of one of the following conditions on a temporary basis:
i. with the explicit consent of the data subject, provided that they are informed about the potential risks of the transfer,
ii. when necessary for the execution of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject,
iii. when necessary for the conclusion or execution of a contract in the interest of the data subject between the data controller and another real or legal person,
iv. when necessary for an overriding public interest,
v. when necessary for the establishment, exercise, or defense of a legal claim.
vi. when necessary for the protection of life or bodily integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not deemed legally valid,
vii. in case of transferring from a register available to the public or accessible by persons with a legitimate interest, upon meeting the necessary conditions for accessing the register as stipulated in the relevant legislation and upon the request of the person with a legitimate interest.
The Amendment also sets forth that the said provisions and safeguards stipulated under the DPL will be applicable to subsequent transfers and transfers to international organizations and the procedures and principles regarding the implementation of the amended article will be regulated by a regulation. So, the Personal Data Protection Authority ("Authority") is expected to publish a comprehensive regulation also containing the standard contact and detailed guidance on the new cross-border transfer instruments following the enactment of the Amendment.
III. Other Provisions
The Amendment also introduces changes in Article 18 of the DPL regulating minor offences related to the infringement of the DPL. In this regard, in line with the new obligation set forth in the amended Article 9, the data processors and data controllers who fail to notify the Board upon the conclusion of a standard contract which is also brought by the Amendment within five days following the signing date will be subject to an administrative fine ranging from 50,000 Turkish Liras up to 1,000,000 Turkish Liras.
In addition, apart from relaxing the challenges related to processing special categories of personal data and transferring personal data abroad, the Amendment brings clarity regarding the imposition of administrative fines and legal remedies against the Board's decisions. In this regard, the Amendment stipulates that the administrative fines relating to failing to fulfil the obligation to inform data subjects, failing to fulfil the obligations relating to data security, failing to comply with the Board's decisions, and failing to register with VERBIS will be imposed upon data controllers whereas the administrative fine mentioned above relating to failing to notify the Board upon the conclusion of a standard contract within five days will be imposed on both data controllers and data processors who are real persons and private law legal entities. Moreover, the Amendment explicitly states that the administrative courts will be the higher appealing courts for the decisions rendered by the Board.
IV. Entry Into Force
The Amendment is set to enter into force on June 1, 2024. That being said, the Amendment also states that the current first paragraph of Article 9 of the DPL which stipulates that personal data cannot be transferred abroad, without the explicit consent of the data subject will remain in force until September 1, 2024, along with the amended version. Further, applications before the criminal judgeships of peace will be concluded by the same judgeships as of June 1, 2024.
V. Conclusion
To conclude, it is clear that the Amendments will improve the crucial arease that the data processing actors face especially while processing special categories of personal data and during cross-border data transfers. With the Amendments, data processors will have a wider range of conditions to rely on for processing special categories of personal data, specifically the employers who wish to collect employees' health data for complying with occupational safety regulations and data processors operating in the health sector who had to exclusively rely on explicit consent pursuant to the existing version of the DPL. The Amendment also brings clarity to another discussion on the legal remedies against the Board's decisions while in general bringing Turkiye's data protection regime closer to that of the EU. However, the Authority's and Board's further actions are much needed for guidance on the implementation of the Amendment.
Footnotes
1. https://cdn.tbmm.gov.tr/KKBSPublicFile/D28/Y2/T2/WebOnergeMetni/6e8b6477-2942-49d1-acf1-cfa13bcac252.pdf (Last accessed on March 5, 2024)
2. https://cdn.tbmm.gov.tr/KKBSPublicFile/D28/Y2/T2/WebOnergeMetni/6e8b6477-2942-49d1-acf1-cfa13bcac252.pdf, paragraph 11, (Last accessed on March 5, 2024)
3. https://www.tbmm.gov.tr/Haber/Detay?Id=58ea63d5-7f59-473f-b3cb-018dfbd0e2bf (Last accessed on March 5, 2024)
4. https://www.resmigazete.gov.tr/eskiler/2024/03/20240312-1.htm (Last accessed on March 12, 2024)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
