Within the scope of the 8^th Judicial Package published in the Official Gazette dated March 12, 2024, amendments were made to the Law No. 6698 on the Protection of Personal Data ("LPPD" or "Law"). These amendments entered into force on June 1, 2024. Therefore, we would like to inform you about these amendments.

1. Amendment to Article 6 of the Law Concerning the Processing of Sensitive Personal Data

With the amendment to Article 6 of the Law, the provision regarding the sensitive personal data will be as follows:

“…(3) Processing of sensitive personal data is prohibited. However, processing thereof is possible in case of;

a) Explicit consent by data subject,

b) Explicitly stipulated by laws,

c) Processing is mandatory to protect the life or physical integrity of the data subject or of another natural person where the data subject cannot disclose their consent due to actual impossibility or whose consent is not legally valid,

ç) Processing of personal data made public, in accordance with the intention of the data subject,

d) Processing is mandatory for the establishment, exercise or protection of a right,

e) Processing by persons or authorized institutions and organizations under the obligation of confidentiality, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health services,

f) Processing is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, labor and social security or social services and social assistance,

g) Processing is carried out by foundations, associations and other non-profit organizations established for political, philosophical, religious or trade union purposes provided that they comply with the legislation they are subject to and their purposes, are limited to their fields of activity and are  not disclosed to third parties; where it is related solely to the members of the organization or to persons who are in regular contact with this organization.”

2. Our Notes Regarding the Amendment to Article 6 Concerning the Processing of Sensitive Personal Data

Before the amendment, a different data processing system was envisaged for “data related to health and sexual life” which are sensitive personal data. The processing of above-mentioned sensitive personal data was only possible (i) on condition that explicit consent is obtained from the data subject or (ii) (without explicit consent) for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing and provided that such procession is by persons under the obligation of confidentiality or authorized institutions. With the amendment to the Law, the different system envisaged for "sensitive categories of personal data regarding health and sexual life" has been abolished and they will be subject to the same conditions as the processing of other sensitive categories of personal data.

The above-mentioned difference regarding the processing of health data was causing problems in practice as to the processing of employees' health data and health reports, especially in employment relations. Because, pursuant to the previous provisions of the Law, employees’ health data could be processed either by obtaining explicit consent or, in the absence of explicit consent, only by workplace physician and limited to the purposes specified in the Law. However, as it is not mandatory to have a workplace physician in every workplace, employees' health data were generally processed only with explicit consent. Additionally, whether employees provide explicit consent with their free will and the possibility of withdrawing the consent were among the issues discussed. With the amendment to the Law, these discussions in practice have been put to an end and the processing of health data within the scope of employment relations has become possible even without explicit consent, provided that it is complied with the Law.

It is now possible to process health data if it is expressly stipulated by laws. Although other laws required the processing of health data, the fact that the previous provisions of the Law did not allow processing was another issue that caused controversy. With the amendment to the Law, data regarding health and sexual life, like other personal data with sensitive nature, can be processed without explicit consent where it is clearly stipulated by the laws.

In other clauses of the amended Article 6 of the Law, the differences in terms of sensitive data regarding health and sexual life have been eliminated and the general processing conditions as to the sensitive personal data have been expanded.

3. Our Notes Regarding the Amendment to Article 9 of the Law on Cross-border Transfer of Personal Data

In accordance with the previous provisions of the Law, personal data could be transferred abroad (i) with explicit consent, (ii) based on a safe country decision, (iii) in the absence of a safe country decision, in the presence of a letter of undertaking. However, in practice, the list of safe countries has not yet been accepted by the Personal Data Protection Board (“Board”). Additionally, it is known that very few letters of undertaking have been approved by the Board. Therefore, the most common method for cross-border transfer of personal data is the explicit consent of the data subject. However, because it is possible for the data subject to withdraw his/her consent and has the right to request the deletion or destruction of his/her data, the deletion or destruction of data once transferred abroad causes problems in practice. The European Data Protection Regulation (“GDPR”), which is the basis of the Law, does not accept explicit consent as a general transfer condition for cross-border data transfer, and allows cross-border data transfer based on explicit consent in exceptional cases. With the amendment to the Law, a closer system with the GDPR has been introduced for cross-border personal data transfer. The new tiered system introduced with the amendment to the Law for cross-border personal data transfer is as follows:

1. Existence of an adequacy decision,
2. Appropriate safeguards (in cases where there is no adequacy decision),
3. Transfer conditions regarding occasional cases (in cases where adequacy decision and appropriate safeguards are not available).

3.1. Adequacy Decision

The adequacy decision will be made by the Board and published in the Official Gazette. The adequacy decision can be made not only for a country, but also for sector within the country or international organizations and will be re-evaluated by the Board every four years at the latest. The aspects to be taken into consideration when making an adequacy decision are regulated in the Law.

3.2. Appropriate Safeguards

In accordance with the Law, in the absence of an adequacy decision, the mechanism to be applied to cross-border transfer of personal data will be appropriate safeguards. Appropriate safeguards are listed in the Law as follows:

1. Existence of an administrative agreement between public institutions and organizations or international organizations abroad and those in Türkiye and the Board's permission for the transfer;
2. Existence of binding corporate rules;
3. Existence of standard contractual clauses;
4. Existence of a written undertaking and the Board’s permission.

Within the context of appropriate safeguards, the Binding Corporate Rules determined by the Board prior to amendment to the Law remain valid. As another appropriate safeguard, cross-border data transfer is also possible in the presence of standard contractual clauses. However, standard contractual clauses must be notified to the Board by the data controller and data processors within five business days. It is also possible to carry out cross-border personal data transfer with a written undertaking to be issued by the parties who wish to transfer data abroad. However, these written undertaking must be approved by the Board. Before the amendment to the Law, only the data controller was addressed regarding what needed to be done for cross-border personal data transfer. With the amendment to the Law, data processors have also been imposed with obligations for cross-border personal data transfer.

3.3. Occasional Cases

In accordance with the amendment to the Law, if there is no adequacy decision for cross-border personal data transfer and if any of the appropriate safeguards listed above are not ensured, cross-border personal data transfer may be carried out in case of any of the following exceptional cases provided that the transfer remains occasional:

1. Data subject’s explicit consent to the transfer, provided that they have been informed about the potential risks.
2. Transfer is being necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject.
3. Transfer is being necessary for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
4. Transfer is being necessary for an overriding public interest.
5. Transfer is being necessary for the establishment, exerbise or protection of a right.
6. Transfer is being necessary to protect the life or physical integrity of the data subject or another natural person where the data subject cannot disclose their consent due to actual impossibility or whose consent is not legally valid.
7. Transfer is being made from a registry that is open to the public or persons with a legitimate interest, to the extent that the conditions laid down by applicable law for accessing the registry is met and transfer is requested by those having legitimate interest.  

With the amendment to the Law, explicit consent has been rendered a legal ground in exceptional cases in the cross-border personal data transfer. Accordingly, in cross-border personal data transfer, first the existence of an adequacy decision and appropriate safeguards must be ensured. If these cannot be ensured, in exceptional cases which must be occasional, cross-border personal data transfer may be carried out with explicit consent and other legal grounds specified in the Law. In any case, it is understood that explicit consent will not make cross-border data transfer legal in a case where a temporary nature does not exist.

4. Our Notes Regarding the Amendments to Article 18 of the Law entitled Misdemeanors

With the amendment to the Law, it has been accepted that administrative fines ranging from TL 50,000 to TL 1,000,000 have been introduced for those who fails to notify the Board of the standard contractual clauses stipulated in Article 9. Since it is stated in the relevant provision of the Law that the administrative fine will be applied to the "data controller or data processor", this provision is interpreted that an administrative fine should be imposed on whoever transfers data abroad de facto where the relevant obligation is not fulfilled.

In the previous version of the Law, there was no explicit provision regarding the judicial authority which should be applied to challenge against the Board's administrative fines. However, in practice, challenges against Board’s administrative fines were made at the Criminal Judgeships of Peace. With the amendment to the Law, a provision was introduced on this aspect, and it was set out that an administrative lawsuit should be filed before the Administrative Courts as a judicial remedy against administrative fines.

5. Our Notes Regarding the Transitional Provision and Its Enforcement

The amendments to the Law explained above entered into force on June 1, 2024. However, with the transitional provision adopted to the Law, it is envisaged that the previous paragraph 1 of Article 9 of the Law will continue to be implemented until 01/09/2024, with the amended version of the article. The related provision stipulates that personal data cannot be transferred abroad without the explicit consent of the data subject. Therefore, it is understood that explicit consents obtained from the data subjects regarding the cross-border personal data transfer will be considered legal until September 1, 2024.

In addition, in accordance with the transitional provision adopted to the Law, objections against the administrative fines imposed by the Board, which are currently being heard before the Criminal Judgeships of Peace as of June 1, 2024, will continue to be heard before these courts. However, competent court for new challenges against the Board’s administrative fines will be the Administrative Court.

6. Conclusion

First of all, with the amendment to Article 6 of the Law, different processing conditions for data related to health and sexual life have been abolished and their processing has become subject to the same conditions as the processing of other special categories of personal data. In general, the processing conditions for all special categories of personal data have been expanded. Therefore, the legal reasons regarding the processing of special personal data stated in the privacy statements will need to be updated and more compatible with the Law. 

With the amendment to Article 9 of the Law, in cross-border personal data transfers, explicit consent has become a legal ground to be applied in exceptional cases, rather than to be applied in general, in parallel with the provisions of the GDPR. Pursuant to amended Article 9 of the Law, unlike the old system, in data transfer abroad, it will first be required to ensure the existence of an adequacy decision and appropriate safeguards. If these cannot be ensured, in exceptional cases which must be occasional, data transfer abroad can be carried out with explicit consent and other legal grounds specified in the Law. For this reason, those who transfer personal data abroad based on explicit consent must comply with the changed version of the Law by September 1, 2024, fulfill the necessary conditions in this regard, and update their privacy statements accordingly.

A draft regulation has been announced by the Board regarding the procedures and principles of transferring personal data abroad. Further information on this subject can be provided once the draft regulation on this matter is finalized and published on the Official Gazette.

For information and inquiries please contact:

info@ozel-law.com

ÖZEL Attorneys-at-Law

This bulletin has been prepared on 06/01/2024 in order to share the legal developments in Turkish law. It does not include any legal advice nor guidance; for general information only.