Long-Awaited Turkish Data Law Update: Closer Alignment with GDPR?

What is this article about?

i. Introduction

ii. Cross-Border Data Transfer

iii. Processing of Sensitive Data

iv. Administrative Fines and Legal Remedies

v. Coming Into Force

vi. Consequences

i. Introduction

On 2 March 2024, significant amendments were made to Law No. 6698 on the Protection of Personal Data ("TDPL") as adopted by the Grand National Assembly of Türkiye, aiming to solve the most challenging topics since the enactment of the TDPL (i.e. cross-border transfers and processing of sensitive data).

We welcome the partial changes to the TDPL, which we believe must provide necessary mechanisms for businesses to regulate their international data transfers. However, we note that the draft bill for a new data protection law at the level of the General Data Protection Regulation ("GDPR") is still waiting to be discussed at the Grand National Assembly.

The amendments made to the TDPL are summarized under the following three headings:

ii. Cross-Border Data Transfer

In the preamble of the amendment, it is emphasized that the transfer of data abroad currently depends only on obtaining the explicit consent of the data subjects or the approval of the Personal Data Protection Board (“KVKK”) and this complicates the implementation of the TDPL. To keep up with the technology requirements and harmonize the TDPL with the GDPR, it is envisaged to implement new mechanisms in terms of cross border data transfers.

As per the amendment, as a rule, the criteria below must be met to be able to transfer data abroad:

  • Existence of one of the data processing legal grounds in the TDPL,
  • An "adequacy decision" (the existence of adequate data protection) must be resolved by the KVKK for a country, international organization or sector within the country to which personal data will be transferred.

Unlike the previous version of the TDPL, it is now possible to resolve an adequacy decision for a sector or international organization within that country instead of the entire country; here the amendment aims to adopt the same principle stipulated in Article 45 of the GDPR. The procedure for resolving an adequacy decision and the criteria primarily taken into consideration by the KVKK have also been determined with the amendment, as in the GDPR. Also, the KVKK is authorized to change, suspend, or remove its decision with prospective effect.

In the absence of an adequacy decision, personal data may only be transferred abroad if, 

a. One of the legal grounds foreseen for data processing in the TDPL exists,

b. Data subject has the possibility to exercise his/her rights and to have recourse to effective remedies in the receiving country; and

c. Existence of one of the procedural safeguards listed in the amendment.

The TDPL once more mentions the requirement of data processing legal grounds for the cross-border data transfer.

Four procedural safeguards are listed in the TDPL with the amendment:

1. Existence of an agreement that does not constitute an international agreement between foreign public institutions and organizations or international organizations and Turkish public institutions and organizations or professional organisations like public institutions. In this first possibility, the KVKK’s authorization/approval is required in addition to the agreement mentioned above.

2. Existence of binding corporate rules. Binding corporate rules are defined as "the provisions regarding the protection of personal data that all companies in the group of undertakings are obliged to comply with". In the presence of binding corporate rules previously approved by the KVKK, it is possible to transfer personal data to another company of the same group in a foreign country.

3. Execution of "Standard Contractual Clauses". Accordingly, it will be possible to transfer data without the need for a separate authorization/approval of the KVKK by signing the standard contract to be announced by the KVKK. The standard contract will contain, among others, data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data. However, unlike under the GDPR, the data processor or data controller has the obligation (breach of which will be subject to administrative fines) to notify the KVKK within five business days from the date of the standard agreements.

4. The last procedural safeguard is a written undertaking. It is possible to transfer personal data to a country where there is no adequacy decision in the presence of a written undertaking as published by the KVKK containing provisions to ensure adequate protection and if the KVKK authorises the transfer. We had this option under the TDPL previously, and out of 80 applications the KVKK approved only 8; it was therefore not a very viable option for data controllers in the past.

The amendment also regulates how personal data can be transferred abroad in exceptional cases where neither an adequacy decision nor procedural safeguards are available. In the cases listed in the relevant article of the TDPL, it is possible to transfer data abroad on occasional terms (probably to be interpreted in the coming days as "for once" or "more than once but in a non-repetitive manner"). However, some of these exceptions cannot be applied to public institutions and organisations.

Since the amendment stipulates that data transfers abroad shall be regulated in more detail by a regulation, it is expected that the guidelines and regulations to be prepared by the KVKK will provide further guidance on data transfers and application of the new provisions.

iii. Processing of Sensitive Data

Before the amendment, processing of health and sexual life data was subject to stringent rules compared to other categories of sensitive data. With the amendment, in parallel with the GDPR, this distinction between sensitive data categories has now been abolished.

Within the scope of the TDPL, it is now possible to process sensitive data where one of the situations in the table below exists:

| Legal Ground | Explanation | Comparison |
| --- | --- | --- |
| a. Explicit Consent | Although the same processing condition exists in the GDPR, the part explaining that there are prohibitions that cannot be lifted by the data subject's consent is not included in the TDPL. | However, under the general rules of Turkish civil law, considering Article 27 of the Turkish Code of Obligations No. 6098, it can be said that consent cannot be given in violation of the laws, as is stated in the GDPR. |
| b. Processing is explicitly stipulated by law | Before the amendment, this legal ground was included in Article 5 of the TDPL and constituted one of the conditions for processing personal data. With the amendment, it has become possible to process sensitive data in cases explicitly stipulated by law. | Although Article 9 of the GDPR also contains a number of legal grounds with a basis in laws (such as substantial public interest, health and social care, etc.), the amendment to the TDPL provides a wider legal ground based on laws for processing sensitive data. There is no such regulation in the GDPR. |
| c. Processing is mandatory to protect the life or bodily integrity of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent | Similar to subparagraph b, this legal ground was included in Article 5 of the TDPL before the amendment for "normal" personal data. | It can be considered that this data processing condition has been introduced for sensitive data in parallel with the GDPR. |
| d. Processing relates to personal data made public by the data subject and is in line with the data subject's will to make it public | In the decision summary of the KVKK dated 07/11/2019 and numbered 2019/331, it was stated that personal data should be processed per the data subject's purpose of making their data public. With the amendment, the KVKK's decision has gained a legal basis. | This condition is also included in the GDPR. |
| e. Processing is mandatory for the establishment, exercise, or protection of a right | Again, like the legal grounds for processing in subparagraphs b and c, this also existed in the TDPL for "personal data" before the amendment. | The GDPR shows that this legal ground is limited to "employment, social security and social protection areas". However, in terms of the TDPL, it is possible to process sensitive data based on this legal ground regardless of the context. |
| f. Processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation of secrecy or authorized institutions and organizations | This legal ground was included in the TDPL for only health and sexual life data before the amendment. With the amendment, minor changes were made in the wording of the article. | Although this data processing condition is not exactly the same as the GDPR, it mostly overlaps in terms of purpose and scope. |
| g. Processing is mandatory for carrying out legal obligations in the field of employment, occupational health and safety, social security, social services and social assistance | The rights and obligations of the employee are not mentioned separately in the TDPL, but considering the purpose and the whole of the TDPL, it should be possible to process sensitive data based on this subparagraph for the rights and obligations of the employees. | In addition to subparagraph e, the regulation in the GDPR is similar to this subparagraph. Again, it can be said that the said clause is broader compared to the GDPR. |
| h. Processing is carried out for current or former members of, or for persons who are in regular contact with, the foundations, associations, and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that it is in accordance with the legislation to which they are subject and their purposes, limited to their fields of activity and not disclosed to third parties | Within the scope of this subparagraph, in cases where sensitive data is processed, the data controller will not be able to transfer personal data to third parties. However, such transfer is possible in cases where explicit consent is obtained from the data subject. | This clause, which is one of the new legal grounds introduced by the amendment, is very similar to the relevant article in the GDPR. Unlike the GDPR, the amendment regulates the condition of "not transferring data to third parties". |

iv. Administrative Fines and Legal Remedies

For the first time with the amendment, both data controllers and data processors as exporters of data are liable to abide by the rules in the TDPL and a new administrative fine is introduced for breach of obligation to notify the KVKK regarding execution of the standard contractual clauses, if that route is chosen. One of the most important amendments is that administrative fines imposed under the TDPL will be challenged before administrative courts instead of criminal courts.

v. Coming Into Force

These amendments will enter into force gradually.

The provisions regulating the conditions of processing sensitive data and cross-border data transfer will enter into force on June 1, 2024. However, Article 9 of the TDPL on transfer abroad will remain in force until September 1, 2024, together with the new amendments, and as of September 1, 2024, Turkish data exporters will no longer be able to use the legal ground of "explicit consent for transfer abroad", which has been the most used legal ground under the previous regime.

In terms of the legal remedy to be applied against administrative fines, it is planned that the applications that were being heard by the criminal courts until June 1, 2024 will continue to be heard by these courts.

vi. Consequences

Consequently, Turkish data controllers will need to revisit their sensitive data processing operations and their data export operations abroad as soon as possible, prepare new mechanisms (i.e. prepare their Transfer Impact Assessments) and re-arrange their documentation for compliance with the amendments.

Also, as for data exportation, Turkish data processors will need to work on their data exportation regimes and comply with the new rules.

Although the amendments are aimed at complying with the GDPR, the differences between the amended TDPL and the GDPR are still not minor. Before the TDPL can be said to be fully compatible with the GDPR, the major law change that is planned to come into force soon will need to be seen.