
AMENDMENTS MADE TO THE LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA WITH THE 8TH JUDICIAL PACKAGE
With the Law No. 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws published in the Official Gazette dated 12.03.2024, some important amendments have been made to the Law on the Protection of Personal Data (“KVKK” or “Law”).
With the amendments made, important innovations have been introduced, especially in the issues of transfer of personal data abroad and the conditions for processing of sensitive personal data.
A. Processing of Sensitive Personal Data
Although the provision that the processing of sensitive personal data is prohibited has been retained, the provision that sensitive personal data can only be processed with the explicit consent of individuals has been removed.
In addition, the distinction within sensitive personal data between data relating to health and sexual life and other kinds of sensitive personal data has been abolished, and the conditions for processing have been expanded by means of an exhaustive list.
Accordingly, the processing of sensitive personal data will be possible in the presence of the following:
a) Explicit consent of the data subject,
b) It is explicitly stipulated in the laws,
c) It is necessary for the protection of the life or physical integrity of a person who is unable to disclose his/her consent due to actual impossibility or whose consent is not deemed legally valid, or of another person,
ç) It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
d) It is mandatory for the establishment, use or protection of a right,
e) It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning, management and financing of health services by persons under the obligation to keep secrets or authorised institutions and organisations,
f) It is mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
g) It is intended for current or former members of foundations, associations and other non-profit organisations or formations established for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organisations and formations, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties.
B. Transfer of Personal Data Abroad
With regard to the transfer of Personal Data abroad, the approach that prioritises the explicit consent of the data subject has been abandoned, and with the new additions, data transfers to be carried out abroad by both the data controller and the data processor must be carried out under the following conditions:
(1) Personal data may be transferred abroad by data controllers and data processors in the presence of one of the conditions specified in Articles 5 and 6 and an adequacy decision on the country, sectors within the country or international organisations to which the transfer will be made.
(2) The adequacy decision shall be made by the Board and published in the Official Gazette. The Board shall take the opinion of the relevant institutions and organisations if necessary. The adequacy decision shall be evaluated every four years at the latest. As a result of the evaluation or in other cases deemed necessary, the Board may change, suspend or revoke the adequacy decision with future effect.
(3) The following issues are primarily taken into consideration when making an adequacy decision:
a) The reciprocity status regarding the transfer of personal data between Turkey and the country, sectors within the country or international organisations to which personal data will be transferred.
b) The relevant legislation and practice of the country to which personal data will be transferred and the rules to which the international organisation to which personal data will be transferred is subject.
c) The existence of an independent and effective data protection institution in the country to which personal data will be transferred or to which the international organisation is subject, and the existence of administrative and judicial remedies.
ç) The status of the country or international organisation to which personal data will be transferred as a party to international conventions on the protection of personal data or as a member of international organisations.
d) The membership status of the country or international organisation to which personal data will be transferred to global or regional organisations of which Turkey is a member.
e) International conventions to which Turkey is a party.
(4) In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if one of the following appropriate safeguards is provided by the parties, provided that one of the conditions specified in Articles 5 and 6 exists and the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country where the transfer will be made:
a) Existence of an agreement that is not in the nature of an international contract between public institutions and organizations or international organizations abroad and public institutions and organizations in Turkey or professional organizations in the nature of public institutions and the Board permits the transfer.
b) Existence of binding corporate rules approved by the Board containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with.
c) Existence of a standard contract announced by the Board, containing data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data.
ç) Existence of a written undertaking containing provisions to ensure adequate protection and authorization of the transfer by the Board.
(5) The standard contract shall be notified to the Authority by the data controller or data processor within five business days following its signature.
(6) Data controllers and data processors may transfer personal data abroad in the absence of an adequacy decision and in the absence of any of the appropriate safeguards provided for in paragraph 4, provided that it is incidental and only in the presence of one of the following cases:
a) The data subject gives explicit consent to the transfer, provided that he/she is informed about the possible risks.
b) The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.
c) The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
ç) The transfer is mandatory for a superior public interest.
d) The transfer of personal data is mandatory for the establishment, exercise or protection of a right.
e) The transfer of personal data is mandatory for the protection of the life or bodily integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid, or of another person.
f) Transfer from a registry that is open to the public or persons with a legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.
(7) Subparagraphs (a), (b) and (c) of the sixth paragraph shall not apply to the activities of public institutions and organizations subject to public law.
(8) The guarantees set forth in this Law shall also be provided by data controllers and data processors for subsequent transfers of personal data transferred abroad and transfers to international organizations and the provisions of this Article shall apply.
(9) Without prejudice to the provisions of international agreements, personal data may be transferred abroad in cases where the interests of Republic of Türkiye or the data subject would be seriously harmed, only with the permission of the Board by obtaining the opinion of the relevant public institution or organization.
In this context, two new methods have been introduced for transferring personal data abroad:
1- The Personal Data Protection Board’s (“Board”) adequacy decision on the country of transfer.
2- One of the following conditions, provided that there is no adequacy decision but the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country where the transfer will be made:
a. Existence of an agreement that is not an international contract and the Board authorises the transfer,
b. Existence of binding corporate rules approved by the Board,
c. Existence of the standard contract announced by the Board and the requirement to notify the Personal Data Protection Authority (“Authority”) within 5 (five) business days regarding the conclusion of the contract (in case of failure to notify, an administrative fine from 50,000 Turkish Liras to 1,000,000 Turkish Liras is imposed), or
d. Existence of a written undertaking containing provisions to ensure adequate protection and authorisation of the transfer by the Board.
In addition, it has been determined that the procedures and principles to be applied regarding the transfer of personal data abroad will be set out by a regulation to be issued. The regulation on transfers abroad and the standard contracts to be published by the Board will be enlightening for data processors and data controllers.
These amendments will enter into force on 1 June 2024 and are considered as an important step in terms of harmonisation and parallelism of the Personal Data Protection legislation implemented in Turkey with the General Data Protection Regulation (GDPR) implemented in the European Union.
It should be noted that, with the article regarding the entry into force, it is possible to transfer personal data abroad for three more months (until 01.09.2024) after the entry into force of the Amendment, based on the explicit consent obtained before or after the entry into force of the Amendment. In this case, personal data can be transferred abroad based on explicit consent until 1 September 2024.