05 August 2024
Amendments to the Law on the Protection of Personal Data No. 6698 Within the Scope of the 8th Judicial Package and Their Reflections
I- Introduction
As is known, with the 8th Judicial Package accepted in the Grand National Assembly of Türkiye on March 2, 2024, and the Law No. 7499 published in the Official Gazette No. 32487 on March 12, 2024, titled the Law on Amendments to the Criminal Procedure Code and Certain Laws, several amendments were made to the Law on the Protection of Personal Data No. 6698 (the Law).
Accordingly, in order to address the difficulties experienced in the implementation of the Law, and taking into account the General Data Protection Regulation (GDPR) of the European Union, comprehensive amendments have been made especially in the conditions for processing special categories of personal data and the conditions for transferring personal data abroad. In this article, we have summarized the amendments made to the Law on the Protection of Personal Data No. 6698.
II- The Cases in Which Sensitive Personal Data Can Be Processed Have Been Expanded
What is sensitive (special categories of) personal data?
Sensitive personal data is defined in Article 6 of the Law: data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, qualify as sensitive personal data.
The amendment did not change the above definition of sensitive personal data; only the conditions for processing such data have been expanded.
Situation Before the Amendments and Problems in Practice
In the previous regulation, as a general rule, special categories of personal data could not be processed without the explicit consent of the data subject, and the exceptions to this were quite limitedly regulated in the Law. Accordingly, there was a binary distinction:
- Personal data related to health and sexual life could only be processed by institutions for the provision of health services,
- Other special categories of personal data could only be processed without the explicit consent of the data subject in cases explicitly stipulated by law.
This situation created difficulties in practice, especially regarding the processing of health data. On one hand, employers are required to process the health data of their employees due to occupational health and safety regulations, but on the other hand, under the Law, these data could only be processed by workplace physicians. In workplaces without a workplace physician, explicit consent from the employee was required to keep these data in personnel files. Consequently, employers had to direct employees to give explicit consent in order to fulfill their legal obligations, which was not compatible with the principle that consent should be given "freely."
Amendments in the Terms of Processing Sensitive Personal Data
First, the above-mentioned binary distinction between the types of sensitive personal data has been abolished, and the way has been paved for processing such data without the explicit consent of the data subject in the cases listed exhaustively in the Law.
Besides processing based on explicit consent, sensitive personal data may be processed without the explicit consent of the data subject in the cases listed below:
- The processing is explicitly provided for by law.
- The processing is necessary to protect the life or physical integrity of the person concerned or of another person, where the person is unable to express consent due to physical disability or where their consent is not deemed legally valid (e.g., processing blood group data in order to protect the life of a person who cannot express consent due to loss of consciousness).
- The processing relates to personal data made public by the data subject and is consistent with the data subject's intention in making it public (e.g., processing blood type and allergy information shared in a publicly accessible area in accordance with the purpose of use in emergency situations).
- The processing is necessary for the establishment, exercise or protection of a right (e.g., keeping the health data of a former employee in order to exercise the right of defense in lawsuits that are likely to be filed after the termination of the employment relationship).
- The processing is necessary and is carried out by persons subject to a secrecy obligation or by competent public institutions and organizations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health-care services (e.g., data processed by the Ministry of Health, all kinds of health institutions and SSI for these purposes).
- The processing is mandatory for the fulfillment of legal obligations in the areas of employment, occupational health and safety, social security, social services and social assistance (e.g., processing of health data in order to fulfill the obligation of employers to employ people with disabilities in accordance with the Labor Law No. 4857).
- The processing relates to current or former members of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, or to persons who are in regular contact with these organizations and formations, provided that the processing complies with the legislation to which they are subject and with their purposes, is limited to their fields of activity, and the data are not disclosed to third parties (e.g., processing the personal data of people who donate to these organizations, limited to and in connection with the fields of activity of these organizations).
In line with the established practice of the Personal Data Protection Authority ("KVKK"), the explicit consent of the data subject should be sought for the processing of sensitive personal data only where none of the above conditions is present.
III- The Procedures for Transferring Personal Data Abroad Have Been Facilitated
Situation Before the Amendments and Problems in Practice
Although the Law stipulates that, if the legal conditions for processing data are met, data can be transferred to countries with adequate protection without the explicit consent of the data subject, the countries with adequate protection had not yet been announced by the Personal Data Protection Board (the "Board"). This left data controllers who wanted to transfer data abroad with two options:
- Obtaining explicit consent from each data subject,
- The data controllers in Türkiye and the recipient country providing a written commitment that adequate protection would be ensured and obtaining the Board's approval for the commitment.
However, as stated in the rationale for the amendment, to date, only eighty applications have been made to the Board, and only a few of these have been approved. As a result, in practice, the only option for data controllers wishing to transfer data abroad was to obtain explicit consent from the data subjects.
With the amendments made to the Law, the conditions for transferring data abroad have been simplified. Additionally, a regulation outlining the procedures and principles for data transfers abroad has been issued.
Amendments in the Legal Grounds for Transferring Personal Data Abroad
First, the Board has been granted the authority to make a decision on the presence of adequate protection not only concerning the country to which the data will be transferred but also specific sectors within a country or an international organization (adequacy decision). For example, it is now possible to make an adequacy decision for the automotive sector in a foreign country, rather than for the entire country, if the Turkish automotive sector has significant commercial relations with that sector. The Board will reassess its adequacy decisions at least every four years and may revoke, suspend, or amend these decisions as necessary.
Data Transfers Abroad with an Adequacy Decision
If the legal processing grounds outlined in Article 5 (and for special categories of personal data, Article 6) of the Law are met, personal data can be transferred without the explicit consent of the data subject to countries, international organizations, or specific sectors within countries for which the Board has issued an adequacy decision.
Data Transfers Abroad without an Adequacy Decision
In cases where there is no adequacy decision, data controllers may transfer personal data abroad without the explicit consent of the data subject, provided the following conditions are met:
- One of the legal processing grounds outlined in Article 5 (and for special categories of personal data, Article 6) of the Law is present, and
- The data subject must have the opportunity to exercise their rights and have access to effective legal remedies in the country where the data will be transferred, and
- One of the following safeguards must be provided:
  - For data transfers between public institutions: An inter-agency cooperation protocol must be signed between the public institution or professional organization in Türkiye and the public institution or international organization in the foreign country, and the Board's approval must be obtained for the data transfer.
  - For data transfers between group companies: There must be binding corporate rules (BCR) that the companies are obliged to comply with regarding the protection of personal data, and these rules must be approved by the Board.
  - For data transfers between data controllers in Türkiye and foreign countries: A standard contract issued by the Board must be signed; in this case, there is no need for additional approval from the Board.
  - For transfers based on a written commitment ensuring adequate protection: A written commitment containing provisions ensuring adequate protection must be signed, and the Board's approval must be obtained for the data transfer.
Incidental Transfers
In some cases where there is no adequacy decision and one of the appropriate assurances listed above cannot be provided, data may be transferred abroad on a single or several occasions and on a continuous basis. However, such a data transfer may only be possible in the presence of one of the following situations:
- The data subject's explicit consent is obtained, provided they are informed about the potential risks.
- The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject's request.
- The transfer is necessary for the conclusion or performance of a contract made in the interest of the data subject between the data controller and another natural or legal person.
- The transfer is necessary for important public interest reasons.
- The transfer is necessary for the establishment, exercise, or defense of legal claims.
- The transfer is necessary to protect the vital interests of the data subject or another person when the data subject is physically or legally incapable of giving consent.
- The transfer is made from a register that is open to the public or accessible to persons with a legitimate interest, provided that the conditions laid down by law for access to the register are fulfilled and the transfer is requested by a person with a legitimate interest.
How long can the current practice (data transfer abroad based on explicit consent) be continued?
Until September 1, 2024, data transfers abroad can continue on the basis of explicit consent obtained before or after the amendment of the Law. After this date, however, it will no longer be possible to transfer data abroad on the basis of these explicit consent texts, and transfers must instead rely on one of the above-mentioned transfer methods.
IV- A New Administrative Fine Has Been Added to The Violations and the Appeal Procedure Against Administrative Fines Has Been Amended
In cases where data is transferred abroad by signing the standard contract announced by the Board, the data controller or data processor must notify the KVKK within five working days from the signing of the standard contract, as a separate obligation. It is envisaged that administrative fines ranging from TRY 50,000 to TRY 1,000,000 (valid for 2024) will be imposed on data controllers or data processors who violate the notification obligation.
V- Uniformity in the Judicial Remedy Has Been Ensured
Another matter amended in the KVKK Reform is the judicial remedy against the decisions of the Board. The third paragraph added to Article 18 of the KVKK stipulates that "A lawsuit can be filed in the administrative courts against the administrative fines imposed by the Board." Given the nature of the administrative fines imposed by the Board, this ensures that these decisions are reviewed by the administrative judicial authorities. Before the amendment, decisions of the Board were subject to a dual review: administrative fines imposed by the Board were challenged before the criminal courts of peace, while the parts of a decision other than the administrative fine were challenged before the administrative judiciary. The amendments establish a more effective procedure for the review of the Board's decisions. It can be said that a more secure system has been established for individuals, as legal certainty will increase and uniformity will be ensured.
VI- Conclusion
In conclusion, these sweeping amendments to the Personal Data Protection Law No. 6698 have taken important steps towards modernizing the data protection regime in Türkiye and bringing it in line with international standards. Expanding the conditions for processing sensitive personal data and facilitating the procedures for data transfer abroad will enable data controllers to fulfill their legal obligations more flexibly and effectively. At the same time, new regulations on administrative fines and uniformity in the judicial remedy will increase legal certainty and create a safer environment for the protection of personal data. These amendments are expected to provide a more effective regulation on data security by protecting the rights of both individuals and data controllers.