The 8th Judicial Reform Package and Amendments to the Turkish Personal Data Protection Law (KVKK)
With the Law on the Amendment of the Code of Criminal Procedure and Certain Laws published in the Official Gazette dated March 12, 2024 and numbered 32487, a number of amendments were made to the Law No. 6698 on the Protection of Personal Data. The acceptance of this legislative proposal is expected to harmonize the KVKK with the European Union General Data Protection Regulation ("GDPR").
Processing of Special Categories of Personal Data
The new judicial package initially removes the distinction within special categories of personal data between those related to "health and sexual life" and those that are not. Reasons for processing all special categories of personal data have been anticipated. According to the proposal, special categories of personal data may only be processed in the following cases:
- Consent of the Data Subject: Processing is allowed if there is explicit consent from the data subject.
- Clearly Envisaged by Laws: Processing is permissible if explicitly provided for by laws.
- Protection of Life or Physical Integrity: In cases where the data subject is physically or legally incapable of giving consent, processing is necessary to protect the life or physical integrity of the data subject or another person.
- Data Made Public by the Data Subject: Processing is permissible for personal data that the data subject has made public, in accordance with the data subject's intention to make the data public.
- Establishment, Exercise, or Defense of Legal Claims: Processing is necessary for the establishment, exercise, or protection of legal claims.
- For Public Health, Preventive Medicine, Medical Diagnosis, Treatment and Care Services: Processing is necessary by individuals or authorized institutions and organizations under confidentiality obligation, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, as well as for the planning, management, and financing of health services.
- Employment, Occupational Health and Safety, Social Security, Social Services, and Social Assistance: Processing is necessary for legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance.
- Political, Philosophical, Religious, or Union Purposes: Processing is allowed for foundations, associations, and other non-profit organizations or formations for political, philosophical, religious, or union purposes, provided it is in compliance with their statutes and purposes, limited to their area of activity, and not disclosed to third parties.
Transfer of Personal Data Abroad
Under the current regulation, the transfer of personal data abroad is possible if the conditions specified in Articles 5 and 6 of the KVKK are met and if there is a "sufficiency" decision regarding the country to which the data is transferred. Sufficiency decisions are to be made by the KVKK Authority. In the absence of a sufficiency decision, explicit consent or sufficient protection commitment by the data controllers and approval by the Board are required. The new regulation introduces a tiered regulation for the transfer of personal data abroad under Article 9 of the KVKK.
- Existence of an Agreement Between Public Institutions or International Organizations: The transfer is permitted under an agreement between public institutions or international organizations in Turkey and abroad, and with the permission of the KVKK Authority.
- Binding Corporate Rules: The presence of binding corporate rules within enterprises engaged in joint economic activities, which include provisions on the protection of personal data approved by the KVKK Authority.
- Standard Contractual Clauses: The presence of a standard contract announced by the KVKK Authority, detailing data categories, recipients, purposes of data transfer, administrative and technical measures to be taken by the recipient, and additional measures for special categories of personal data.
- Written Undertakings: The presence of written undertakings that provide adequate protection and permission for the transfer by the KVKK Authority.
However, in cases where adequacy is not obtained and the conditions specified in the fourth point are not met, personal data may still be transferred abroad under certain conditions:
- Informed Consent of the Data Subject: The data subject is informed about the risks and gives explicit consent.
- Necessity for Contract Performance: The transfer is necessary for the performance of a contract or pre-contractual measures.
- Public Interest: The transfer is essential for the public interest.
- Conditions Specified in KVKK Articles 5/2-b and c: The transfer meets the conditions specified in these articles.
Administrative Fines and Judicial Recourse
The new KVKK amendment also regulates that KVKK administrative fines imposed by the Board can be contested in administrative courts. Although the 8th Judicial Reform Package designates administrative courts as the competent courts for appeals against decisions made under Article 18 of the KVKK, it is envisaged that cases currently being heard by peace criminal judgeships as of June 1, 2024, will continue to be heard in these judgeships.
Offenses
The previous version of Article 9 on offenses and the final version with amendments are as follows:
Offenses | Offenses |
---|---|
ARTICLE 18- (1) Law; a) From 5,000 TRY to 100,000 TRY for those who fail to fulfill the disclosure obligation stipulated in Article 10, b) 15,000 TRY to 1,000,000 TRY for those who fail to fulfill the obligations regarding data security stipulated in Article 12, c) 25,000 TRY to 1,000,000 TRY for those who fail to fulfill the decisions taken by the Board pursuant to Article 15, ç) From 20,000 TRY to 1,000,000,000 TRY for those who violate the obligation to register and notify the Data Controllers Registry stipulated in Article 16, administrative fine shall be imposed. (2) Administrative fines stipulated in this Article shall be imposed on natural persons and private legal entities who are data controllers. (3) In case the acts listed in the first paragraph are committed within public institutions and organizations and professional organizations in the nature of public institutions, upon the notification to be made by the Board, action shall be taken against the civil servants and other public officials working in the relevant public institutions and organizations and those working in professional organizations in the nature of public institutions in accordance with the disciplinary provisions and the result shall be notified to the Board. |
ARTICLE 18- (1) Law; a) From 5,000 TRY to 100,000 TRY for those who fail to fulfill the disclosure obligation stipulated in Article 10, b) 15,000 TRY to 1,000,000 TRY for those who fail to fulfill the obligations regarding data security stipulated in Article 12, c) 25,000 TRY to 1,000,000 TRY for those who fail to fulfill the decisions taken by the Board pursuant to Article 15, ç) From 20,000 TRY to 1,000,000,000 TRY for those who violate the obligation to register and notify the Data Controllers Registry stipulated in Article 16, d) 50,000 TRY to 1,000,000 TRY for those who fail to fulfill the notification obligation stipulated in the fifth paragraph of Article 9, administrative fine shall be imposed. (2) Administrative fines stipulated in subparagraphs (a), (b), (c) and (ç) of the first paragraph shall be imposed on data controllers, and administrative fines stipulated in subparagraph (d) shall be imposed on natural persons and private legal entities who are data controllers or data processors. (3) Administrative fines imposed by the Board may be appealed before administrative courts. (4) In the event that the acts listed in the first paragraph are committed within public institutions and organizations and professional organizations in the nature of public institutions, upon the notification to be made by the Board, action shall be taken against the civil servants and other public officials working in the relevant public institutions and organizations and those working in professional organizations in the nature of public institutions in accordance with the disciplinary provisions and the result shall be notified to the Board. |
You can access the Official Gazette regarding the subject matter here (In Turkish).
Should you have any queries or need further details, please contact your customer representative.
-
-
Notification!