Amendments to the Personal Data Protection Law

Amendments to the Personal Data Protection Law

July 2024

Marat Minasyan, Partner, and Bahar Esenturk, Associate

Kolcuoglu Demirkan Kocakli Attorneys at Law

The Turkish Personal Data Protection Law (“PDPL”) was amended by the Amendment Law on the Code of Criminal Procedure and Certain Laws (“Amendment Law”), published in March 2024. The Amendment Law changes the rules regarding cross-border data transfers, the processing of sensitive personal data, and the appeal process against the decisions of the Personal Data Protection Board (“Board”). It came into effect on June 1, 2024. However, the existing provisions concerning cross-border data transfer, along with the amendments, will remain in force until September 1, 2024.

Since the enactment of the PDPL, its alignment with the General Data Protection Regulation (“GDPR”) has been a topic of discussion. As a result, the Amendment Law has prioritized compliance with the GDPR’s rules on cross-border data transfers and the processing of sensitive personal data. Furthermore, a more comprehensive amendment is anticipated in the future to achieve full compliance with the GDPR.

Before the Amendment Law, under the PDPL, sensitive personal data – including health and sexual life data, biometric and genetic data, membership in associations, foundations, or trade unions, and criminal data – could only be processed with the explicit consent of the data subjects. There were also two additional legal grounds for processing such data without explicit consent. However, these previous regulations posed challenges, especially for employers who needed to process health data to comply with their legal obligations under various legislations.

With the Amendment Law, sensitive personal data can now be processed under several legal grounds, including explicit consent from data subjects, explicit provisions in laws, and the necessity to process such data for the establishment, exercise, or protection of a right. One of the newly introduced legal grounds is the “necessity of processing personal data to fulfill legal obligations in the
fields of employment, occupational health and safety, social security, social services, and social assistance”. This aims to alleviate the operational challenges faced by employers who are data controllers.

The previous provisions of the PDPL and the Board’s decisions regarding cross-border data transfers created challenges for data controllers wishing to transfer personal data abroad. In practice, data controllers often resolved these issues by obtaining explicit consent for such transfers.

The Amendment Law aims to align with the GDPR’s rules on cross-border data transfers. Under the new regulations, personal data can be transferred abroad, sectors, or international organizations for which the Board has made an adequacy decision. In the absence of an adequacy decision, personal data can be transferred to abroad only if the following appropriate safeguards are in place:

  • Existence of an agreement (not of an international agreement nature) and the Board’s approval,
  • Existence of binding corporate rules and the Board’s approval,
  • Signing the standard contractual clauses published by the Board and notifying the Board within 5 days, or
  • Executing a commitment between the transferring parties to ensure adequate protection and obtaining the Board’s approval.

Failure to notify the signing of standard contractual clauses with in 5 days may result in administrative fines ranging from TRY 50,000 to TRY 1,000,000. The Amendment Law also includes provisions for incidental and non-repetitive cross-border data transfers. A comprehensive regulation for cross-border data transfer is expected to enter into force soon.

Data controllers who wish to avoid administrative fines must ensure compliance with these new amendments.

* – The article was originally published by The Legal Industry Reviews.

July 2024

Marat Minasyan, Partner, and Bahar Esenturk, Associate

Kolcuoglu Demirkan Kocakli Attorneys at Law

The Turkish Personal Data Protection Law (“PDPL”) was amended by the Amendment Law on the Code of Criminal Procedure and Certain Laws (“Amendment Law”), published in March 2024. The Amendment Law changes the rules regarding cross-border data transfers, the processing of sensitive personal data, and the appeal process against the decisions of the Personal Data Protection Board (“Board”). It came into effect on June 1, 2024. However, the existing provisions concerning cross-border data transfer, along with the amendments, will remain in force until September 1, 2024.

Since the enactment of the PDPL, its alignment with the General Data Protection Regulation (“GDPR”) has been a topic of discussion. As a result, the Amendment Law has prioritized compliance with the GDPR’s rules on cross-border data transfers and the processing of sensitive personal data. Furthermore, a more comprehensive amendment is anticipated in the future to achieve full compliance with the GDPR.

Before the Amendment Law, under the PDPL, sensitive personal data – including health and sexual life data, biometric and genetic data, membership in associations, foundations, or trade unions, and criminal data – could only be processed with the explicit consent of the data subjects. There were also two additional legal grounds for processing such data without explicit consent. However, these previous regulations posed challenges, especially for employers who needed to process health data to comply with their legal obligations under various legislations.

With the Amendment Law, sensitive personal data can now be processed under several legal grounds, including explicit consent from data subjects, explicit provisions in laws, and the necessity to process such data for the establishment, exercise, or protection of a right. One of the newly introduced legal grounds is the “necessity of processing personal data to fulfill legal obligations in the
fields of employment, occupational health and safety, social security, social services, and social assistance”. This aims to alleviate the operational challenges faced by employers who are data controllers.

The previous provisions of the PDPL and the Board’s decisions regarding cross-border data transfers created challenges for data controllers wishing to transfer personal data abroad. In practice, data controllers often resolved these issues by obtaining explicit consent for such transfers.

The Amendment Law aims to align with the GDPR’s rules on cross-border data transfers. Under the new regulations, personal data can be transferred abroad, sectors, or international organizations for which the Board has made an adequacy decision. In the absence of an adequacy decision, personal data can be transferred to abroad only if the following appropriate safeguards are in place:

  • Existence of an agreement (not of an international agreement nature) and the Board’s approval,
  • Existence of binding corporate rules and the Board’s approval,
  • Signing the standard contractual clauses published by the Board and notifying the Board within 5 days, or
  • Executing a commitment between the transferring parties to ensure adequate protection and obtaining the Board’s approval.

Failure to notify the signing of standard contractual clauses with in 5 days may result in administrative fines ranging from TRY 50,000 to TRY 1,000,000. The Amendment Law also includes provisions for incidental and non-repetitive cross-border data transfers. A comprehensive regulation for cross-border data transfer is expected to enter into force soon.

Data controllers who wish to avoid administrative fines must ensure compliance with these new amendments.

* – The article was originally published by The Legal Industry Reviews.