The Turkish Personal Data Protection Law ("PDPL") was amended by the Amendment Law on the Code of Criminal Procedure and Certain Laws ("Amendment Law"), published in March 2024. The Amendment Law changes the rules regarding cross-border data transfers, the processing of sensitive personal data, and the appeal process against the decisions of the Personal Data Protection Board ("Board"). It came into effect on June 1, 2024. However, the existing provisions concerning cross-border data transfer, along with the amendments, will remain in force until September 1, 2024.
Since the enactment of the PDPL, its alignment with the General Data Protection Regulation ("GDPR") has been a topic of discussion. As a result, the Amendment Law has prioritized compliance with the GDPR's rules on crossborder data transfers and the processing of sensitive personal data. Furthermore, a more comprehensive amendment is anticipated in the future to achieve full compliance with the GDPR.
Before the Amendment Law, under the PDPL, sensitive personal data—including health and sexual life data, biometric and genetic data, membership in associations, foundations, or trade unions, and criminal data—could only be processed with the explicit consent of the data subjects. There were also two additional legal grounds for processing such data without explicit consent. However, these previous regulations posed challenges, especially for employers who needed to process health data to comply with their legal obligations under various legislations.
With the Amendment Law, sensitive personal data can now be processed under several legal grounds, including explicit consent from data subjects, explicit provisions in laws, and the necessity to process such data for the establishment, exercise, or protection of a right. One of the newly introduced legal grounds is the "necessity of processing personal data to fulfill legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance." This aims to alleviate the operational challenges faced by employers who are data controllers.
The previous provisions of the PDPL and the Board's decisions regarding cross-border data transfers created challenges for data controllers wishing to transfer personal data abroad. In practice, data controllers often resolved these issues by obtaining explicit consent for such transfers.
The Amendment Law aims to align with the GDPR's rules on cross-border data transfers. Under the new regulations, personal data can be transferred abroad, sectors, or international organizations for which the Board has made an adequacy decision. In the absence of an adequacy decision, personal data can be transferred to abroad only if the following appropriate safeguards are in place:
- Existence of an agreement (not of an international agreement nature) and the Board's approval,
- Existence of binding corporate rules and the Board's approval,
- Signing the standard contractual clauses published by the Board and notifying the Board within 5 days, or
- Executing a commitment between the transferring parties to ensure adequate protection and obtaining the Board's approval.
Failure to notify the signing of standard contractual clauses within 5 days may result in administrative fines ranging from TRY 50,000 to TRY 1,000,000. The Amendment Law also includes provisions for incidental and non-repetitive crossborder data transfers. A comprehensive regulation for crossborder data transfer is expected to enter into force soon.
Data controllers who wish to avoid administrative fines must ensure compliance with these new amendments.
Originally published by The Legal Industry Reviews.
© Kolcuoğlu Demirkan Koçaklı Attorneys at Law 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.