SIGNIFICANT CHANGES IN TURKISH PERSONAL DATA PROTECTION LEGISLATION

The Law Draft (“Law Draft”) Amending the Personal Data Protection Law No. 6698 ("PDPL" or “Law”) within the Scope of Compliance with the European Union General Data Protection Regulation ("GDPR") was presented to the Turkish Grand National Assembly (“TBMM”) Commission

With the Bill of Law dated 16/02/2024 and numbered 2/2023 on the Amendment of the Code of Criminal Procedure and Certain Laws and the Decree Law No. 659 ("Bill of Law") presented to the Presidency of the Grand National Assembly of Turkey ("TBMM" or "Parliament"), it aims to update the Law based on the European Union General Data Protection Regulation No. 2016/679 ("Regulation" or "GDPR"), which entered into force on 28/5/2018 in the European Union GDPR and it is intended to bring the Human Rights Action Plan which were announced in 2021, Economic Reforms Action Plan and 2024-2026 Medium Term Program in line with the Law.

The main changes planned to be made to the PDPL with the Bill of Law are as follows:

  1. Cases of Processing of Special Categories of Personal Data:

In order to fulfill the legal obligations of employers, especially in the fields of insurance sector, labor legislation, occupational health and safety and social services, special categories of personal data, which are included in Article 6 of the Law and include data such as political opinion, religion, health, criminal conviction data and biometric and genetic data of individuals, Bill of Law introduces a limited number of amendments to Article 6, paragraph 2, without the explicit consent of the person concerned in cases where special categories of personal data are explicitly processed.

 

The Current Provision of Article 6 of the PDPL Titled "Conditions for Processing of Special Categories of Personal Data"

 

 

Examples of Cases Allowed for Processing Special Categories of Personal Data Introduced by the Bill of Law

ARTICLE 6 – (1) Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data.

 

(2) It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject.

 

(3) Personal data indicated in paragraph 1, other than personal data relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject if processing is permitted by any law. Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.

 

(4) It is additionally required to take the adequate measures designated by the Board when special categories of personal data are processed.

 

a) Explicit consent of the data subject

 

b) It is expressly permitted by any law

 

c) It being necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent due to an impossibility.

 

d) Being related to personal data made public by the data subject and being in accordance with the intention of making it public.

 

e) It being necessary for the establishment, exercise, or defense of a legal claim.

 

f) Being necessary for the protection of public health, including preventive medicine, medical diagnosis, treatment and care services, as well as for the planning, management, and financing of health services, carried out by individuals or authorized institutions or organizations subject to the obligation of confidentiality.

 

g) Being necessary for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance.

 

h) Being directed towards current or former members and affiliates of foundations, associations, or other non-profit organizations established for political, philosophical, religious, or trade union purposes, provided that they comply with the relevant legislation and their objectives, are limited to their field of activity, and are not disclosed to third parties, or individuals who are in regular contact with such organizations.

 

 

  1. Transfer of Personal Data Out of Türkiye:

According to the amendments introduced by the Bill of Law, changes have been made to the procedure for the transfer of personal data abroad, stating that for personal data to be transferred abroad, in addition to the specific data processing conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law, it will be required that adequate protection is ensured in the country to which the data will be transferred.

According to the Law Draft, the Personal Data Protection Authority ("Authority") shall be authorised by the Board a country that has not been judged to provide adequate protection, international organisation or sectors within the country without seeking explicit consent transfer will only be possible if the following conditions are fulfilled:

a) One of the data processing conditions is met

b) The person concerned has the right to exercise his/her rights and to effective remedies in the country of transfer the possibility to apply for an application

c) Provision of one of the "appropriate safeguards"

The Bill of Law also addresses the concern that the current regulation in the Law and the limited number of applications approved by the Authority have made it nearly impossible for almost every company and individual involved in commercial activities, particularly those using servers located abroad and many cloud-based software and applications, to be used in compliance with the Law. Unlike the current practice of the Law, the Law Draft will allow for the possibility of granting adequacy decisions not only for the entire foreign country but also for a specific sector within that country or an international organization.

According to an example provided in the rationale of the Law Draft, instead of granting adequacy decisions for an entire foreign country with which the automotive sector in our country has extensive commercial relations, it will be possible to grant adequacy decisions specifically for the automotive sector in that country.

In some exceptional cases where there is no adequacy decision and one of the appropriate safeguards cannot be provided, it is possible to transfer data abroad for a single or several times and in a non-continuous manner. For example, a company in Turkey will be able to share information regarding its employees who will be in contact with the addressee company in terms of the commercial activity that the company intends to carry out with a company abroad on an incidental basis.

Pursuant to the transitional provision introduced by the Bill, it will be possible to transfer data abroad based on the explicit consent obtained before or after the entry into force of the amendment of the Law for three months after the entry into force of the amendment of the Law.

  1. Obligation to Notify the Contract:

As per the Law Bill, with the new regulation, data controllers or data processors are entitled to shall be obliged to notify the Board of the standard contract and in case of breach of this obligation in the event that the data controller or the natural persons who process data and private legal entities administrative fine will be imposed.

The regulation imposes responsibility on data processors for the first time in terms of notifying the standard contract.

 

 

 

  1. Administrative Lawsuit Against the Decisions of the Personal Data Protection Authority:

As a result of considering the importance of administrative sanction decisions given by the Authority for the proponents of the Proposal, with the entry into force of the new regulations, instead of resorting to criminal peace judgeship against these decisions, lawsuits will be filed in administrative courts.

Pursuant to the provisions of the transitional regulation, the files before the criminal judgeships of magistracy as of 1/6/2024 shall be finalised by these judgeships as of 1/6/2024.

 

You can access the full text of Articles 33-34-35 and 36 related to the Bill of Law dated 16/02/2024 and numbered 2/2023 on the Amendment of the Code of Criminal Procedure and Certain Laws and the Decree Law No. 659 regarding the Personal Data Protection Law regulation from here.

 

Kind regards,

Zumbul Attorneys-At-Law

info@zumbul.av.tr