The Turkish Parliament has recently enacted significant amendments (the “Amendments”) to the Turkish Personal Data Protection Law (“PDPL”). We present below a summary of these Amendments, which will enter into force on June 1, 2024.
1. Processing of Sensitive Personal Data[1]
1.1 Current Legislation
According to the current legislation (PDPL article 6), sensitive personal data cannot, as a rule, be processed without the data subject’s explicit consent. However, sensitive personal data can be processed without the explicit consent of the data subject in cases where:
– the processing of sensitive personal data (except for health and sexual life data) is permitted by applicable law; or
– the data subject’s health and sexual life data is processed with limited purposes and by persons who are under the obligation of confidentiality, or by authorized institutions and organizations.
1.2 Amendments
With the Amendments, the conditions for processing sensitive personal data, therefore article 6 of the PDPL, were amended to comprise the following cases:
– where the data subject has given explicit consent for the processing of sensitive personal data;
– processing of sensitive personal data, including health and sexual life data, is permitted by applicable law;
– processing of sensitive personal data is necessary to protect the life or body integrity of persons who cannot express their consent due to physical impossibility or whose consent is not legally valid;
– processing of sensitive personal data relates to data made public by the data subject and the processing is consistent with the data subject’s intention to make the data public;
– processing of sensitive personal data is necessary for the establishment, exercise or protection of a right;
– processing of sensitive personal data by persons who are under the obligation of confidentiality, or by authorized institutions and organizations is necessary for the protection of public health, preventative medicine, medical diagnosis, the delivery of treatment and care, and the planning, management and finance of healthcare services;
– processing of sensitive personal data is compulsory to fulfill legal obligations regarding employment, occupational health and safety, social security, social services, or social aid; and
– processing of sensitive personal data is undertaken by foundations, associations and other non-profit organizations or entities established for political, philosophical, religious or union purposes with respect to their current or former members, or persons who are in regular contact with these organizations and entities, where the processing complies with applicable law and their purposes, is limited to their fields of activity and is not disclosed to third parties.
With the Amendments, the processing of the sensitive personal data of employees for employment, occupational health and safety purposes will be feasible.
2. Transfer of Personal Data Abroad
2.1 Current Legislation
Pursuant to the PDPL’s current provisions, the transfer of personal data abroad is permitted in the following cases:
– where the data subject has given explicit consent;
– one of the lawful grounds listed in article 5/2[2] or article 6/3[3] of the PDPL is met and the country where personal data will be transferred has adequate protection for personal data;
– in cases where there is no adequate protection, the data controller in Turkey and the relevant foreign country undertake to provide adequate protection in writing, and the transfer is approved by the Personal Data Protection Board (“Board”); or
– for multinational companies, where binding corporate rules with which all group companies are obliged to comply have been approved by the Board.
Because the Personal Data Protection Authority (“Authority”) has not yet published a list of countries with adequate protection, in practice, most personal data transfers abroad are currently based on the explicit consent of the data subjects.
2.2 Amendments
With the Amendments, the blanket explicit consent route for transfers abroad has been eliminated, and three categories for transfer of personal data abroad have instead been introduced:
(a) Data Transfer to Countries Where There is Adequate Protection
Personal data can be transferred abroad by data controllers and data processors if one of the conditions for data processing or sensitive personal data processing (PDPL article 5[4] or article 6[5]) is met and there is an adequate protection decision by the Board regarding the relevant country, sectors within the country or international organizations. The Board will weigh different factors including the principle of reciprocity when making an adequate protection decision.
With the Amendments, it has been made possible for the Board to decide on adequacy for specific sectors of a country and international organizations, as well as countries as a whole. That said, although the authority for declaring countries with adequate protection has been available since 2016, no country has yet been designated as such.
(b) Taking Adequate Measures (Appropriate Safeguards)
If there is no adequacy decision in accordance with paragraph (a) above, the transfer of personal data abroad will be possible if one of the conditions specified in article 5 or article 6 of PDPL for processing of personal data or sensitive personal data is met and the data subject has the right to exercise its rights and apply to legal remedies in the relevant country, and if one of the following conditions applies:
– if an agreement (that is not qualified as an international treaty) is signed between foreign public institutions or organizations, or international organizations on the one hand, and public institutions or professional organizations qualified as public institutions in Turkey on the other hand, and the transfer is approved by the Board,
– for multinational companies, where binding corporate rules with which all the undertakings are obliged to comply have been approved by the Board,
– if the standard contract published by the Board and containing the purposes of the personal data transfer, the transferred data categories, transferees and transferee groups, the technical and administrative measures to be taken by the transferee, and additional measures for sensitive personal data, is used;[6] or
– if the data controller in Turkey and in the relevant foreign country undertake to provide adequate protection in writing and the transfer is approved by the Board.
Among the various changes, the newly available option to transfer personal data with a standard contract is significant. Unlike the written undertaking or binding corporate rules, this option does not require approval from the Board and it is sufficient to notify the Board. However, the standard contract has not yet been published by the Board.
For all of the options described above, in addition to the requirement that one of the data processing conditions specified in article 5 or article 6 of the PDPL for processing personal data or sensitive personal data is met, it is also necessary for the data subject to have the right to be able to exercise their rights and apply to legal remedies in the jurisdiction to which the personal data will be transferred. The Authority has not yet announced which countries provide data subjects the right to exercise their rights and apply to legal remedies.
(c) Temporary Transfers Abroad
In cases where neither the adequacy grounds described in paragraph (a) nor the appropriate safeguards route described in paragraph (b) is met, provided that it is non-repetitive,[7] transfer of personal data abroad will be possible if:
– explicit consent of the data subject is obtained, provided they have been informed about the potential risks;
– the transfer is necessary for the performance of a contract between the data subject and the data controller, or to perform the precautions requested by the data subject before the contract was executed;
– the transfer is necessary for establishment or performance of a contract for the benefit of the data subject that is signed between the data controller and another natural or legal person;
– the transfer is necessary for a superior public benefit;
– the transfer is necessary for the establishment, exercise or protection of a right;
– processing data is necessary for the protection of the life or body integrity of persons who cannot express their consent due to physical impossibility or whose consent is not legally valid; or
– the transfer is made from a registry open to the public or to persons with legitimate interests, provided that the necessary conditions set by the relevant legislation to access the registry are met and transfer is requested by a person with legitimate interest.
Data controllers and data subjects must first transfer personal data abroad in line with the general rules. If this is not possible, the transfer may be made temporarily (i.e., non-repetitively) in line with the above rules. In this context, transfer to a company located abroad is possible to carry out commercial activities, provided that this transfer will be made once or a few times, and not permanently. Accordingly, the Amendments should not be interpreted as allowing data controllers to use servers located abroad on a permanent basis.
3. Obligations for Ongoing Transfer of Personal Data
3.1 Current Legislation
According to the current regulation in the PDPL, no obligation is foreseen for data controllers or data processors for ongoing (further) transfer of personal data abroad, after the initial transfer is made.
3.2 Amendments
With the Amendments, regardless of the method used to transfer personal data abroad, data controllers and data processors are obligated to take the appropriate safeguards set forth in the PDPL, and ensure that the conditions for transfer abroad are applied for ongoing transfers after the initial transfer of personal data abroad.
With the Amendments, data controllers and data processors will be obliged to have more extensive and in-depth familiarity with the transferee country and its laws, and to monitor the transfer at every stage.
4. Administrative Fines for Data Controllers and Data Processors Who Do Not Fulfil Their Obligation to Notify
4.1 Current Legislation
In the current form of the PDPL, there is no possibility of transferring data abroad by signing a standard contract and there is no obligation of notification in this regard.
Additionally, the data controller is regulated as the main party responsible for the transfer of personal data abroad and is liable for all administrative fines. The direct liability of data processors is not mentioned.
4.2 Amendments
Pursuant to the Amendments, in cases where personal data is transferred abroad in accordance with the standard contract announced by the Board, the contract must be reported to the Authority by the data controller or the data processor within five (5) business days following the signing of the contract. If the contract is not reported to the Authority, administrative fines ranging from TRY 50.000 to TRY 1.000.000 may be imposed on those who do not fulfil their obligation to notify.
Another important aspect of the said Amendment is that the data processor as well as the data controller is considered to be responsible for the transfer abroad, and accordingly, administrative fines are determined for data processors who do not fulfil their obligation to notify the Authority.
5. Legal Remedies Against Administrative Fines Imposed by the Board
5.1 Current Legislation
Pursuant to the current regulation in the PDPL, applications can be made to the criminal courts of peace against administrative fines imposed by the Board.
5.2 Amendments
With the Amendments, lawsuits against administrative fines will be filed in administrative courts.
6. Entry Into Force and Transitional Provisions
The Amendments to the PDPL will come into force on June 1, 2024. Accordingly, applications pending as of 1 June 2024 before the criminal courts of peace against the administrative fines will be decided by those courts.
However, transfers abroad with the explicit consent of the data subject pursuant to the current regulation in the PDPL will continue to be valid, together with the newly available routes, until September 1, 2024. Transfers abroad as of September 1, 2024 will need to be undertaken based on one of the conditions set forth by the Amendments.
________________
The foregoing is a general overview of the relevant topics and does not constitute legal advice or opinion. Each situation must be examined on its own merits and the relevant legal structure constructed accordingly.
Dr. Esin Çamlıbel, Beste Yıldızili Ergül and Canberk Taze would be happy to answer any questions you have about the above.
[1] Sensitive personal data (i.e., special categories of personal data) have been enumerated in the PDPL and include personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, clothing choices/habits, trade union membership, health or sex life, criminal conviction and security measures, and biometric or genetic information.
[2] Per article 5/2 of the PDPL, personal data can be processed without the explicit consent of the data subject if (1) it is expressly permitted by law; (2) it is necessary for the protection of the life or physical integrity of the data subject or of any other person who is unable to provide their consent due to physical disability or whose consent is not legally valid; (3) processing of personal data is necessary for the establishment or performance of a contract; (4) it is necessary for compliance with a legal obligation to which the data controller is subject; (5) personal data have been made public by the data subject; (6) data processing is necessary for the establishment, exercise or protection of any right; and (7) processing of data is necessary for legitimate interests pursued by the data controller.
[3] For sensitive data processing conditions set forth in article 6/3 of the PDPL, please see “1.1 Current Legislation.”
[4] In addition to the data processing conditions stated in footnote 2, article 5 of the PDPL also includes processing of personal data based on explicit consent.
[5] For sensitive data processing conditions set forth in article 6 of the PDPL, please see “1.2 Amendments.”
[6] If a standard contract is signed, the contract must be reported to the Authority by the data controller or the data processor within five (5) business days following the signing.
[7] The legislative history of the Amendments indicates that “non-repetitive” means “one or few times in a non-permanent manner.”