In a major step towards compliance with the EU's General Data Protection Regulation (GDPR), on February 16, 2024, lawmakers in Türkiye submitted a Law to the General Assembly of the Turkish Grand National Assembly (TGNA) as part of the 8th Legislative Package on long-awaited amendments to the Personal Data Protection Law No. 6698 (LPPD). The amendments were approved on March 1, 2024 by TGNA, and the Law was published in the Official Gazette on 12 March 2024 following confirmation by the President of the Republic of Türkiye.
The most important changes in the Law, which significantly facilitate compliance with global data protection standards, include the following:
- the provision of alternative bases for the processing of special categories of personal data;
- a new regime for cross-border data transfers;
- the provision of an additional administrative penalty; and
- transitional provisions.
Alternative Basis for Processing Special Categories of Personal Data
The law proposes significant changes to the regime for the processing of special categories of personal data.
First, there is now no explicit distinction between the processing of personal data relating to health and sexual life and the remaining sets of sensitive personal data, which means that the processing of all sensitive personal data will be subject to a more streamlined legal regime.
In addition, the legal basis for the processing of sensitive personal data has been broadened and the explicit consent of the data subject will not be required for the processing of sensitive personal data for the establishment, exercise and protection of a right and the fulfilment of legal obligations relating to employment, occupational health and safety, social security, social services and social welfare. In addition, foundations, associations or other non-profit organizations or entities established for political, philosophical, religious or trade union purposes may process the special categories of personal data of their current and former members and of persons who are in regular contact with these organizations and entities. This will be done in accordance with the activities of their establishment and the legislation to which they are subject, limited to their fields of activity and provided that they are not disclosed to third parties.
New regime for cross-border data transfers
Within the scope of the amendments, the area where GDPR compliance efforts are most noticeable are the changes to the conditions for cross-border data transfers.
Previously, the GDPR prioritized the requirement of explicit consent for cross-border transfers, which created a dead end in the operations of many multinational companies.
In the absence of explicit consent, it was possible to transfer personal data abroad on the basis of a written commitment by data controllers in Türkiye and the foreign recipient, whereby the data controller and the foreign recipient undertook to provide adequate protection for the personal data concerned. However, this has remained an exceptional method for cross-border data transfers as these undertakings are subject to approval by the Personal Data Protection Board, which has granted few approvals so far.
The amendments under the Law are designed to provide further relief for cross-border data transfers, particularly in the absence of explicit consent for such transfers.
Some of the key changes under the Law include the following:
- Personal data may be transferred abroad in accordance with the adequacy decision of the Personal Data Protection Board with respect to international organizations or sectors, as opposed to adequacy with respect to an entire country.
- Personal data may be transferred abroad on the basis of agreements concluded between public institutions and organizations or professional organizations in Türkiye and professional organizations with public institutions and organizations or international organizations located abroad, provided that the Personal Data Protection Board's approval is obtained.
- Group companies engaged in common economic activities may transfer personal data abroad if there are binding corporate rules approved by the Personal Data Protection Board.
- Personal data may be transferred abroad if a standard contract, the content of which is determined and announced by the Personal Data Protection Board, is signed between the parties to the data transfer, provided that these agreements are notified to the Personal Data Protection Board within five working days.
- In cases where the national interests of Türkiye and the data subject would be seriously damaged, personal data may be transferred abroad with the permission of the Personal Data Protection Board after obtaining the opinion of the relevant public institutions and organizations.
Additional administrative fine
Administrative fines ranging from TRY 50,000 to TRY 1 million may be imposed on both data controllers and data processors if the standard contracts concluded for cross-border data transfers are not notified to the authority within five working days of their execution.
Transitional provisions
The Law proposes transitional provisions for cross-border data transfers.
The previous provision regarding cross-border data transfers with explicit consent will remain in force until September 1, 2024.
Conclusion
By harmonizing with the GDPR, the Law aims to address the issues that have arisen in practice with respect to the processing of special categories of personal data and cross-border data transfers.
The Law's amendments signal a commitment to modernizing data protection rules. They aim to promote consistency with global data governance frameworks and facilitate compliance for multi-jurisdictional organizations.
As a result, the amendments are expected to eliminate the difficulties of cross-border data transfers and processing of sensitive data, and to facilitate the compliance process for multinational companies operating in Türkiye.
For more information on the data protection reform in Türkiye and its impact on your company or business, please contact your CMS partner or local CMS expert: Dr. Döne Yalçın or Sinan Abra.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.