Recent Amendments to the Law on Protection of Personal Data
The Law No.7499 on Amending the Code of Criminal Procedure and Certain Laws (the “Amending Law”), which contains amendments to the Law No.6698 on the Protection of Personal Data (“LPPD”), was published in the Official Gazette dated 12.03.2024 and numbered 32487. The Amending Law introduces significant changes to the LPPD on processing special categories of personal data, the transfer of personal data abroad, administrative fines and legal remedies against administrative fines. The amendments to the LPPD entered into force as of 01.06.2024.
Amendments to Processing Special Categories of Personal Data:
Article 6 of the LPPD, which regulates the conditions for processing special categories of personal data, has been amended. As per the amended version of Article 6, processing of special categories of personal data is prohibited with the exception of the following circumstances:
- Explicit consent,
- Explicitly stipulated by laws,
- Processing is necessary for the protection of the life or physical integrity of the data subject or another person who is unable to express his/her consent due to actual impossibility or whose consent is not legally valid,
- Processing in relation to the personal data that the data subject has made public and in accordance with the intention to make it public,
- Processing is mandatory for the establishment, exercise or protection of a right,
- Processing is necessary for the protection of public health, the execution of preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health services by persons or authorized institutions and organizations under the obligation of confidentiality,
- Processing is mandatory to fulfil legal obligations in the field of employment, occupational health and safety, social security, social services and social assistance,
- Processing is carried out by a foundation, association or other non-profit organization established for political, philosophical, religious or trade union purposes and relates to the members or former members of the organization or to persons who have regular contact with these associations and organizations provided that they comply with their purposes and the legislation they are subject to and are limited to their fields of activity and are not disclosed to third parties.
Amendments to the Transfer of Personal Data Abroad:
Article 9 of the LPPD governs the procedures and principles for the transfer of personal data abroad. The Amending Law has made major changes to this Article and has established alternative methods for the transfer of personal data abroad, such as adequacy decisions, appropriate safeguards and exceptions for incidental cases.
As per the modified version of Article 9/1, personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 of the LPPD, which regulate the conditions for processing personal data and special categories of personal data, is met and if there is an adequacy decision in relation to the country, sectors within the country or international organizations where the personal data will be transferred.
The adequacy decision is given by the Personal Data Protection Board (“Board”) and published in the Official Gazette. The Board will reevaluate the adequacy decisions at least every four years and may change, suspend or revoke the adequacy decisions with future effect if it deems necessary. The Board has not yet published the list of countries having an adequate level of protection.
In the absence of an adequacy decision, personal data may be transferred abroad provided that one of the conditions specified in Articles 5 and 6 of the LPPD exists and the data subject has the opportunity to exercise his/her rights and has access to effective legal remedies in the country where the personal data will be transferred, if one of the appropriate safeguards is provided by data controllers and data processors. The appropriate safeguards listed by the LPPD are as follows:
- Existence of an agreement that does not constitute an international contract between public institutions and organizations or international organizations abroad and public institutions and organizations and professional organizations in the nature of a public institution in Turkey and the permission for the transfer by the Board.
- Existence of binding corporate rules containing provisions regarding the protection of personal data for companies within a group of undertakings engaged in joint economic activities, and approval of those binding corporate rules by the Board.
- Existence of a standard contract announced by the Board which covers matters such as data categories, purposes of the data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient and additional measures taken for the special categories of personal data.
- Existence of a written undertaking containing provisions that will provide adequate protection and the permission for the transfer by the Board.
The standard contract is notified to the Data Protection Authority by the data controller or data processor within five business days following the signing of the contract.
In the absence of an adequacy decision and if any of the appropriate safeguards cannot be provided, data controllers and data processors may transfer personal data abroad only in the existence of one of the following situations, provided that it is incidental:
- The data subject gives explicit consent to the transfer provided that he/she is informed about the possible risks.
- The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject.
- The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
- The transfer is mandatory for an overriding public interest.
- It is mandatory to transfer personal data for the establishment, exercise or protection of a right.
- It is mandatory to transfer personal data in order to protect the life or physical integrity of a person who is unable to express his/her consent due to actual impossibility or whose consent is not legally valid.
- Transfer from a registry which is open to public or persons with legitimate interest, provided that the conditions required to access the registry according to the relevant legislation are met and the person with legitimate interest requests it.
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) was published in the Official Gazette dated 10.07.2024 and numbered 32598. Additionally, the Board published the templates of standard contracts, binding corporate rules application forms and guidelines for binding corporate rules on the website of the Data Protection Authority.
Amendments to the Administrative Fines and Legal Remedies:
Article 18 regulates administrative fines imposed by the Board as per the LPPD. The Amending Law established a new administrative fine in relation to the transfer of personal data abroad. Accordingly, those who do not fulfil their obligation to notify the standard contract to the Data Protection Authority within five business days as of the conclusion of the contract will be fined from 50.000 Turkish Liras to 1.000.000 Turkish Liras.
Another significant change worth mentioning is that data controllers and data processors may apply to the administrative courts against administrative fines to be imposed by the Board.
Concluding Remarks
As a result, fundamental changes have been made with the Amending Law and new mechanisms have been introduced in relation to transferring personal data abroad. Particularly, multinational companies transferring data abroad need to overhaul their internal processes meticulously in order to comply with the new amendments under the LPPD. The supporting documents on standard contracts and binding corporate rules along with the guidelines published by the Authority would facilitate the implementation of the new amendments within companies.
This Article aims to provide a brief and general overview of the amendments to Turkish data protection law, but does not intend to serve as legal advice. Before taking any action or relying on the information given, addressees of this Article should seek specific advice on the matters which concern them.