Cybersecurity 2024 - Part 1
Contents
- 1. Basic National Regime
- 1.1 Laws
- 1.2 Regulators
- 1.3 Administration and Enforcement Process
- 1.4 Multilateral and Subnational Issues
- 1.5 Information Sharing Organisations and Government Cybersecurity Assistance
- 1.6 System Characteristics
- 1.7 Key Developments
- 1.8 Significant Pending Changes, Hot Topics and Issues
1. Basic National Regime
1.1 Laws
According to the International Telecommunication Union’s Global Cybersecurity Index, published in 2020, Türkiye is ranked 11th in the world on commitment to cybersecurity. Hence, it is fair to say that Türkiye is one of the most cybersecure countries in the world, and it is keen on making further significant improvements in this area. Increasing this rank up to ninth is part of Türkiye’s Development Plan for 2024–2028.
Currently, Türkiye does not have a standalone legal framework governing cybersecurity; the legal framework, in fact, is quite fragmented. It is possible to find relevant provisions related to cybersecurity, security, and confidentiality of electronic communications (“e-communication”), data breach notifications and incident response under various legislative pieces.
The most relevant legal instruments, as well as policy documents, are as follows.
General Regulations
The Constitution of the Turkish Republic (the “Constitution”)
The Constitution does not directly set out any provision on cybersecurity. However, as cybersecurity is an umbrella term covering data protection, whether it is personal or non-personal data, it can be considered that cybersecurity is partly and indirectly set out under:
— Article 20(3), which provides the right to protection of personal data; and
— Article 22, which provides the freedom of communication as an individual right to any person.
The Law on Regulation of Publications via the Internet and Combating Crimes Committed by Means of Such Publications No 5651 (the “Internet Law”)
The Internet Law aims to regulate the obligations and responsibilities of content providers, hosting providers, internet service providers, social network providers and access providers to combat crimes committed via the internet.
The Internet Law directs the Turkish Information and Communication Technologies Authority (ICTA) to establish co-ordination between the relevant public institutions, law enforcement agencies, the above-mentioned providers and other related institutions and organisations to ensure the safe use of the internet, raise public awareness, and carry out necessary activities (such as taking necessary measures within the scope of national cybersecurity policies).
The Law on Electronic Communication No 5809 (the “E-Communication Law”)
As Türkiye does not yet have a general cybersecurity law, introduction of a network and information security regulation is planned, modelled mostly after the EU’s Network and Information Security (NIS) Directive (the “NIS Directive”). To establish the normative background for cybersecurity and institutional framework for overseeing cybersecurity, a special rule was incorporated into the E-Communication Law.
Information security is among the basic principles in the E-Communication Law, which provides the main framework for network security, confidentiality of communication, and protection of personal data. Detailed provisions concerning each may be found under the several secondary pieces of legislation enacted based on this law for the same purpose.
Although this law almost entirely regulates e-communication sectors, its Article 60(11) empowers ICTA to take measures or to ensure that all measures are taken to protect public institutions and organisations, and natural and legal persons, from cyber-attacks, and to provide deterrence against this.
Hence, not only is ICTA the authorised regulatory body in the e-communications sector, but it also has comprehensive authority over private and public organisations in relation to cybersecurity.
The Council of Ministers Decision on Carrying Out, Managing and Co-ordinating National Cybersecurity Activities, dated 11 June 2012 (the “Council of Ministers Decision on Cybersecurity”)
This decision is one of the landmarks of Türkiye’s cybersecurity policy.
It defines national cybersecurity as: “security of all services, transactions and data provided via information and communications technologies as well as systems used for provision thereof”.
This decision empowers the Ministry of Transport and Infrastructure (MTI) to oversee the national cybersecurity in Türkiye and to prepare policy, strategy and action plans to ensure cybersecurity on a nationwide scale (among other powers). The MTI carries out these tasks through ICTA and other public institutions.
The Communiqué on Procedures and Principles of the Establishment, Duties and Activities of Cyber-Incidents Response Centres (CERTs) (the “Communiqué on CERTs”)
The purpose and scope of this communiqué is to ensure CERTs carry out their services effectively and efficiently by determining the procedures and principles of their establishment, duties and work.
The Guideline for Establishment and Management of Institutional CERTs (the “Institutional CERT Guideline”) and the Guideline for Establishment and Management of Sectoral CERTs (the “Sectoral CERT Guideline”)
These guidelines, published by the National Cyber Incidents Response Centre (TR-CERT), provide guidance on:
— establishing and managing institutional CERTs and sectoral CERTs in relevant organisations;
— their relationship with each other and the TR-CERT;
— capacity planning;
— qualifications of the personnel (education level and experience);
— mandatory training; and
— the steps that personnel must take before, during and after a cybersecurity incident.
They also include the principles for communication with internal/external stakeholders and regarding establishment of institutional and sectoral CERTs.
The Decree on Information and Communication Security Measures No 2019/12 issued by the Presidency of Türkiye (the “Presidency Decree”)
The Presidency Decree has set specific measures that were deemed appropriate to diminish and neutralise security risks – in particular, ensuring the security of critical data that may jeopardise national security or deteriorate public order, especially when its confidentiality, integrity or accessibility is compromised. The Presidency Decree provides an obligation to securely store critical data such as population, health and communication records, as well as genetic and biometric data, within Türkiye.
The Decree covers public institutions and organisations as well as businesses providing critical infrastructure services (ie, energy, electronic communications, banking and finance, critical public services, water management, transportation) for 2020–2023. The Information and Communication Security Guide details the obligations in the Decree. The Guide is extensive and defines asset groups (eg, network and systems, apps, devices, physical places, personnel), their criticality level, measures, application process, the compliance plan they must follow, and so on.
The Turkish Data Protection Law No 6698 (the “DP Law”) and its secondary legislation
The DP Law covers all personal data-processing activities in Türkiye. From a cybersecurity perspective, it also regulates the security of personal data and of fully or partly automated and non-automated data-processing systems. According to the DP Law, controllers are obliged to take all necessary technical and organisational measures to provide a sufficient level of security to:
— prevent unlawful processing and accessing of personal data; and
— ensure the safekeeping of personal data.
A personal data breach notification duty for controllers is also set forth in the same provision.
The Turkish Criminal Code (TCrC)
The TCrC criminalises several actions in connection to cybersecurity and sets out criminal sanctions of imprisonment between six months and eight years for these actions. Some are as follows:
— unlawful access to a cyber-system;
— blocking or bricking the cyber-system or destroying, modifying or making inaccessible the data within a cyber-system;
— misuse of debit or credit cards;
— manufacturing, importing, dispatching, transporting, storing, accepting, selling, offering for sale, purchasing, giving to others or keeping forbidden devices and software that are used to break a computer program’s password or such a code in order to commit a crime described in the bullet points above;
— committing theft or fraud via cyber-systems;
— unlawful recording of personal data;
— unlawful transfer, publication or acquisition of personal data; and
— failure to destroy personal data after the retention period set forth in the applicable laws.
The Policy Framework
National cybersecurity strategy and action plans
2013–14 term
In accordance with this action plan, the TR-CERT, whose main task is to oversee cybersecurity incident response activities and reporting, was established.
In addition, sectoral CERTs were established for co-ordinating cybersecurity incident response activities for critical sectors, and institutional CERTs were established for carrying out cybersecurity incident response activities within certain organisations, such as governmental bodies and companies working in critical sectors.
2016–19 term
This action plan resulted from the need to update the previous one due to the development of information and communication technologies, the increasing need for cybersecurity and the experience gained.
The updated action plan set out:
— cybersecurity risks, such as unauthorised access and disclosure of citizens’ personal data or public information following an attack targeting the information systems used by public institutions or critical infrastructure; and
— the strategic objectives and actions for cybersecurity.
In this action plan, actions are grouped under five categories:
— strengthening cyber defence and protecting critical infrastructures;
— fighting against cybercrimes;
— improvement of awareness and human resources;
— developing the cybersecurity ecosystem; and
— integration of cybersecurity into national security.
2020–23 term
This action plan recognised international co-operation as an important part of national cybersecurity strategy due to the inherently cross-border nature of cybersecurity. Thus, the government pledges to show efforts to increase bilateral and multilateral co-operation, improve information sharing and contribute to the activities that are carried out for establishing international common norms and standards in cyberspace.
In this action plan, actions are grouped under eight categories:
— protecting critical infrastructure and increasing resilience;
— building national capacity;
— organic cybersecurity network;
— security of new generation technologies;
— fighting against cybercrime;
— developing and fostering national and domestic technologies;
— integrating cybersecurity into national security; and
— improving international co-operation.
For other legislation (eg, sectoral and specific legislation), please see 2.1 Key Laws.
Strategy and Budget
12th Development Plan (2024–2028)
Apart from certain sector-specific policies and measures (eg, financial markets, education and health), this plan sets out the following general policy goals for information technologies:
— strategic, regulatory and technological efforts to ensure national cybersecurity and strengthening institutional structures;
— updating the National Cyber Security Strategy and Action Plan in the context of new-generation cyber-threats and technological developments;
— enacting regulations in line with the EU’s “NIS2 Directive” and the best international practices;
— administrative structuring for high-level co-ordination of national cybersecurity activities;
— strengthening cybersecurity threat intelligence through the development of AI and big data analytics applications;
— strengthening the national cybersecurity infrastructure;
— enacting and implementing procedures and principles on the establishment of an information security system in critical infrastructures;
— introducing cybersecurity standards in the needed fields;
— improving the domestic cybersecurity ecosystem, spreading national solutions, and boosting competitiveness on an international scale;
— supporting domestic solutions to be developed in ways that enable them to have a competitive presence on international markets;
— developing test infrastructures for cybersecurity;
— increasing the use of domestic cybersecurity products, primarily in public institutions;
— raising cybersecurity awareness and training a competent workforce in Türkiye;
— building programmes aimed at cybersecurity training and betterment of career opportunities;
— making new business models to preserve the competent workforce;
— improving the content, quality and environment for training personnel fit for the sectoral needs; and
— activities for raising public awareness on cybersecurity.
1.2 Regulators
The Ministry of Transport and Infrastructure (MTI)
According to the Council of Ministers Decision on Cybersecurity, the MTI is authorised to implement, administer and co-ordinate national cybersecurity actions, and to prepare and co-ordinate policy, strategy and action plans regarding the governance of national cybersecurity.
The MTI is the government agency overseeing all other cybersecurity organisations throughout Türkiye. It oversees and conducts cybersecurity activities at the strategic level through the TR-CERT.
The MTI’s responsibilities on cybersecurity include:
— preparing strategy and action plans to ensure national cybersecurity;
— preparing the procedures and principles necessary for ensuring the security and privacy of the information and data belonging to public institutions and organisations; and
— monitoring the establishment of the technical infrastructures in public institutions and organisations, ensuring verification, and testing the applications’ efficiency.
Information and Communication Technologies Authority
While policymaking is the responsibility of the MTI, the regulatory function is assigned to ICTA.
ICTA is an independent administrative institution and has administrative and financial autonomy.
In addition to its regulatory role in telecommunications, ICTA closely monitors cybersecurity incidents through publicly available and private forums and mediums. ICTA also audits and warns private companies concerning specific cybersecurity threats and technical vulnerabilities.
For this purpose, ICTA works in co-ordination with public and private organisations. In its “2024 External Business Plan”, ICTA lists measures for reducing the likelihood and potential impacts of cyber-incidents, and for ensuring the continuity of services and data security of critical infrastructures in Türkiye, such as:
— capacity building (training qualified personnel);
— implementing technological measures (early detection, alarm generation, preventative actions and other technical solutions);
— developing effective collaboration and ensuring efficient co-ordination; and
— protecting critical infrastructure and data (expansion of the identification of assets belonging to critical infrastructures, regulation, supervision, etc).
The Digital Transformation Office (DTO)
The DTO has played an active role in cybersecurity, big data, artificial intelligence, and digital transformation since its establishment in 2018.
Among other duties, the DTO focuses on developing projects supporting national cybersecurity and information security, monitoring the implementation of policies, strategies and action plans on cybersecurity throughout the country, and carrying out studies to identify critical infrastructures.
In July 2020, the DTO published an Information and Communication Security Guide. Please see 3.3 Legal Requirements and Specific Required Security Practices for the details and content of this guide.
TR-CERT
In 2013, the TR-CERT was established under ICTA to identify emerging threats, take measures to reduce and eliminate the effects of possible attacks and incidents on the national cyberspace, and share them with the relevant actors.
The TR-CERT oversees the management of the response to cybersecurity incidents from the beginning until their resolution. It co-ordinates with the CERTs, which are required to report cybersecurity events to the TR-CERT.
The TR-CERT also carries out awareness-raising and guidance activities to increase the awareness of public institutions and organisations against cyber-attacks.
CERTs
Sectoral CERTs
Sectoral CERTs are established under:
— the regulatory and supervisory bodies; or
— the relevant ministries of critical sectors.
Sectoral CERTs are responsible for co-ordination, regulation and supervision of cybersecurity in their respective critical sectors.
Sectoral CERTs act in co-ordination with the TR-CERT and institutional CERTs operating in the sectors concerned.
Institutional CERTs
Institutional CERTs are established within public and private organisations.
All organisations operating in the critical infrastructure sectors must establish an institutional CERT thereunder. Nonetheless, ICTA has the authority to order a public or private organisation to establish and maintain a CERT, even if such organisation does not operate in critical infrastructure sectors.
Institutional CERTs also act in co-ordination with the TR-CERT and sectoral CERTs operating in the concerned sector, as applicable.
The personnel working in CERTs are under the obligation to maintain confidentiality of the information they have obtained owing to their duties. This obligation continues after the duty ends.
The Personal Data Protection Authority (the “DP Authority”)
The primary supervisory and regulatory authority for data protection matters in Türkiye is the DP Authority. It is an independent administrative institution that has administrative and financial autonomy.
The DP Authority has the power to regulate data protection activities and to take measures for protecting the rights of data subjects. The DP Authority is competent to receive data breach notices according to the DP Law.
The National Intelligence Agency
The National Intelligence Agency is entitled to collect, record and analyse information, documents, news and data by using any technical intelligence and human intelligence method, tool and system regarding foreign intelligence, national defence, counterterrorism, international crimes and cybersecurity, and to deliver the produced intelligence to the necessary institutions.
The Turkish National Police Department of Cybercrime Prevention
Established in 2011, this department provides support in the investigation of crimes committed using information technology. It gathers forensic data to fight cybercrime effectively and efficiently.
The Ministry of National Defence, the Presidency of Defence Industries, and the Turkish Armed Forces Cyber Defence Command
These entities ensure cybersecurity from a perspective of military and national defence.
Please see 2.4 Data Protection Authorities or Privacy Regulators and 10.2 Public Disclosure for further information.
The Ministry of Interior Disaster and Emergency Management Presidency
The Ministry of Interior Disaster and Emergency Management Presidency is responsible for crisis co-ordination and management to protect critical infrastructure in the event of a disaster.
Others
Apart from the above, sector-specific administrative institutions such as the Banking Regulation and Supervision Agency (BRSA), the Capital Markets Board (CMB), the Turkish Republic Central Bank (TRCB), the Energy Market Regulatory Authority (EMRA) and the Turkish Atomic Energy Agency are entitled to regulate cybersecurity-related issues in their respective sectors.
1.3 Administration and Enforcement Process
The Information and Communication Technologies Authority (ICTA)
ICTA has broad powers to administer and enforce the rules on cybersecurity. ICTA was given the unique authority to take measures, or to compel public institutions, organisations, natural and legal persons to take all precautions, against cyber-attacks and to establish deterrence against them.
For this, ICTA is entitled to request any information, documents, data and records from relevant organisations, as well as to request access to archives, databases and the communication infrastructure thereof. Natural persons or private organisations cannot avoid fulfilling the requests of ICTA on grounds of being subject to certain legal instruments.
ICTA has a special regulation dealing with administrative fines – ie, the By-Law on Information Technologies and Communications Administrative Sanctions, which lays down special procedures for issuing administrative fines.
The administrative fines related to network and information security breaches are as follows:
— an administrative fine of up to 1% of its net sales in the previous calendar year may be imposed if the operator does not comply with the legislation on e-communications security, including network security;
— administrative fines ranging from TRY7,962 to TRY7,962,042 million are imposed on natural persons and private legal entities other than operators who fail to fulfil the obligations or to implement the measures that are determined by ICTA within the scope of its duties for the protection against cyber-attacks; and
— in cases where ICTA detects a violation of law, depending on the nature thereof, it may adopt other concrete measures in addition to these sanctions.
The Personal Data Protection Board (the “DP Board”)
The DP Board’s investigations may be initiated based on a data subject’s complaint or ex officio if it becomes aware of an alleged violation.
If the DP Board identifies a DP Law violation, it can impose administrative fines from TRY47,303 to TRY9,463,213 depending on the nature of the violation.
Criteria for administrative fines
The criteria which must be sought by ICTA when imposing administrative sanctions are:
— the presence of damage;
— the existence of unfair economic gain;
— the presence of recurrence; and
— administrative sanctions imposed on the operator in the last five years regarding the violation of the same article and presence of good will (or lack thereof).
As per the Misdemeanours Law No 5326, when determining the amounts of administrative fines, the DP Board must consider:
— the severity of the breach;
— the fault of the breaching party; and
— its economic condition.
Appeal to decisions of ICTA and the DP Board
The sanctioned party has a right to appeal against DP Board or ICTA decisions.
All decisions of ICTA, including administrative fines, can be appealed before the administrative courts.
On the other hand, if the DP Board’s decision includes only an administrative fine, the controller may object to this decision before the Magistrate Criminal Court within 15 days from the receipt of the decision. The decisions of the Magistrate Criminal Court can be appealed to another Magistrate Criminal Court in the same district.
Where the decision includes an administrative order bundled with or without an administrative fine, the controller can object to the decision before the administrative courts, whose decisions may be appealed to the Council of State.
From 1 June 2024, appeals against DP Board decisions will be heard by the Administrative Courts instead of the Magistrate Criminal Courts. Please see 1.8 Significant Pending Changes, Hot Topics and Issues for details.
Criminal Sanctions
As stated in 1.1 Laws, the TCrC criminalises certain actions that involve personal and non-personal data processing.
The investigation may commence without any complaint – ie, ex officio by public prosecutors. The final judicial sentence is handed down by the courts. Under certain circumstances, it is possible to appeal the judgment of the first-tier court to the second-tier court, the Regional Criminal Court. As a final step, it is possible to appeal against the Regional Criminal Court’s judgment before the Court of Appeals if the sentence of the court meets specific criteria.
1.4 Multilateral and Subnational Issues
The Budapest Convention on Cybercrime of the Council of Europe (“CETS 185”)
Türkiye signed the Budapest Convention (with a few reservations) on 10 November 2010. The Convention was ratified on 29 September 2014 and came into force on 1 January 2015.
After accepting and ratifying the Convention, Türkiye amended related legislative instruments in line with the Convention, such as the TCrC. For instance, crimes against the confidentiality, integrity and accessibility of computer data or systems, which are regulated in the first title of the Convention, were reflected in the TCrC.
European Convention on Mutual Assistance in Criminal Matters
Türkiye is a party to the European Convention on Mutual Assistance in Criminal Matters. Furthermore, Türkiye has specific legislation in this regard – the Law on International Judicial Co-operation in Criminal Matters No 6706, dated 23 April 2016.
Convention No 108
Türkiye was one of the first countries to become a member of the Council of Europe and to sign Convention No 108. Although Türkiye signed the Convention on 28 January 1981, it did not ratify the Convention until 17 March 2016, shortly before Türkiye’s adoption of the DP Law. However, Türkiye has not yet signed the Modernised Convention (also known as 108+).
Other
Türkiye has signed many co-operation agreements and memorandums with foreign countries – eg, Azerbaijan, Belarus, China, Georgia and Greece – to provide mutual assistance in the realm of cybersecurity.
1.5 Information Sharing Organisations and Government Cybersecurity Assistance
Data Protection
The DP Authority works collaboratively with public and private organisations to share information on privacy issues and encourage privacy compliance.
Cybersecurity
ICTA
ICTA closely monitors cybersecurity incidents through publicly available and private forums and mediums. ICTA also audits and warns companies concerning specific cybersecurity threats and technical vulnerabilities.
TR-CERT and CERTs
The TR-CERT and CERTs are vital structures in eliminating cyber-incidents, prioritising or reducing possible damages and performing cyber-incident management at the national level. The co-ordination and co-operation between the TR-CERT and institutional CERTs and/or sectoral CERTs contribute greatly to Türkiye’s national cybersecurity.
1.6 System Characteristics
Cybersecurity
As mentioned in 1.1 Laws, Türkiye’s legal framework regarding cybersecurity is quite fragmented.
Sector-specific regulations (such as the By-Law on Information Systems Management of Capital Markets Board of Türkiye, the By-Law on Cybersecurity Competency Model in Energy Sector, the By-Law on Management Systems in Nuclear, Radiation and Radioactive Waste Facilities, and the By-Law on Internet Domain Names) mostly follow international information security standards. They require a risk-based approach and mandate notification of cyber-incidents. However, the lack of a general law covering all sectors is a shortcoming of Turkish law.
Türkiye has also adopted, and continues to adopt, cybersecurity regulations for state institutions such as ministries – eg, the Ministry of Internal Affairs, the Ministry of Work and Social Security, the Ministry of Education and other public institutions.
Data Protection
Türkiye follows the EU’s omnibus model for data protection. As the DP Law was enacted only eight years ago, Türkiye’s data protection practice can be considered a developing practice. However, Türkiye has made significant progress so far. At the same time, data breaches continue to be a major threat, along with an escalation in ransomware attacks targeting critical infrastructure and businesses. The DP Authority’s decisions imposing a relatively high administrative fine are almost always based on controllers’ failure to ensure an adequate level of data security while processing personal data.
E-commerce
In 2021, ICTA published a guideline for information security measures to be adopted by e-commerce web operators. ICTA has not made this guideline publicly available. Rather, the guideline was directly sent to the Turkish e-commerce operators. The guideline covers:
— application security;
— system security;
— network security;
— audit and log control procedures;
— test procedures; and
— digital forensics procedures.
1.7 Key Developments
Cybersecurity
On 4 January 2023, the Information and Communication Security Compliance and Audit Monitoring System was launched as the centralised monitoring mechanism for compliance with the Information and Communication Security Guideline (the “ICS Guideline”).
Digital Governance
The OECD has published its “Digital Governance Review of Türkiye: Towards a Digitally-Enabled Government”, which includes an overview of the public sector organisation mandated to lead the digital government agenda, including cybersecurity. Based on this report, 86 of the 120 public sector organisations have professional specialists on cybersecurity available in their workforce.
Türkiye was ranked tenth out of 35 countries in the European Commission’s e-Government Benchmark 2023 Report.
Energy
The By-Law on Cybersecurity Competency Model in the Energy Sector
The purpose of this By-Law, which entered into force in June 2023, is to improve cybersecurity and define the minimum acceptable level of security of industrial control systems used in the energy sector, and to establish the procedures and principles related to the cyber-resilience, proficiency and maturity thereof.
The By-Law covers industrial control systems of organisations comprised of the licence holders specified in the By-Law.
The competency model sets out three basic competency levels. The applicable competency level will be identified with sectoral criticality degrees determined by the Energy Market Regulatory Authority. The obligated organisations must implement the competency model after EMRA determines the respective criticality degrees and notifies them.
Banking and Finance
Amendments to the Communiqué on Data-Sharing Services in the Payment Services Area of Payment and Electronic Money Institutions’ Information Systems and Payment Service Providers (the “Communiqué on Data-Sharing in Payment Services”)
The October 2023 amendment to the Communiqué introduces a criterion to be considered by institutions that engage external service providers for critical information systems and security: the service must either be developed or have R&D centres in Türkiye. These providers or developers are obliged to have response teams in Türkiye.
Additionally, if one of the parties of the payment transaction is abroad, the institution may only transfer data abroad with the following conditions:
— data must be stored domestically;
— the transferred data must be limited to what is necessary for the proper processing of the transaction and in compliance with the proportionality principle; and
— the transfer must be subject to the request or order received from the customer.
The Central Bank of Türkiye is authorised to stop or further restrict such transfers if, in its assessment, the payments area is deemed to be negatively affected.
Finally, the amendments provide further specifications for remote identity verification systems to be used by the institutions and for such to be identified as critical information systems.
1.8 Significant Pending Changes, Hot Topics and Issues
Cybersecurity
Türkiye, as a candidate country for EU membership, is closely monitoring legal developments in the EU acquis. Türkiye plans to adopt the provisions of the NIS2 Directive into Turkish law, as stated under Section 581.2 of the 12th Development Plan.
In the medium term, Türkiye is expected to have standalone network and information security legislation.
Data Protection
The bill amending the DP Law was published in the Official Gazette on 12 March 2024. The bill includes some long-awaited amendments for the purpose of aligning the DP Law with the GDPR.
The amendments concern the following articles.
— Article 6 “Conditions for processing special categories of personal data”: the amendment extends the legal bases for processing special categories of personal data.
— Article 9 “Conditions for transfer of personal data”: for the cross-border data transfers, the amending bill introduces a new regime which is similar to that under the GDPR (ie, adequacy decision, BCRs, Standard Contractual Clauses, written undertaking and DP Board approval; and if these safeguards are inapplicable and the transfer is incidental, other legal bases legitimising the transfer). The previous cross-border data transfer rules will continue to be applicable until 1 September 2024.
— Article 18 “Appealing against the DP Board’s decisions and administrative fines”: the decisions of the DP Board may be appealed against before the Administrative Courts instead of Criminal Magistrate Courts. Files that are still before the Criminal Magistrate Judges as of 1 June 2024 will be resolved by them.
* Originally published by Chambers & Partners on 14 March 2024.