New Turkish Personal Data Protection Law, Data Transfers And Sensitive Data

22.02.2024

Contents

On 16.02.2024, the bill proposing amendments to the Personal Data Protection Law No. 6698 (the "KVKK") has been submitted to the Parliament (Law Proposal on the Amendment of the Criminal Procedure Law, Certain Laws and the Decree Law No. 659 ("Proposal" or "Amendment").

Purpose of the Amendment is to further harmonize an already aligned KVKK with the GDPR, which has been a priority for the Turkish regulators as stated in their strategy and policy documents for years.

We do not know exactly when the bill will be enacted, however we believe it will be sooner than later and the new provisions will enter into force immediately with a grace period of three months for all to comply.

Data Transfers

With the Amendment, personal data may be transferred abroad by data controllers and data processors if there is an adequacy decision on the recipient country, international organization or sectors within the country. The Turkish DPA will determine the adequacy based on certain conditions and the decision will be published in the Official Gazette.

Personal data may be transferred outside Turkey if there is an agreement between the recipient country, international organization or entity and public institutions, organizations or entities in Turkey. In this case, the transfer of personal data is permissible if the data subject can exercise her rights in the recipient effectively, pursue legal remedies, and obtain approval from the Turkish DPA.

Furthermore, controllers or processors may transfer personal data outside Turkey in cases where there are binding corporate rules or Standard Contractual Clauses standardized by the Turkish DPA. Rather than obtaining approval from the Turkish DPA, the data controller and the data processor shall notify the Turkish Standard Contractual Clauses to the DPA within five (5) business days. In case of failure to comply with the notification obligation, the Turkish DPA may impose administrative fines on the data controller and the data processor.

Moreover, the Amendment envisages that personal data may be transferred abroad in certain circumstances, which are exceptional. Personal data may also be transferred abroad if the data subject gives explicit consent to such exceptional transfer and where the controller is provided information regarding the possible risks.

Data controller may transfer personal data outside Turkey in exceptional situations if it is mandatory for the performance of a contract or for establishment of a contract between the data controller and another natural or legal person for the benefit of the data subject or if the transfer is mandatory for an overriding public interest or if the transfer is mandatory for the establishment, exercise or protection of a right.

Finally, transfer of data overseas is valid if the transfer of personal data is necessary to protect the vital interests of the data subject or another natural person, especially when the data subject is physically or legally incapable of giving consent, or when their consent is not legally valid.

Processing special categories of personal data?

The Amendment updates the conditions for processing special categories of personal data. According to the current law, processing special categories of personal data is permissible if the data subject provides explicit consent, if legal requirements mandate the processing of special categories of personal data other than health and sexual life, or if the processing of special categories of personal data relating to health and sexual life is processed by the persons subject to secrecy obligation or competent public institutions.

Despite the general prohibition on processing special categories of personal data proposed by the Amendment, controllers will process such data with specific exceptions.

The first general exception to processing of special categories of personal data is statutory requirements. For instance, processing of data on criminal convictions pursuant to the Judicial Registry Law No. 5352 and taking fingerprints of individuals pursuant to Article 5 of the Police Duties and Powers Law No. 2559 shall be considered within the scope of this condition.

With the Amendments, controllers may process special categories of personal data if the data subject has given explicit consent.

Processing of sensitive data is permitted in case the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

Controllers will be able to process special categories of personal data publicized by the data subject willingly.

As another exception, it is permitted to process special categories of personal data necessary for the protection of public health, the execution, planning, management and financing of health services by the persons subject to secrecy obligation or competent public institutions and organizations, if it is mandatory for the establishment, exercise or protection of a right. For instance, to exercise the right of defense in lawsuits that may be filed after the termination of the employment contract, the employer process a health data of the former employee.

Similarly, controllers may process special categories of personal data if it is necessary for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance. For instance, the processing of health data or criminal conviction data by employers in order to fulfill the obligation to employ disabled or convicted persons under the Labor Law No. 4857 will be considered under this condition.

Finally, the processing of special categories of personal data relating to current or former members of foundations, associations and other non-profit organizations established for political, philosophical, religious or trade union purposes, or persons in regular contact with such organizations, in compliance with certain conditions and safeguards, will be permitted.

DPA's Actions are Subject to Judicial Review

Administrative fines or decisions of the Turkish DPA can be challenged by the controller, processor or data subject before administrative courts.

This website is available “as is. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.
th
Ready to stay ahead of the curve?
Share your interest anonymously and let us guide you through the informative articles on the hottest legal topics.
|
Successful Your message has been sent