May 2024 – On 12 March 2024, significant amendments (“Amendments”) to the Turkish Personal Data Protection Law No. 6698 (the "DP Law") were published in the Official Gazette. The Amendments are intended to improve alignment with the GDPR and to ensure greater flexibility.
What are the key changes?
The Amendments include regulations concerning (i) the processing of sensitive personal data, (ii) cross-border data transfers, (iii) sanctions to be applied by the Turkish Data Protection Authority (“DPA”), and (iv) the new procedure for appealing DPA decisions. Following the Amendments, the DPA is expected to issue secondary legislation to facilitate the implementation of the new provisions, particularly for cross-border data transfers.
When will the Amendments take effect?
|
|
Amendments on Sensitive Data |
Amendments on Cross-border Data Transfer |
|
Effective Date |
1 June 2024 |
1 September 2024 |
What should data controllers do to ensure compliance?
Following the Amendments, the DPA issued an announcement on 12 March stating that during the transitional period, data controllers and data processors should carefully prepare for compliance with the new rules.
In this context, data controllers need to re-evaluate their compliance with the DP Law, primarily by updating their VERBIS records and revising compliance documents (e.g., privacy notices) upon the entry into force of these Amendments.
Overview of key changes introduced by the Amendments
1. Processing of sensitive personal data:
The Amendments broaden the conditions for processing sensitive personal data. According to the new scope, sensitive personal data may be processed without obtaining explicit consent if certain circumstances are present, such as, but not limited to:
- processing is necessary for the establishment, exercise, or protection of a right;
- processing is mandatory for the data controller to fulfil its legal obligations in employment, occupational health and safety, social security, social services, and social assistance; or
- data is made manifestly public by the data subject.
2. Cross-border personal data transfer
The Amendments aim to introduce more flexibility in the process of cross-border data transfers, making explicit consent an exception rather than the rule and stating that the details will be determined by secondary regulations.
It is also stated that cross-border data transfers can be carried out on the basis of explicit consent until 1 September 2024. However, after this time, a three-step assessment must be conducted, and reliance on explicit consent can only be valid if such processing is not repetitive.
Three-step assessment:
-
Existence of an adequacy decision: If such a decision is issued by the DPA, personal data can be transferred abroad based on this decision.
-
Existence of appropriate safeguards: In the absence of an adequacy decision by the DPA, personal data may be transferred abroad provided that one of the safeguards set out in the new provisions is in place.
-
If data controllers choose to execute the standard contractual clauses as a safeguard, this should be notified to the DPA, otherwise a new type of misdemeanour (i.e., a fine of TRY 50,000 to TRY 1,000,000 (approx. EUR 1,500 to EUR 29,000) may be imposed.
-
-
Absence of both an adequacy decision and appropriate safeguards: If the first two steps are not met, personal data may still be transferred abroad under occasional circumstances. However, the third step can only be relied upon for a non-systematic data transfer process.
For more information and to ensure your regulatory compliance, contact our Data Protection Team.