Overall: Agenda of the DPA in June
The agenda of the Turkish Data Protection Authority (“DPA”) was relatively quiet in June. However, preparations are underway for upcoming regulations and standard contractual clauses related to cross-border data flows.
A significant change is approaching for data processing activities involving cross-border data transfers based on explicit consent. From 1 September 2024, data controllers will no longer be allowed to continuously transfer personal data abroad solely relying on explicit consent.
The new process for the transfer of personal data abroad requires a three-step assessment, where data controllers must review their international data transfer activities, including the recipients, the transferring parties, and the appropriate safeguard methods outlined in the Turkish Personal Data Protection Law, such as implementing standard contractual clauses.
Dive into June updates
Bill on AI introduced before Turkish parliament
On 24 June 2024, the Turkish Grand National Assembly was presented with its first-ever bill specifically regulating artificial intelligence (“AI”) technology. Inspired by the EU AI Act, Turkey’s “AI Bill” comprises eight articles aimed at ensuring the safe, ethical, and fair use of AI technologies, the protection of personal data, and the establishment of regulatory frameworks for the development and use of AI systems.
DPA holds conference on amendments to Turkish data protection law
On 11 June 2024, the DPA held a conference titled “Amendments to the Personal Data Protection Law and Their Implications”. The conference addressed recent changes effective from 1 June 2024 aimed at preventing the unrestricted and random collection of personal data, unauthorised access, and misuse.
During the conference, the president of the DPA highlighted the ongoing reviews of data processing practices and announced that administrative fines totalling TRY 683,638,000 (approx. EUR 20 million) have been imposed to this date.
DPA hosts Data Protection Authorities Consultation Meeting
On 6 June 2024, the DPA hosted the Data Protection Authorities Consultation Meeting in Istanbul. Representatives from Azerbaijan, Algeria, Morocco, Qatar, Malaysia, and Mali attended the meeting. The president of the DPA emphasised the importance of a human-centered approach to privacy issues and stressed the need for strong communication channels among data protection authorities.
Data breach notification
Under Article 12(5) of Turkish DP Law, data controllers must promptly notify affected data subjects and the DPA of any unlawful acquisition of personal data. Following the assessment of a breach notification submitted to the DPA by Karakaya Kuruyemiş, it has been determined that:
- the data breach occurred through a cyber attack, resulting in the locking of a main server;
- the breach affected 200 data subjects, including employees, customers and users;
- the breach was discovered on 11 June 2024; and
- the personal data of the affected data subjects included sensitive personal data as well as financial, identity and communications data, among others.