Amendments Regarding the Law on Protection of Personal Data
The amendments to the Law on Protection of Personal Data No. 6698 (“LPPD”), introduced by the Law Proposal No. 7499 on the Amendment of the Criminal Procedure Law and Certain Laws (“Law Proposal”), were published in the Official Gazette of Türkiye on 12th of March, 2024. The referred amendments aim to harmonize the LPPD with the European Union General Data Protection Regulation (“GDPR”).
In brief, with the Law Proposal,
(I) the legal grounds for processing of special categories of personal data (sensitive data) have been redefined (Article 6 of the LPPD);
(II) a new legal regime has been established for cross-border data transfer (Article 9 of the LPPD); and
(III) an administrative judicial remedy has been introduced against all actions of the Turkish Personal Data Protection Board (“Board”) (Article 18 of the LPPD).
The amendments introduced in the Law Proposal are generally categorized under the following headings:
» The conditions for processing special categories of personal data have been eased.
» A new legal regime has been introduced for the transfer of personal data abroad. In particular, “explicit consent” has been transformed from a general requirement into an “exception”, and a new special transition period has been provided for transfers with explicit consent.
» Data processors may now be liable for administrative fines together with data controllers, in relation to cross-border data transfers.
» The administrative judicial remedy has been determined as the only judicial remedy against the Board’s actions.
1. SPECIAL CATEGORIES OF PERSONAL DATA
With the Law Proposal, the grounds for legal processing of sensitive data have been expanded. Special categories of personal data may now be processed in the following cases pursuant to the Law Proposal:
a) In case of explicit consent
b) If expressly provided for by law
c) In case of actual impossibility to obtain explicit consent
d) In case the data has been made public by the data subject
e) If it is mandatory for the establishment, exercise or protection of a right
f) In the event that data is processed by persons or authorized institutions and organizations that are obliged to keep confidentiality for the protection of public health, to carry out preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.
g) If processed for legal obligations in the field of employment, occupational health and safety, social security or social services and social assistance
h) In case there is a special processing reason for foundations, associations or other non-profit organizations or formations established for political, philosophical, religious or trade union purposes to process such sensitive data of their current or former members or of data subjects with whom they are in constant communication.
2. TRANSFER OF PERSONAL DATA ABROAD
The absence of any competency decision of the Board for any country and the acceptance of few undertaking applications filed with the Board so far have led to serious issues regarding cross-border data transfer. The amendments therefore aim to completely amend the rules for cross-border data transfer as follows:
» Cross-border data transfer is permitted in case of the existence of one of the conditions stated in Articles 5 and 6 of LPPD, and a competency decision issued by the Board regarding the relevant country, international organization, or sectors within such country; or
» Cross-border data transfer is permitted in case of the existence of one of the conditions stated in Articles 5 and 6 of LPPD, the ability of the data subject to exercise his/her rights in the country where the transfer will be made and to resort to effective legal remedies, and one of the following safeguards being provided by one of the parties:
o The existence of an agreement, other than an international agreement, concluded between public institutions or international organizations abroad and public institutions or professional organizations with the status of public institutions in Turkey coupled with a permission granted by the Board for this transfer according to LPPD.
o The existence of binding corporate rules approved by the Board containing provisions on the protection of personal data, to be fulfilled by companies within the framework of a business consortium engaged in joint economic activity.
o The existence of a standard agreement, the template of which is announced by the Board, containing, among other things, data categories, recipients and recipient groups, purposes of data transfer, administrative and technical measures to be taken by the recipient, and additional measures taken for special categories of personal data.
o The existence of a written commitment providing sufficient protection and permission granted by the Board for the transfer.
» In the event that the following conditions are fulfilled, personal data may be transferred abroad, on a case by case basis:
o The data subject is informed about the risks and provides his/her explicit consent,
o The transfer is necessary for the performance of a contract or for pre-contractual measures between data subject and data controller,
o The transfer is essential for a higher public interest,
o The transfer is necessary for the performance of a contract or for pre-contractual measures between the data controller and another natural or legal person for the benefit of the data subject,
o The transfer is carried out via accessing a register open to the public or to persons with a legitimate interest provided that the conditions laid out in relevant legislation for accessing the registry are met and the transfer is requested by a person with a legitimate interest.
3. STATUS OF THE DATA PROCESSOR
With the new Law Proposal, data processors, like data controllers, will now be able to transfer data abroad if there is a legal processing reason. In addition, data processors will be liable for their violations of LPPD with respect to cross-border data transfer, similar to data controllers, and administrative fines may be imposed on data processors.
4. NEW ADMINISTRATIVE PENALTY
If no notification is made to the Personal Data Protection Authority (“Authority”) by the data controller or data processor within 5 (five) days from the signing of the above-mentioned standard agreement, an administrative fine from 50,000 Turkish Liras to 1,000,000 Turkish Liras may be imposed on the relevant persons.
5. REMEDIES
With the Law Proposal, administrative fines imposed by the Board may be challenged before the administrative courts.
6. ENFORCEMENT AND TRANSITION
Under the Law Proposal, cross-border data transfer based on explicit consent will continue to be implemented until September 1, 2024, after which no transfer of personal data abroad based on repeated standing explicit consent will be possible and data transfer based on explicit consent will be on an exceptional basis. Other amendments will enter into force on June 1, 2024.
7. CONCLUSION
Following the enactment of the Law Proposal and entry into force of the new amendments, data controllers will need to revisit their data protection compliance programs and policies. Consent management will now require them to revise their privacy notices, consent forms and data transfer agreements in order to be in line with the new rules and principles, particularly in terms of cross-border data transfer matters.