AMENDMENTS UNDER THE PERSONAL DATA PROTECTION LAW
Amendments on the Code of Criminal Procedure Law No. 7499 and Certain Laws (“Amendment Law”) was published in the Official Gazette dated March 12, 2024 which introduces significant amendments to the Law No. 6698 on the Protection of Personal Data (“PDPL”). Particularly, the Amending Law provided amendments to Article (6), (9) and (18) of the PDPL along with an addition of Provisional Article 3 to the PDPL.
The proposed amendments outline a two-stage transition plan. In this regard, the regulations applied the transfer of data abroad based on explicit consent will remain in effect until September 1, 2024. Thereafter, personal data may no longer be transferred abroad based on explicit consent on a permanent basis. Further regulations will come into effect on June 1, 2024.
i. Article 6 of the PDPL, titled as “Conditions for Processing Sensitive Personal Data”, stated limits of the processing sensitive personal data by obtainment of data subject’s explicit consent and the existence of the conditions provided for by law. The amended clause has expanded the exceptional circumstances by defining eight separate provisions in which process of sensitive personal is possible. In this context, the processing of data regarding health and sexual life without an explicit consent is now legally possible not only to authorized institutions, organizations, or persons under confidentiality obligations but also to all data controllers who satisfy requirements provided under the Article.
ii. The amended Article 9 of the PDPL, titled as “Transfer of Personal Data Abroad”, has expanded the understanding of personal data transfer. New regulation mentions that personal data may be transferred abroad if certain requirements are met without obtaining explicit consent from the data subject.
The Amending Law eliminated the possibility of a transfer by means of general explicit consent and instead defined three categories of transfers to abroad. (i) Under the PDPL, data controllers and processors may transfer personal data abroad if one of the conditions for processing personal data or sensitive personal data (as outlined in Articles 5 and 6 of the PDPL) is satisfied, and if the Board has adopted an adequacy decision regarding the country, sectors within the country, or international organizations to which the transfer shall be performed. (ii) If an adequacy decision is not adopted, data controllers and processors may transfer personal data abroad if they provide one of the appropriate safeguards (Commitment Letters, Binding Corporate Rules (BCR), Standard Contractual Clauses (SCC), Non-International Contracts) specified in the law. Aforementioned is only allowed if one of the processing conditions specified in Article 5 or Article 6 of the PDPL exists and provided that the person concerned also has the possibility to exercise her rights and to have recourse to effective remedies in the country of transfer. (iii) Lastly, in the absence of the aforementioned adequacy decision or appropriate safeguards, personal data shall only be transferred on an incidental basis which refers to only once or a few times.
However, under the current PDPL regulation, data transfers abroad based on explicit consent may continue until September 1, 2024. After the stated date, data transfers must comply with the amended provisions.
iii. According to the amendment, a new subparagraph has been included in Article 18 titles as "Misdemeanors" of the PDPL, which regulates that in case notification obligation is not satisfied set forth in Article 9 of the PDPL, the violating act shall be sentenced to an administrative fine from 50,000 Turkish Liras to 1,000,000 Turkish Liras.
Before the amendment, administrative fines were only imposed on natural persons and private legal entities who are data controllers according to Article 18(2) of the PDPL. However, the amendment regulates that the administrative fine provided for in relation to the notification obligation is imposed on natural persons and private legal entities who are data controllers or data processors. Furthermore, while objections to administrative fines imposed by the Board could be filed with criminal judgeships of peace, the Amendment Law provides that the administrative courts are now empowered to hear appeals against administrative fines.
Although the 8th Judicial Package has designated the administrative courts as the competent court for appeals against the decisions made under Article 18 of the PDPL, the applications pending before the criminal court of peace as of June 1, 2024 will be decided by the said courts.
Conclusion
Considering these amendments as a whole, it is clear that the PDPL is aligned with the General Data Protection Regulation (“GDPR”) implemented in the European Union, and that transitional solutions have been developed to facilitate the work of internationally active data controllers.