Pursuant to the Law No. 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws (“Amending Law”), published in the Official Gazette dated 12.03.2024 and numbered 32487, introduced significant amendments to the Personal Data Protection Law (“Law”) regarding the processing of special categories of personal data, the transfer of personal data abroad and the administrative fines imposed by the Personal Data Protection Board (“Board”). The Amending Law has increased the harmonisation of personal data protection legislation with the European Union General Data Protection Regulation.

1. Processing of Special Categories of Personal Data

Prior to the Amending Law, it was regulated that special categories of personal data could be processed with explicit consent. However, special categories of personal data, except for data concerning health and sexual life, could be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life could only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

With the Amending Law, the system stipulating the rules and exceptions that special categories of personal data cannot be processed without explicit consent has been completely changed. Instead, the scope of exceptions to the processing of special categories of personal data has been expanded in line with the general data processing grounds and the GDPR. Accordingly, it is regulated that special categories of personal data may be processed in cases where one of the following conditions is met:

i. The data subject has given explicit consent.

ii. It is expressly provided for by the laws.

iii. It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.

iv. Processing relates to personal data which are manifestly made public by the data subject and is in accordance with his/her will to make it public.

v. Processing is necessary for the establishment, exercise, or protection of any right.

vi. Processing is necessary for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing provided by the persons subject to secrecy obligation or competent public institutions and organizations.

vii. Processing is necessary for the fulfilment of obligations regarding employment, occupational health and safety, social security, social services, and social assistance.

viii. Processing is carried out by a foundation, association or any other not-for-profit body with a political, philosophical or trade union aim in accordance with its purposes and the legislation to which it is subject and that the personal data are not disclosed outside that body without the consent of the data subjects and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it.

As stated in the general preamble and the preamble of the relevant article, the needs encountered in practice regarding the processing of special categories of personal data have also been taken into consideration. Accordingly, for instance, the fact that the employer can continue to store the health data of its former employee in order to exercise the right of defence in lawsuits that may be filed after the termination of the employment agreement, or that special categories of personal data such as blood type and previous illnesses can be processed for the purpose of protecting the life or physical integrity of a person who is unable to explain his/her consent due to loss of consciousness for any reason, can be considered as positive developments.

2. Transfer of Personal Data Abroad

Prior to the Amending Law, it was regulated that personal data could be transferred abroad with explicit consent. However, personal data could be transferred abroad without explicit consent of data subject upon the existence of one of the conditions of the general data processing or one of the conditions for the processing of special categories of personal data other than health and sexual life. Adequate protection is required in the country where the personal data are to be transferred. If adequate protection is not provided, the existence of commitment for adequate protection in writing by the data controllers in Türkiye and in the relevant foreign country and authorisation of the Board were required.

With the Amending Law, the system stipulating the rules and exceptions that personal data cannot be transferred abroad without explicit consent has been completely changed. Instead, it is regulated that in the presence of one of the general data processing conditions or special categories of personal data conditions and by providing one of the additional conditions gradually and by providing one of the additional conditions gradually explained below, personal data transfer abroad is permitted without explicit consent.

i. Firstly, it will be required that the Board has issued an adequacy decision on the third country, international organisation, or a specified sector within that third country. The Board will take into account criteria such as reciprocity, rules and protection mechanisms in the place of transfer, and international conventions when making an adequacy decision.

ii. In the absence of an adequacy decision made by the Board, it will be required that the controller or processor should provide appropriate safeguards such as commitment, binding corporate rules, standard data protection clauses, etc., provided that enforceable data subject rights and effective legal remedies for data subjects are available in the country where the personal data are to be transferred.

iii. Finally, in the absence of an adequacy decision, or of appropriate safeguards, transfer may be made on an incidental basis. However, it should be noted that this provision permits transfers to be made once or several times in certain compulsory cases listed in the Law, such as performance of a contract, superior public interest.

As stated in the general preamble and the preamble of the relevant article, the needs encountered in practice regarding the transfer of personal data abroad have also been taken into consideration. Accordingly, it has been pointed out that prior to the Amendment Law, the adequate protection commitment was not frequently applied, and the data transfer became dependent on obtaining explicit consent. This situation has made it almost impossible to legally use cloud-based software and applications, which are frequently used by almost every company and real person in commercial life and whose servers are located abroad and has become an obstacle to investments in the country. The amendments are intended to solve these problems.

3. Administrative Fines

Prior to the Amending Law, it was regulated that administrative fines imposed by the Board could be appealed to the criminal courts of peace. However, it was known that a significant portion of the applications made to the criminal courts of peace were not subject to inadequate judicial review due to workload and specialisation. In a recent Constitutional Court decision, the decision of violation on the grounds of insufficient examination brought the drawbacks of the appeal to the criminal courts of peace back to the agenda. The Amending Law regulates that administrative fines imposed by the Board may be appealed to administrative courts and thus aims to eliminate this issue.

The Amending Law introduces a new misdemeanour. As mentioned above, in the absence of an adequacy decision, personal data transfer abroad is permitted provided that there are effective remedies and one of the appropriate safeguards. The standard data protection clauses, which is listed among the appropriate safeguards, is regulated for the first time in the Law. If standard data protection clauses are signed, the controller or processor shall notify the Personal Data Protection Authority within five days. In case of breach of this notification obligation, the controller or processor will be imposed an administrative fine from TRY 50,000 to TRY 1,000,000.

4. Effective Date

The amendments regarding the transfer of personal data abroad will enter into force on 01.09.2024. Thus, it is possible to transfer data abroad for three more months based on the explicit consent obtained before or after the entry into force of the Amendment Law.

The appeals pending before the criminal courts of peace as of 01.06.2024 against the administrative fines imposed by the Board will be finalised by these judgeships.

Should you have any inquiries, please do not hesitate to contact us.