Despite challenges such as the COVID-19 pandemic, general elections, and changing legislative priorities, Turkey has remained committed to strengthening data protection laws through evolving personal data protection laws. On 12 March, the first part of the amendments to the PDPL was published in the Official Gazette and will come into force on 1 June. Law No. 7499 Amending the Code of Criminal Procedure and Certain Laws introduces amendments to Articles 6, 9 and 18 of the PDPL, and also includes interim Article 3 detailing when these amendments will come into force. Added.
regulatory reform
Turkey's first data protection law, introduced in 2016 and inspired by the EU's Directive 95/46, was a strategic choice aimed at promoting a culture of data protection with less complex standards. Since 2020, various policy documents, including the Human Rights Action Plan and the Medium Term Programme, have marked a significant shift towards alignment with the EU General Data Protection Regulation. This shift was driven by the evolving needs of the business ecosystem. Challenges such as the cumbersome use of cloud computing software and the processing of special categories of personal data, especially for employers and the healthcare sector, have highlighted the need for urgent reform.
By 2021, the establishment of a scientific committee by the Ministry of Justice marked an important stage in the drafting of the new law. This committee, of which I am a member, produced his two legislative packages on data protection reform. The first priority package, announced on March 12, covers the processing of special categories of personal data, the transfer of data abroad, and the jurisdiction of courts for fines imposed by the Turkish data protection authority, Kissel Velilleri Korma Krum. This is to deal with. A second reform package is underway to fill regulatory gaps, following Turkey's plan to overhaul the PDPL to bring it into full alignment with the GDPR.
Special categories of personal data
Under the existing framework, the PDPL divides special categories of personal data into two subgroups focused on the criteria for processing this data. The first concerns your health and sex life, and the second includes other special categories of personal data specifically enumerated in the law. In general, the processing of special categories of personal data without explicit consent is prohibited, with clear exceptions.
Special categories of personal data not related to health or sex life may be processed without your explicit consent where required by law. Conversely, processing data about your health and sex life without your explicit consent can only be carried out for specific purposes. These purposes include the protection of public health, preventive health care, medical diagnosis, treatment, and the administration and financing of health services. This exception only applies if such data is handled by individuals under a duty of confidentiality, such as a doctor, or by a competent institution or organization.
The PDPL presents challenges for employers and the health sector in particular when dealing with the complexities of handling special categories of personal data. A notable change in the revised version of the PDPL is the treatment of data about health and sex life. These are no longer distinct and are now governed by the same conditions as other special categories of personal data. The approach to the processing conditions for special categories of personal data has been fundamentally restructured.
The proposed amendments specify eight conditions under which such data may be processed, aligning it more closely with the GDPR in terms of the legal basis for processing special categories of personal data. These include the explicit consent of the data subject, where required by law, the necessity where the individual is unable to consent in order to preserve life or limb, personal data disclosed by the individual, and the establishment or protection of rights. Includes need, and employment. Related legal obligations.
Data transfer overseas
The current version of the PDPL relies primarily on explicit consent for data transfer outside Turkey, but this method is fraught with revocability issues and, in some cases, consent that is not freely given. there is. In the case of non-consensual transfers, an alternative legal basis and an adequacy determination was required to demonstrate that the foreign country provided adequate data protection or DPA-approved contractual terms. However, to date, the Turkish DPA has not deemed any country to have adequate protection, and only a few of the 80 total applications have been approved for contracts, and there is a need for a more practical framework. Gender is emphasized.
The revisions to the PDPL signal a significant shift in how personal data is transferred across borders, influenced by rapid digitization and changes in business practices. The proposed amendments move from a consent-based model to a structured approach consisting of three stages: adequacy determination, appropriate safeguards, and occasional cases. The goal is to focus on making data transfer more efficient, GDPR compliant, and streamlining processes while ensuring data protection. Future regulations from the Turkish DPA will detail the rules and procedures of this new framework for data transfers abroad.
Initially, data transfers abroad will require an “appropriateness determination” by the Turkish DPA. In the absence of such a determination, “appropriate safeguards” such as binding corporate rules or standard contractual clauses may be adopted. In exceptional cases, certain “in some cases” data transfers are permitted in the absence of both an adequacy decision and appropriate safeguards. These include explicit requests from data subjects informed of the risks, the necessity of contractually-related actions, legal claims, protection of life or physical integrity, or legitimate access to publicly available registers. This includes your consent.
The scope of adequacy decisions is extended to international organizations and specific domestic sectors, providing flexibility. This is exemplified by the possibility of adequacy decisions targeting specific sectors, such as automobiles, rather than the country as a whole. Due to complex international relations, the Turkish DPA has not yet issued an adequacy decision, but there is still hope for her future negotiations with the EU.
Importantly, the revised PDPL explicitly allows processors as well as controllers to make cross-border transfers, addressing a gap in previous versions of the PDPL. It also requires PDPL to ensure safeguards for future transfers. For standard contractual clauses, controllers and processors are obliged to notify their DPA in Turkey within five days after signing such clauses. This process is for informational purposes only, not for approval purposes.
Other fixes
The PDPL amendments introduce certain misdemeanors for controllers and processors who fail to report standard contractual clauses to the DPA within five days of signing, a requirement that does not exist in the GDPR. The fines for violations range from 50,000 Turkish Liras to 1,000,000 Turkish Liras.
Previously, responsibility for challenging fines issued by the DPA rested with the Criminal and Peace Court. However, concerns about the lack of detailed investigation were addressed by a recent Constitutional Court judgment published on 15 December 2023. In response, the Turkish legislature amended the PDPL to require administrative courts to review these fines instead, ensuring a fairer approach. Adjudication process.
effective
According to provisional Article 3, the PDPL amendments will come into force on June 1st. However, there are notable transitional measures regarding the requirement for explicit consent to transfer data abroad. Specifically, the current version of Article 9(1) of the PDPL, which requires the transfer of personal data abroad without explicit consent, remains in effect until September 1. This arrangement means that the original rules will remain in force until they come into force alongside the new rules. fixed date. Additionally, claims filed in the Criminal Court of the Peace before June 1 will be resolved there.
practical solutions
These changes provide practical solutions, in particular expanding the cases in which controllers can process special categories of personal data and transfer data abroad. These amendments bring PDPL closer to GDPR standards.