The Bill of Law on Amendments of the Code of Criminal Procedure and Certain Laws and the Decree Law No. 659 (“Bill of Law”) was accepted in the General Assembly of the Grand National Assembly of Turkey on 02.03.2024 and Article 41 of the Bill of Law became law. In this context, Amendments of the Code of Criminal Procedure Law No. 7499 and Certain Laws (“Law”) was published in the Official Gazette dated 12.03.2024 and numbered 32487.
The Law aims to harmonize the PDPL with the European Union General Data Protection Regulation and amends the provisions regarding the processing conditions and transfer of special categories of personal data abroad. In this context, the amendments made to Articles 6, 9, 18 of the PDPL and the Provisional Article 3 added to the PDPL will enter into force as of 01.06.2024 and these legislative amendments are analysed in detail below.
A. Amendments within Scope of “Conditions for Processing Special Categories of Personal Data”:
With the amendment made to Article 6 of the PDPL titled “Conditions for Processing Special Categories of Personal Data”, the distinction between data related to health and sexual life and other special categories of personal data under special categories of personal data has been removed. The provision that the processing of special categories of personal data is prohibited has been preserved and the following situations are listed and the situations in which personal data can be processed are specified;
- Explicit consent of the data subject,
- Clearly stipulated in the law,
- It is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, himself/herself or someone else,
- Concerning the personal data made public by the data subject and in accordance with the will of the data subject to make it public,
- Being mandatory for the establishment, exercise, or protection of a right,
- It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management, and financing of health services by persons under the obligation to keep secrets or authorized institutions and organizations,
- Mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
- Foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties; for current or former members and members or persons in regular contact with these organizations and formations,
Thus, the legal compliance reasons for the processing conditions of personal data have been expanded within the scope of the amendment made by the Law.
In other words, before the amendment made by the Law, special categories of personal data relating to health and sexual life could only be processed without seeking explicit consent in the presence of the situations listed in Article 6 of the PDPL, while other special categories of personal data could be processed without seeking the explicit consent of the data subject in cases stipulated by law. After the amendment made by the Law, the distinction within the special categories of personal data has been abolished and the conditions for processing all special categories of personal data have been expanded and regulated.
B. Amendments within the Scope of “Transfer of Personal Data Abroad”:
With the amendment made to Article 9 of the PDPL titled “Transfer of Personal Data Abroad”, the understanding that personal data cannot be transferred abroad without the explicit consent of the person concerned has been stretched and with the amendment made, it is regulated that personal data can be transferred abroad if certain requirements are met.
In this context, as a rule, personal data may be transferred abroad by data controllers and data processors if the following conditions exist together:
- the existence of one of the conditions specified in Articles 5 and 6 of the KVKK,
- There is an adequacy decision on the country, sectors within the country or international organizations to which the transfer will be made,
Within the scope of the condition specified in Article (i), no change has been foreseen and the importance of the conditions for processing personal data continues to be preserved with the amendment.
In addition, the procedures and principles regarding the adequacy decision specified in Article (ii) are also regulated under Article 9 of the PDPL, and with the amendment, the uncertainties regarding adequate protection in the previous regulation have been eliminated to some extent.
In the absence of an adequacy decision, it is regulated that personal data may be transferred abroad by data controllers and data processors if one of the following appropriate safeguards is provided by the parties, provided that one of the conditions specified in Articles 5 and 6 of the PDPL exists and the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country where the transfer will be made:
- The existence of an agreement that is not an international contract and the Personal Data Protection Board (“Board”) authorizes the transfer.
- The existence of binding company rules approved by the Board containing provisions on the protection of personal data.
- Existence of a standard contract containing the matters announced by the Board.
- Existence of a written undertaking containing provisions to ensure adequate protection and authorization of the transfer by the Board.
It is also among the amendments that the data controller or data processor must notify the Personal Data Protection Authority (“Authority”) within 5 (five) business days regarding the execution of the standard contract regulated in Article (iii).
Finally, whereas before the amendment, data transfers abroad were only possible with the permission of the Board after obtaining the opinion of the relevant public institution or organization in cases where the interests of Turkey or the data subject would be seriously harmed, the amendment introduces some exceptions for incidental, one-off data transfers in the absence of an adequacy decision and in the absence of any of the appropriate safeguards envisaged in this case. It should be added at this point that these exceptions will not apply to continuous data transfers.
C. Amendments within the Scope of “Misdemeanors”:
As mentioned above, with Article 9 of the PDPL, a change has been made within the scope of the understanding regarding the transfer of personal data abroad, and in the absence of an adequacy decision, it is necessary to notify the Authority within 5 (five) business days regarding the conclusion of the standard contract concluded in accordance with the “existence of a standard contract containing the matters announced by the Board.”, which is stated as one of the appropriate safeguards specified.
With the amendment made within the scope of Article 18 of the PDPL titled “Misdemeanors”, it has been regulated that those who do not fulfil this notification obligation will be sentenced to an administrative fine from 50,000 Turkish Liras to 1,000,000 Turkish Liras, and while administrative fines were imposed only on natural persons who are data controllers and private legal entities pursuant to Article 18/2 of the PDPL before the amendment, with the amendment, it has been regulated that the administrative fine stipulated regarding the notification obligation will be imposed on the data controller or data processing natural persons and private legal entities.
In addition, while prior to the amendment, objections to administrative fines imposed by the Board could be filed to criminal judgeships of peace, after the amendment, administrative fines imposed by the Board may be appealed to administrative courts.
D. Examination of Provisional Article 3:
Although the amendments made under the PDPL will enter into force on 01.06.2024, pursuant to Provisional Article 3, the old version of Article 9 of the PDPL will be applied together with the new version until 01.09.2024. In other words, although data controllers will be able to transfer data abroad based on explicit consent until 01.09.2024, data transfer activities carried out based on explicit consent until this date must be made in accordance with the new rules introduced by the amendment. In addition, pursuant to Provisional Article 3, the applications pending before the criminal judgeships of peace as of 01.06.2024 will continue to be heard by the criminal judgeships of peace until they are finalized.