Guide on the Processing of Special Categories of Personal Data Published
The Guide on Processing Special Categories of Personal Data (Guide), prepared by the Personal Data Protection Authority (Authority), was published on February 26, 2025.
The amendments to the Code of Criminal Procedure and Some Other Laws (Law No. 7499), published in the Official Gazette on March 12, 2024, made changes to Article 6 of the Law No. 6698 on the Protection of Personal Data (Law), which regulates the Conditions for Processing Special Categories of Personal Data and these changes came into effect on June 1, 2024. Accordingly, the differences between special categories of personal data were eliminated, and new processing conditions were defined.
The Guide aims to clarify the approach of the Personal Data Protection Board regarding the processing conditions for special categories of personal data, assist data controllers in understanding the legal grounds for processing such data under the legislation, and help ensure that data controllers meet their obligations under the Law appropriately.
The Guide consists of three sections: (i) the first section provides information on special categories of personal data and explains which data are considered special categories, (ii) the second section details the conditions for processing such data, and (iii) the third section outlines what data controllers need to do to comply with the new regulations after the amendments made by Law No. 7499, along with other suggestions. Some of the key points covered in these sections are summarized below:
- Special categories of personal data are defined exhaustively in the Law and cannot be expanded by analogy. Data not listed in the Law cannot be considered special categories of personal data. For example, nationality data is not listed and therefore is not considered a special category of personal data. Political opinions and religious beliefs fall within the scope of special categories of personal data, and information about not believing in any religion or being apolitical is similarly considered. Data about employees' union memberships is also regarded as a special category of personal data, while blood group information on old passports and ID cards is considered health data.
- Compared to the previous regulation, the distinction between health and sexual life data and other special categories of personal data has been removed in the new regulation. The conditions under which special categories of personal data can be processed without explicit consent have been redefined. Under the new regulation, special categories of personal data can be processed when explicitly provided by law, necessary for protecting vital interests or bodily integrity, for public knowledge, or the establishment or protection of a right, as well as for fulfilling employment, occupational health and safety, and social security obligations, or as part of activities aligned with the purposes of associations and non-profit organizations. The Guide elaborates on each condition for processing special categories of personal data, provides guidance on how they should be interpreted, and offers practical examples to illuminate the application.
Lastly, the Guide clearly outlines the steps data controllers need to take to comply with the new conditions for processing special categories of personal data under the Law. These steps include updating the personal data processing inventory, regulating the explicit consent processes, changing the information texts, updating the data retention and destruction policy, and enhancing data security measures.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
The Personal Data Protection Authority (the Authority) has published a public announcement regarding the rules to be followed in terms of content and format for standard contracts, which are...
The Personal Data Protection Authority (Authority) has published the Public Announcement on the Fulfillment of the Obligation of Information within the Scope of Mediation Activities (Announcement)...
The Banking Sector Best Practices Guide on Personal Data Protection (Guide), prepared in collaboration with the Personal Data Protection Authority (Authority) and the Banks Association of Turkey, has been updated. The Guide has been aligned with the amendments made to the Code of Criminal Procedure...
The Personal Data Protection Authority (Authority) published the Guide on Cross-Border Transfer of Personal Data (Guide) prepared by the Authority, on 2 January 2025. The Guide details the implementation principles and procedural requirements introduced by the comprehensive amendments to Article 9 of...
The Personal Data Protection Authority (Authority) has published the Information Note (Information Note) on the Application of Misdemeanors in Terms of Time Under the Amendments to the Personal Data Protection Law No. 6698 (KVKK) dated 2 March 2024...
On 08.11.2024, the Personal Data Protection Authority published an Information Note on Chatbots (Example: Chatgpt) (Information Note). According to the Information Note, a chatbot is software that attempts to simulate human conversation with the end-user through an interface, performing tasks and instructions...
By Article 9 of the Law No. 6698 on the Protection of Personal Data (the "Law"), titled "Transfer of Personal Data Abroad," significant amendments have been made by the Law on Amendments to the Criminal Procedure Code No. 7499 and Certain Other Laws. Within the scope of these amendments, "standard...
On 26.08.2024, the Personal Data Protection Authority published a Public Announcement on “Personal Data Processing Activities of Research Companies Using ‘Random Number Dialing and Telephone Interview Method’ for Statistical Research”...
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (Regulation) entered into force through publication in the Official Gazette dated 10.07.2024 and numbered 32598. Important regulations are as follows...
On 17.05.2024, the Turkish Personal Data Protection Authority (Authority) released the draft documents concerning standard contracts and binding corporate rules, which are stipulated as appropriate safeguards for cross-border transfer under the amendments to the Law No. 6698 on the Protection of Personal Data...
On 09.05.2024, the Turkish Personal Data Protection Authority (Authority) published the Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (Draft) and opened the Draft for public opinion and assessment. In this context, opinions and suggestions regarding the...
On 18.04.2024, it was announced that a cooperation protocol (Protocol) was signed between the Turkish Personal Data Protection Authority and the Personal Data Protection Board of the Turkish Republic of Northern Cyprus...
The Law on Amendments to the Code of Criminal Procedure and Certain Acts numbered 7499 (Law), including Amendments to the Law on Personal Data Protection numbered 6698 (LPDP) was published in the Official Gazette dated 12.03.2024 and numbered 32487...
On 16.02.2024, the Justice Committee of the Turkish Grand National Assembly (TBMM) received the bill (Bill) on the long-awaited amendment to the Law on Personal Data Protection No. 6698 (LPDP). It can be said that the Bill, which introduces regulations similar to the European Union General Data Protection...
On 12.02.2024, the Information Note on Processing of Personal Data on the Legal Ground of Being Stipulated by Laws (Information Note) was published. The Information Note aims to clarify the scope and meaning of the personal data processing legal ground of “being expressly stipulated by law” in Article 5/2(a) of...
On 24.01.2024, the Personal Data Protection Authority published the Guidelines on the Protection of Personal Data in Election Activities (Guidelines). The Guidelines aim to remind public administrations, political parties, candidates, and voters involved in election activities of their obligations or rights under...
On 19.01.2024, the Personal Data Protection Authority published the Deepfake Information Note (Information Note). The purpose of the Information Note is to provide a better understanding of what Deepfake technology is, which is formed from the words deep learning and fake. The key points in the Information Note...
On 16.01.2024, the Personal Data Protection Authority published Guidelines on the Processing of Republic of Türkiye Identity Numbers (Guidelines). The purpose of the Guidelines are to provide guidance to data controllers by setting out the provisions of the legislation envisaging the processing of Turkish...
The Decision of the Personal Data Protection Board Regarding the Exemption of Village Legal Entities from the Registration Obligation in the Data Controllers Registry, dated 14/12/2023 and numbered 2023/2135 (Decision) is published in the Official Gazette dated 12.01.2024 and numbered 32427...
The Personal Data Protection Authority has published a public announcement dated 13.11.2023 regarding the personal data processed in order to send a verification code via SMS to the data subjects during the transactions at the cash register following shopping. You may find a brief explanation of the...
With the decision of the Personal Data Protection Board (Board) dated 06.07.2023 and numbered 2023/1154, the “annual financial balance sheet total” adopted by the Board as an exception criteria to the obligation to register to the Data Controllers’ Registry has been increased from 25 million Turkish Liras to...
The decision by the Irish Data Protection Authority (Authority) dated 12.05.2023 on Meta Platforms Ireland Limited (Meta Ireland) (Decision) has been announced on 22.05.2023. Pursuant to the Decision, an administrative fine of 1.200.000.000 Euros was imposed on Meta Ireland...
The Regulation on the Collection, Storage and Sharing of Insurance Data (Regulation) entered into force through publication in the Official Gazette dated 18.10.2022 and numbered 31987. Some of the important provisions introduced by the Regulation are summarized...
On 05.08.2022, the Personal Data Protection Authority (“Authority”), published Guideline on Banking Sector Good Practices Regarding the Personal Data Protection (“Guideline”). The purpose of the Guideline is guiding data controller banks regarding the personal data processing activities carried out...
On 14.07.2022, the European Parliament Research Service published a briefing (“Briefing”) for the impact assessment (“IA”) of the regulation of the European Parliament and the European Council on harmonised rules on fair access to and use of data (“Data Act”), submitted on 23.02.2022...
The Regulation on Processing of Land Registry and Cadastre Data and Transactions Held in Electronic Environment regulating the procedure and principles regarding the process of the data in the Central Database of the General Directorate of Land Registry and the transactions held in electronic...
The Regulation on Process and Protection of Personal Data by the Social Security Institution (“Regulation”) entered into force through its publication in the Official Gazette dated 19.02.2022 and numbered 31755.
Regulation on Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector was Published
The Personal Data Protection Board Ex-Officio Initiated An Investigation against WhatsApp
The Personal Data Protection Authority’s New Resolution
The Board’s Decision Regarding Registration Obligation of Commercial Enterprises Affiliated to Associations, Foundations and Unions to the VERBIS has been Published
The Personal Data Protection Board Announced Its Decision Regarding the WhatsApp Investigation Initiated Ex-Officio