What Has Changed in the Personal Data Protection Law Numbered 6698?

31.05.2024 Defne Pırıldar

Introduction

Personal Data Protection Law numbered 6698 (“PDPL”) was first drafted based on Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and entered into force in 2016. That directive, however, was repealed by the General Data Protection Regulation (“GDPR”), and legislative amendments to ensure PDPL – GDPR compliance had been long awaited. Certain amendments were finally stipulated under the Law numbered 7499 on the Amendment to the Code of Criminal Procedure and Certain Laws (“Law”), also known as the 8th Judicial Package, which was published in the Official Gazette dated 12.03.2024. The relevant articles amending the PDPL entered into force on 01.06.2024, and at the same time, a transition period was introduced for data transfers abroad. Accordingly, explicit consents obtained for data transfers abroad will be deemed valid until 01.09.2024.

Article 6 (Processing special categories of personal data)

Within the scope of the amendments to Article 6, while the definition of special categories of personal data is preserved, the conditions for processing are reformulated in detail; new and alternative legal grounds have been introduced. Prior to the amendment, it was prohibited to process special categories of personal data without the explicit consent of the data subject. However, (i) special categories of personal data, excluding personal data relating to health and sexual life, could be processed without explicit consent if explicitly stipulated by law; (ii) personal data relating to health and sexual life could be processed without explicit consent by persons or authorized institutions and organizations under the obligation of confidentiality to protect public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. 

The third paragraph of the amended article, on the other hand, prohibits the processing of special categories of personal data and stipulates the legal grounds for processing in detail:

  • Explicit consent of the data subject, 
  • Processing is expressly stipulated by law,
  • Processing is necessary for the protection of life or physical integrity of the data subject or someone else, in case the data subject is unable to disclose her consent due to actual impossibility or her consent is not legally valid,
  • Processing of personal data made public, provided that processing is in accordance with the intention of the data subject,
  • Processing is necessary for the establishment, exercise, or protection of a right,
  • Processing by persons or authorized institutions and organizations under the obligation of confidentiality,
  • Processing is necessary for the fulfillment of legal obligations for employment, occupational health and safety, social security, social services, and social assistance,
  • Processing by foundations, associations and other non-profit organizations or entities established for political, philosophical, religious, or trade union purposes, in accordance with the applicable legislation and their purposes, and limited to their fields of activity.

The amendments appear to take into consideration the problems experienced in the implementation of Article 6 and the needs that have arisen, with a specific focus on employers. For example, before the amendment, employers could only process personal data relating to the health and sexual life of their employees with explicit consent, even when doing so to fulfill their legal obligations. Following the amendment, employers are allowed to process personal data relating to the health and sexual life of their employees without explicit consent where this is mandatory for fulfilling their legal obligations on issues such as employment and social security. In an example provided in the preamble of the Law, employers are allowed to process reports and documents relating to employees in order to fulfill their obligation to employ persons with disability.

Article 9 (Transferring data abroad)

In brief, before the amendment, personal data could be transferred abroad (i) with the explicit consent of the data subject; or (ii) with the existence of one of the legal grounds under Articles 5 and 6 of the PDPL and the decision of the Personal Data Protection Board (“Board”) that there is adequate protection in the country of transfer; or (iii) in the absence of adequate protection, with the existence of one of the legal grounds under Articles 5 and 6 of the PDPL, an undertaking for adequate protection by the data controllers in Türkiye and the country of transfer and the Board’s permission. 

However, there has been no country for which the Board issued an adequacy decision. Since the effective date of the PDPL, there have been very few successful undertaking applications. According to the 2023 Activity Report published by the Personal Data Protection Authority (“Authority”), 81 undertakings were submitted and only 7 were successful in 2023. Because the other mechanisms stipulated under the PDPL were not applicable in practice, data controllers by necessity relied heavily on explicit consent when transferring data abroad. As emphasized in the preamble of the amending law, before the amendment it was almost impossible to legally use popular cloud-based software and applications, most of whose servers are located abroad, and this prevented investments from being made in Türkiye.

The mechanisms for transfer abroad stipulated under the new Article 9 can be handled in three groups:

Data transfer abroad as per adequacy decision

Under the new regulation, personal data may be transferred abroad by data controllers and data processors if (i) one of the legal grounds under Articles 5 and 6 of the PDPL exists and (ii) there is an adequacy decision on the country, sectors or international organizations within the country to which the transfer will be made. The adequacy decision is adopted by the Board and evaluated every four years at the latest. As stated in the preamble of the Law, if no evaluation is made within the period determined, the adequacy decision remains valid. Within the scope of the amended article, the issues to be taken into consideration by the Board when adopting an adequacy decision have also been reformulated.

A noteworthy amendment is that, under the amended article, the Board may issue an adequacy decision not only on the countries to which data will be transferred but also on international organizations or sectors within a country.

Data transfer abroad with appropriate safeguards

In the absence of an adequacy decision, data may be transferred abroad by data controllers and data processors, provided that (i) one of the legal grounds within the scope of Articles 5 and 6 of the PDPL is applicable, (ii) the data subject has the opportunity to exercise her rights and to apply for effective remedies in the country of transfer, and (iii) one of the appropriate safeguards listed below is applied by the parties:

  • Execution of agreements, not in the nature of an international agreement, between public institutions and organizations or international organizations abroad, and public institutions and organizations or professional organizations having the status of a public institution in Türkiye, and permission by the Board;
  • Execution of binding corporate rules by the companies within a group of undertakings engaged in joint economic activities which are to be approved by the Board;
  • Execution of the standard contract announced by the Board;
  • A written undertaking for adequate protection and permission by the Board.

Standard contracts shall be notified to the Authority by the data controller or data processor within five business days from the date of signature. It has therefore become possible for data controllers or data processors to transfer data abroad upon execution and notification of standard contracts, without the Board’s permission.

Incidental data transfers abroad

Where there is no adequacy decision and none of the appropriate safeguards listed above can be provided, data controllers and data processors may transfer personal data abroad, provided that the transfer is incidental and one of the following situations exists:

  • Explicit consent of the data subject provided that the data subject is informed about the potential risks,
  • The transfer is necessary for the performance of the contract between the data subject and the data controller or for pre-contractual measures taken following the request of the data subject;
  • The transfer is necessary for the establishment or performance of the contract between the data controller and the third party to the benefit of the data subject;
  • The transfer is necessary for the overriding public interest;
  • The transfer is necessary for the establishment, exercise or protection of a right;
  • The transfer is necessary for the protection of the life or physical integrity of the data subject or another person who cannot disclose her consent due to an actual impossibility or whose consent is not legally valid,
  • The transfer from a registry open to the public or to persons with legitimate interests, provided that the conditions required to access the registry as per the relevant legislation are met and the person with a legitimate interest requests it.

It should be emphasized that the above-mentioned methods are applicable to one-time transfers or transfers occurring a number of times that are not continuous. The preamble of the Law provides an example of an incidental transfer: a company in Türkiye shares with a company abroad information about its employees who will be in contact with that company for a commercial activity to be carried out incidentally.

Another important amendment is that the safeguards under the PDPL will also be ensured for subsequent transfers of personal data that has been transferred abroad, and Article 9 will be applicable to such transfers.

Article 18 (Misdemeanors)

With the amendments to Article 9, certain obligations have been stipulated for data processors in addition to data controllers. In line with this development, Article 18 has been amended to stipulate that those who fail to comply with the notification obligation regarding standard contracts will be subject to administrative fines. These fines may be imposed on the data controller or data processors.

Finally, prior to the amendment, disputes regarding administrative fines imposed by the Board were brought before the criminal courts of peace. The existing remedy was frequently criticized for not providing effective protection. Considering the nature of the decisions adopted by the Board regarding administrative sanctions, it has been explicitly regulated that administrative fines imposed by the Board may be challenged before administrative courts. 

Conclusion 

As a result, fundamental changes have been made in terms of processing special categories of personal data and data transfers abroad under the PDPL. These amendments, as introduced in general terms, may be considered to be the first step towards full compliance with the GDPR. In particular, new mechanisms have been introduced for data transfers abroad to ease the process and meet the needs. On the other hand, the mechanisms to be adopted for transfers abroad will be better understood once the secondary regulations are published. In this context, the announcement regarding the Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad was published on the Authority’s website on 09.05.2024 and the draft was opened for public opinion. In addition, the draft documents concerning standard contracts and binding corporate rules, which are envisaged as appropriate safeguards for data transfers abroad, were published on the Authority’s website on 17.05.2024 and were opened for public opinion.

References
  • The Official Gazette dated 12.03.2024 and numbered 32487.
  • Preamble of the Law Amending the Code of Criminal Procedure and Certain Laws, Article 33.
  • Personal Data Protection Authority, the 2023 Activity Report, 2023, Ankara, (https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/1ee4f609-711f-4a85-aefc-69181bbcdf3a.pdf).
  • Preamble, Article 34.
  • Preamble, Article 34.
  • Preamble, Article 34.
  • Preamble, Article 35. 
  • For the said announcement (in Turkish), please see https://www.kvkk.gov.tr/Icerik/7906/Kisisel-Verilerin-Yurt-Disina-Aktarilmasina-Iliskin-Usul-ve-Esaslar-Hakkinda-Yonetmelik-Taslagi-Hakkinda-Kamuoyu-Duyurusu.
  • For the said announcement (in Turkish), please see https://www.kvkk.gov.tr/Icerik/7909/Standart-Sozlesme-ve-Baglayici-Sirket-Kurallarina-Iliskin-Taslak-Dokumanlar-Hakkinda-Kamuoyu-Duyurusu.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
