The Law on Amending the Criminal Procedure Law and Some Other Laws no. 7499 is published in the Official Gazette on March 12, 2024 bringing significant changes to the Personal Data Protection Law no. 6698 (“KVKK”) regarding the processing conditions of sensitive personal data and data transfer abroad by taking into account the GDPR.

These changes are one of the steps taken to ensure compatibility between the KVKK and the GDPR especially regarding the transfer of personal data outside of Türkiye. The amendments relate to Articles 6, 9, and 18 of the KVKK.

Amendments to Article 6 of the KVKK

With the amendments made to Article 6 of the KVKK, the lawful grounds for the processing of sensitive personal data have been expanded.

Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature. According to the effective Article 6, personal data relating to health and sexual life can be processed without the explicit consent of the data subject if stipulated by the laws and personal data relating to health and sexual life can be processed without the explicit consent of the data subject only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons under the obligation of confidentiality or by authorized institutions and organizations.

With the amendments made, it will now be possible to process sensitive personal data based on one of the following lawful grounds:

Explicit consent of data subject,

It is explicitly stipulated by the laws,

It is mandatory for the protection of the life or physical integrity of the person or of another person who is unable to disclose consent due to actual impossibility or whose consent is deemed legally invalid,

It is related to the personal data made public by the data subject and in accordance with the will of the data subject to make it public,

It is mandatory for the establishment, exercise, or protection of a right,

It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation of confidentiality or authorized institutions and organizations,

It is mandatory for the fulfilment of legal obligations in the field of employment, occupational health and safety, social security or social services and social aid,

It is related to current or former members of foundations, associations and other non-profit organizations or formations or persons who are in regular contact with these organizations and formations established for political, philosophical, religious or trade union purposes, provided that they are in compliance with the legislation to which they are subject, limited to their fields of activity and not disclosed to third parties.

This amendment will enter into force on 1st June 2024.

What needs to be done by data controllers?

As per the Personal Data Protection Board (“Board”) decisions, in the presence of other lawful grounds, seeking explicit consent is deceptive and an abuse of right by the data controller.

Since it is now possible to process personal data for various lawful grounds other than explicit consent, data controllers should check whether the sensitive personal data they have processed so far based on explicit consent can be processed based on any other lawful grounds other than explicit consent. If the answer to such question is yes, then the data controller shall terminate the explicit consent effective as of 1st June 2024 and continue its processing activities based on other lawful grounds. Termination of explicit consent does not invalidate the data processing activities carried out up to that point.

Amendments to Article 9 of the KVKK

In the effective Article 9 of the KVKK, the transfer of personal data abroad is permitted if the following conditions exists:

Explicit consent, or

The presence of one of the lawful grounds specified in Articles 5/1 or 6/3 and the existence of an adequacy decision regarding the country where the transfer will be made, sectors within the country, or international organizations.

In the amended version of the article, the methods have been expanded, an alternative-based system for transferring data abroad has been introduced, and explicit consent is regulated as an exception.

Adequacy Decision

The amended provision expands the scope of the previous one in terms of adequacy decisions. With the amended provision, in addition to the entire foreign country, an adequacy decision can also be rendered regarding a sector or international organization within that country.

Adequacy decisions are rendered by the Board, published in the Official Gazette and evaluated at least once every four years.

When evaluating adequacy, the following non-exhaustive criteria are considered (other factors could be considered during evaluation based on the discretion of the Board):

The reciprocity status regarding the transfer of personal data between Türkiye and the country, sectors, or international organizations to which personal data will be transferred,

The relevant legislation and practice of the country to which the personal data will be transferred and the rules governing the international organization to which the personal data will be transferred,

The presence of an independent and effective data protection authority and administrative and judicial remedies in the country or international organization to which personal data will be transferred,

Whether the country or international organization to which personal data will be transferred is a party to international conventions or a member of international organizations on the protection of personal data,

Whether the country or international organization to which personal data will be transferred is a member of global or regional organizations of which Türkiye is a member,

International treaties to which Türkiye is a party.

Some of the listed criteria are already present in the current KVKK. However, the criteria introduced in the above subparagraphs (c), (d), and (e) as part of the amendment are quite important in demonstrating the aspects that Türkiye prioritizes in data transfer abroad.

Appropriate Safeguards

The amended regulation does not solely rely on obtaining an adequacy decision for data to be transferred abroad.

As a second option, in cases where no adequacy decision is granted, data controllers or data processors may transfer personal data abroad by providing appropriate safeguards, as long as one of the conditions specified in Articles 5 and 6 of the KVKK exists and the data subject in the destination country has the opportunity to exercise their rights and seek effective legal remedies.

In addition to the above, the parties shall provide one of the following appropriate safeguards:

The existence of a non-international treaty between foreign public institutions or international organizations and public institutions or public professional organizations in Türkiye, and approval granted by the Board,

Binding corporate rules,

Existence of standard contractual clauses,

Written commitments and approval granted by the Board.

With regard to safeguards based on standard contractual clauses, data controllers and data processors are obligated to notify the Board within five business days from the execution of the standard contractual clauses.

Derogations

Under the amendment, even if there is no adequacy decision regarding the transfer of personal data abroad and none of the appropriate safeguards mentioned above are provided, data controllers and processors are allowed to transfer personal data abroad in exceptional cases stated below, provided that it is occasional (not systematic, not continuous). Since the phrase “only if one of the following conditions exist” is included in the wording of the law, it is clear that this provision is limited to the listed ones. Therefore, when interpreting this provision, it is necessary to act in a manner that is suitable for the rights and interests of the data owner, by interpreting narrowly.

The situations for derogations are regulated in Article 9/6 as follows:

Explicit consent provided that data subjects are informed about possible risks.

The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject's request.

The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.

The transfer is mandatory for an overriding public interest.

The transfer is mandatory for the establishment, exercise, or protection of a right.

The transfer is mandatory for the protection of the life or physical integrity of the person or of another person who is unable to disclose consent due to actual impossibility or whose consent is deemed legally invalid,

Transfer from a publicly available register accessible to the public or to individuals with legitimate interests, provided that the conditions required by the relevant legislation for accessing the register are met, and upon request of the individual with legitimate interests.

Exceptional Transfers Based on Special Circumstances

With the amended regulation, it is possible to transfer personal data abroad in cases where Türkiye's or the data subject's interests could be seriously harmed. In order for this situation to occur, the opinion of the relevant public institution or organization must be obtained, and permission must be granted by the Board for the transfer.

The same provision includes the phrase "subject to international treaty provisions," indicating that transfers based on international treaties are also applicable.

Finally, transfers based on circumstances foreseen in other laws regarding the transfer of personal data abroad are also reserved.

What needs to be done by data controllers?

The amendment regarding Article 9 will enter into force on 1st September 2024. The data controllers will be able to transfer personal data abroad based on explicit consent until this date. After this date, if the transfer is not based on derogations, even with informing relevant data subjects about potential risks, the data controllers cannot rely on explicit consent.

Where an adequacy decision is not present, data controllers and data processors must adhere to the appropriate safeguards stated and outlined in the KVKK for transfers abroad. Derogations are to be used only in non-continuous and non-repetitive manner.

Data controllers and data processors shall familiarize themselves with the amendment and should prepare one of the appropriate safeguards until 1st September.

Amendments to Article 18 of the KVKK

Administrative fine ranging from 50,000 TRY to 1,000,000 TRY will be imposed on data controllers and data processors that fail to fulfil the inform the data subjects on the potential risks of transfer abroad.

Currently, court actions against the administrative fines imposed by the Board are filed to the criminal courts of peace. With the amendment, these court actions shall be filed before the administrative courts. The pending court actions before the criminal courts will continue to be heard by criminal courts and new court actions filed before the entry into force shall still be filed before the criminal courts.

This amendment will enter into force on 1st June 2024.

Conclusion

Aside from the advantage of ensuring compatibility with the GDPR, the amendments also clarify transfers abroad which had been the most problematic provision of the KVKK that brought many data controllers to a halt in their data processing activities. We hope the amendments will secure a safe processing environment for data subjects and legal certainty in implementation of these amendments for data controllers and data processors.