The Law on the Amendment of the Code of Criminal Procedure and Certain Laws (“Law“), published in Official Gazette dated 12 March 2024 and numbered 32487, important amendments have been made to the Law on the Protection of Personal Data No. 6698 (“KVKK“), especially the conditions for the transfer of data abroad, the existence of the adequacy decision of the Personal Data Protection Board (“Board“) and the conditions for the processing of special categories of personal data.

Notable line headings in the Law are as follows:

  • With the amendment made to Article 6 of the KVKK titled “Conditions for the processing of special categories of personal data”, the conditions for the processing of special categories of personal data have been expanded. Special categories of personal data may be processed if the data subject has explicit consent, if such processing is expressly provided for by law, if it is necessary for the life or bodily integrity of the person, if there is publicized data or there is a will to make it public, if it is necessary for the establishment or protection of rights, if it is necessary for legal obligations in the fields of public health or social security, if non-proift organizations operate in accordance with the law and limited to its fields of activity, not disclosed to third parties, special categories of personal data may be processed.
  • With the amendment made by the Law to Article 9 of the KVKK titled “Transfer of personal data abroad”, the principle of prior explicit consent has been abolished in the transfer of personal data abroad.
  • With the amendment, new conditions have been introduced for all transfers to be made by data controllers and data processors.
  • It is regulated that data controllers and data processors must first transfer personal data abroad in accordance with the general rules, and in such cases where this is not possible, incidental data transfer must be made.
  • In addition, the new regulation introduces the possibility to issue adequacy decisions on foreign countries and sectors or international organizations within countries.
  • While making the adequacy decision, the following issues are taken into consideration the reciprocity status between Turkey and the country to which the personal data will be transferred, the legislation and practice of the country to which the personal data will be transferred and the rules of the international organization, the existence of an independent and effective data protection institution and administrative and judicial remedies in the country or international organization to which the personal data will be transferred, whether the country or international organization to which the personal data will be transferred is a party to international conventions or a member of international organizations, whether the country or international organization to which the personal data will be transferred is a member of global or regional organizations to which Turkey is a member, and international conventions to which Turkey is a party.
  • In cases where there is an adequacy decision of the Board or there are effective legal remedies where the data subject can exercise his/her rights, one of the specified conditions must be met, as follows: the existence of an agreement in the form of an international contract authorized by the Board, the existence of binding company rules approved by the Board, the requirement of notification of the conclusion of the standard contract announced by the Board and the imposition of an administrative fine in case of failure to notify, a written undertaking containing provisions to provide adequate protection and the Board’s authorization of the transfer.
  • In the event that the contract is not notified to the Personal Data Protection Authority, an administrative fine of 50,000 Turkish Liras to 1,000,000 Turkish Liras will be imposed on the data controller and data processors who do not fulfill the notification obligation.
  • Therefore, while the current regulation regulates the data controller as the main responsible party for the transfer of personal data abroad, the new regulation also imposes direct responsibility on data processors.
  • In addition, under the current regulation, administrative fines are appealed to magistrates’ court, whereas under the new regulation, administrative fines will henceforth be appealed to administrative courts.
  • In the absence of an adequacy decision and failure to provide any of the adequate measures, the transfer of personal data abroad has been made possible, on the condition that it is incidental. If the data subject gives explicit consent by being informed about the possible risks, if data transfer is required for the performance of a contract between the data controller and the data subject or for the implementation of measures taken upon the request of the data subject, if the transfer is mandatory for the establishment or performance of a contract for the benefit of the data subject, if there is a superior public interest, If the transfer is necessary for the establishment, exercise or protection of a right, if the transfer of personal data is mandatory for the protection of the life or physical integrity of the person himself/herself or of another person, if information is requested from a registry open to the public or persons with legitimate interests, the transfer of personal data abroad has been made possible.
  • For transfers made after the transfer of personal data abroad, the obligation to provide the safeguards in the KVKK and to comply with the conditions for transfer abroad introduced by the new regulation has been introduced.
  • The amendments to the KVKK will enter into force on June 1, 2024. In this framework, the applications regarding administrative fines imposed by the Board will be finalized by the magistrates’ court as of June 1, 2024.

In addition, according to the current KVKK regulations, transfers abroad with the general explicit consent of the data subject can continue until September 1, 2024. However, as of September 1, 2024, the transfer of personal data abroad must be carried out in accordance with the principles specified in the new regulation.

The full text of the Law is available at this link. (Only available in Turkish).

Share:

Share on Linkedin Share on Twitter Share on Facebook Share in Email Share