Amendments in the Law on Protection of Personal Data

Changes to the Law on Protection of Personal Data (“LPPD”) has been accepted by the Turkish Grand National Assembly on 2 March 2024, which was published in the Official Gazette on 12 March 2024. The amendments will come into force as of 1 June 2024.
Two matters – mainly, processing of special categories of personal data (or sensitive data) and cross-border data transfers – that have been regarded as obstacles as of the enactment of the LPPD are addressed – because the GDPR was enacted after the entry into force of the LPPD.

1- The sensitive data is defined as data related to racial or ethnic origin, political opinions, religious or philosophical beliefs or other beliefs, dress, membership of association, foundation and trade union, health, sexual life, criminal custody and security measures and genetic and biometric data.
In terms of processing sensitive data, the definition remains the same, but the processing conditions are re-designated in line with the structure in the GDPR. At the current stage (until 01.06.2024), it is in principle prohibited to process sensitive data without explicit consent.

To process without explicit consent, there is a differentiation between data re. health and sexual life and other sensitive data – which will be removed with the entry into force of the amended LPPD. While it is possible to process other sensitive data in the situations where the law allows; processing of data re. health and sexual life is rather restricted. Currently, personal data re. health and sexual life may only be processed without the explicit consent by persons who are under the obligation of confidentiality or authorised institutions and organisations only for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. The amended LPPD in principle prohibits the processing of sensitive data, then sets the following processing conditions in limited numbers and scope:

  • Explicit consent;
  • Processing is allowed with the law;
  • Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • Processing relates to personal data which are made public by the data subject;
  • Processing is necessary for the establishment, exercise or defence of a right;
  • Processing is necessary for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services conducted by people who are under confidentiality obligation or authorized persons or institutions;
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
  • Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

2- The second matter is cross-border data transfers – considering its importance especially in the use of cloud systems / applications whose servers are located abroad as such is deemed as a transfer of personal data. In the absence of an adequacy decision, transfers have been heavliy based on the explicit consent considering the rejections of the undertaking applications by the Turkish DPA as well. Transfers on the grounds of explicit consent is aimed to be reduced son that with the amendment the following gradual structure (ie adequacy decision, if not, appropriate safeguards, if not, derogations) is planned to be established – structure similar to the GDPR. Bearing in mind that the GDPR includes more detailed arrangements regarding transfers, secondary legislation in Türkiye will assumably come into force to place detailed arrangements, as the amendment also states that this matter shall be covered by a regulation.

Option 1 – Transfers on the basis of an adequacy decision:
A transfer of personal data to a third country or an international organisation may take place where the Turkish DPA has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. The criteria to be considered when assessing the level of protection is also envisaged with the amendment (such as reciprocity situation between the country to which data is transferred, provisions which are applicable in the country to which data is transferred, the provisions that the international organization is subject to, the existence and effective functioning of data protection authority and administrative and judiciary remedies the international commitments the third country / international organisation concerned has entered into, participation in multilateral or regional systems etc.)

Option 2: Appropriate Safeguards in the absence of adequacy decision:
With the entry into force of the LPPD on 1 June 2024, it will be possible to transfer data if the following appropriate safeguards exist in the absence of an adequacy decision, provided that the conditions set out in articles 5 and 6, data subjecthas the possibility to use its rights and effective legal remedies within the country to which the data is transferred:

  • A legally binding and enforceable instrument between public authorities or bodies of abroad and of Türkiye;
  • Binding corporate rules including the provisions on the protection of personal data, which the companies within the group of undertakings engaged in joint economic activities are obliged to comply with, and which are approved by the Turkish DPA;
  • Standard data protection clauses adopted by the Turkish DPA
  • A written undertaking with provisions to ensure adequate protection and authorisation of the transfer by the Turkish DPA.

In line with the GDPR, the amendment also includes derogations for specific limited cases. Accordingly, in the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

  • Explicit consent after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • For the performance of a contract or the implementation of pre-contractual measures taken at the data subject’s request;
  • For the conclusion or performance of a contract concluded in the interest of the data subject;
  • For important reasons of public interest;
  • For the establishment, exercise or defence of legal claims;
  • For the protection of the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • The transfer is made from a register to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.

Other Considerations:

  • The safeguards set forth in the amendment shall also be provided by the data controller and data processors for the subsequent transfers of personal data transferred abroad and transfers to international organisations and the provisions of this Article shall apply.
  • Without prejudice to the provisions of international agreements, personal data may be transferred abroad in cases where the interests of Türkiye or the data subject would be seriously harmed, only with the permission of the Turkish DPA by obtaining the opinion of the relevant public institution or organisation, if the amendment is enacted.
  • Apart from the above mentioned issues addressed with the amendment in the LPPD; it is also envisaged that TRY 50.000 to TRY 1.000.000 for those who fail to notify the Turkish DPA regarding the signature of standard clauses within 5 days.
  • With the entry into force of the amended LPPD on 01.06.2024, it will be possible to sue administrative fines before administrative courts instead of criminal judgeships of peace. On the same date, pending cases are continued to be seen before the criminal judgeships of peace.
  • Finally, the former version of the first paragraph of Article 9 shall continue to apply until 01.09.2024 with the amended version of the Article that entered into force – so that it will be possible to transfer data abroad on the explicit consent ground by 1 September 2024 – to facilitate the transition period. From then on, explicit consent will be a basis only as a derogation which can only be used if there is no adequacy decision or appropriate safeguards.
  • Considering that the LPPD has been adopted in March 2024, the legislator has granted a three-month compliance period for the harmonisation process – other than the period granted with the provisional article for explicit consent in the cross border data transfers. Until the entry into force, required steps should be taken to ensure compliance with the amended LPPD to avoid any inconveniences, considering how fundamental the changes are.

Best regards,