Amendments to the PDP Law with The 8th Judicial Package
The Law No. 7499 on Amendments to the Code of Criminal Procedure and Various Laws ("Law No. 7499"), known in the public as the "8th Judicial Package", is published in the Official Gazette on March 12, 2024.
With the Law No. 7499, significant amendments were made to Law No. 6698 on the Protection of Personal Data ("PDP Law").
Law No. 7499, which ws published in the Official Gazette on March 12, 2024, introduced significant amendments to the PDP Law. As detailed below, the amendments will enter into force on June 1, 2024.
The amendments aim to harmonize the PDP Law with the European Union General Data Protection Regulation ("GDPR") and are mainly related to the (i) processing of sensitive personal data, (ii) transfer of personal data abroad, and (iii) sanctions to be applied in case of breach of the obligations set out in the PDP Law.
Processing of Sensitive Personal Data
The amendments expand the conditions for processing sensitive personal data without the explicit consent of the data subject. Pursuant to the PDP Law in force, sensitive personal data, other than personal data relating to health and sexual life, can only be processed (i) with the explicit consent of the data subject or (ii) without the explicit consent of the data subject in cases stipulated by law. Sensitive personal data relating to health and sexual life can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, providing services related to preventive medicine, medical diagnosis, treatment and care, planning and management of health services and their financing, without obtaining the explicit consent of the data subject.
With the amendment made under the Law No. 7499, the regime of strictly protecting personal data on health and sexual life compared to other sensitive personal data is abandoned and the circumstances in which sensitive personal data can be processed without the explicit consent of the data subject is expanded. Accordingly, it became possible to process personal data on health and sexual life, with any of the purposes regulated under the PDP Law, as same as the other sensitive personal data. With the entry into force of the Law No. 7499, sensitive personal data can be processed if it is;
a) explicitly stipulated in the law,
b) mandatory for the protection of the life or physical integrity of the persons who are unable to disclose their consent due to actual impossibility or whose consent is not legally valid,
c) related to the personal data made public by the data subject provided that it is compliant with the intention of the data subject related to the publication,
d) mandatory for the establishment, exercise, or protection of a right,
e) necessary for the protection of public health, providing services related to preventive medicine, medical diagnosis, treatment and care, and the planning, management, and financing of health services by persons or authorized institutions and organizations under the obligation of confidentiality,
f) mandatory for the fulfillment of legal obligations in the areas of employment, occupational health and safety, social security, social services, and social assistance,
g) related to the current or former members of foundations, associations, and other non-profit organizations or formations established for political, philosophical, religious, or trade union purposes, or persons who are in regular contact with such entities, provided that the processing is compliant with the legislation applicable to such entities and its purpose, limited with the fields of activity of such entities and not disclosed to third parties,
without the explicit consent of the data subject.
Transfer of Personal Data Abroad
Pursuant to the PDP Law in force, personal data may be transferred abroad (i) with the explicit consent of the data subject or (ii) in the presence of the conditions stipulated in the PDP Law, without obtaining the explicit consent of the data subject provided that (a) there is adequate protection in the foreign country to which the personal data will be transferred or, in the absence of adequate protection, if the data controllers in Türkiye and the relevant foreign country undertake in writing an adequate protection and (b) the Personal Data Protection Board ("Board") provides its consent. It is also regulated by the PDP Law in force that the Board will determine and announce the countries with adequate protection. However, since the date of entry into force of the PDP Law, the Board has not determined the countries with adequate protection, therefore, the data controllers are forced to transfer data abroad based on explicit consent.
With the amendments introduced by the Law No. 7499, a to abandon an explicit consent-centered approach in the regime of transferring personal data abroad. With the amendments, personal data can be transferred abroad without the explicit consent of the data subject;
- with the qualification decision of the Board on the transferred country, sectors, or international organizations within such country,
- in the absence of a qualification decision;
- by executing the standard contracts announced by the Board; or
- by having a binding corporate policy approved by the Board containing provisions on the protection of personal data with respect to transfer within group companies; or
- with the existence of a written undertaking containing provisions to ensure adequate protection and consent of the Board to such transfer,
- in the absence of an adequacy decision and any of the appropriate safeguards provided by law, on a temporarybasis[1];
- with the explicit consent of the data subject; or
- in the presence of other transfer conditions listed in paragraph 6 of Article 9 of the PDP Law amended by Law No. 7499, e.g. the transfer i mandatory for the establishment or performance of a contract, for the superior public interest, for the establishment, use, or protection of a right.
With the new regulation, data transfers abroad cannot be made on a continuous basis in the absence of a qualification decision to be issued by the Board and the assurances such as a standard contract, binding company policies or a written undertaking to be approved by the Board. Additionally, it is no longer possible for data controllers to transfer personal data abroad with the explicit consent of the data subject, which is the current market practice, and data can only be transferred abroad temporarily with explicit consent.
The new regulation envisages a two-stage transition period for data transfers. Accordingly, the first paragraph of Article 9 of the PDP Law in force, which enables data transfer abroad based on explicit consent, will continue to apply until September 1, 2024. However, after September 1, 2024, it will not be possible to permanently transfer personal data abroad based on explicit consent.
Other provisions of the Law No. 7499 related to the PDP Law will enter into force on June 1, 2024. Once the legalization process is completed, data controllers and processors must review their existing data protection compliance policies and establish new compliance policies in accordance with the new regulations until the above-mentioned periods.
Misdemeanors
With the amendments introduced by the Law No. 7499, standard contracts signed for the purpose of data transfer abroad must be notified to the Board within 5 business days following the date of signing, and if this notification is not made, an administrative fine of 50,000 Turkish Liras to 1,000,000 Turkish Liras may be imposed on the data controller or data processor.
In addition, the new regulation assigns administrative courts with jurisdiction over administrative fines imposed by the Board.
Zeynep Tezcan | Partner Melih Kara | Associate
zeynep.tezcan@tuncfiratdereli.com melih.kara@tuncfiratdereli.com
[1] The temporary data transfer activity should not be understood as the retention period of the transferred data, but as the continuity of the data transfer and whether the data transfer activity is repeated or not.