
Amendments to Turkish Personal Data Protection Law

There are notable developments in data protection in Türkiye: the bill featuring key amendments to the Personal Data Protection Law has been given the green light in the Turkish Grand National Assembly. Pending the President's approval, the changes are set to take effect upon publication in the Official Gazette.

05.03.2024


 You can find the unofficial translation of the amendments below.

 

Conditions for processing of special categories of personal data 

ARTICLE 6 - (1) Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership of associations, foundations or trade unions, data concerning health, sexual life, criminal convictions and security measures, and biometric and genetic data are deemed to be special categories of personal data.

(2) It is prohibited to process special categories of personal data without the explicit consent of the data subject.

(3) Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

Processing of special categories of personal data is prohibited. However, such data may be processed only in cases where:

a) Explicit consent of the data subject is obtained,

b) It is expressly provided for by the laws,

c) It is necessary for the protection of the life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,

ç) It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public,

d) It is necessary for the establishment, exercise or protection of any right,

e) It is necessary for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing, by the persons subject to secrecy obligation or competent public institutions and organizations.

f) It is necessary for the fulfillment of legal obligations in employment, occupational health and safety, social security, social services and social assistance,

g) It is in compliance with applicable legislation and the objectives of foundations, associations, and other non-profit organizations or entities established for political, philosophical, religious, or trade union purposes, is limited to their fields of activity, and is not disclosed to third parties; provided that it is intended for their current or former members and members or persons who are in regular contact with these organizations and entities.

(4) Adequate measures determined by the Board shall also be taken while processing the special categories of personal data.

Transfer of personal data abroad

ARTICLE 9- (1) Personal data shall not be transferred abroad without explicit consent of the data subject.

(2) Personal data may be transferred abroad without explicit consent of the data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;

a)  Adequate protection is provided.

b)  Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Türkiye and in the relevant foreign country and authorisation of the Board.

(3)  The Board determines and announces the countries with adequate protection.

(4) The Board shall decide whether there is adequate protection in the foreign country and whether such transfer is permitted under the sub-paragraph (b) of the second paragraph by evaluating the following and by receiving the opinions of relevant institutions and organizations, where necessary:

a) the international conventions to which Türkiye is a party,

b) the state of reciprocity relating to data transfer between the requesting country and Türkiye,

c) the nature of the data, the purpose, and duration of processing regarding each concrete, individual case of data transfer,

ç) the relevant legislation and its implementation in the country to which the personal data are to be transferred,

d) the measures committed by the data controller in the country to which the personal data are to be transferred,

(5) Without prejudice to the provisions of international agreements, in cases where the interest of Türkiye or the data subject will seriously get harmed, personal data may only be transferred abroad upon the authorization given by the Board after receiving the opinions of the relevant public institutions and organizations.

(6) The provisions of other laws relating to the transfer of personal data abroad are reserved.

(1) Personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 exists and there is an adequacy decision about the country, international organization, or sectors within the country where the transfer will be made.

(2) The adequacy decision shall be made by the Board and published in the Official Gazette. If necessary, the Board shall seek the opinion of the relevant institutions and organizations. The adequacy decision shall be evaluated every four years at the latest. As a result of the evaluation or in other cases deemed necessary, the Board may amend, suspend, or revoke the adequacy decision with future effect.

(3) When making an adequacy decision, the following points are primarily taken into consideration:

a) The reciprocity status regarding the transfer of personal data between Türkiye and the country, sectors within the country, or international organizations to which personal data will be transferred.

b) The relevant legislation and practice of the country to which the personal data will be transferred and the rules governing the international organization to which the personal data will be transferred.

c) The existence of an independent and effective data protection authority in the country or international organization to which the personal data will be transferred and the existence of administrative and judicial remedies.

ç) The status of the country or international organization to which personal data will be transferred as a party to international conventions on the protection of personal data or as a member of international organizations.

d) The membership status of the country or international organization to which personal data will be transferred to global or regional organizations of which Türkiye is a member.

e) International conventions to which Türkiye is a party.

(4) In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if one of the following appropriate safeguards is provided by the parties, provided that one of the conditions specified in Articles 5 and 6 exists, the data subject has the opportunity to exercise his rights and to apply for effective legal remedies in the country where the transfer will be made:

a) Existence of an agreement that is not in the nature of an international treaty between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations in the nature of a public institution in Türkiye and the Board's authorization of the transfer

b) Existence of binding corporate rules approved by the Board, containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with.

c) Existence of a standard contract announced by the Board, including data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data.

ç) Existence of a written undertaking containing provisions to ensure adequate protection and authorization of the transfer by the Board.

(5) The standard contract shall be notified to the Authority by the data controller or data processor within five business days of its signature.

(6) Data controllers and data processors may transfer personal data abroad only in the presence of one of the following cases, provided that it is incidental, in the absence of an adequacy decision, and in the absence of any of the appropriate safeguards provided for in the fourth paragraph:

a) The data subject's explicit consent to the transfer, provided that he/she is informed about the possible risks.

b) The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.

c) The transfer is mandatory for the establishment or performance of a contract between the data controller and another real or legal person for the benefit of the data subject.

ç) The transfer is necessary for an overriding public interest.

d) The transfer of personal data is mandatory for the establishment, exercise, or protection of a right.

e) The transfer of personal data is mandatory for the protection of the life or physical integrity of the person himself/herself or of any other person who is unable to explain his/her consent due to physical disability or whose consent is not deemed legally valid.

f) Transfer from a registry open to the public or persons with a legitimate interest, provided that the conditions for access to the registry are met in the relevant legislation and the person with a legitimate interest requests it.

(7) Subparagraphs (a), (b), and (c) of the sixth paragraph shall not apply to the activities of public institutions and organizations subject to public law.

(8) The safeguards set forth in this Law shall also be provided by the data controllers and data processors in respect of subsequent transfers of personal data transferred abroad and transfers to international organizations, and the provisions of this Article shall apply.

(9) Without prejudice to the provisions of international conventions, personal data may be transferred abroad only with the permission of the Board by obtaining the opinion of the relevant public institution or organization in cases where the interests of Türkiye or the data subject would be seriously damaged.

(10) The provisions of other laws regarding the transfer of personal data abroad are reserved.

(11) The procedures and principles regarding the implementation of this article shall be regulated by a by-law.

Misdemeanors

ARTICLE 18- (1) For the purposes of this Law;

a) Those who do not fulfill the obligation to inform provided for in Article 10 shall be required to pay an administrative fine of 5.000 to 100.000 TL,

b) Those who do not fulfill the obligations related to data security provided for in Article 12 shall be required to pay an administrative fine of 15.000 to 1.000.000 TL,

c) Those who do not fulfill the decisions issued by the Board pursuant to Article 15 shall be required to pay an administrative fine of 25.000 to 1.000.000 TL,

ç) Those who act contrary to the obligations for registry with the Data Controllers' Registry and for notification provided for in Article 16 shall be required to pay an administrative fine of 20.000 to 1.000.000 TL,

d) Those who do not fulfill the notification obligation provided for in the fifth paragraph of Article 9 shall be required to pay an administrative fine of 50.000 to 1.000.000 TL.

(2) The administrative fines provided for in this article shall apply to the natural persons and private law legal persons who are the data controllers.

(2) The administrative fines provided for in subparagraphs (a), (b), (c), and (ç) of the first paragraph shall be applied to the data controller, and the administrative fine provided for in subparagraph (d) shall be applied to the data controller or natural persons and private law legal persons who process data.

(3) Administrative fines imposed by the Board may be challenged before administrative courts.

(3) (4) In the event that the actions listed in the first paragraph are committed within public institutions and organizations as well as public professional organizations, the disciplinary provisions shall be applied to the civil servants and other public officers employed in the relevant public institutions and organizations and to those employed in public professional organizations upon the notice of the Board, and the result shall be reported to the Board.

 

PROVISIONAL ARTICLE 3 - (1) The first paragraph of Article 9 before it was amended by the Law enacting this Article shall continue to be applied until 1/9/2024 with the amended version of the Article entering into force.

(2) Applications pending before criminal judgeships of peace as of 1/6/2024 shall continue to be heard by these judgeships.