News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | The long-awaited amendments in Turkish data protection law Related reading: Comparing the role of the DPO under the GDPR and Turkish law

rss_feed

""

The Turkish data protection authority, Kişisel Verileri Koruma Kurumu, has proposed amendments to the most controversial provisions of the Law on Personal Data Protection numbered 6698. The provisions have been heavily criticized by academia and business circles due to their inapplicability and inadequacy to meet needs. The amendments were actually part of the Economic Reforms, and specific tasks were introduced under the Economic Reforms to comply with the EU General Data Protection Regulation.

The DPA submitted a proposal Aug. 10 to amend the LPDP relating to (i) Article 6 (processing special category of personal data) and (ii) Article 9 (cross border data transfers) of the LPDP.

Article 6 of the LPDP — Processing special categories of personal data

Article 6 of the LPDP regulates the processing of special categories of personal data. The personal data related to the data subject's race; ethnicity; political opinion; philosophical belief; religion; sect or other belief; clothing; memberships to associations, foundations or trade-unions; health; sexual life; convictions and security measures; and biometric and genetic data all fall within the definition of a special category of personal data.

Special categories of personal data can be processed upon obtaining the data subject's explicit consent if and when the provisions of laws require the processing (applicable to special categories of personal data other than health and sexual life data). For health and sexual life data, the legal ground is even more restricted. Health and sexual life data can only be processed without explicit consent to protect public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health care services, and financing by authorized entities or persons under secrecy obligation.

Such restricted application of the LPDP for processing special categories of personal data, particularly for health data, has caused difficulties in practice for data controllers processing health data in line with legal obligations to prevent risks, etc.

What does the proposal introduce?

The proposal removes the difference between sexual and health data from the other special categories of personal data sets and introduces additional legal grounds for processing. So when the LPDP refers to special categories of personal data, health data and sexual life data will not be treated differently.  

The proposal introduces a new set of legal grounds for the lawful processing of special categories of personal data.

Accordingly, processing special categories of personal data will be held lawful when processing (i) is made upon obtaining explicit consent of the data subject (ii) is required by laws, (iii) is related to personal data made public by the data subject itself, (iv) is necessary to protect the vital interests of the data subject or another natural person, (v) is carried out for the establishment, exercise or protection of a legal right, (vi) is necessary to carry out the obligations in the field of employment and social security or social services, and (vii) is made by a foundation, association, union or any other not-for-profit body relating to its members on condition that the processing relates solely to their activities and purposes, and that personal data is not disclosed to third parties.

The proposal does not cover all legal grounds that the GDPR has for processing special categories of personal data. We believe the legal grounds are still limited compared to the GDPR structure.

Article 9 of the LPDP — Cross-border data transfers

Article 9 of the LPDP regulates cross-border data transfers. Accordingly, personal data can be transferred abroad upon obtaining the data subject's explicit consent or in the presence of legal grounds (other than explicit consent) outlined under Article 5 of the LPDP to countries where there are adequate measures to protect personal data. Having said that, as the KVKK has not issued a safe country list yet, the application of the latter is not possible. Therefore, if there are legal grounds (other than explicit consent), the data controller must apply to the KVKK with an undertaking and obtain permission. Further, the KVKK has announced the application of binding corporate rules as an accepted method based on Article 9.

Obtaining explicit consent is the only viable method for the time being to legalize cross-border transfers. Data controllers can always apply to the KVKK with an undertaking to obtain a permit or approve BCRs; however, these procedures may take at least one year.

The current cross-border transfer regime is problematic and forces companies to settle their infrastructure in Turkey since the transfer is, in practice, solely based on the explicit consent of the data subject and restricts the ability to transfer data abroad. Industry players and academics have intensively criticized the current regime. Thus, amendments introduced with the proposal have been long waited and are a serious need for the data controllers in Turkey.

What does the proposal introduce?

Under the proposal, personal data will be transferred to countries, specific sectors or international institutions in such countries based on legal grounds outlined in Articles 5 and 6 (including onward transfers) upon issuance of an adequacy decision. The board will grant an adequacy decision based on the reciprocity rule and will take into account other aspects. “Reciprocity" is added explicitly to the law as one of the measures evaluated while evaluating the adequacy decision. The DPA representatives have already relied on the "Reciprocity" rule on various occasions to justify transfer restrictions to the EU countries.

In the absence of an adequacy decision held by the KVKK, personal data will be transferred based on the following:

  • Notification to the KVKK with a standard undertaking.
  • Submission of a written agreement to the KVKK, including protective measures that will be applicable, and obtaining a permit.
  • Approval of BCRs.
  • Agreement between public entities and bodies in Turkey with compatible ones in the transferred country.

The most significant changes to international data transfers will be the submission of the standardized undertaking to the DPA, which will no longer require any permit to be granted. This means that with the use of the standard undertaking mechanism, transfer of personal data abroad will be straightforward.

In the absence of an adequacy decision and relevant undertakings provided by the data controller, personal data can be transferred in exceptional/particular cases based on the following tools: (i) upon explicit consent of the data subject after informing them on the absence of precautions and possible risks, (ii) conclusion or performance of a contract that is executed for the benefit of this party data subject, (ii) vital interests of the data subject or another natural person, (iii) for the establishment, exercise or protection of a legal right, and (iv) for the execution of the duties of state bodies or professional institutions with public duties.

Conclusion

The proposal has been shared with the related public institutions and associations to collect their opinion but has not yet been submitted to the National Assembly. The acceptance of the proposal would be seen as a big step in getting closer to the GDPR, which was previously set as a target with the 11th Development Plan of the Turkish Presidency. When compared to the GDPR, the LPDP is still limited in many aspects; however, such development in parallel with the GPDR will be a relief for Turkey. The proposal is expected to come into force in 2022 and data controllers will need to take active actions to align with the LPDP.

Photo by Tarik Haiga on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Authors
Headshot Begüm Yavuzdogan Okumus, CIPP/E IAPP Member Contributor
Headshot Direnç Bada, CIPP/E IAPP Member Contributor
Tags
Government
Europe
Privacy Law
Comments

If you want to comment on this post, you need to login.

Related Stories
On the methodology behind the Turkish DPA's fines
When Facebook's director of privacy and public policy and director of public policy visited Turkey in May 2019 for an IAPP KnowledgeNet event, it was right after the Personal Data Protection Board had fined the social networking company 1,650,000 TL because of an application programming interface er...
Read More queue Save This
Related Stories
Tags
Government
Europe
Privacy Law
Recent Comments