Despite challenges like the COVID-19 pandemic, general elections and shifting legislative priorities, Turkey has maintained a commitment to enhancing its data protection laws through the evolving Personal Data Protection Law. On 12 March, the first segment of amendments to the PDPL was published in the Official Gazette and will take effect 1 June. Law No. 7499, Amending the Code of Criminal Procedure and Certain Laws, introduced amendments to Articles 6, 9 and 18 of the PDPL, and also added Provisional Article 3, which details when these amendments enter into force.
Regulatory reform
Turkey's first data protection law, introduced in 2016 and inspired by the EU's 95/46 Directive, was a strategic choice aimed at fostering a culture of data protection with less complex norms. After 2020, various policy documents, including the Human Rights Action Plan and the Medium Term Program, demonstrated a significant shift toward alignment with the EU General Data Protection Regulation. This pivot was driven by the evolving needs of the business ecosystem. Challenges, such as the cumbersome use of cloud computing software and the processing of special categories of personal data, particularly for employers and the health care sector, underscored the urgent need for reform.
By 2021, the Ministry of Justice's formation of a Science Committee marked an important phase in drafting new legislation. The committee, of which I am a member, prepared two legislative packages regarding data protection reform. The first prioritized package, published 12 March, addresses the processing of special categories of personal data, data transfers abroad and the competent court for monetary fines imposed by Turkey's data protection authority, Kişisel Verileri Koruma Kurumu. In accordance with Turkey's plans to overhaul the PDPL to fully align with the GDPR, a second reform package is in progress to bridge the regulatory gap.
Special categories of personal data
Under the existing framework, the PDPL classifies special categories of personal data in two subgroups focused on the criteria for processing this data. The first pertains to health and sexual life, while the second encompasses other special categories of personal data, which are listed in the law in a limited manner. Generally, processing special categories of personal data without explicit consent is prohibited, with notable exceptions.
Special categories of personal data not related to health or sexual life can be processed without explicit consent in cases stipulated by law. Conversely, the processing of data concerning health and sexual life without explicit consent can only be carried out for specific purposes. These purposes include safeguarding public health, preventative health care, medical diagnosis, treatments, and managing and funding health services. This exception is applicable only when such data is handled by individuals bound by confidentiality obligations like physicians, or competent institutions and organizations.
The PDPL presents challenges, particularly for employers and the health care sector as they navigate the complexities of handling special categories of personal data. In the revised version of the PDPL, a notable change is the treatment of data concerning health and sexual life. These are no longer distinct and are now governed by the same conditions as other special categories of personal data. The approach to conditions for the processing of special categories of personal data has been fundamentally restructured.
The amendments specify eight conditions under which such data can be processed, aligning more closely with the GDPR in terms of legal grounds for processing special categories of personal data. These include the explicit consent of the data subject, cases stipulated by laws, necessity for the protection of life or physical integrity where the individual cannot consent, personal data made public by the individual, the necessity for establishing or protecting a right, and employment-related legal obligations.
Data transfers abroad
The current version of the PDPL primarily relies on explicit consent for data transfers outside Turkey, a method challenged by issues of revocability and by consent that is sometimes not freely given. For transfers without consent, alternative legal grounds and either an adequacy decision indicating the foreign country offers adequate data protection or DPA-approved contractual clauses were required. To date, however, the Turkish DPA has not deemed any country as having adequate protection and has approved only a few contracts out of 80 total applications, underscoring the need for a more practical framework.
The revision of the PDPL marks a significant shift in how personal data transfers across borders are handled, influenced by rapid digitalization and changes in commercial practices. This amendment transitions from a consent-based model to a structured approach with three tiers: adequacy decisions, appropriate safeguards and occasional cases. The goal is to make data transfers more efficient and in line with the GDPR, focusing on streamlining processes while ensuring data protection. A forthcoming bylaw from the Turkish DPA is expected to detail the rules and procedures of this new framework for data transfers abroad.
Initially, an "adequacy decision" by the Turkish DPA is required for data transfers abroad. In the absence of such a decision, "appropriate safeguards" like binding corporate rules or standard contractual clauses may be employed. Exceptionally, in the absence of both an adequacy decision and appropriate safeguards, certain "occasional cases" allow for data transfers. These include explicit consent from the data subject, who is informed about the risks, the necessity of contract-related actions, legal claims, protection of life or physical integrity, or legitimate access to publicly available registers.
The scope of adequacy decisions expands to include international organizations or specific sectors within a country, offering flexibility. This is exemplified by the possibility of targeting an adequacy decision toward a specific sector, such as automotive, rather than an entire country. While the Turkish DPA has not issued an adequacy decision yet, due to complex international relations, there is still hope for upcoming negotiations with the EU.
Significantly, the revised PDPL now expressly permits not just controllers but also processors to engage in cross-border transfers, addressing a gap in the previous version of the PDPL. It also mandates that they ensure the PDPL's safeguards for onward transfers. For standard contractual clauses, controllers and processors are obliged to notify Turkey's DPA within five days after the signature of such clauses. This process is merely for notification rather than authorization purposes.
Other amendments
The revision of the PDPL introduces a specific misdemeanor for controllers and processors who fail to report standard contractual clauses to the DPA within five days of signing, a requirement absent in the GDPR. Fines for noncompliance range from TRY50,000 to TRY1,000,000.
Previously, the responsibility of challenging monetary fines issued by the DPA fell to criminal courts of peace. However, concerns over their lack of in-depth examination have been addressed by a recent Constitutional Court decision, published 15 Dec. 2023. In response, Turkey's legislature amended the PDPL so administrative courts review these fines instead, seeking to ensure a fairer approach in the adjudication process.
Entry into force
According to Provisional Article 3, the PDPL amendments are set to be implemented 1 June. There is, however, a notable transitional measure concerning the requirement for explicit consent for data transfers abroad. Specifically, the current version of PDPL Article 9(1), which mandates personal data cannot be transferred outside the country without explicit consent, will remain in effect until 1 Sept. This arrangement means the original rule will be in force alongside the new regulations until the stipulated date. Additionally, requests made to the criminal courts of peace prior to 1 June will be resolved therein.
Practical solutions
These changes provide practical solutions, notably broadening the cases under which controllers can process special categories of personal data and transfer data abroad. Through these amendments, the PDPL now moves closer to the GDPR's standards.