An Update from Gokce Attorney Partnership (Turkey): Draft Amendment in Turkish Data Protection Law

There is a critical amendment planned for implementation in the Turkish Personal Data Protection Law (KVKK).

KVKK set forths obligations that data controllers must adhere to concerning the processing of personal data. In this regard, the Draft Law Proposal (Draft Law), submitted to the Turkish Justice Commission on February 16, 2024, addresses significant changes concerning the longstanding issues of transferring personal data abroad and the processing conditions of sensitive personal data within the KVKK. It is crucial to anticipate and understand these substantive changes in advance. Below, we have outlined the key points for your reference:

KVKK Alignment with GDPR through Amended Regulations

Draft Law primarily aims to amend two regulations: The conditions for transferring personal data abroad and the processing conditions of sensitive personal data.

Notably, the proposed new system for data transfer abroad seeks substantial alignment with the General Data Protection Regulation (GDPR) currently enforced in the European Union. Consequently, KVKK, under the new regulation, will adopt a distinct perspective and systematic approach.

Changes in the Processing Conditions of Sensitive Personal Data

Sensitive personal data, including health, sexual life, union and foundation membership information, and biometric data, are regulated under the KVKK. Draft Law largely eliminates the current distinction between health and sexual life data and other sensitive personal data.

A significant innovation introduced by Draft Law pertains to data processing activities in various fields such as employment, occupational health and safety, social security, social services, and social assistance. Herein, data processing may be permissible for legal obligation fulfillment, even without explicit consent, provided necessary conditions are met. Consequently, legal grounds for processing sensitive personal data will be broadened, rendering them more suitable for practical application.

Comprehensive Revision of Personal Data Transfer Regulations

Draft Law proposes a completely new and distinct systematic approach for the transfer of personal data abroad compared to existing regulations. It outlines a three-tiered and alternative transfer regime:

• Transfer based on adequacy decision
• Transfer based on appropriate safeguards
• Transfer based on occasional circumstances

Under current KVKK regulations, several systems facilitate personal data transfer abroad. These include adequacy decisions by the Personal Data Protection Board (Board), written commitments among data controllers ensuring adequate protection, and obtaining explicit consent from individuals concerned. However, to date, the Board has not issued any adequacy decisions for countries. Additionally, only a few commitment applications for data transfer have been approved. Thus, the only operational system for data transfer abroad has been obtaining explicit consent from relevant individuals.

Under the proposed regulations, explicit consent alone will not authorize data transfer abroad. Instead, data controllers and processors will:

• Verify whether the Board has issued an adequacy decision for the country or specific sectors to which personal data will be transferred.
• In the absence of an adequacy decision, data transfer may proceed only if specified safeguards are provided.
• In instances where safeguards cannot be ensured, personal data may be transferred abroad solely for occasional circumstances. Continuous data transfers based on explicit consent will no longer suffice.

One notable innovation is the inclusion of Binding Corporate Rules (BCR) and Standard Contractual Clauses (SCC), long implemented in GDPR, within the Draft Law. These are stipulated as requirements for safeguard-based data transfers abroad.

Upon enactment of the Draft Law, regulations governing data transfers abroad will largely align with GDPR standards for data protection.

Notification of Standard Contracts for Transfers Abroad

One of the safeguard methods for data transfers abroad, standard contracts, requires notification to the Board by data controllers or processors within five business days. Failure to comply may result in administrative fines ranging from 50,000 Turkish Liras to 1,000,000 Turkish Liras under the Draft Law.

Imposing responsibility on data processors for this notification underscores the necessity for thorough and meticulous planning when data transfers abroad are based on standard contracts.

Recourse against Administrative Fines

The Draft Law introduces the option to appeal administrative fines imposed by the Board to administrative courts.

Presently, under the KVKK, appeals against administrative fines imposed by the Board can be made to criminal peace judgeships. Appeals against remaining decisions can be lodged with administrative jurisdiction. Enactment of the Draft Law may facilitate more comprehensive legal deliberations before administrative courts regarding administrative fines.

Transitional Provisions: Review of Compliance Efforts

The Draft Law outlines a two-stage transition:

• Regulations for data transfers abroad based on explicit consent will apply until September 1, 2024. After this date, continuous personal data transfers abroad based on explicit consent should cease.
• Remaining regulations will take effect on June 1, 2024.

Compliance Measures

Data transfer abroad has been a significant practical challenge in implementing the KVKK. The Draft Law proposes comprehensive regulations to address this issue.

Should the Draft Law be enacted, all stakeholders, including data processors, will need to revise their data transfer processes. Notably, data transfers based solely on explicit consent (unless under occasional circumstances) will no longer suffice.

Data controllers and processors must assimilate these fundamental changes, devise new enlightenment processes compliant with the new regulations, and restructure data transfer commitments accordingly. Instances where explicit consent of the data subject may be sought should be reassessed, and suitable methods determined.

Although the proposed changes affect only a few articles, they will necessitate significant alterations in personal data processing procedures.

The Draft Law, also referred to as the 8th Judicial Package, is yet to be discussed in the Justice Commission. However, discussions are scheduled to commence shortly.

You can access the Draft Law via: https://cdn.tbmm.gov.tr/KKBSPublicFile/D28/Y2/T2/WebOnergeMetni/6e8b6477-2942-49d1-acf1-cfa13bcac252.pdf (only available in Turkish).

If you have any questions, you can reach to Elif Aksoz, a senior associate in Gokce’s TMC & Privacy team via elif.aksoz@gokce.av.tr.

Click here to learn more about our Istanbul, Turkey member firm Gökçe Attorney Partnership.