Newsletter on Important Changes in the Transfer of Personal Data Abroad and Processing of Sensitive Personal Data
With the Law No. 7499, significant amendments have been made to the Law No. 6698 on the Protection of Personal Data (“Law“) regarding (i) the conditions for sensitive personal data processing and (ii) the conditions for the transfer of personal data abroad.
Aforementioned amendments will enter into force on 1 June 2024; details thereof are provided below.
1. Sensitive Personal Data:
In the present form, with very limited exceptions, sensitive personal data[1] cannot be processed without explicit consent.
With the amendments, many additions have been made to the exceptions to the processing of sensitive personal data and in this context, the conditions for processing sensitive personal data have been considerably expanded.
With the amendment, sensitive personal data may be processed if:
-
- There is explicit consent of the data subject,
- Explicitly stipulated in the laws,
- It is mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social aid,
- It is necessary for the protection of the life or bodily integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, or for the protection of the life or bodily integrity of another person,
- It is mandatory for the establishment, exercise or protection of a right,
- It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
- It is necessary for the protection of public health, implementation of preventive medicine, medical diagnosis, treatment and care services, and planning, management and financing of health services by persons or authorised institutions and organisations who are under the obligation to keep secrets,
- It is oriented towards current or former members of foundations, associations and other non-profit organisations or formations established for political, philosophical, religious or trade union purposes or persons who are in regular contact with these organisations and formations, provided that it complies with their purposes and the legislation which such organizations and formations are subject to, is limited to their fields of activity and is not disclosed to third parties.
2. Transfer Abroad:
In the present form, in order to transfer personal data abroad, it is necessary to obtain the explicit consent of the data subject or a general permit from the Personal Data Protection Board (“Board“) (since the third alternative, transfer to safe countries, cannot be operated due to the non-disclosure of safe countries by the Board).
Since it is not always possible to obtain the explicit consent of the data subject and until now (in the last 8 years) the Board has authorised only a small number of companies to transfer personal data abroad, the transfer of personal data abroad was a very problematic process, especially for global companies.
With the amendments, many more options have been added for the transfer of personal data abroad, but the transfer with the explicit consent of the data subject (provided that it is temporary) has been limited. In this respect, the current provision on the transfer of personal data abroad with the explicit consent of the data subject will remain in force until 1 September 2024 (in other words, the abovementioned limitation regarding consent shall be effective as from 1 September 2024).
In addition, thereto, it is stated that the procedures and principles regarding the following shall be stipulated by regulation; with the mentioned regulation, the following options will become clearer (because there are many issues that are not clear at the moment). We hope that issues that are not yet clear shall be clarified until the date of entry into force of the amendments, i.e. 1 June 2024.
Below is the detailed information on options:
a) Transfer with the Adequacy Decision of the Board:
It is regulated that personal data may be transferred to countries/sectors deemed sufficient (and announced) by the Board (without the need for further consent/permit of the data subject or the Board), in the presence of data processing conditions.
The provisions also include stipulations on what will be taken into consideration when the adequacy decision is taken by the Board and the method and time of announcement of the decisions. However, there is no information on when this decision will be made; this option will not be available until this decision is made.
b) Transfer by Assurance:
If there will not be a transfer within the scope of the above-mentioned adequacy decision, it is stated that personal data may be transferred without the explicit consent of the data subject if one of the following assurances is provided (again in the presence of data processing conditions and that the data subject is able to exercise his or her rights and seek redress in the country of transfer).
- Existence of binding corporate rules[2] approved by the Board and containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with,
- Existence of a standard contract[3] to be announced by the Board,
- Existence of a written undertaking[4] containing provisions to ensure adequate protection and authorisation of the transfer by the Board,
- The existence of an agreement, that is not an international agreement, between public institutions and organisations or international organisations abroad and public institutions and organisations or professional organisations in the nature of public institutions in Turkey, and the Board’s permit for the transfer.
c) Temporary Transfer Options:
If the transfer does not fall within the scope of the above options, it is stated that personal data may be transferred abroad in the presence of one of the following cases, provided that it is temporary[5]:
- Explicit consent of the data subject, provided that they have been informed about the possible risks,
- The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject,
- The transfer is mandatory for the formation or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject,
- The transfer is necessary for an overriding public interest,
- Transfer of personal data is mandatory for the establishment, exercise or protection of a right,
- The transfer of personal data is mandatory for the protection of the life or bodily integrity of the person himself/herself who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, or of another person,
- Transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.
Finally, the above provisions shall also apply to subsequent transfers after the first transfer of personal data abroad by data controllers and data processors.
Should you have any questions, you are welcome to contact us.
[1] Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data.
[2] It is not clear whether the binding corporate rules previously published by the Board at https://www.kvkk.gov.tr/Icerik/2053/Yurtdisina-Aktarim will be valid or not. The Board will probably prepare new information/documents.
[3] This contract should be submitted to the Board within 5 business days; in case of failure to submit, the data processor and data controller shall be subject to administrative fine.
[4] It is not clear whether the undertaking templates previously published by the Board at https://www.kvkk.gov.tr/Icerik/2053/Yurtdisina-Aktarim will be valid or not. The Board will probably prepare new information and templates.
[5] In other words, it means a single or several times and in a non-continuous manner.