New Era in Cross-Border Transfer of Personal Data and Processing of Sensitive Personal Data in Türkiye

The Law №7499 on the Amendment of the Code of Criminal Procedure and Certain Laws (“Regulation”), published in the Official Gazette dated 12.03.2024, introduced a number of important amendments to the Law №6698 on the Protection of Personal Data (“Law”). The amendments are the product of a long period of work aimed at eliminating the problems observed in practice.

As may be remembered, the commencement of work on the Regulation was officially announced in the Eleventh Development Plan (“Development Plan”) prepared by the Presidential Strategy and Budget Directorate for the years 2019–2023, which was approved by the Turkish Grand National Assembly on 18.07.2019.

In line with technological innovation and the new approaches adopted on international platforms, the Development Plan states that the Law will be updated taking into account the European Union General Data Protection Regulation and that technological development in this field will be encouraged.

Why did the Law, which entered into force in 2016 and provided a transition period until 2018, need to be amended in 2019?

The European Union’s Directive 95/46 of 1995 (“Directive”) was taken as the basis when the Law was drafted, even though the Directive was radically overhauled in 2016 and replaced by the General Data Protection Regulation (“GDPR”). The legislator justified this preference by the need to accelerate the European Union accession activities and/or by the view that legislation which has already been implemented is safer than legislation whose implementation still involves uncertainties.

1. Processing of Sensitive Personal Data

As is known, Article 6 of the Law defines race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data as sensitive personal data.

With the Regulation, the conditions required for processing the exhaustively listed categories of sensitive personal data set out above have been amended.

Before the Regulation, the main rule was that sensitive personal data could only be processed with the explicit consent of the data subject. By way of exception, it was stipulated that:

  • sensitive personal data other than health and sexual life data could be processed without explicit consent only where expressly prescribed by law,
  • health and sexual life data could be processed without explicit consent, for limited purposes, only by persons or authorized institutions and organizations under an obligation of confidentiality.

The Regulation eliminates the distinction between health and sexual life data and the other categories, and stipulates that any sensitive personal data may be processed in the following cases:

· Explicit Consent:

The explicit consent of the data subject has been obtained. Explicit consent, which was the main rule before the Regulation, is now regulated as merely one of the processing conditions.

· Explicit Provision in the Laws:

The processing is expressly provided for in the laws.

Example: The data controller employer processing the health data contained in the records of occupational accidents and occupational diseases of its employees, which it is obliged to keep under Law №6331.

· Actual Impossibility:

Where the processing is necessary to protect the life or physical integrity of the data subject or of another person who is unable to give consent due to actual impossibility or whose consent is not legally valid.

Example: Processing personal data such as blood type and medical history for the purpose of protecting the life or physical integrity of a data subject who is unable to give consent due to loss of consciousness.

· Publicization:

Where the processing concerns personal data that the data subject has made public, and is in accordance with the data subject’s will in making it public.

· The establishment, exercise or protection of a right:

Where the processing is mandatory for the establishment, exercise or protection of a right.

Example: The data controller employer continuing to store the sensitive personal data of a data subject (former employee) whose employment relationship has ended, for the duration of the statute of limitations running from the date of termination (where no lawsuit has been filed), so that it can be used in possible legal disputes.

· Public Health Protection, Preventive Medicine, Medical Diagnosis, Treatment and Care:

Where the processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, or the planning, management and financing of health services, and is carried out by persons or authorized institutions and organizations under an obligation of confidentiality.

· Employment, Occupational Health and Safety, Social Security, Social Services and Social Aid:

Where the processing is necessary for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social aid.

Examples: Data controller employers that are obliged to employ disabled or convicted persons under Article 30 of the Labor Law processing the health data and/or criminal conviction data of the data subject employees in order to fulfill that legal obligation.

The data controller employer processing the sensitive personal data contained in the personal health file of the data subject employee.

The data controller new employer processing the sensitive personal data of the data subject contained in the personal health file kept at the employee’s former workplace.

· Associations and Foundations:

Where the processing is carried out by foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, concerns their current or former members or persons in regular contact with them, complies with the legislation to which they are subject and with their purposes, is limited to their fields of activity, and the data are not disclosed to third parties.

Example: Foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes processing the sensitive personal data of their current or former members, or of persons in regular contact with them, in connection with their relevant processes.

In other words, explicit consent is no longer the main rule but is regulated as one processing condition among others.

For employers in particular, it may be said that the Regulation resolves the problem of being unable to process health data that must be processed under Law №6331 and its secondary legislation, even where such processing was explicitly stipulated in that legislation.

We would like to point out that, in our opinion, criminal record data, whose collection has become general practice among companies in our country, can still only be processed on the basis of explicit consent, except for the cases specified in Article 30 of the Labor Law.

As may be remembered, the Personal Data Protection Board (“Board”) has published a guide on identity data. We believe it would be very useful, in terms of awareness, if the Board were to prepare a similar guide limited to criminal record information. In fact, we believe such a study would be more comprehensive and useful if it were conducted in a framework similar to the “Recruitment and Selection” guidance that the ICO continues to work on, rather than being specific to one data type.

2. Transfer of Personal Data Abroad

With the development of technology, it has become inevitable for companies to move their records to digital media and/or to contact their customers through such media. This has led to personal data being used in cloud environments or on the servers of third-party global companies that have made serious investments in security.

As may be remembered, it could be argued that the transfer of personal data abroad could in practice only be made with explicit consent under the first paragraph of Article 9 of the Law, because the safe-country list, one of the other transfer options in the Law, was never published by the Board, commitment letters could not be obtained from global companies, and only some of the commitment letters that were submitted were approved.

The use of products and services sourced from abroad, which companies preferred for reasons of security, cost and sometimes lack of alternatives, was causing major problems for the following reasons:

  • the Board treated such use as a transfer abroad,
  • explicit consent cannot be made a condition of a service, and in the employee-employer relationship there is a presumption that explicit consent is not freely given,
  • obtaining explicit consent under the first paragraph of Article 9 of the Law remained almost the only option for transfers abroad.

The finding in the justification of the Regulation that

“it makes it almost impossible to use cloud-based software and applications, which are frequently used by almost every company and real person in commercial life and whose servers are located abroad, in accordance with the law”

is very valuable, and the amendments that follow from it serve the goal of alignment with the GDPR.

The Regulation provides three bases for the transfer of personal data and sensitive personal data abroad: an Adequacy Decision, the Availability of Appropriate Safeguards (which presuppose that the data subject can exercise his or her rights and resort to effective remedies in the country of transfer), and Exceptional Circumstances.

Without prejudice to the provisions of international conventions, the Legislator has made an exception for cases where the interests of Türkiye or the data subject would be seriously harmed; in such cases, personal data may only be transferred abroad after obtaining the opinion of the relevant public institution or organization and with the permission of the Board.

We would like to point out that the procedures and principles regarding the implementation of Article 9 of the Law will be regulated by a separate regulation.

Availability of an Adequacy Decision

In order to transfer data abroad on the basis of an Adequacy Decision, the following conditions must be met together:

  • one of the processing conditions provided for in Article 5 of the Law (for personal data) or Article 6 of the Law (for sensitive personal data) exists,
  • an adequacy decision exists for the country, the sector within the country or the international organization to which the transfer will be made.

Unlike the existing article of the Law, it is now regulated that an adequacy decision can be made for a sector within a country or for an international organization, rather than only for the country as a whole. The justification of the Regulation gives the example that “it will be possible to make an adequacy decision in respect of the automotive sector of a foreign country with which our automotive sector has intensive trade relations, rather than in respect of the entire foreign country.”

It is regulated that the Board will re-evaluate an adequacy decision at least every four years.

Availability of Appropriate Safeguards

In the absence of an Adequacy Decision, the transfer of data abroad is not prohibited; instead, the following conditions must be met for the transfer:

  • one of the processing conditions provided for in Article 5 of the Law (for personal data) or Article 6 of the Law (for sensitive personal data) exists,
  • the data subject has the possibility to exercise his or her rights and to have recourse to effective remedies in the country of transfer.

In addition to these, it is regulated that it will be sufficient to meet one of the following conditions.

a) Agreement Between Public Institutions and Organizations or International Organizations and Public Institutions and Organizations or Professional Organizations in the Nature of Public Institutions in Turkey

There must be an agreement that does not constitute an international treaty between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations in the nature of public institutions in Türkiye, and the transfer must be authorized by the Board.

b) Binding Corporate Rules

There must be binding corporate rules, approved by the Board, which contain provisions on the protection of personal data and which the companies within a group of companies engaged in joint economic activities are obliged to observe.

c) Standard Contract

There must be a standard contract, in the form announced by the Board, setting out the data categories, the purposes of the transfer, the recipients and recipient groups, the technical and administrative measures to be taken by the data recipient, and the additional measures taken for sensitive personal data.

We would like to point out that the standard contract must be notified to the Board by one of the parties within 5 working days from the date of signing; otherwise, an administrative fine of between 50,000 and 1,000,000 Turkish Liras may be imposed.

The addressee of the administrative fine may be either the data controller or the data processor.

d) Written commitment

There must be a written commitment letter containing provisions to ensure adequate protection and the transfer must be authorized by the Board.

Exceptional Circumstances

The Legislator has regulated that, in the absence of an Adequacy Decision and where none of the appropriate safeguards can be provided, personal data may be transferred abroad only if the transfer is occasional and one of the following cases applies:

  • The data subject’s explicit consent to the transfer, provided that data subject is informed about the possible risks.*
  • The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.*
  • The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject. *
  • The transfer is necessary for an overriding public interest.
  • The transfer of personal data is mandatory for the establishment, exercise or protection of a right.
  • The transfer of personal data is mandatory for the protection of the life or physical integrity of the data subject or of another person who is unable to give his/her consent due to actual impossibility or whose consent is not legally valid.
  • The transfer is made from a register that is open to the public or to persons with a legitimate interest, provided that the conditions for access to the register laid down in the relevant legislation are fulfilled and the person with a legitimate interest requests it.

* does not apply to the activities of public institutions and organizations subject to public law.

3. Remedies Against The Decisions Of The Board

It has been regulated that objections to administrative fines imposed by the Board shall be filed before the administrative courts instead of the criminal judgeships of peace, and a transition period has been stipulated for this change of remedy.

Objections pending before the criminal judgeships of peace as of 01.06.2024 will continue to be heard by those judgeships.

4. Transition Period (Provisional Article 3)

A transition period has been established for the entry into force of the Regulation, as follows:

· The amendments will enter into force on 01.06.2024,

· The first paragraph of Article 9 of the Law in its pre-amendment form, under which explicit consent is accepted as the condition for transferring personal data abroad, will continue to apply alongside the amended provision until 01.09.2024.

5. Frequently Asked Questions

5.1. Have the problems regarding the use of foreign servers and/or SaaS by companies been eliminated?

The current version of the Regulation does not in itself permit the transfer of personal data abroad. Before an assessment can be made, the Board must issue an adequacy decision for the country, the sector within the country or the international organization to which the transfer will be made. We are also of the opinion that it may be necessary to wait for the secondary legislation to be issued on this subject.

The Legislator’s finding in the justification of the Regulation that “it makes it almost impossible to use cloud-based software and applications, which are frequently used by almost every company and real person in commercial life and whose servers are located abroad, in accordance with the law” is of great importance here, and we are of the opinion that the matter will not remain unresolved as the safe-country list did before the Regulation.

We would like to share our opinion that, unless the transitional provision in Provisional Article 3 of the Law is amended, the process will become clearer by 01.09.2024.

5.2. Can the employer process criminal records without explicit consent?

We would like to point out that, in our opinion, data controllers who are required to employ convicted persons under Article 30 of the Labor Law may, in those exceptional circumstances, process the criminal records of the convicted employees without explicit consent.

5.3. Has the reason for PayPal Holding Inc.’s (“PayPal”) halting its operations in Türkiye disappeared?

PayPal provides services that fall within the definition of payment and electronic money services under the legal regulations in Türkiye and many other countries.

In order for PayPal or any other third party to provide payment services in Türkiye, it must obtain an operating license from the Central Bank of the Republic of Türkiye under the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Law №6493”), which entered into force in 2013, or cooperate with a payment service provider that holds such a license.

Even if it is accepted that PayPal, as has been claimed, made a commercial decision not to operate in Türkiye because of the restrictions on transferring personal data abroad, no development has occurred that would change that decision, since the obligation of payment service providers operating under Law №6493 and its secondary legislation to keep their primary and secondary systems in Türkiye has not disappeared.

5.4. Do companies need to work on compliance from the beginning due to regulations? What needs to be done?

Although it is difficult to give a clear, standardized answer to this question for every company or case, it can be said that sensitive data processing activities should be reviewed against the Regulation and the results reflected in the data inventory and the privacy notice.

As for the action plan for transfers abroad, we are of the opinion that the Board’s adequacy decisions on countries, sectors within countries or international organizations should be awaited. For transfers for which no adequacy decision is issued, we are of the opinion that the secondary legislation to be issued by the Board should be awaited.

6. Evaluation

We believe that these provisions, together with the valuable findings contained in the justification of the Regulation, will have a significant positive effect on the problems that have arisen since the Law came into force, particularly as regards the transfer of personal data abroad and the processing of sensitive personal data.

We recommend that companies start analyzing their sensitive personal data processing and their transfers of personal data abroad within the framework of the Regulation, and begin preparing the updates required by the findings of that analysis.