Personal Data Protection Law Updates: What Awaits Companies?



Adv. Bengi Baydan 26 Feb, 2024 universal



Recently, with the announcement of the 8th Judicial Package, a proposed amendment to the Personal Data Protection Law No. 6698 (KVKK) included in the package was introduced. The proposed amendment covers issues such as the conditions for processing special categories of personal data, which companies often struggle with in practice, and the conditions for data transfer. As understood from the rationale of the proposal, the existing personal data protection legislation in Turkey is being aligned one step closer to the European Union’s General Data Protection Regulation (GDPR). This development is expected to alleviate the difficulties Turkish companies face in commercial life and the challenges arising from the use of foreign IT systems, as well as to facilitate the processes of companies in close contact with the European Union. Many companies have encountered obstacles under data protection laws at every stage, from human resources to procurement processes. Therefore, there was a need for an amendment that meets the requirements of commercial life and keeps pace with its speed, while balancing the protection of individuals’ rights and the execution of companies’ activities. Whether the proposal will effectively resolve data protection issues in commercial practice will be answered in the coming days as we observe practical examples.

In this article, we will discuss what the changes in personal data protection legislation mean for companies and the key points they need to pay attention to regarding compliance with the law.

We can examine the proposed changes in the legislation under four main headings:

1- Article 6 of the Personal Data Protection Law (KVKK): Processing of Special Categories of Personal Data

Although the proposed amendment regarding the processing of special categories of personal data is included in the draft text, it should be remembered that the processing of such data should still be avoided as much as possible. However, with the changes made, certain exceptions have been introduced to the processing of special categories of personal data in an effort to facilitate business processes. The exceptions are as follows:

- The explicit consent of the data subject

- Cases explicitly stipulated by laws

- Necessity for protecting the life or physical integrity of the data subject or another person when the data subject is unable to express consent due to actual impossibility or when the consent lacks legal validity

- The data subject’s disclosure of their own special categories of personal data to the public

- Necessity for establishing, exercising, or protecting a right

- Processing by persons bound to confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, as well as planning, management, and financing of health services

- Necessity for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, or social assistance

- Processing of certain special categories of personal data by foundations, associations, or other non-profit organizations or entities established for political, philosophical, religious, or union-related purposes

2- Article 9 of the Personal Data Protection Law (KVKK): Transfer of Personal Data Abroad

A transfer abroad requires that one of the situations specified in Articles 5/2 and 6/3 of the Law exists and that an adequacy decision has been issued regarding the country to which personal data will be transferred, the international organization, or the sectors within the country.

Unlike the current regulation, it is now possible to issue an adequacy decision not only for an entire foreign country but also specifically for a sector within that country or an international organization.

Regarding the transfer of data to a country without an adequacy decision:

- In the case of international organizations or sectors within a country, personal data may be transferred if one of the data processing conditions specified in Articles 5 and 6 is met, provided that the data subject has the ability to exercise their rights and access effective legal remedies in the destination country, and one of the "appropriate safeguards" listed in the paragraph is ensured.

- If there are binding corporate rules approved by the Board, which contain provisions on personal data protection and are obligatory for companies within the same corporate group, data transfer between these companies can take place without the need for additional permission from the Board, provided that one of the data processing conditions specified in Articles 5 and 6 is met.

- It will be possible to transfer data without the need for additional permission by signing the standard contract announced by the Board.

- Personal data may be transferred to a country without an adequacy decision if there is a written commitment containing provisions to ensure adequate protection and the transfer is authorized by the Board.

If there is no adequacy decision and no appropriate safeguards, personal data may be transferred only on an incidental basis, in the following cases:

- The data subject has given explicit consent for the transfer

- The transfer activity is necessary for the performance of a contract or for taking pre-contractual measures at the request of the data subject

- There is a public interest

- The transfer is necessary for the establishment, exercise, or protection of a right

- The transfer is essential to protect the life or physical integrity of the data subject or another person who cannot declare consent due to actual impossibility or whose consent lacks legal validity

- The transfer is made from a public register accessible to the public or to persons with a legitimate interest, provided that the specified conditions are met

3- Article 18 of the Personal Data Protection Law (KVKK): Misdemeanors

With the amendment and pursuant to Article 9/5, data controllers or data processors are obliged to notify the Authority of the signed standard contract. Failure to fulfill this notification obligation is subject to administrative sanctions. We observe that the Law introduces a new misdemeanor in this regard.

In addition, the administrative fines stipulated in subparagraphs (a), (b), (c), and (ç) of the first paragraph will apply to natural persons who are data controllers as well as private law legal entities; the administrative fine stipulated in subparagraph (d) will apply to natural persons who are data controllers or data processors and private law legal entities. With this amendment, a notification obligation regarding the standard contract has been imposed on data processors for the first time.

Additionally, considering the nature of the administrative sanction decisions issued by the Board, it is now possible to file a lawsuit with administrative courts instead of applying to the criminal peace judge against these decisions.

4- Additional Provisional Article 3:

The existing Article 9/1 and the amended/repealed Article 9/1 will be applied concurrently until September 1, 2024.

As of June 1, 2024, applications currently being heard by criminal peace judges will continue to be heard by these judges.
