
KVKK Amendments Information Report

1. GENERAL INFORMATION ON THE AMENDMENTS TO KVKK UNDER THE 8TH JUDICIAL REFORM PACKAGE

1.1. Scope and Purpose of Information

As is known, several amendments to the Law on the Protection of Personal Data No. 6698 have been made under Law No. 7499, which amends the Criminal Procedure Law and other laws. These changes were published in the Official Gazette on March 12, 2024, numbered 32487, and are part of the 8th Judicial Package adopted by the Turkish Grand National Assembly on March 2, 2024.

The recent amendments to the KVKK (Law on the Protection of Personal Data) have introduced significant changes to Turkish data privacy law. These changes impact how organizations manage personal data transfers and ensure legal compliance. They are crucial for businesses aiming to align with international data protection standards.

1.2. Overview of the Recent Amendments to the KVKK: Enhancing Data Protection and Compliance and About the Content of Information

As part of the 8th Judicial Reform Package, several key amendments have been made to the Turkish Law on the Protection of Personal Data (KVKK). These amendments, under Law No. 7499, were published in the Official Gazette on March 12, 2024. They bring significant updates aimed at enhancing data protection and compliance for organizations operating in Türkiye.

Key Changes in the KVKK Amendments

New Grounds for Processing Sensitive Personal Data

Expanded Legal Grounds: The revised Article 6 outlines new legal bases for processing sensitive personal data, including the protection of life, public interest processing, and the necessity for fulfilling legal obligations in employment and social services.

Detailed Regulations: Specific scenarios, such as data processing by individuals under confidentiality obligations and public institutions for health-related purposes, are maintained to ensure compliance with GDPR standards.

Enhanced Regulations for International Data Transfers

Standard Contractual Clauses (SCCs): Under the new regime, Standard Contractual Clauses (SCCs) must be notified to the Turkish Data Protection Authority (DPA) within five business days. Non-compliance may result in fines ranging from 50,000 to 1,000,000 Turkish Liras.

Binding Corporate Rules and Adequacy Decisions: The amendments also clarify the use of binding corporate rules and adequacy decisions for transferring personal data abroad.

Updated Administrative Fines and Liabilities

Broadened Scope of Fines: Administrative fines now apply not only to data controllers but also to data processors who fail to meet their notification obligations. This change ensures accountability for all parties involved in handling personal data.

Unified Judicial Remedies

Administrative Court Appeals: The amendments introduce a unified procedure for challenging DPA decisions, streamlining the appeal process to administrative courts. This reform enhances legal certainty and uniformity in data protection cases.

Impact on Organizations

Organizations must reassess their data protection strategies to comply with these new regulations. The emphasis on timely notifications, expanded legal processing grounds, and broader administrative fines necessitates a proactive approach to data management and legal compliance.

Text Content

Chapter Two of this Information Text addresses the new legal grounds for processing special categories of personal data. Chapter Three examines the revised regulations concerning the transfer of personal data abroad. Chapter Four reviews the reforms related to administrative fines. Chapter Five discusses the updates to judicial remedies. Chapter Six analyzes the enforcement of the new provisions and the transition period. Chapter Seven summarizes the amendments and concludes the study.

2. AMENDMENTS REGARDING THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA (AMENDMENTS TO ARTICLE 6)

2.1. Former version of Article 6

The former version of Article 6 is as follows:

Conditions for processing of Special categories of personal data

Article 6 - (1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

(2) It is prohibited to process special categories of personal data without explicit consent of the data subject.

(3) Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

(4) Adequate measures determined by the Board shall be also taken while processing the special categories of personal data.

According to Article 6, it is prohibited to process sensitive personal data without the explicit consent of the data subject. An exception is recognized for data other than health and sexual life data for the cases stipulated in the relevant laws in terms of the legal reason for processing. It is stipulated that personal data relating to health and sexual life can only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons under the obligation of confidentiality or authorized institutions and organizations without seeking the explicit consent of the data subject. In other words, explicit consent and processing by persons or authorized institutions and organizations under the obligation of confidentiality are the main legal grounds for processing.

2.2. The new version of article 6

Article 6, as amended by the KVKK Reform Law, is as follows:

Conditions for processing of Special categories of personal data

Article 6 - (1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

(2) (Repealed paragraph)

(3) It is prohibited to process special categories of personal data, however, they may be processed if;

a) Presence of explicit consent of the data subject,

b) Explicitly provided for by the laws,

c) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,

ç) It is related to the personal data made public by the data subject and in accordance with the will of the data subject to make it public,

d) Data processing is necessary for the establishment, exercise or protection of any right,

e) Data processing is necessary by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

f) It is mandatory for the fulfillment of legal obligations in the areas of employment, occupational health and safety, social security, social services and social assistance,

g) Current or former members and members of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organizations and formations, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties,

2.3. Amendments

As outlined in the reasoning behind the KVKK Reform Law, the current Article 6 stipulates that the processing of sensitive personal data, other than those related to health and sexual life, is permissible only with the explicit consent of the data subject or if provided for by law. Special categories of personal data related to health and sexual life can be processed without explicit consent solely for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, financing, and the management and planning of health services. The reasoning emphasizes that, under the current regulation, only the Social Security Institution, the Ministry of Health, and health institutions are authorized to process health data. However, there is a recognized need for health data in the insurance sector, labor legislation, occupational health and safety, and social services.

The amendment, as stated in the reasoning, reorganizes the conditions for processing sensitive personal data to address current needs and align with the GDPR. The second paragraph of the Article maintains the provision prohibiting the processing of special categories of personal data and enumerates the specific cases in which such data may be processed. When one of the listed conditions is met, the processing of special categories of personal data will be permitted.

2.3.1. The definition of sensitive personal data has been retained.

The first paragraph of Article 6 retains the definition of special categories of personal data as: "Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are considered special categories of personal data." No additions or deletions have been made to these categories.

2.3.2. The grounds for legal processing have been expanded.

The second paragraph of Article 6 has expanded the reasons for legal processing. The conditions for processing special categories of personal data are listed in a limited manner. In making these amendments, alignment with the legal processing grounds in Article 5 has been maintained. With a holistic approach, it is envisaged that both sensitive and non-sensitive personal data will be processed based on similar legal grounds. According to the new Article 6, the legal grounds for processing sensitive personal data are as follows:

1. Explicit Consent

2. Explicitly provided for by law

3. Actual impossibility

4. Publicization

5. Necessity for the establishment, exercise or protection of a right

6. Processing by persons under confidentiality obligation or authorized institutions and organizations

7. Processing for legal obligations in the field of employment, occupational health and safety, labor and social security or social services and social assistance

8. Reason for special processing regarding foundations, associations or other non-profit organizations or entities established for political, philosophical, religious or trade union purposes

2.3.3. The legal processing ground for the processing of special categories of personal data by persons under the obligation of secrecy or authorized institutions and organizations without requiring explicit consent has been preserved.

The legal basis for processing is maintained when it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management, and financing of health services by individuals bound by confidentiality obligations or by authorized institutions and organizations. Within this context, data and records maintained by the Ministry of Health, various health institutions, and the Social Security Institution for the specified purposes will be evaluated accordingly. Therefore, is it possible to process all types of special categories of personal data under this exception? In light of the provision's purpose, it is not permissible to process all special categories of personal data based on this exception; only health data may be processed.

2.3.4. Processing of sensitive personal data in case of actual impossibility is defined as a new legal ground for processing.

The processing of special categories of personal data is permitted when it is necessary to protect the life or physical integrity of an individual who is unable to provide consent due to actual impossibility or whose consent is not legally valid. This ensures alignment with Article 5. As outlined in the reasoning, special categories of personal data, such as blood type and previous medical conditions, may be processed to protect the life or physical integrity of an individual who is unable to provide consent due to unconsciousness or any other reason, within the framework of the legal basis of actual impossibility.

2.3.5. Processing of sensitive personal data made public by the data subject is defined as a new legal ground for processing.

The processing of personal data made public by the data subject, in accordance with their will, has been established as a new legal basis for processing. For instance, it will be lawful to process and use personal data, such as blood type and allergy information, that a person has shared in a publicly accessible area for emergency purposes, consistent with this intent.

In each specific case, it is essential to ascertain the intention to make the data public and to ensure that processing is limited. The principle stated in subparagraph (ç) of the second paragraph of Article 5 of the KVKK mandates that personal data must be relevant, limited, and proportionate to the purpose for which it is processed. This principle should be applied with respect to the intention behind making personal data public. In other words, this principle reinforces the concept of limited processing of personal data. It is important to note that, to process publicly available sensitive personal data, the act of making the data public must comply with legal requirements. Sensitive personal data that has become public due to an unlawful disclosure cannot be processed under this exception.

2.3.6. The necessity of data processing for the establishment, exercise or protection of a right is defined as a new legal processing reason for the processing of special categories of personal data.

The necessity of data processing for the establishment, exercise, or protection of a right is defined as a legal basis for processing special categories of personal data. This ensures compliance with Article 5 of the KVKK. The most critical legal basis for processing special categories of personal data is when it is essential for the establishment, exercise, or protection of a right. For example, it may be necessary for an employer to retain the health data of a former employee to exercise the right of defense in lawsuits that may arise after the termination of the employment contract. Similarly, to enable a disabled person to benefit from the right to purchase a vehicle exempt from special consumption tax, it will be permissible for the tax office to process the individual's disability report.

This amendment will eliminate many contradictory situations encountered in practice. For instance, before the amendment, it was considered unlawful for a doctor to submit evidence to the court in a malpractice lawsuit filed against them or to retain relevant documents and records within the statute of limitations. With the amendment, since it is now permissible to process special categories of personal data for the establishment, exercise, or protection of a right, an equitable solution is provided for such scenarios.

2.3.7. Fulfillment of legal obligations in the field of employment, occupational health and safety, labor and social security or social services and social assistance is defined as a new legal processing ground for the processing of sensitive personal data.

The processing of special categories of personal data is legally justified when it is mandatory for fulfilling obligations in employment, occupational health and safety, labor and social security, or social services and assistance. The relationship between the Turkish Code of Obligations No. 6098 and Labor Law No. 4857, which frequently causes practical issues, and the Turkish Personal Data Protection Law (KVKK) is explicitly defined. For instance, under Labor Law No. 4857, the processing of health data or data on criminal convictions to meet employers' obligations to employ disabled or convicted individuals, and the processing of health reports for the provision of transportation services to dialysis patients, fall within the scope of this new legal processing rationale.

The data controller's obligations may arise from various legislations. For example, the Road Transport Regulation mandates that vehicle drivers must not have convictions for drug offenses, weapons, human and customs smuggling, or terrorist crimes, and they must obtain a health report every five years from authorized health institutions verifying their physical and psycho-technical fitness for driving. Consequently, the criminal records and health data of drivers can be processed based on this legal ground within the scope of the employment relationship.

If evaluating an employee’s “work competence” during the establishment of the employment relationship requires data processing due to a legal obligation, such processing should be assessed under the new legal processing ground stipulated in Article 6 of the KVKK. Similarly, if it is necessary to process health data such as disability rate or psycho-technical health status due to a legal obligation, the processing of such data for prospective employees falls within the scope of the employment relationship and can be conducted based on the new legal processing ground outlined in Article 6 of the KVKK.

The amendment to Article 6 of the KVKK should be understood in conjunction with Article 419 of the Turkish Code of Obligations No. 6098, which specifies that employers may use employees' personal data only to the extent that it relates to the employees' suitability for work or is necessary for the execution of the employment contract. Therefore, considering the protected legal interests and potential risks to data subjects, the legal processing ground related to fulfilling legal obligations in employment, occupational health and safety, labor and social security, or social services and assistance should be interpreted narrowly. It is crucial to note that the legal processing ground for non-sensitive personal data is broader than for sensitive personal data under Article 5 of the KVKK. While any legal obligation can justify processing non-sensitive personal data, processing sensitive personal data requires the legal obligation to specifically arise from the fields of employment, occupational health and safety, labor and social security, or social services and assistance.

2.3.8. A new legal processing ground has been defined for members of foundations, associations or other non-profit organizations or formations established for political, philosophical, religious or trade union purposes.

The processing of personal data of current or former members, as well as individuals who are in regular contact with foundations, associations, or other non-profit organizations established for political, philosophical, religious, or trade union purposes, is regulated under a new legal processing ground. This provision allows such organizations to process certain special categories of personal data, provided that the processing complies with the applicable legislation, aligns with their purposes, is limited to their fields of activity, and is not disclosed to third parties.

Under this new legal framework, these organizations may process the special categories of personal data of their current and former members and those regularly in contact with them, in line with their foundational purposes and relevant legislation, as long as it remains within their operational scope and is not shared with third parties. For instance, this includes the processing of information regarding current and former members and individuals who regularly engage with these organizations, such as through donations.

However, a trade union may only process data related to trade union membership within the context of its activities and objectives. It cannot process personal data concerning the health, religion, or sect of its members, as such data is unrelated to its operational scope and purpose.

2.3.9. Table 1: Legal Grounds for Processing Sensitive Personal Data

| Legal Grounds for Processing | OLD REGULATION | NEW REGULATION |
| --- | --- | --- |
| Explicit Consent | Yes | Yes |
| Clearly stipulated in the laws for all special categories of personal data | No | Yes |
| Provided for by law for data other than health and sexual life | Yes | No |
| Actual impossibility | No | Yes |
| Publicization | No | Yes |
| Necessity for the establishment, exercise or protection of a right | No | Yes |
| Processing by persons under confidentiality obligation or authorized institutions and organizations | Yes | Yes |
| Processing for legal obligations in the field of employment, occupational health and safety, labor and social security or social services and social assistance | No | Yes |
| Special processing grounds for foundations, associations or other non-profit organizations or entities established for political, philosophical, religious or trade union purposes | No | Yes |

3. AMENDMENTS REGARDING THE TRANSFER OF PERSONAL DATA ABROAD (AMENDMENTS TO ARTICLE 9)

3.1. General

One of the significant updates under the KVKK amendments is the revised framework for personal data transfer. Organizations can now transfer data abroad based on an adequacy decision, binding corporate rules, or standard contractual clauses, ensuring robust legal compliance.

The former Article 9 of the KVKK governed the procedure for transferring personal data abroad. Under the current first paragraph of this Article, it is stipulated that personal data can be transferred abroad with the explicit consent of the data subject. According to the current second paragraph, in order to transfer personal data abroad without the explicit consent of the data subject, one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the KVKK must be met, and the Turkish Data Protection Board must determine that the destination country provides adequate protection (adequacy decision). However, transferring personal data to countries that do not offer adequate protection without the explicit consent of the data subject is permissible only if the data controllers in Türkiye and the relevant country provide written undertakings to ensure adequate protection and the Turkish Data Protection Board grants permission, provided that one of the data processing conditions is fulfilled.

To date, no country has issued an adequacy decision regarding Türkiye, nor has Türkiye issued an adequacy decision for any other country under the KVKK. As a result, the transfer of personal data from Türkiye to foreign countries is currently possible only with the written commitment from the data controllers in both Türkiye and the respective foreign country to ensure adequate protection, and with the authorization of the Turkish Data Protection Authority (DPA), aside from obtaining the explicit consent of the data subjects. So far, more than eighty undertaking applications have been submitted to the Board, with only a few receiving authorization. Consequently, in practice, the transfer of personal data abroad has largely depended on obtaining the explicit consent of the data subjects.

This situation has rendered the legal use of cloud-based software and applications, which are widely utilized by companies and individuals in commercial activities and have servers located abroad, nearly impossible. It has also posed a significant barrier to investments in Türkiye. In light of these observations, the GDPR, implemented by the European Union in 2018, introduced new methods for transferring data outside the EU. These methods aim to protect the rights of data subjects while addressing the needs arising from ever-evolving technology, digitalization, and the dynamism of commercial life. Consequently, Article 9 of the KVKK has been amended based on the relevant provisions of the GDPR.

3.2. Former version of Article 9

The former version of Article 9 of the KVKK is as follows:

Transfer of personal data abroad;

ARTICLE 9 – (1) Personal data shall not be transferred abroad without explicit consent of the data subject.

(2) Personal data may be transferred abroad without explicit consent of data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;

(a) Adequate protection is provided.

(b) Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Türkiye and in the relevant foreign country and authorisation of the Board.

(3) The Board determines and announces the countries with adequate protection.

(4) The Board shall decide whether there is adequate protection in the foreign country and whether such transfer is permitted under the sub-paragraph (b) of second paragraph, by evaluating the following and by receiving the opinions of relevant institutions and organizations, where necessary:

a) the international conventions to which Türkiye is a party,

b) the state of reciprocity relating to data transfer between the requesting country and Türkiye,

c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,

ç) the relevant legislation and its implementation in the country to which the personal data are to be transferred,

d) the measures committed by the data controller in the country to which the personal data are to be transferred,

(5) Without prejudice to the provisions of international agreements, in cases where the interests of Türkiye or the data subject would be seriously harmed, personal data may only be transferred abroad upon the authorisation to be given by the Board after receiving the opinions of relevant public institutions and organizations.

(6) The provisions of other laws relating to the transfer of personal data abroad are reserved.

3.3. The new version of Article 9

Article 9, which has been substantially amended by the KVKK Reform Law, reads as follows:

Transfer of personal data abroad;

ARTICLE 9- (1) Personal data may be transferred abroad by data controllers and data processors in the presence of one of the conditions specified in Articles 5 and 6 and if there is an adequacy decision on the country, sectors within the country or international organizations to which the transfer will be made.

(2) The adequacy decision shall be made by the Board and published in the Official Gazette. The Board shall take the opinion of the relevant institutions and organizations if necessary. The adequacy decision shall be evaluated every four years at the latest. As a result of the evaluation or in other cases deemed necessary, the Board may change, suspend or revoke the adequacy decision with future effect.

(3) The following issues are primarily taken into consideration when making an adequacy decision:

a) The reciprocity status regarding the transfer of personal data between Türkiye and the country, sectors within the country or international organizations to which personal data will be transferred.

b) The relevant legislation and practice of the country to which personal data will be transferred and the rules governing the international organization to which personal data will be transferred.

c) The existence of an independent and effective data protection institution in the country to which personal data will be transferred or to which the international organization is subject and the existence of administrative and judicial remedies.

ç) The status of the country or international organization to which personal data will be transferred as a party to international conventions on the protection of personal data or as a member of international organizations.

d) The membership status of the country or international organization to which personal data will be transferred to global or regional organizations of which Türkiye is a member.

e) International conventions to which Türkiye is a party.

(4) In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if one of the following appropriate assurances is provided by the parties, provided that one of the conditions specified in Articles 5 and 6 exists and the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country where the transfer will be made:

a) Existence of an agreement that is not in the nature of an international contract between public institutions and organizations or international organizations abroad and public institutions and organizations in Türkiye or professional organizations in the nature of public institutions and the Board permits the transfer.

b) Existence of binding corporate rules approved by the Board containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with.

c) Existence of a standard contract announced by the Board, containing data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data.

ç) Existence of a written undertaking containing provisions to ensure adequate protection and authorization of the transfer by the Board.

(5) The standard contract shall be notified to the Board by the data controller or data processor within five business days following its signature.

(6) Data controllers and data processors may transfer personal data abroad only in the presence of one of the following cases, provided that it is incidental, in the absence of an adequacy decision and if any of the appropriate assurances stipulated in the fourth paragraph cannot be provided:

a) The data subject gives explicit consent to the transfer, provided that he/she is informed about the possible risks.

b) The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.

c) The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.

ç) The transfer is mandatory for a superior public interest.

d) The transfer of personal data is mandatory for the establishment, exercise or protection of a right.

e) The transfer of personal data is mandatory for the protection of the life or bodily integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid, or of another person.

f) Transfer from a registry that is open to the public or persons with a legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.

(7) Subparagraphs (a), (b) and (c) of the sixth paragraph shall not apply to the activities of public institutions and organizations subject to public law.

(8) The assurances set forth in this Law shall also be provided by data controllers and data processors for subsequent transfers of personal data transferred abroad and transfers to international organizations and the provisions of this Article shall apply.

(9) Without prejudice to the provisions of international agreements, personal data may be transferred abroad in cases where the interests of Türkiye or the data subject would be seriously harmed, only with the permission of the Board by obtaining the opinion of the relevant public institution or organization.

(10) The provisions of other laws regarding the transfer of personal data abroad are reserved.

(11) The procedures and principles regarding the implementation of this Article shall be regulated by a regulation.

3.4. Amendments

The new regulation establishes a gradual and alternative data transfer regime. Under the new regulation, there are three different alternatives for the transfer of personal data abroad:

(1) Transfer based on an adequacy decision

(2) Transfer based on appropriate assurances

(3) Transfer based on incidental circumstances

3.4.1. Transfer based on an adequacy decision

The procedure for transfers based on an adequacy decision has been retained, enabling international organizations and specific sectors, rather than entire countries, to be subject to these decisions. In the former version of Article 9, it was stipulated that personal data could not be transferred abroad without the explicit consent of the data subject. The new regulation amends this by allowing data controllers and processors to transfer personal data abroad if one of the conditions specified in Articles 5 and 6 of the KVKK is met, alongside an adequacy decision concerning the country, international organization, or specific sectors within the country to which the data is being transferred. Since the transfer of personal data abroad constitutes personal data processing, it has been emphasized that the legal processing grounds outlined in Articles 5 and 6 should be relied upon for such transfers.

The new regulation maintains the fundamental principle of requiring an adequacy decision for the transfer of personal data abroad, but it expands the scope regarding adequacy. The updated regulation permits an adequacy decision to be issued individually for a country, international organization, or specific sectors within a country. In other words, unlike the existing provision, it is now possible to issue an adequacy decision for a specific sector or international organization within a foreign country instead of applying it to the entire foreign country. For instance, it is now feasible to issue an adequacy decision for the automotive sector in a foreign country with which the Turkish automotive sector maintains extensive commercial relations, rather than extending it to the entire foreign country.

In the absence of an adequacy decision, it is possible to resort to the assurances-based transfer method without explicit consent. The most significant amendment to Article 9 of the KVKK pertains to the scenario where there is no adequacy decision in place. Under the new regulation, in the absence of an adequacy decision, personal data may still be transferred abroad if appropriate assurances are provided. Consequently, if there is no adequacy decision, data controllers and processors have the option to transfer personal data abroad by furnishing one of the appropriate assurances, as long as one of the conditions specified in Articles 5 and 6 of the KVKK is met. Additionally, it is imperative that the data subject retains the opportunity to exercise their rights and seek effective legal remedies in the country of transfer.

It is crucial to underscore that there are three essential prerequisites to be met in all cases for a "transfer based on assurances":

1. One of the conditions specified in Articles 5 and 6 of the KVKK must be present.

2. The rights of the data subject must be enforceable in the country of transfer.

3. There must be provisions for effective legal remedies concerning the protection of personal data in the country of transfer.

In accordance with the new regulations, data controllers and processors are mandated to possess comprehensive information regarding the destination country, international organization, or sector to which personal data will be transferred. It is imperative to note that the new system prohibits indiscriminate data transfers abroad. Contrary to the previous emphasis on explicit consent, the new text prioritizes enhanced security measures. In essence, in the presence of one of the data processing conditions outlined in Articles 5 and 6 of the KVKK, the transfer of personal data to a country, international organization, or sectors within a country lacking an adequacy decision will be permissible. However, this is subject to the condition that the data subject retains the ability to exercise their rights and seek effective legal remedies in the destination country. This provision underscores the necessity of providing one of the "appropriate assurances," which serve as a crucial limitation in facilitating such transfers.

3.4.2. Transfer Based on Appropriate Assurances

In the absence of an adequacy decision, it is feasible to pursue the transfer method based on assurances without explicit consent. The significant amendment to Article 9 of the KVKK revolves around the absence of an adequacy decision. According to the KVKK amendment law, in the event of such absence, personal data may be transferred abroad provided there are appropriate assurances in place.

In the absence of an adequacy decision, provided that one of the conditions specified in Articles 5 and 6 of the KVKK exists, and the data subject has the opportunity to exercise their rights and seek effective legal remedies in the country of transfer, data controllers and processors are now able to transfer personal data abroad if appropriate assurances are provided by the involved parties. Under the new system, both data controllers and data processors are regarded as principal entities in the transfer of personal data abroad, thereby opening the pathway for data processors to engage in such transfers based on appropriate assurances.

It is imperative to emphasize the three prerequisites for a "transfer based on assurances" in all cases:

1. The presence of one of the conditions specified in Articles 5 and 6 of the KVKK.

2. Ensuring the capability to exercise the rights of the data subject in the destination country.

3. Providing avenues for effective legal recourse concerning the protection of personal data in the country of transfer.

These provisions are mandatory and must be adhered to, alongside other sub-conditions, as elaborated below.

In essence, if one of the data processing conditions outlined in Articles 5 and 6 of the KVKK is met, it becomes feasible to transfer personal data to a country, international organization, or sectors within a country lacking an adequacy decision. This is permissible under the condition that the data subject retains the ability to exercise their rights and seek effective legal remedies in the destination country, provided that one of the "appropriate assurances" is furnished.

3.4.2.1. The existence of an agreement that is not in the nature of an international contract between public institutions and organizations or international organizations abroad and public institutions and organizations in Türkiye or professional organizations in the nature of public institutions, and this transfer is allowed by the Turkish Data Protection Board

The initial situation wherein personal data may be transferred abroad relies on the presence of an agreement that does not constitute an international contract between public institutions or international organizations abroad and their counterparts in Türkiye, or professional organizations akin to public entities. Such transfer necessitates approval from the Turkish Data Protection Board. Furthermore, according to the rationale behind the KVKK Reform Law, the transfer of personal data essential for collaborative endeavors to a foreign public institution is feasible, contingent upon authorization from the Turkish Data Protection Board within the framework of a cooperation protocol established between a Turkish public institution and its relevant counterpart in a foreign nation.

3.4.2.2. Binding Corporate Rules

The second situation facilitating the transfer of personal data abroad is contingent upon the existence of binding corporate rules endorsed by the Turkish Data Protection Board. These rules must encompass provisions safeguarding personal data, which are obligatory for compliance by companies within a conglomerate engaged in collective economic endeavors. This transfer mechanism, commonly referred to as binding corporate rules (BCR), has received legal backing through an amendment to the KVKK Reform Law, thereby endowing administrative regulatory actions of the Turkish Data Protection Board with legal legitimacy.

Under this amendment, data transfer from a Turkish-based company within a conglomerate possessing approved binding corporate rules by the Turkish Data Protection Board to another company within the same group situated in a foreign jurisdiction can be executed without necessitating separate authorization from the Turkish Data Protection Board. However, for such a transfer based on binding corporate rules to occur, three prerequisites must be met. Additionally, the rules must contain provisions for personal data protection, be binding for all companies within the conglomerate engaged in economic activities, and be officially sanctioned by the Turkish Data Protection Board.

Should these conditions remain unmet, including the absence of binding applicability to all companies within the conglomerate, the omission of provisions pertaining to personal data protection within the rules, or lacking approval from the Turkish Data Protection Board, the transfer of personal data abroad based on assurances cannot proceed. Furthermore, in addition to the three prerequisites, a specialized transfer protocol has been established by incorporating three sub-conditions.

It should be noted that the Authority has published a public announcement on the draft documents for the Binding Corporate Rules and you can access the draft documents on our website.

3.4.2.3. Standard Contractual Clauses

The third situation enabling the transfer of personal data abroad entails the utilization of standard contracts as endorsed by the Turkish Data Protection Board. Standard contractual clauses (SCC) represent a well-established mechanism for secure data transfers within the European Union, having been practiced for numerous years. Through the execution of the standard contract delineated by the European Commission, it becomes feasible to transmit personal data overseas without necessitating separate authorization.

In accordance with the fourth paragraph of the newly amended Article 9 of the KVKK, the transfer of personal data abroad, based on assurances, is permissible provided there exists a standard contract sanctioned by the Turkish Data Protection Board. This standard contract comprehensively addresses various aspects including data categories, purposes of data transfer, recipients and recipient groups, as well as the technical and administrative measures to be implemented by the data recipient, alongside any additional safeguards pertaining to sensitive personal data.

The standard contract must encompass various critical elements, including but not limited to data categories, purposes of data transfer, recipient and recipient groups, as well as the technical and administrative measures to be implemented by the data recipient. Additionally, it should incorporate supplementary measures tailored for handling sensitive personal data. Upon negotiation between the party intending to transfer personal data from Türkiye and the recipient entity abroad—whether acting as a data controller or processor—a joint decision is reached regarding the feasibility of fulfilling the obligations mandated by the KVKK. If the overseas party can assure compliance with these obligations, guaranteeing protection for personal data akin to Türkiye, and can substantiate the existence of minimum safeguards regarding personal data within its jurisdiction, then the data transfer process may commence under this framework.

It is imperative to note that this obligation extends to subsequent transfers of personal data abroad, emphasizing the necessity for consistent assurances not only at the outset but also throughout the entirety of the data transfer process.

While the recent amendment to the KVKK aligns closely with the GDPR, there exists a notable distinction concerning the rules governing standard contracts. In the GDPR framework, standard contracts utilized for assurance-based transfers do not necessitate reporting to national data protection authorities or the European Commission. As per the principle of accountability outlined in the second paragraph of Article 5 of the GDPR, data controllers or processors can promptly execute data transfers outside the EU upon signing such standard contracts.

However, pursuant to the fifth paragraph incorporated into the new Article 9 of the KVKK, it is mandated that standard contracts be reported to the Turkish Data Protection Board by the data controller or processor within five working days of their execution. Failure to adhere to this notification requirement incurs sanctions, with subparagraph (d) appended to the first paragraph of Article 18 stipulating that administrative fines ranging from 50,000 Turkish liras to 1,000,000 Turkish liras shall be imposed on entities failing to fulfill this notification obligation.

The primary method of transferring personal data abroad within the new regime is via standard contracts. In such instances, direct transfer is permissible without the necessity of prior authorization from the Turkish Data Protection Board.

In the absence of an adequacy decision, data controllers and processors may undertake the transfer of personal data abroad through the utilization of standard contracts, provided that one of the conditions outlined in Articles 5 and 6 of the KVKK is met. Additionally, individuals affected by such transfers must be afforded the opportunity to exercise their rights and seek effective legal recourse in the destination country.

In essence, the introduction of a sub-condition alongside the three prerequisites has established a specialized transfer procedure within the framework.

It should be noted that the Authority has published a public announcement on the draft documents regarding the Standard Contracts and you can access the draft documents on our website.

3.4.2.4. Existence of Written Undertaking and Permission of the Board

The fourth situation facilitating the transfer of personal data abroad involves the presence of a written undertaking incorporating provisions for ensuring adequate protection, alongside authorization from the Turkish Data Protection Board. In cases where such a written undertaking exists, accompanied by approval from the Turkish Data Protection Board, personal data may be transferred to countries lacking an adequacy decision. This type of transfer, retained from the initial version of Article 9, maintains the existing transfer procedure.

3.4.3. Transfer Abroad in Incidental Cases

In instances where neither an adequacy decision nor the conditions for transferring personal data abroad based on appropriate assurances can be met, a novel method of transfer termed "incidental transfer" has been introduced. This represents a specialized and newly defined rationale for transfer, addressing scenarios where traditional adequacy decisions or appropriate safeguards outlined in the fourth paragraph of Article 9 of the KVKK are unattainable.

The incidental transfer method permits the transfer of data abroad in exceptional cases where the transfer is incidental, meaning it occurs sporadically and without continuity. For example, sharing information concerning employees who will engage with a foreign company as part of a commercial activity pursued by a Turkish company would fall within this scope. Notably, incidental transfer does not necessarily denote a one-time transfer; rather, it signifies that regular and systematic data transfers are not conducted. Each transfer scenario must be assessed individually to determine compliance with this principle.

3.4.3.1. Transfer of Personal Data Abroad Based on Explicit Consent

The first circumstance allowing for the incidental transfer of personal data abroad occurs when the data subject provides explicit consent for the transfer, provided they are duly informed about potential risks. Explicit consent, previously addressed in the initial version of Article 9, has undergone reformulation, resulting in a narrowed scope. This alteration stands as one of the pivotal changes within the KVKK.

The recent amendments to the KVKK demonstrate a commitment to aligning with the GDPR. Under the previous regime, explicit consent served as a broad legal basis for action, irrespective of whether the transfer was incidental. However, the revised amendments restrict the use of transfer procedures solely based on explicit consent.

Regarding the transition process concerning explicit consents obtained for transfers abroad prior to the law's amendment, the Legislature has introduced a specific transition mechanism to address these concerns. Temporary Article 3 appended to the KVKK stipulates that the first paragraph of Article 9, as amended by the law instituting this provision, shall remain applicable until September 1, 2024, alongside the amended version. Consequently, data transfers abroad can continue for an additional three months following the enactment of the law's amendment, based on explicit consent obtained either before or after its enactment.

3.4.3.2. Being mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject

The second circumstance permitting the incidental transfer of personal data abroad arises when such transfer is deemed mandatory for the execution of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures at the data subject's request. To qualify for transfer based on this exception, it is essential that the transfer is both incidental and obligatory. For instance, consider a scenario where a travel agency has pre-booked accommodations for a client at a hotel located in a third country. In this case, an incidental relationship is established with the hotel in the respective country.

3.4.3.3. Being mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject

The third circumstance permitting the incidental transfer of personal data abroad occurs when such transfer is imperative for the establishment or execution of a contract between the data controller and another natural or legal entity, for the benefit of the data subject. To warrant transfer under this rationale, the data subject must not be a party to the contract, and the said contract must serve the interests of the data subject.

For instance, activities such as a data subject benefiting from an international bank transfer initiated by a third party, or a travel agency conveying flight details to an airline company, fall within this purview. Additionally, incomplete or finalized contracts benefiting a third party should be assessed under this framework, contingent upon the specifics of the individual case.

3.4.3.4. Transfer of personal data being mandatory for a superior public interest

The fourth circumstance permitting the incidental transfer of personal data abroad arises when such transfer is deemed mandatory for a paramount public interest. This may manifest within the context of a transfer based on an international treaty aimed at enhancing global cooperation. Additionally, incidental data transfers required for humanitarian aid, exchanges in the public interest among competition authorities, tax authorities, or social security institutions, as well as transfers for disease monitoring or doping prevention in sports, exemplify instances warranting such transfers. It is imperative to underscore that this constitutes an incidental basis for transfer, thereby precluding large-scale or systematic data transfers under this provision.

3.4.3.5. Being mandatory for the establishment, exercise or protection of a right

The fifth circumstance permitting the incidental transfer of personal data abroad arises when such transfer is essential for the establishment, exercise, or safeguarding of a right. This encompasses the assertion and utilization of any right stemming from contractual, legal, or administrative arrangements. Notably, the source of this right—be it a court ruling, an alternative dispute resolution decision, or an arbitration award—is inconsequential. For instance, this exception may be invoked in scenarios where the parent company of a multinational corporation, headquartered in a third country, faces litigation initiated by an employee temporarily stationed at one of its subsidiary entities. In such cases, data transfer is necessitated for evidentiary purposes. It is crucial to emphasize that this provision serves as a ground for incidental transfers, thus precluding large-scale or routine data transfers under its purview.

3.4.3.6. Transfer of personal data abroad in cases of actual impossibility

The sixth circumstance permitting the incidental transfer of personal data abroad arises when such transfer is imperative for safeguarding the life or physical well-being of an individual, or another individual who is unable to provide consent due to actual impossibility or legal incapacity. This provision may be invoked in situations where urgent medical treatment necessitates the transfer of a patient's medical data to a third country. It is crucial to note that this ground for incidental transfer is contingent upon the presence of a significant threat to life and physical well-being. Therefore, it cannot be relied upon for the general transfer of health data.

3.4.3.7. Transfer of personal data from open registers to abroad upon the request of the person with legitimate interest

The seventh circumstance allowing for the incidental transfer of personal data abroad pertains to transfers from publicly accessible registries or those accessible to individuals with legitimate interests. This provision permits the transfer of data from such registries to a third country upon the request of a person with legitimate interest, provided that the conditions for accessing the registry, as stipulated in relevant legislation, are met. Examples of such registries include trade registers, professional association registers, criminal conviction registers, land registers, or vehicle registers.

It is important to note that this exception does not serve as a basis for the wholesale transfer of entire registries or all categories of data contained therein. Additionally, the request for transfer must originate from the data subject, and the data subjects themselves must be the recipients of this request.

Consequently, while the new regulation outlines a three-tiered data transfer procedure, it is apparent from the structure of the law that the existence of these conditions should be evaluated sequentially.



4. AMENDMENTS ON MISDEMEANORS (ARTICLE 18 AMENDMENTS)

A new framework for the transfer of personal data abroad has been established under the recent amendments to the KVKK (Personal Data Protection Law). In our view, the type of transfer abroad that will be most commonly utilized under this new regime is the transfer based on standard contracts. Consequently, a specific notification obligation has been introduced for such standard contracts.

According to the newly added paragraph 5 of Article 9 of the KVKK, the data controller or data processor must notify the Turkish Data Protection Authority of the standard contract within five business days following its execution. This notification obligation for standard contracts is subject to sanctions. Subparagraph (d) added to the first paragraph of Article 18 stipulates that failure to fulfill the five business day notification requirement will result in an administrative fine ranging from 50,000 to 1,000,000 Turkish Liras.

In addition to data controllers, data processors are also recognized as key participants in the process of transferring personal data abroad. Consequently, both data controllers and data processors may transfer personal data internationally based on various legal grounds. However, identifying data processors as subjects in this process introduces additional responsibilities. Under the KVKK, the primary subjects of obligations and administrative fines are traditionally data controllers. Article 18, titled "Misdemeanors," stipulates that administrative fines are imposed on natural persons and private legal entities acting as data controllers. Significantly, recent amendments to the KVKK have introduced an important exception to this provision. The amendment to Article 18 now states that administrative fines specified in subparagraphs (a), (b), (c), and (ç) of the first paragraph are to be imposed on data controllers, while administrative fines specified in subparagraph (d) are to be imposed on either data controllers or data processors, including natural persons and private legal entities.

According to the agreement between the data controller and the data processor, the responsibility to notify the standard contract may be assigned to one party. However, failure by one party to fulfill this contractual obligation does not absolve them of legal liability.

As a result, for the first time in the KVKK, an administrative fine has been defined for a special case regarding the transfer of data abroad. With this new misdemeanor, the Personal Data Protection Board will impose an administrative fine from 50,000 Turkish Liras to 1,000,000 Turkish Liras on data controllers or data processors if standard contracts are not notified to the Turkish Data Protection Authority within 5 business days. The principle has also been introduced that data processors, as well as data controllers, will be addressees of the administrative fine for failing to notify standard contracts.

5. AMENDMENTS REGARDING THE JUDICIAL REMEDY

Another significant amendment in the KVKK Reform concerns the judicial remedies available against decisions made by the Turkish Data Protection Board. With the addition of the third paragraph to Article 18 of the KVKK, a new provision has been introduced: "Administrative fines imposed by the Board may be challenged before administrative courts." This change ensures that decisions involving administrative fines are reviewed by administrative judicial authorities, aligning with the nature of these fines.

Previously, the review process for decisions by the Turkish Data Protection Board was bifurcated. Administrative fines imposed by the Board could be appealed to the criminal courts of peace, while other administrative decisions could be appealed to the administrative courts. The amendments have streamlined this process, creating a more effective procedure for reviewing the Board's decisions. This enhancement promotes legal certainty and uniformity, establishing a more secure system for individuals.

6. IMPLEMENTATION AND TRANSITION PROCESS

The text of the amendment provides for the above-mentioned provisions to enter into force on June 1, 2024, and the reform law contains two different transitional provisions.

6.1. Explicit Consent Transition Provision for Transfers Abroad

Pursuant to the first paragraph of Provisional Article 3 of the KVKK, the first paragraph of Article 9 of the KVKK as it stood before being amended by the KVKK Reform Law will continue to be applied, together with the amended version of the article, from the date the amendment of Article 9 enters into force until September 1, 2024.

As explained in Chapter Three, taking into account the problems that may occur during the transition period after the amendment enters into force, it is envisaged that the first paragraph of the existing Article 9 of the KVKK, which states that "Personal data cannot be transferred abroad without the explicit consent of the data subject", will be applied for another three months. During this transition period, data controllers and data processors will be able to transfer personal data abroad based on general explicit consent, or they will be able to transfer personal data abroad by using the instruments in the new amended provision.

As of September 1, 2024, explicit consent to transfer personal data abroad will be applied only in incidental cases and provided that the data subjects are informed about the possible risks.

6.2. Transition Process Regarding Pending Cases

Another transitional provision relates to pending lawsuits. As explained in Chapter 5, one of the most important benefits of the amendments to the KVKK is the rule introducing a single judicial remedy provision, which stipulates that administrative fines imposed by the Turkish Data Protection Board can be challenged before administrative courts.

A special transitional provision has been introduced in order to provide legal certainty for pending cases during the transition period. Pursuant to the second paragraph of Provisional Article 3, "The applications pending before the criminal courts of peace as of 1/6/2024 shall continue to be heard by these courts." This provision clarifies the application of the third paragraph of Article 18 of the KVKK in terms of time. As explained in the preamble, since lawsuits against administrative fines imposed by the Turkish Data Protection Board are now to be filed before administrative courts instead of criminal courts of peace, a special transitional arrangement has been made, and accordingly the files before the criminal courts of peace as of 1 June 2024 will be finalized by these courts.

7. SUMMARY AND CONCLUSION

7.1. SUMMARY

The amendments to the KVKK can be summarized as follows:

  1. The conditions for processing special categories of personal data have been expanded.
  2. A new and alternative regime has been established for the transfer of personal data abroad.
  3. Explicit consent is no longer a general reason for transferring personal data abroad; it has been made exceptional. A special transition period is envisaged for transfers based on explicit consent.
  4. The principle that data processors are liable for administrative fines together with data controllers for the transfer of personal data abroad has been accepted.
  5. A single judicial remedy - the administrative judicial remedy - has been determined against all the actions of the Turkish Data Protection Board.
  6. A new misdemeanor has been introduced regarding the transfer of personal data abroad (failure to notify the Turkish Data Protection Board of standard contracts within 5 business days).

Amendments Regarding Sensitive Personal Data (Article 6)

  1. The definition of sensitive personal data has been preserved.
  2. The emphasis that the processing of sensitive personal data is prohibited is preserved.
  3. The grounds for legal processing have been expanded.
  4. The legal processing ground of explicit consent has been preserved.
  5. The word "explicitly" has been added to the phrase "prescribed by law".
  6. The legal grounds for processing of special categories of personal data by persons under the obligation of secrecy or authorized institutions and organizations without requiring explicit consent have been preserved.
  7. Processing of sensitive personal data in case of actual impossibility has been defined as a new legal processing ground.
  8. Processing of sensitive personal data which is publicized is defined as a new legal processing ground.
  9. The necessity of data processing for the establishment, exercise or protection of a right is defined as a new legal processing ground for the processing of sensitive personal data.
  10. Fulfillment of legal obligations in the field of employment, occupational health and safety, labor and social security or social services and social assistance is defined as a new legal processing ground for the processing of sensitive personal data.
  11. A new legal processing ground has been defined for members of foundations, associations or other non-profit organizations or formations established for political, philosophical, religious or trade union purposes.
  12. The provision that adequate measures determined by the Turkish Data Protection Board must be taken in the processing of special categories of personal data has been preserved.

Amendments Regarding the Transfer of Personal Data Abroad (Article 9)

  1. Transfer based on an adequacy decision is preserved, and in addition to countries, international organizations and sectors may now be the subject of an adequacy decision.
  2. In addition to data controllers, data processors are listed as the main subjects of the process of transferring personal data abroad.
  3. The principles regarding the adequacy decision have been preserved.
  4. A rule has been introduced regarding the evaluation of the adequacy decision every four years at the latest.
  5. The issues to be taken into consideration when making an adequacy decision have been revised.
  6. In the absence of an adequacy decision, the possibility to resort to the assurances-based transfer method without explicit consent has been introduced.
  7. The possibility of transferring personal data abroad based on assurances has been introduced in the event that the prerequisites are met and there is an agreement that is not an international agreement between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations in the nature of public institutions in Türkiye and the Turkish Data Protection Board permits this transfer.
  8. Binding Company Rules have been given a legal basis.
  9. In case the prerequisites are met and standard contracts are used, the possibility of transferring personal data abroad based on assurances has been introduced.
  10. The procedure of submitting a written commitment to the Turkish Data Protection Board has been preserved.
  11. The incidental transfer method, where personal data may be transferred abroad in cases where there is no adequacy decision and one of the appropriate assurances cannot be provided, has been defined for the first time.
  12. The transfer of personal data abroad based on explicit consent has been limited to incidental cases and the element of informing about possible risks has been added to explicit consent.
  13. Provided that it is incidental, the possibility of transferring personal data abroad has been introduced in the event of the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken upon the request of the data subject.
  14. Provided that it is incidental, personal data may be transferred abroad if it is necessary for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
  15. Provided that it is incidental, the possibility of transferring personal data abroad has been introduced in cases where it is mandatory for a superior public interest.
  16. Provided that it is incidental, the possibility of transferring personal data abroad has been introduced in cases where it is mandatory for the establishment, exercise or protection of a right.
  17. Provided that it is incidental, the possibility of transferring personal data abroad in cases of actual impossibility has been introduced.
  18. Provided that it is incidental, the possibility of transferring personal data abroad from open registers upon the request of a person with a legitimate interest has been introduced.
  19. In the transfer for incidental reasons, a special restriction has been introduced for public institutions and organizations to transfer personal data abroad in their activities subject to public law.
  20. A special obligation has been imposed on data controllers and data processors for subsequent transfers of personal data abroad.
  21. The provision that personal data may be transferred abroad with the permission of the Turkish Data Protection Board in cases where the interests of Türkiye or the data subject would be seriously harmed has been preserved.
  22. The provision that the provisions of other laws regarding the transfer of personal data abroad are reserved has been preserved.
  23. The Turkish Data Protection Board has been authorized to determine the procedures and principles regarding the transfer of personal data abroad.

Amendments on Misdemeanors

  1. A new misdemeanor has been introduced: the Turkish Data Protection Board will impose an administrative fine from 50.000 Turkish Liras to 1.000.000.000 Turkish Liras if standard contracts are not notified within 5 business days.
  2. In addition to data controllers, data processors are also subject to administrative fines.

Amendments Regarding Judicial Review of PDP Board Decisions

  1. Taking into account the nature of the administrative fines imposed by the Turkish Data Protection Board, these decisions are now subject to review by administrative judicial authorities.
  2. A provisional article has been introduced to provide legal certainty for pending cases during the transition period. It has been decided that the applications pending before the criminal courts of peace as of the date of entry into force of the provisions of the amendment to the KVKK will continue to be heard by these courts.

Amendments Regarding Effectiveness and Transition Period

  1. The KVKK Reform Law is envisaged to enter into force on June 1, 2024.
  2. It is allowed to continue to transfer personal data abroad based on explicit consent until September 1, 2024.

7.2. CONCLUSION

Upon the imminent enforcement of the KVKK amendments, it is imperative for organizations to diligently reassess their internal processes. Adherence to the updated legal framework is paramount to ensure compliance with the evolving regulatory landscape. Data processing activities must be meticulously scrutinized and adapted in accordance with the newly introduced provisions.

Furthermore, in light of the recent amendments to the Criminal Procedure Law and Certain Laws under Law No. 7499, particularly concerning the Transfer of Personal Data Abroad, it is essential to anticipate forthcoming regulatory guidelines. The forthcoming Regulation is expected to delineate the procedural intricacies and operational modalities concerning the application of these statutory modifications.

In anticipation of the regulatory guidance, stakeholders are advised to remain vigilant and proactive. Clarifications elucidating the scope and procedural nuances are anticipated to be disseminated either through a forthcoming Communiqué issued by the relevant regulatory authority or through official publication in the Official Gazette. Such elucidations will serve to furnish organizations with clear directives, facilitating seamless compliance and operational alignment with the statutory amendments.

As organizations navigate the intricacies of compliance, it is incumbent upon them to remain abreast of regulatory developments and to foster a culture of robust data governance. Embracing a proactive approach to compliance not only mitigates legal risks but also instills trust and confidence among stakeholders. In essence, by aligning with regulatory imperatives and best practices, organizations can fortify their resilience and reputation in an increasingly data-centric landscape.

To maintain legal compliance with the Turkish data protection law, businesses must understand and implement these changes. The amendments provide a clearer path for managing data protection and personal data transfer while mitigating legal risks.

Conclusion

These amendments to the KVKK represent a significant step towards aligning Türkiye's data protection framework with international standards. Organizations must stay informed and adapt to these changes to ensure robust data protection and avoid substantial fines.

For more detailed information on how these amendments may affect your business, contact us at Boss Yönetişim Hizmetleri A.Ş.
