Amendments to Law Numbered 6698 on the Protection of Personal Data

3/12/2024

All News
  • Home Page
  • |
  • News
  • |
  • Amendments to Law Numbered 6698 on the Protection of Personal Data
Law Numbered 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws introduced long-awaited amendments to the Law Numbered 6698 on the Protection of Personal Data ("KVKK"). Law Numbered 7499 was published in the Official Gazette dated March 12, 2024 and numbered 32487. The provisions amending the KVKK will enter into force as of June 1, 2024.

Key Changes Introduced by the Amendments

The amendments made to Articles 6, 9 and 18 of the KVKK bring important innovations, especially in terms of data transfer abroad and the conditions for the processing of special categories of personal data. This amendment, forming part of the long-awaited reform of the KVKK, is considered a significant step toward aligning Turkey's personal data protection legislation with the General Data Protection Regulation (GDPR) implemented in the European Union.

Newly introduced data processing conditions for the processing of special categories of personal data The amendments have abolished the distinction between data relating to health and sexual life and other special categories of personal data. Additionally, the grounds of lawfulness foreseen for processing conditions have been expanded.

Accordingly, processing of special categories of personal data is possible when:

  • There is explicit consent of the person concerned.
  • It is explicitly stipulated in the law.
  • It is mandatory for the protection of the life or physical integrity of the person (or another person) who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
  • It is related to the personal data made public by the data subject and in accordance with the will of the data subject to make it public,
  • It is mandatory for the establishment, exercise or protection of a right.
  • It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, as well as planning, management and financing of health services by persons under the obligation to keep information in secrecy or by authorized institutions and organizations.
  • Mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance.
  • It is aimed at current or former members and members of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organizations and formations, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties..


Processing of health data in the employee-employer relationship
It is essential to evaluate how the newly introduced data processing conditions will address the challenges encountered while Article 6 of the KVKK was in force, particularly concerning the processing of health data solely by the employer, either based on explicit consent or through the workplace physician.

  • The new data processing conditions to be considered in employment relationships are as follows:
    • Data processing is mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance.
    • Explicit stipulations in the law mandate such processing.
  • What needs to be done: Data controllers should identify their legal obligations in the areas of occupational health and safety, social security, social services and social assistance, as well as the purposes of data processing explicitly stipulated by law. Additionally, a review of previously conducted health data processing procedures based on explicit consent is necessary. Failure to do so may lead to scrutiny by the Personal Data Protection Board (“Board”), potentially resulting in the determination that "seeking explicit consent in the presence of other personal data processing conditions could mislead the data subject and, consequently, be deemed an abuse of right by the data controller."

New Era in the Transfer of Personal Data Abroad

The approach that prioritizes explicit consent in the transfer of personal data abroad has been abandoned, and with the amendment, the requirements indicated below are sought for transfers to be carried out by both data controllers and data processors in the transfer of personal data abroad. Therefore, new transfer mechanisms will also need to be evaluated in this context.

Newly introduced data transfer methods abroad:
  1. The Board's adequacy decision on the country to which the transfer will be made.
  2. In the absence of an adequacy decision, but provided that the person concerned is also able to exercise his or her rights and have effective remedies in the country of transfer, one of the following conditions:
    1. The existence of an agreement, that is not qualified as an international agreement, between public institutions and organizations abroad or international organizations, and public institutions and organizations or professional organizations with public entity status in Turkey, and the permission granted by the Board for such transfer.
    2. The existence of binding corporate rules approved by the Board,
    3. The existence of a standard contract declared by the Board and notification made to the Personal Data Protection Authority ("Authority") within 5 (five) business days regarding the conclusion of the standard contract (administrative fines from 50,000 Turkish Lira to 1,000,000 Turkish Lira may be imposed for failure to make a notification), or
    4. The existence of a written undertaking containing provisions ensuring adequate protection and the permission granted by the Board for such transfer.


Some exceptions are provided for one-off, incidental data transfers. However, it should be noted that these exceptions shall not apply to continuous data transfers.

Another important point is that the data transfer rules will also apply to onward transfers.

It is indicated that the procedures and principles regarding the data transfer abroad will be further regulated separately by a regulation to be issued.

• What needs to be done: It is important to note that the amendments to the KVKK will come into effect on June 1, 2024. Until September 1, 2024, data transfer activities abroad based on explicit consent will need to be revised to align with the new regulations. During this transition period, data controllers may continue to transfer data abroad based on explicit consent.

In this context, before September 1, 2024, the following steps should be taken:
  • Identify the transfers abroad.
  • Control if there is an adequacy decision for the country and/or sector to which the transfer is intended.
  • Determine the purposes of transfer and the nature of the recipient as data controller/data processor.
  • Consider negotiating the signing of a standard contract, binding corporate rules, or a letter of undertaking with the other party. In this regard:
    • If a standard contract is executed, notification to the Authority must be provided within five business days.
    • Implementing Board-approved binding corporate rules may be advisable for groups of undertakings engaged in joint economic activity.
    • Signing a letter of undertaking containing provisions to ensure adequate protection and submitting it to the Board for authorization could be a viable option.


Appeal Against Board Decisions

Prior to the amendments, appeals against administrative fines imposed by the Board could be filed with criminal courts of peace. With the amendments, it is now possible to file a lawsuit before the administrative courts against administrative fines imposed by the Board.

Final Remarks and Next Steps

The amendments aim to harmonize the rules governing cross-border data transfers with the GDPR, a long-awaited goal that has been highlighted in various government action plans and programs, including the Human Rights Action Plan, the Economic Reforms Action Plan and the 2024-2026 Medium Term Program. These amendments will pave the way for clarifying the gray areas surrounding cross-border data transfers in Turkey and increasing the ability to comply with personal data protection legislation.

The regulation to be issued in order to regulate the data transfer process abroad in detail and to clearly set out the procedures will also be enlightening for data controllers and data processors and will accelerate the compliance process. It is expected that the Board will announce standard contracts suitable for different types of transfers: from data controller to data controller, from data controller to data processor and from data processor to data processor.
Other News
4/16/2024
Export Restrictions Have Been Imposed on Israel
The Ministry of Trade announced that export restrictions had been imposed on fifty-four product groups exported from Turkey to Israel, effective from April 9, 2024.
News| Legal Updates
4/5/2024
The Constitutional Court Decides on Effective Criminal Investigation for Unlawful Seizure of Personal Data.
In the Official Gazette of 22 March 2024, number 32497, was published the decision of the Constitutional Court of 13 February 2024, number 2020/36976, regarding the claim that the right to request the protection of personal data had been violated due to the lack of an effective criminal investigation into the complaint that personal data had been unlawfully obtained.
News| Legal Updates
3/20/2024
2023 Corporate Tax Reservation and Litigation Matters
In our 2023 Corporate Tax Reservation and Litigation note; we have examined the issues of "application of reduced corporate tax rate to earnings from services provided to foreigners in Türkiye (accommodation, health, etc.)" and "excess profit declared due to not subjecting the assets sold in 2023 to inflation adjustment".
News| Legal Updates
2/29/2024
Exceptions to Foreign Currency Payment Prohibition in Movable Sales Agreements Have Been Introduced
Communiqué (No: 2024-32/69) ("Communiqué") amending the Communiqué (Communiqué No: 2008-32/34) on Decree No: 32 on the Protection of the Value of the Turkish Currency was published in the Official Gazette dated February 28, 2024 and numbered 32474. The Communiqué introduced some exceptions to the prohibition of payment in foreign currency in certain agreements.
News| Legal Updates
1/23/2024
Strategic Shift: Administrative Cancellation of Trademarks
As of 10.01.2024, the authority to cancel trademarks, which was temporarily given to the courts by Article 26 of the Industrial Property Law No. 6769 ("IPL"), which entered into force on 10.01.2017, has been given to the Turkish Patent and Trademark Office ("TPTO"), whose founding purpose is to contribute to the effective protection and commercialization of industrial property rights by increasing industrial property awareness in all segments of society.
News| Legal Updates
1/18/2024
Amendments to the Principles and Rules to be Applied in Retail Trade
The "Regulation Amending the Regulation on Principles and Rules to be Applied in Retail Trade" ("Regulation"), which has been subject to a long period of study by the Ministry of Trade, was published in the Official Gazette dated December 14, 2023 and numbered 32399.
News| Legal Updates
12/28/2023
Significant Amendments to the Price Label Regulation
With the amendment published in the Official Gazette on December 19, 2023, effective as of 01.01.2024, the Regulation Amending the Price Labeling Regulation ("Regulation") introduced the obligation for establishments providing food and beverage services such as restaurants, cafes, patisseries, etc. to display tariffs and price lists in places where consumers can easily see them. The primary objective of the Regulation is to ensure that consumers are informed in a correct and transparent manner.
News| Legal Updates
12/13/2023
Amendments Introduced to Reduce Losses as a Result of the Earthquake
With the Law No. 7471 on the Amendment of the Law to the Transformation of Areas under Disaster Risk and Certain Laws and the Decree Law No. 375 (the “Law”), which was published in the Official Gazette on November 9, 2023, a number of significant amendments were made in urban transformation practices.
News| Legal Updates
11/15/2023
The Constitutional Court Upholds Amendments to the E-Commerce Law
The decision on the annulment case filed in the Constitutional Court (“CC”) regarding the Law No. 7416, which made substantial amendments to the Law No. 6563 ("E-Commerce Law") and entered into force on 07.07.2022, has been published in the Official Gazette No. 32317 dated 22.09.2023. The CC uphold the amendments related to the provisions of the E-Commerce Law and rejected the request for annulment by a majority vote.
News| Legal Updates
11/7/2023
The Law Introduced for Short-Term Leases
The Law on the Leasing of Residences for Tourism Purposes and Amendments to Certain Laws ("Law") published in the Official Gazette dated 02.11.2023 sets forth significant obligations for lessors, intermediaries, and intermediary service providers enabling the electronic commerce platforms promoting short-term residence leases. This legislation mandates that residences leased for periods less than 100 days must be registered with the Ministry of Culture and Tourism ("Ministry") and non-compliance with the obligations thereto will result in administrative penalties. Further, lessors are required to obtain an authorization document from the Ministry and a plaque indicating the qualification of the residence. Non-adherence to these requirements will cause to incurrence of administrative fines. The Law will come into effect on 01.01.2024.
News| Legal Updates
10/28/2023
Matters To Be Considered For Roofed Workplace Leases
In accordance with the Turkish Code of Obligations No. 6098 ("TCO"), lease relations are categorised under three main headings: (i) general provisions, (ii) residential and roofed workplace leases, and (iii) product leases. Properties to be leased as offices, warehouses, etc. for the purpose of conducting commercial activities will be subject to the provisions of "Residential and Roofed Workplace Leases".
News| Legal Updates
9/20/2023
Sale of Real Estate Before Notary Public Has Begun
The amendment made to the Notary Public Law numbered 1512 regulated that, real estate sale agreements, which could previously only be executed before the land registry offices, could now be executed at the offices of the notary public, as of 2023. With the public announcement made by the Union of Notaries of Turkey, the sale of real estate in the offices of the notary public has begun as of July 3rd, 2023, and actively implemented as of September.
News| Legal Updates
Expertise
Sectors
Insights & News
Insights
Covid-19 Legal Guide
Corporate
Contact Us
Subscribe to our Newsletters
All Rights Reserved. © 2020