Amendments to the Law on the Protection of Personal Data ("Law") entered into force as of June 1, 2024. Please review our detailed article here about the amendments to the Law.
The main actions to be taken by data controllers within the framework of the amendments are briefly as follows:
1. Providing Appropriate Safeguards for Transfers Abroad
Except for cross-border transfers that are irregular, occur on one or a few occasions, are not continuous and are not in the ordinary course of business of the relevant data controller, data controllers and processors must provide one of the following appropriate safeguards for all cross-border transfers by September 1, 2024:
- Binding Corporate Rules: Data controllers that are part of a multinational group of organizations may prepare binding corporate rules regarding intercompany data transfers in accordance with the guidelines on binding corporate rules to be published by the Personal Data Protection Authority ("Authority") and submit them to the Personal Data Protection Board ("Board") for approval. Within the framework of the binding corporate rules approved by the Board, data may be transferred to the parent company and its affiliates located abroad.
- Undertaking: Data exporter and importer may prepare a written undertaking providing adequate protection for personal data in accordance with the Law and the secondary regulations of the Authority, and apply for the permission of the Board. In the existence of a permission by the Board, data may be transferred to the parties of such undertaking(s).
- Standard Contracts: In the absence of the aforementioned approvals and permissions, it is also possible to sign standard contracts that will be announced by the Board. The standard contracts to be announced by the Board must be executed without making any amendments and the standard contracts to be executed must be notified to the Board (with the documents showing the signatures powers of signatories to sign such contracts and notarized Turkish translations of such documents) within 5 business days from the date of execution. The drafts of standard contracts have been published by the Board and the final versions of the contracts are also expected to be announced soon. In order to implement the standard contracts, the final versions shall be waited. On the other hand, as a preliminary preparation when waiting for the final versions, it is extremely important for data controllers which wish to continue their transfers abroad by providing this assurance to map their transfers abroad. These contracts should include the parties, the activities of the data exporter and data importer regarding personal data to be transferred, the relevant groups of data subjects, the scope of the transferred personal data, the legal grounds for the transfers, the frequency of the transfers, the nature of the processing activity, the purposes of the transfer and subsequent processing activities, the retention periods, the recipient groups and the data transferor's Data Controllers' Registry information (if available).
At least one of the above safeguards should also be provided for the subsequent cross-border transfers of personal data.
2. Update of Privacy Notices
New regulations have been made regarding processing of sensitive personal data and new legal grounds have been determined. All data controllers, which are obliged to specify the legal grounds for collecting data in their privacy notices, should update their privacy notices by considering the purposes for collecting such sensitive personal data. For example, employers which collect and process the health data of their employees within the scope of occupational health and safety obligations will no longer need to obtain explicit consent on the grounds that 'such processing is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social aid'. Privacy notices indicating such data based on consent rather than this new legal ground will be misleading.
Similarly, data controllers which provide one of the above-mentioned safeguards for transfers abroad will need to update their privacy notices for transfers covered by the safeguards.
3. Registration of Data Controllers Located outside Turkey
As it is known, all data controllers located abroad which process personal data of natural persons resident in Turkey are required to appoint a representative in Turkey and register their data processing inventories with the Data Controllers Registry. Although there is no change in the Law in this regard, we recommend that foreign data controllers not registered yet complete this process as soon as possible. Otherwise, there is a risk of administrative fines for such data controllers, which may be triggered by notification of standard contracts to the Authority for transfers to those.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.