Amendments to the Turkish Data Protection Law

1440020a.jpg

1440020b.jpg

Effective Date

Amendments

The amendments to the Law on the Protection of Personal Data ("LPPD") will enter into force on June 1, 2024.

Our Comments and Potential Effects

Within the scope of the amendments, new mechanisms are stipulated, especially for cross-border transfers. In order for these mechanisms to be implemented, the Personal Data Protection Authority ("Authority") is expected to publish the standard contractual clauses and provide guidance and actions to clarify how these mechanisms will work together with the existing transfer mechanisms.

Processing of Sensitive Personal Data

Amendments

The amendments introduce new and alternative legal grounds for the processing of sensitive personal data under the LPPD.

Accordingly, the processing of sensitive personal data will only be allowed if one of the following legal grounds is relied upon:

i. The explicit consent of the data subject;

ii. It is expressly stipulated by law

Example: Processing of data on criminal convictions in accordance with the Law No. 5352 on Judicial Records; collection of people's fingerprints in accordance with Article 5 of the Law No. 2559 on Police Duties and Powers

iii. Processing is necessary to protect the life or physical integrity of the data subject or of another natural person where the data subject cannot disclose their consent due to actual impossibility or whose consent is not legally valid;

Example: Processing of sensitive personal data such as blood type and previous illnesses for the purpose of protecting the life or bodily integrity of a person who is unable to disclose their consent due to loss of consciousness for any reason

iv. Processing of personal data made public by the data subject in accordance with the intention of the data subject;

Example: Processing and use of personal data such as blood type and allergy information that a person has shared in a publicly accessible environment for use in emergencies, provided that the processing is in accordance with such purpose

v. Processing is mandatory for the establishment, exercise or protection of a right;

Example: Ongoing retention by employers of the health data of their former employees in order to exercise their defence rights in lawsuits that may be filed after the termination of the employment contract; processing of a disabled person's disability report by the tax office in order for a disabled person to benefit from the right to purchase a vehicle by being exempt from special consumption tax

vi. For the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health services, processing by persons or authorized institutions and organizations under the obligation of confidentiality;

Example: Data and records kept by the Ministry of Health and all kinds of health institutions and the Social Security Institution for the purposes set out in this subparagraph

vii. Processing is mandatory for the fulfilment of legal obligations in the field of employment, occupational health and safety, labour and social security or social services and social assistance

Example: Processing of individuals' health data or criminal conviction data by employers in order to fulfil the obligation to employ disabled or convicted persons as per the Labour Law No. 4857; processing of the person's health report in order to fulfil the transportation service to health institutions provided to dialysis patients

viii.Processing of personal data of current or former members of foundations, associations or other non-profit organizations established for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organizations and formations under certain conditions.

Example: Processing of information about current members of such organizations and entities, as well as former members and persons who are in regular contact with them by making donations; processing by a trade union of data relating to its field of activity and purpose only on trade union membership (however, personal data relating to the health or religion of trade union members cannot be processed as it is not related to its field of activity and purpose)

Our Comments and Potential Effects

The categories for sensitive personal data have been retained as is under Article 6 of the LPPD. However, obtaining explicit consent is no longer appears as the main rule and explicit consent is now listed as an option among other legal grounds for processing of sensitive personal data.

The amendments eliminate the binary distinction between the exceptions for sensitive personal data relating to health and sexual life and other sensitive personal data. In this respect, it is possible to say that the regulation is in line with Article 9 of the European General Data Protection Regulation ("GDPR").

Accordingly, it is now possible for data controllers to process sensitive personal data based on new mechanisms without obtaining explicit consent, especially for employment and occupational health and safety processes. Therefore, explicit consent may not be required in all cases for the processing of sensitive personal data of employees and that employee privacy notices may need to be revised accordingly in the future.

However, unlike the GDPR, the requirement of "expressly provided by law", which is stipulated in the previous version of the LPPD, is also preserved.

Nevertheless, unlike the amendments, the GDPR also includes "public interest" and "processing of sensitive personal data for archiving, scientific or historical research and statistical purposes within the scope of public interest" as processing grounds. Although such legal grounds are not specifically listed under Article 6 among the options in the LPPD, please note that the anonymous processing of personal data for research, planning and statistical purposes is subject to a general exception pursuant to Article 28 of the LPPD.

In the amendments, the requirement to take adequate measures determined by the Personal Data Protection Board ("Board") for the processing of sensitive personal data in the existing Article 6 is preserved.

To view the full article, click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.