
Spotlight: Amendments to Türkiye’s Data Protection Law (An Overview)


The Republic of Türkiye's flag

 

The Republic of Türkiye has undertaken significant steps to enhance its data protection regime by amending the Law on the Protection of Personal Data No. 6698 ("KVKK"). These amendments align Türkiye’s framework with international data protection laws and regulations, while also addressing evolving data protection concerns. This article explores the critical aspects of these changes, including the roles of the Personal Data Protection Board, DPO responsibilities, legal bases, data subject rights, the obligations of data controllers and processors, fines and penalties, and other topics.


Enactment and Enforcement Dates

The amendments took effect on March 12, 2024, with phased implementation periods for specific provisions to allow organizations to achieve compliance. Full enforcement commenced on June 1, 2024. Note: The first paragraph of the amended DPL’s Article 9, which stated that personal data could not be transferred abroad without the data subject’s explicit consent, remained in force through September 1, 2024.


The Personal Data Protection Board’s Expanded Role

The Personal Data Protection Board (the “Board”) has received expanded powers under the amendments. These include:

  1. Regulatory Oversight: Authority to issue more detailed guidelines on data processing activities.

  2. Enforcement Powers: Increased ability to impose administrative fines and penalties for non-compliance.

  3. Investigative Powers: Broader authority to conduct audits and initiate investigations proactively or based on complaints.

  4. Cross-Border Collaboration: Enhanced mechanisms for cooperation with foreign data protection authorities.


Legal Bases for Processing Personal Data

The KVKK amendments outline specific legal bases for processing personal data, ensuring compliance and the protection of individuals' rights:

  1. Explicit Consent: Processing based on the data subject's informed and explicit consent.

  2. Contractual Necessity: Data processing required for the performance of a contract to which the data subject is a party.

  3. Legal Obligation: Compliance with the data controller's legal obligations.

  4. Vital Interests: Protecting the vital interests of the data subject or another individual.

  5. Public Interest: Processing necessary for tasks conducted in the public interest or in the exercise of official authority.

  6. Legitimate Interests: Processing based on the legitimate interests of the data controller, provided those interests do not override the data subject's rights and freedoms.

 

Individual Rights and Freedoms of Data Subjects

Under the amended KVKK, data subjects—referred to as “relevant persons”—enjoy the following reinforced rights:

  1. Access: The right to know whether their personal data is processed and to access such data.

  2. Correction: The right to request rectification of inaccurate or incomplete data.

  3. Deletion: The right to request deletion or anonymization of personal data under specific conditions.

  4. Restriction: The ability to restrict data processing activities in certain situations.

  5. Portability: New rights enabling individuals to transfer their data to another controller.

  6. Objection: The right to object to data processing, especially in profiling or automated decision-making contexts.

  7. Complaint Filing: The ability to lodge complaints with the Board.

 

Obligations of Data Controllers and Data Processors

Data controllers and data processors have expanded obligations under the amendments:

  1. Data Inventory: Data controllers must maintain detailed inventories of data processing activities.

  2. Privacy by Design: Data controllers are obligated to integrate data protection measures at the design stage of systems.

  3. Contractual Obligations: Data controllers must ensure processors comply with KVKK through binding agreements.

  4. Accountability: Data controllers must implement demonstrable compliance mechanisms, including regular audits.

  5. Registration with VERBIS: Data controllers are required to register with the Data Controllers' Registry (VERBIS) to ensure transparency. Certain exemptions apply, such as for small-scale operations or entities processing non-sensitive data in limited contexts.


Special Categories of Personal Data

The amendments prohibit the processing of special categories of personal data except on one of the following legal grounds:

  1. Explicit consent of the data subject.

  2. Processing is expressly stipulated by law.

  3. Processing is necessary for the protection of the life or physical integrity of the data subject or of another person.

  4. Processing of personal data that the data subject has made public, provided the processing is in accordance with the data subject's intention in making it public.

  5. Processing is necessary for the establishment, exercise, or protection of a right.

  6. Processing by persons, or by authorized institutions and organizations, who are under an obligation of confidentiality.

  7. Processing is necessary for the fulfillment of legal obligations relating to employment, occupational health and safety, social security, social services, and social assistance.

  8. Processing by foundations, associations, and other non-profit organizations or entities established for political, philosophical, religious, or trade union purposes, in accordance with the applicable legislation and their purposes, and limited to their fields of activity.


Cross-Border Data Transfers

Under the amendments, cross-border data transfers are subject to stricter requirements:

  1. Definition: A transfer of personal data to a third country involves transmitting personal data from Türkiye to a recipient located outside its borders, especially if the recipient resides in a country not recognized by Türkiye as providing adequate data protection.

  2. Adequate Safeguards: Data can only be transferred to countries deemed to provide an “adequate level of protection” or with Board-approved safeguards (e.g., standard contractual clauses, binding corporate rules, etc.).

  3. Explicit Consent: In the absence of adequate safeguards, data transfers require explicit consent from data subjects.

  4. Binding Corporate Rules (BCRs): Introduction of BCRs as a mechanism for multinational entities to facilitate data transfers.

As of now, the Board has not published a list of countries deemed to provide an adequate level of data protection. Consequently, all countries are currently considered to not provide adequate protection for data transfers. (Source)

In the absence of such a list, data controllers must:

  1. Obtain Explicit Consent: Secure explicit consent from data subjects for the transfer.

  2. Implement Adequate Safeguards: Establish binding corporate rules or standard contractual clauses approved by the Board to ensure data protection during the transfer.

The amendments allow for the transfer of personal data to third parties without obtaining explicit consent in the following cases:

  1. The Board has issued an adequacy decision regarding the country, sector, or international organization concerned.

  2. One of the following appropriate safeguards is in place:

    a. An agreement that does not have the nature of an international agreement, approved by the Board.

    b. BCRs approved by the Board.

    c. The signing of SCCs, together with their publication by the Board or notification to the Board.

    d. A written commitment between the transferring parties ensuring that adequate protections are in place, approved by the Board.


Types of Standard Contractual Clauses (SCCs)

  1. Controller-to-Controller (C2C): Regulates data transfers between two data controllers, where each entity determines its own data processing purposes and means.

  2. Controller-to-Processor (C2P): Applies when a controller transfers personal data to a processor that processes the data solely on behalf of the controller.

  3. Processor-to-Processor (P2P): Used when a processor engages another processor (sub-processor) to handle data under a controller's instructions.

  4. Processor-to-Controller (P2C): Addresses situations where a processor sends data back to a controller, especially when the controller is in a different jurisdiction.


Notification Process to the Board Following the Signing of a Standard Contract

  1. Filing the Contract: Data controllers must submit the signed standard contractual clauses (SCCs) to the Personal Data Protection Board for review.

  2. Submission Details: The submission should include:

    a. A copy of the signed SCCs.

    b. Details of the parties involved in the transfer.

    c. A description of the data categories and processing purposes.

    d. Any additional safeguards implemented.

  3. Approval Timeline: The Board reviews the submission to ensure compliance and may request additional information or amendments.


Exceptional Transfers

Exceptional transfers allow personal data to be transferred to third countries without adequate protection under limited circumstances, such as:

  1. Explicit Consent: The data subject has given explicit consent for the transfer, after being informed of the potential risks due to the lack of adequate protection.

  2. Performance of Contracts: The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures.

  3. Public Interest: The transfer is required for reasons of public interest as recognized under Turkish law.

  4. Legal Claims: The transfer is necessary for the establishment, exercise, or defense of legal claims.

  5. Protection of Vital Interests: The transfer is required to protect the vital interests of the data subject or another person when the data subject is incapable of providing consent.

These conditions ensure that exceptional transfers are used sparingly and with due regard to the rights and freedoms of the data subjects.


Data Breach Notification Requirements

The amendments establish precise rules for notifying breaches:

  1. Timeline: Breaches must be reported to the Board and affected data subjects within 72 hours of becoming aware of the incident.

  2. Submission Method: Notifications must be submitted through the official electronic system designated by the Board. Currently, data controllers are required to use the "Data Breach Notification Form," which can be submitted via email to ihlalbildirimi@kvkk.gov.tr with the subject line "Kişisel veri ihlali bildirimi." Alternatively, the form can be sent by post to the Board's official address.

  3. Content Requirements: The report must include:

    a. The nature and scope of the breach.

    b. Categories of data and individuals affected.

    c. Possible consequences and risks for data subjects.

    d. Measures taken to address and mitigate the breach.

    e. Contact information for the responsible party or DPO.

  4. Record-Keeping: Controllers must maintain a breach register for accountability purposes.

 

Data Protection Impact Assessments (DPIAs)

A key addition is the requirement for DPIAs:

  1. Scope: Mandatory for high-risk processing activities, such as large-scale profiling.

  2. Process: DPIAs must assess risks to data subjects and outline mitigation strategies.

  3. Submission: The Board may request submission of DPIAs for review.

 

Data Protection Officer (DPO) Requirements

The revised KVKK mandates DPO appointments for certain organizations:

  1. Criteria: Obligatory for entities engaged in large-scale or high-risk processing.

  2. Qualifications: DPOs must possess expertise in data protection laws and practices.

  3. Role: Serving as the primary liaison with the Board and ensuring organizational compliance.

 

Administrative Fines and Penalties

The Board’s authority to impose fines has been significantly enhanced:

  1. Failure to Fulfill the Obligation to Inform: Fines ranging from TRY 47,303 to TRY 946,308.

  2. Non-Compliance with Data Security Obligations: Fines ranging from TRY 141,934 to TRY 9,463,213.

  3. Failure to Comply with the Decisions of the Board: Fines ranging from TRY 236,557 to TRY 9,463,213.

  4. Failure to Register with the Data Controllers' Registry (VERBIS): Fines ranging from TRY 189,245 to TRY 9,463,213.

  5. Daily Fines: Introduction of daily fines for ongoing violations until compliance is achieved.

  6. Review Process: Fines imposed by the Board are subject to review by the administrative courts as part of the adjudication process.

These fines are subject to annual adjustments based on revaluation rates set by the Turkish Ministry of Finance.

 

Conclusion

The amendments to Türkiye’s data protection law represent a pivotal step towards stronger privacy protections and enhanced alignment with global standards. Organizations operating in Türkiye or processing the data of Turkish residents must adapt swiftly to these changes, ensuring comprehensive compliance frameworks. The enhanced role of the Board, coupled with stringent obligations for controllers and processors, underscores the importance of robust data governance practices.

 

Questions

  1. How can businesses ensure compliance with cross-border data transfer requirements, given the absence of a list of adequate countries recognized by the Board?

  2. What processes and tools should businesses implement to fulfill the new DPIA obligations for high-risk processing activities?

  3. What steps should organizations take to ensure timely and complete data breach notifications to the Board and affected individuals?

 
