The judicial reform to align the Turkish Data Protection Law (“KVKK”) with the European Union General Data Protection Regulation (“GDPR”) was included in the 8th Judicial Package.

The incompatibilities between the KVKK and the GDPR will be significantly eliminated in the judicial package submitted to the Justice Commission of the Grand National Assembly of Turkey on 16/02/2024 with the “Law Proposal Amending the Code of Criminal Procedure and Certain Laws and Decree Law No.659”.

As the Law Proposal was submitted to the Assembly, the amendments to be made in the articles are also clarified.

With the current Proposal, KVKK-GDPR harmonization will be ensured under the main headings stated below.

  • The conditions for processing of special categories of personal data are expanded.
  • An alternative regime for the transfer of personal data abroad is established.
  • Explicit consent is no longer considered as a general reason for transferring data abroad.
  • The actions of the Personal Data Protection Board (“Board”) can now only be challenged in the administrative jurisdiction.
  • Failure to notify the Board within 5 business days of the standard agreements regarding the transfer of Personal Data abroad is regulated as a new misdemeanour.

With all these amendments, the articles on the transfer of personal data abroad and the processing of special categories of personal data are broadened and the data processors are directly held responsible for the first time.

In addition, it is now possible to file a lawsuit against the administrative sanction decisions issued by the Board before the administrative courts instead of applying to the criminal judicature of peace.

The articles of the KVKK before and after the amendment are as follows:

  1. The second paragraph of article 6 of the KVKK regulating the “Conditions For Processing of Special Categories Of Personal Data” is amended and the third paragraph is abolished.

With the amendment, the conditions for the processing of special categories of personal data are revised according to current needs and GDPR.

It is of great importance that the amendment proposal resolves the compliance issues experienced by employers during the fulfillment of their obligations arising from the labour and social security legislation.

EXISTING ARTICLE

Conditions for processing of special categories of personal data

ARTICLE 6

(1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

(2) It is prohibited to process special categories of personal data without explicit consent of the data subject.

(3) Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

(4) Adequate measures determined by the Board shall be also taken while processing the special categories of personal data.

AMENDED ARTICLE

Conditions for processing of special categories of personal data

ARTICLE 6

(1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

(2) It is prohibited to process special categories of personal data. However, such data may be processed in case:

a) the data subject provides his/her explicit consent,

b) it is expressly provided for by the laws,

c) it is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,

ç) it is related to the personal data made public by the data subject and is in conformity with the will of the data subject to publicize,

d) data processing is necessary for the establishment, exercise or protection of any right,

e) it is necessary for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health-care services, by the persons subject to secrecy obligation or competent public institutions and organizations,

f) it is necessary for the fulfillment of legal obligations in the field of employment, occupational health and safety, social security or social services and social assistance,

g) the processing is carried out for current or former members or persons who are regularly in contact with foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that such processing is in conformity with the legislation to which they are subject and their purposes, limited to their fields of activity and not disclosed to third parties.

(3) Adequate measures determined by the Board shall be also taken while processing the special categories of personal data.

 

  1. Article 9 of the KVKK titled “Transfer of Personal Data Abroad” is amended.

With this amendment, the difficulties in transferring personal data abroad are prevented and alternative transfer methods are developed. For this alternative method, the provisions of the GDPR were utilized.

The summary of the amendments is as follows:

Transfer of personal data abroad will be possible if the conditions in articles 5 and 6 of the KVKK are met and in the presence of an “adequacy” decision for the place where the data is transferred. Adequacy decisions will be made by the Board.

Even if there is no “adequacy” decision by the Board, it will also be possible to transfer personal data abroad provided that one of the conditions mentioned in articles 5 and 6 is met, and the data subject has the possibility to exercise his/her rights and to apply for effective legal remedies in the country where the transfer will be made, in the presence of the following safeguards:

  • Existence of an agreement, which is not in the nature of an international agreement, concluded between the public institutions and organizations or international organizations abroad and the public institutions and organizations or public professional organizations in Turkey, provided that the Board permits such transfer.
  • Existence of corporate binding rules approved by the Board containing provisions on the protection of personal data, that the companies within the undertaking engaged in common economic activities are obliged to fulfill.
  • Existence of a standard contract that includes issues such as data categories, recipient and recipient groups, purposes of data transfer, administrative and technical administrative measures to be taken by the recipient, additional measures taken for special categories of personal data, which will be announced by the Board.
  • Existence of a written undertaking including the provisions to ensure adequate protection, provided that the Board permits such transfer.

In addition, personal data may be transferred abroad in some cases, even if there is no “adequacy” decision and the above-mentioned conditions are not met:

  • The data subject is informed about the possible risks and gives explicit consent,
  • The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject,
  • The transfer is necessary for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject,
  • The transfer is essential for an overriding public interest,
  • The transfer of personal data is necessary for the establishment, exercise or protection of a right,
  • The transfer of personal data is necessary for the protection of the life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,
  • The transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests the transfer.

EXISTING ARTICLE

Transfer of personal data abroad

ARTICLE 9-

(1) Personal data shall not be transferred abroad without explicit consent of the data subject.

(2) Personal data may be transferred abroad without explicit consent of data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;

(a) Adequate protection is provided.

(b) Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Türkiye and in the relevant foreign country and authorisation of the Board.

(3) The Board determines and announces the countries with adequate protection.

(4) The Board shall decide whether there is adequate protection in the foreign country and whether such transfer is permitted under the sub-paragraph (b) of second paragraph, by evaluating the following and by receiving the opinions of relevant institutions and organizations, where necessary:

a) the international conventions to which Türkiye is a party,

b) the state of reciprocity relating to data transfer between the requesting country and Türkiye,

c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,

ç) the relevant legislation and its implementation in the country to which the personal data are to be transferred,

d) the measures committed by the data controller in the country to which the personal data are to be transferred.

(5) Without prejudice to the provisions of international agreements, in cases where the interest of Türkiye or the data subject will be seriously harmed, personal data may only be transferred abroad upon the authorisation to be given by the Board after receiving the opinions of relevant public institutions and organizations.

(6) The provisions of other laws relating to the transfer of personal data abroad are reserved.

AMENDED ARTICLE

Transfer of personal data abroad

ARTICLE 9-

(1) Personal data may be transferred abroad by data controllers and data processors upon the existence of one of the conditions specified in Articles 5 and 6 and the existence of an adequacy decision on the country, international organization or sectors within the country to which the transfer will be made.

(2) The adequacy decision shall be made by the Board and published in the Official Gazette. The Board shall take the opinion of the relevant institutions and organizations if necessary. The adequacy decision shall be evaluated every four years at the latest. The Board may change, suspend or revoke the adequacy decision with prospective effect as a result of the assessment or in other cases it deems necessary.

(3) The following issues are primarily considered while making an adequacy decision:

a) The reciprocity status regarding the transfer of personal data between Turkey and the recipient country, sectors within the country or international organizations.

b) The relevant legislation and practice of the recipient country and the rules governing the international organization to which the personal data will be transferred.

c) The existence of an independent and effective data protection authority in the country to which the personal data will be transferred or the international organization to which the personal data will be transferred is subject to, and the existence of administrative and judicial remedies.

ç) The status of the country or international organization to which the personal data will be transferred, as a party to international conventions on the protection of personal data or as a member of international organizations.

d) The membership status of the country or international organization to which personal data will be transferred, to global or regional organizations of which Turkey is a member.

e) International agreements to which Turkey is a party.

(4) In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if one of the following appropriate safeguards is ensured by the parties, provided that one of the conditions specified in Articles 5 and 6 is met and the data subject has the possibility to exercise his/her rights and to apply for effective legal remedies in the country of transfer:

a) Existence of an agreement, which is not in the nature of an international agreement, concluded between the public institutions and organizations or international organizations abroad and the public institutions and organizations or public professional organizations in Turkey, provided that the Board permits such transfer.

b) Existence of corporate binding rules approved by the Board containing provisions on the protection of personal data, that the companies within the undertaking group engaged in common economic activities are obliged to fulfill.

c) Existence of a standard contract that includes issues such as data categories, recipient and recipient groups, purposes of data transfer, administrative and technical administrative measures to be taken by the recipient, additional measures taken for special categories of personal data, which will be announced by the Board.

ç) Existence of a written undertaking including the provisions to ensure adequate protection, provided that the Board permits such transfer.

(5) The standard contract shall be notified to the Authority by the data controller or data processor within five business days following its signature.

(6) In the absence of an adequacy decision and if any of the appropriate safeguards stipulated in the fourth paragraph cannot be provided, data controllers and data processors may transfer personal data abroad only if one of the following conditions is met, provided that such transfer is incidental:

a) The data subject is informed about the possible risks and gives explicit consent,

b) Transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject,

c) Transfer is necessary for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject,

ç) Transfer is necessary for an overriding public interest,

d) Transfer of personal data is necessary for the establishment, exercise or protection of a right,

e) Transfer of personal data is necessary for the protection of the life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,

f) Transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests the transfer.

(7) Subparagraphs (a), (b) and (c) of the sixth paragraph shall not apply to the activities of public institutions and organizations subject to public law.

(8) The safeguards set forth in this Law shall also be provided by data controllers and data processors in respect of subsequent transfers of personal data transferred abroad and transfers to international organizations and the provisions of this Article shall apply.

(9) Without prejudice to the provisions of international agreements, personal data may be transferred abroad in cases where the interests of Turkey or the data subject will be seriously harmed, only with the permission of the Board by obtaining the opinion of the relevant public institution or organization.

(10) The provisions of other laws regarding the transfer of personal data abroad are reserved.

(11) The procedures and principles regarding the implementation of this Article shall be governed by a regulation.

  1. Article 18 of The KVKK titled “Misdemeanors” is amended.

With the amendment, a new misdemeanor is added to the Law.

  • New Misdemeanor:

With the amendment envisaged in the fifth paragraph of Article 9 of the KVKK, data controllers or data processors are obliged to notify the Personal Data Protection Authority of the signed standard contract within five business days. In the event of failure to fulfill this obligation to notify, administrative sanction will be imposed. The administrative fine to be imposed by the Board on those who fail to fulfill the obligation to notify will range from 50,000 Turkish Liras up to 1,000,000 Turkish Liras.

Another change is in the judicial remedy.

  • Change of Judicial Remedy

The right to apply to administrative courts is introduced, instead of the previous right to apply to the criminal judicature of peace. In addition, with the provisional article added to the Law, it is regulated that the applications pending before the criminal judicature of peace as of 1/6/2024 will continue to be heard by them.

EXISTING ARTICLE

Misdemeanors

ARTICLE 18-

(1) For the purposes of this Law;

a) For those who do not fulfil the obligation to inform provided for in Article 10 shall be imposed to pay an administrative fine of 5.000 to 100.000 TL,

b) For those who do not fulfil the obligations related to data security provided for in Article 12 shall be imposed to pay an administrative fine of 15.000 to 1.000.000 TL,

c) For those who do not fulfil the decisions issued by the Board pursuant to Article 15 shall be imposed to pay an administrative fine of 25.000 to 1.000.000 TL,

ç) For those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification provided for in Article 16 shall be imposed to pay an administrative fine of 20.000 to 1.000.000 TL.

(2) Administrative fines stipulated in this Article shall be imposed on natural persons and private legal entities who are data controllers.

(3) In the event that the acts listed in the first paragraph are committed within public institutions and organizations and professional organizations in the nature of public institutions, upon the notification to be made by the Board, action shall be taken against the civil servants and other public officials working in the relevant public institutions and organizations and those working in professional organizations in the nature of public institutions in accordance with the disciplinary provisions and the result shall be notified to the Board.

AMENDED ARTICLE

Misdemeanors

ARTICLE 18-

a) For those who do not fulfil the obligation to inform provided for in Article 10 shall be imposed to pay an administrative fine of 5.000 to 100.000 TL,

b) For those who do not fulfil the obligations related to data security provided for in Article 12 shall be imposed to pay an administrative fine of 15.000 to 1.000.000 TL,

c) For those who do not fulfil the decisions issued by the Board pursuant to Article 15 shall be imposed to pay an administrative fine of 25.000 to 1.000.000 TL,

ç) For those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification provided for in Article 16 shall be imposed to pay an administrative fine of 20.000 to 1.000.000 TL,

d) For those who do not fulfil the obligation to notify provided for in the fifth paragraph of Article 9 shall be imposed to pay an administrative fine of 50.000 Turkish Liras to 1.000.000 Turkish Liras.

(2) The administrative fines stipulated in subparagraphs (a), (b), (c) and (ç) of the first paragraph shall be imposed on the data controller, and the administrative fine stipulated in subparagraph (d) shall be imposed on the data controller or natural persons and the private law legal persons, who process data.

(3) Administrative fines imposed by the Board may be challenged before administrative courts.

(4) In the event that the acts listed in the first paragraph are committed within public institutions and organizations and professional organizations in the nature of public institutions, upon the notification to be made by the Board, action shall be taken against the civil servants and other public officials working in the relevant public institutions and organizations and those working in professional organizations in the nature of public institutions in accordance with the disciplinary provisions and the result shall be notified to the Board.

PROVISIONAL ARTICLE 3-

(1) The first paragraph of Article 9 before it was amended by the Law enacting this Article shall continue to be applied until 1/9/2024 with the amended version of the Article that entered into force.

(2) The applications pending before the criminal judicature of peace as of 1/6/2024 shall continue to be heard by these judicatures.

With the 8th Judicial Package, the first steps towards harmonization between the KVKK and the GDPR are taken. However, with the approval of the Law Proposal by the Assembly, major developments in the field of personal data will begin to take place in Turkey, and the compliance work (including personal data inventories, VERBİS records, policies and other KVKK documents) prepared to date will need to be revised and brought into line with the provisions of the current legislation.