Kemal Kumkumoğlu
Selin Çetin Kumkumoğlu
Last week, the Bill of Law on Amendments to the Code of Criminal Procedure and Certain Laws and Statutory Decrees was submitted to the Justice Commission of the Grand National Assembly of Türkiye. The Bill of Law also includes important amendments to Personal Data Protection Law No. 6698 ("PDPL" or "Law"). The issues addressed by these proposed amendments have long been discussed in the doctrine and practice regarding the difficulties experienced in the application of the Law. We briefly set out the amendments that will be implemented if the Bill is approved by the Assembly as it is.
Bill Of Law on Amendment Regarding the Conditions for The Processing of Special Categories of Personal Data (Article 6 of the PDPL)
Article 6 of the PDPL, regulating the conditions for the processing of special categories of personal data, currently stipulates that personal data other than health and sexual life may be processed only if it is stipulated by law or with explicit consent.
Personal data concerning health and sexual life may be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of the protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning, management of health-care services as well as their financing, without the explicit consent of the data subject. With the Bill of Law on amendment, it is envisaged to expand the scope of the conditions for the processing of special categories of personal data by taking into consideration the needs in practice and the approach of the European Union General Data Protection Regulation. Primarily, the provision prohibiting the processing of sensitive personal data without the explicit consent of the data subject is maintained as a rule in the Article. However, the conditions under which sensitive personal data may be processed without explicit consent are expanded. Accordingly, sensitive personal data may be processed without explicit consent under the following conditions:
In cases where it is expressly provided for by the laws (For example, Law on Judicial Records, Law on the Duties and Powers of the Police)
In cases where explicit consent cannot be given due to actual impossibility or it is compulsory for the protection of the life or physical integrity of the person or another person whose consent is not legally valid (For example, processing data on blood type or diseases to protect the life or physical integrity of the person who cannot give consent due to loss of consciousness)
In cases where sensitive personal data is made public by the data subject, provided that it is processed in accordance with the purpose of publicization. (For example, sharing blood group information in publicly accessible are as to be used for emergencies and processing it in accordance with the purpose of sharing)
Where it is obligatory for the establishment, exercise or protection of a right (e.g. retention of a former employee's health data in order to exercise the right of defense in possible lawsuits after the employment contract).
In cases where it is necessary for the fulfilment of legal obligations in the field of employment, occupational health and safety, social security or social services and social welfare (For example, processing of data on health and criminal convictions in accordance with the obligation of employers to employ disabled or convicted persons under the Labour Law).
In cases of processing special categories of personal data of current or former members of the foundation, association or other non-profit institution/organization established for political, philosophical, religious and syndicate purposes, and of persons who are in continuous contact with the institution/organization; in accordance with the establishment purpose and the legislation to which they are subject, limited to their fields of activity, provided that they are not transferred to third parties (For example, contacting current or former members to collect donations).
Provisions on "taking adequate measures determined by the Personal Data Protection Board" for the processing of special categories of personal data are reserved.
Bill Of Law on Amendment Regarding the Conditions for The Processing of Special Categories of Personal Data (Article 6 of the PDPL)
According to the Article 9 of the PDPL, which regulates the conditions for the transfer of personal data abroad, as a rule, personal data may be transferred abroad with the explicit consent of the data subject. On the other hand, if one of the conditions in the second paragraph of Article 5 or the third paragraph of Article 6 of the Law is fulfilled and if there is an announcement of the Personal Data Protection Board ensuring that the country to which personal data will be transferred provides adequate protection, personal data may be transferred abroad without explicit consent. Additionally, personal data may also be transferred abroad without explicit consent upon the existence of commitment for adequate protection in writing by the data controllers in Türkiye and in the relevant foreign country and authorization of the Board.
In the justification for the amendment of the Article, the difficulties experienced in the transfer of personal data abroad, in particular, the fact that personal data transfers depending on the explicit consent of data subject causes major problems in workflow and management in practice, restricting the use of cloud-based applications, most of which are located abroad, and the reasons for the adverse impact on investments in the country, are emphasized. Correspondingly, the amendments are anticipated in the Article by taking into account the approach of the European Union General Data Protection Regulation. In this respect, the following conditions must be met in order for personal data to be transferred abroad without explicit consent:
The existence of one of the conditions referred to in the second paragraph of Article 5 or the third paragraph of Article 6 of the Law, and a decision of adequacy must have been issued for the country, international organization, or sectors within the country to which the personal data will be transferred,
The existence of one of the conditions referred to in the second paragraph of Article 5 or the third paragraph of Article 6 of the Law, providing one of the appropriate safeguards for the transfer of personal data to countries, international organizations, or sectors within a country without a decision of adequacy, and the allowance to the data subject is to exercise his/her rights and to have recourse to effective remedies.
It is also listed in the Bill of Law on amendment what would constitute appropriate safeguards. Accordingly, appropriate safeguards will be deemed to be granted in the presence of one of the following situations;
In the transfer of personal data required by mutual activities, the existence of contracts that are not in the nature of international agreements between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations with public institution status in Türkiye and the authorization of the Board,
The existence of one of the conditions referred to in the second paragraph of Article 5 or the third paragraph of Article 6 of the Law in terms of the cross-border transfer between group companies with the binding corporate rules approved by the Board,
Signing of the standard contract announced by the Board and notifying the Board by the data controller or data processor within five business days (In case the data controller or data processor fails to fulfill the notification, an administrative fine will be imposed with an article included in the Bill of Law on amendment).
Signing a commitment for adequate protection and authorization of the Board.
If there is no decision regarding adequacy protection provided by the country, international organization or sectors within the country to which personal data will be transferred, and if one of the above-mentioned safeguards cannot be provided, it is also envisaged with the amendment that personal data can be transferred abroad in exceptional cases, in a non-continuous (for once) manner. For example, a company in Türkiye transferring the personal data of its employees for the purposes of contacting to a company abroad with which it has a potential commercial relationship.
The Bill of Law on amendment also sets out the procedure for the decision on granting adequate protection. In this context, the criteria to be considered by the Board in rendering a decision of adequacy are specified in detail. However, these criteria are not limited, and the Board may take into consideration other issues as it deems necessary. The Board will evaluate the decision on adequacy every four years. As a result of its evaluations, it may change, revoke or suspend the decision of adequacy. The Board may also review the decision before the four-year period expires. On the other hand, if the decision is not re-evaluated despite the expiry of the four-year period, the decision will remain valid. The Board may also seek opinions from relevant institutions and organizations when setting the decision of adequacy.
The Bill of Law on amendment also introduces a provisional article in respect to Article 9. In this regard, the existing provision of the first paragraph of Article 9 (Personal data shall not be transferred abroad without the explicit consent of the data subject) and the provisions of the amendment will be applied together for a period of three months. It seems that this transitional provision aims to avoid any confusion in terms of the practice of previous "explicit consent" during the process of adaptation to the amendment.
Finally, while objections against administrative fines imposed by the Board can be filed before criminal judgeships of peace in the existing version of the Law, the proposed amendment envisages the filing of a lawsuit before administrative courts. Thus, the decisions of the criminal judgeships of peace, which constitute fundamental problems and are based on inadequate examination, will be replaced by the administrative courts and procedural safeguards will be enhanced in terms of personal data protection decisions regarding fundamental rights.
With All Eyes on The Grand National Assembly of Türkiye...
Since the entry into force of the PDPL, the difficulties it poses in ensuring compliance in practice due to its problematic structure have long been expressed. Although it is promising that the long- awaited work on the amendment of the Law has been finalized, facilitating the circulation of sensitive personal data to such an extent may pose great threats to individuals in environments where the protection of personal data is not internalized. It should be remembered that sensitive personal data are data that, if disclosed, may lead to discrimination or victimization of the data subject.
Correlatively, eliminating the difficulties in transferring personal data abroad will be an important step for many sectors. Yet, the reasons why the conditions for transferring personal data abroad other than explicit consent have become inapplicable or can only be applied in a difficult manner should also be taken into consideration. In this respect, in the event that the possible amendment detailed above is adopted, the decisions by the Board on the countries, international organizations or sectors within the country that provide adequate protection and the announcement of the standard contract, which is considered among the appropriate safeguards, will be important for the actors who transfer personal data abroad within the scope of their transactions.
In parallel with all these, such bending of conditions and safeguards in the processing of special categories of personal data and the transfer of personal data abroad will undoubtedly increase the burden and responsibility of the Personal Data Protection Authority in terms of ensuring compliance with the Law and protecting fundamental rights.
Comments