Law No. 7499 Amending the Code of Criminal Procedure and Certain Other Laws

The Law No. 7499 on Amending the Code of Criminal Procedure and Certain Other Laws, published in the Official Gazette No. 32487 dated 12/03/2024, introduces amendments to the Personal Data Protection Law No. 6698 (the “KVKK”). The amendment aims to harmonize the KVKK with the EU General Data Protection Regulation (GDPR) and address practical needs. Accordingly, three articles of the KVKK (Articles 6, 9, and 18) have been revised.

KVKK Article 6 – Conditions for Processing Special Categories of Personal Data:

With Article 33 of Law No. 7499, the second paragraph of Article 6 of the Personal Data Protection Law No. 6698, which stated that “personal data relating to health and sexual life shall only be processed by persons or authorized institutions and organizations subject to confidentiality obligations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, as well as the planning and management of health services and their financing,” has been repealed. The third paragraph was amended to stipulate that the processing of special categories of personal data is prohibited, except under the following conditions:

1. a) With the explicit consent of the data subject,
2. b) When explicitly prescribed by law,
3. c) When it is mandatory for the protection of the life or physical integrity of the data subject or another person who is unable to express their consent due to actual impossibility or whose consent is legally invalid,
4. d) When the data has been made public by the data subject and is processed in line with their intention to make it public,
5. e) When processing is mandatory for the establishment, exercise, or protection of a right,
6. f) When processing is necessary for the purposes of public health protection, preventive medicine, medical diagnosis, treatment, and care services, as well as the planning, management, and financing of health services by persons or authorized institutions and organizations subject to confidentiality obligations,
7. g) When processing is necessary for compliance with legal obligations related to employment, occupational health and safety, social security, social services, and social assistance,
8. h) When processing is conducted by foundations, associations, or other non-profit organizations established for political, philosophical, religious, or trade union purposes, in line with their respective laws and purposes, limited to their areas of activity, and not disclosed to third parties, targeting their current or former members or persons in regular contact with such entities.

Thus, the conditions for processing have been broadened compared to the previous version of the KVKK, and uniformity has been introduced by eliminating the distinction between the conditions for processing personal data related to health and sexual life versus other special categories of personal data without explicit consent.

KVKK Article 9 – Transfer of Personal Data Abroad:

Article 34 of Law No. 7499 revises Article 9 of the KVKK to transition from a consent-based approach for cross-border data transfers to a systematic approach involving “adequacy decision > appropriate safeguards > exceptional circumstances.” This change aims to simplify cross-border transfer mechanisms and align them with the GDPR.

Under the previous regulation, cross-border data transfers required either sufficient protection in the recipient country, a written commitment approved by the Personal Data Protection Board in cases where adequate protection was absent, or the explicit consent of the data subject in the absence of such commitments.

With the amendment, cross-border data transfers are now subject to the existence of one of the conditions specified in Articles 5 and 6 of the KVKK, as well as an adequacy decision issued by the Board regarding the country, sector, or international organization. In the absence of an adequacy decision, the following appropriate safeguards must be provided by the parties to ensure data transfer while maintaining the rights of the data subject in the recipient country:

1. a) The existence of agreements between public institutions and organizations or professional organizations with public institution status in Turkey and their counterparts abroad, subject to approval by the Board,
2. b) Binding corporate rules containing provisions on data protection approved by the Board, applicable within corporate groups engaged in joint economic activities,
3. c) Standard contractual clauses addressing data categories, transfer purposes, recipients, and technical and administrative measures, as announced by the Board,
4. d) Written commitments ensuring adequate protection, approved by the Board.

In the absence of an adequacy decision or appropriate safeguards, data may be transferred abroad on an exceptional basis, provided it is not a continuous process and one of the following conditions applies:

1. a) The data subject provides explicit consent after being informed of potential risks,
2. b) The transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures,
3. c) The transfer is necessary for the conclusion or performance of a contract benefiting the data subject between the data controller and another party,
4. d) The transfer is essential for overriding public interest,
5. e) The transfer is necessary for the establishment, exercise, or protection of a right,
6. f) The transfer is required to protect the life or physical integrity of the data subject or another person unable to provide consent due to actual impossibility,
7. g) The transfer is from a public registry accessible to legitimate interests, provided the requirements for accessing the registry are met.

This amendment acknowledges the dynamic needs of evolving technology and digitalization in commercial life, addressing the challenges of the previous regulation, which often rendered cross-border data transfers impractical. It introduces new methods for transferring data outside the European Union while safeguarding the rights of data subjects.

KVKK Article 18 – Misdemeanors

Article 35 of the amendment adds a new clause to Article 18 of the KVKK, stipulating administrative fines for failure to fulfill the notification obligation under the amended Article 9. Accordingly, failure to notify the Board within 5 business days of the use of standard contracts for cross-border data transfers will result in administrative fines ranging from 50,000 to 1,000,000 Turkish Lira for data controllers or processors.

Furthermore, the amendment changes the jurisdiction for appeals against administrative fines imposed by the Board, allowing lawsuits to be filed in administrative courts instead of magistrate courts.

Effective Date and Transitional Provisions

The amendments are set to take effect on 1/6/2024. Notably, the previous version of Article 9 will remain applicable alongside the amended version until 1/9/2024, and ongoing appeals in magistrate courts as of 1/6/2024 will continue in those courts.