The long-awaited amendments to Turkey's Personal Data Protection Law, numbered 6698 (PDPL), were implemented through the Amendment Law on the Code of Criminal Procedure and Certain Laws and published on 12 March 2024. The amendments took effect on 1 June 2024, whereas the current first paragraph of Article 9 PDPL, which regulates the procedures and principles governing the transfer of personal data abroad, will continue to be applied until 1 September 2024 along with its amended version.

Generally, the Amendment Law introduced new legal grounds for processing sensitive personal data (Article 6), established new principles and procedures on cross-border data transfers (Article 9), added a new ground for administrative fines (Article 18(1)-(2)), and designated administrative courts as the appeal authority against decisions by the Personal Data Protection Board of Turkey (“Board”) (Article 18(3)).

The amendments of Articles 6 and 9 seek to align PDPL provisions on cross-border data transfer and sensitive data with the GDPR, while also aiming to eliminate operational challenges. The amendment to Article 18(1)-(2) introduces administrative fines ranging from TRY 50,000 to TRY 1,000,000 for data controllers and processors and aims to enforce the obligation to notify the Board of standard contractual clauses within five days of their signing. Lastly, the new provision in Article 18(3) seeks to enhance the depth of the adjudication process.

As known, PDPL follows the GDPR approach and applies to data controllers, both in and outside Turkey, who process data which affect individuals in Turkey or are addressed to data subjects in Turkey (through provision of goods or services in or to Turkey). Under the PDPL, data controllers are required to process data in accordance with the PDPL and fulfill the obligations stated below:

• Inform data subjects (Article 10)
• Respond to the data subjects’ requests (Article 11)
• Take administrative and technical measures for data security (Article 12)
• Notify of data breaches (Article 12(5))
• Implement the Board’s decisions (Article 15)
• Register with the Data Controllers’ Registry (Article 16)
• Appoint a data controller representative in Turkey (exclusively for data controllers located abroad)

In compliance with these obligations, data controllers must, among other requirements, maintain a Personal Data Processing Inventory, issue Data Privacy Notices, establish Policies concerning the Processing and Erasure of Personal Data, develop Procedures for breach notifications both internally and to the Board, and implement training and awareness programmes.

Under the amendments, data controllers must update their Policies and Procedures to align with the current PDPL, and when engaging in cross-border transfers on the grounds of standard contractual clauses in accordance with Article 9(4) must notify the Board within five days of their signing.

More information and further details on the registration obligations may be found in one of our earlier articles from July 2016, July 2018 and January 2020.

Please feel free to contact us if you have any questions or if we can be of any assistance.