Usluel | Ünal | Özbilen, November 2024
The 2024 amendments to the Turkish Personal Data Protection Law (KVKK) have introduced significant updates to businesses' data processing practices. In particular, regulations concerning the processing of sensitive personal data, cross-border data transfers, and administrative fines have increased corporate obligations, ushering in a new compliance process that demands careful attention.
Processing of Sensitive Data
With the amendments made to Article 6 of the KVKK, the conditions for processing sensitive personal data have been redefined. In this context:
Data Related to Health and Sexual Life: The processing of such data can only be carried out with the explicit consent of the individual concerned or in cases stipulated by law.
Other Types of Sensitive Data The law has introduced similar regulations for the processing of other types of sensitive personal data.
These changes require businesses to tighten their processes for obtaining explicit consent when processing sensitive personal data and to document such consents. Additionally, supplementary administrative and technical measures must be implemented as part of data security protocols.
Transfer of Personal Data Abroad
With the amendments made to Article 9 of the Law, stricter rules have been introduced for the transfer of data abroad:
Adequate Protection It must be verified whether the country to which the data will be transferred has been declared by the Personal Data Protection Board as a country with adequate protection.
Appropriate Safeguards In cases where adequate protection is not provided, data controllers must implement appropriate safeguard mechanisms such as binding corporate rules or standard contractual clauses.
Explicit Consent Alternatively, data transfers can be carried out with the explicit consent of the data subject. Obtaining this consent in a clear and written form is crucial for ensuring legal compliance for businesses.
Standard Contracts and Binding Corporate Rules
The relevant documents related to standard contractual clauses and binding corporate rules to be used in the transfer of personal data abroad have been published by the Personal Data Protection Board. These documents offer the following advantages to businesses:
They provide legal assurance in data transfer processes.
They support aligning corporate policies with international data transfer standards.
These changes particularly require companies operating internationally to revise their data transfer procedures.
Amendments Related to Administrative Fines
Article 18 of the KVKK has revised the provisions related to administrative fines. Under the new regulations, administrative fines imposed on businesses in cases of non-compliance range from 50,000 TL to 1,500,000 TL. In this context:
New Legal Remedy: Administrative fines can now only be appealed through administrative courts. The option to file an appeal with criminal courts of peace has been removed.
Ongoing Appeals Applications pending before the criminal courts of peace as of June 1, 2024, will continue to be adjudicated by these courts.
This regulation requires businesses to manage their appeal processes against administrative fines more carefully and to seek legal support when necessary.
Steps to Be Taken for Compliance
In line with the 2024 KVKK amendments, the key steps businesses need to consider are as follows:
Conclusion
2024 KVKK regulations require businesses to reassess their data processing practices and initiate a comprehensive compliance process. Adhering to these regulations not only reduces legal risks but also enhances customer trust, providing a competitive edge. It is crucial for businesses to seek professional legal support during this process to ensure compliance while safeguarding their long-term commercial objectives.