Tur­key: Adap­t­ati­on to the GDPR; report­ing obli­ga­ti­on for TK-SCC

Tur­ki­sh data pro­tec­tion law is pri­ma­ri­ly set out in the “Law on the Pro­tec­tion of Per­so­nal Data” (Law No. 6698). In March 2024, the law was com­pre­hen­si­ve­ly revi­sedto ali­gn it with the GDPR, among other things. The adjust­ments affect, among other things, the Trans­mis­si­on of per­so­nal data from Tur­key to other count­ries. Such a trans­fer is permitted

  • in count­ries with an ade­qua­cy decis­i­on (a list is not yet available, but ade­qua­cy decis­i­ons will be published in the Offi­ci­al Journal);
  • on the basis of sui­ta­ble gua­ran­tees such as stan­dard con­tracts or BCRs (gui­de­lines have been published on the latter);
  • in cer­tain excep­tio­nal cases (essen­ti­al­ly Art. 17 FADP and Art. 49 GDPR accordingly).

The Stan­dard con­tracts of the Tur­ki­sh Data Pro­tec­tion Super­vi­so­ry Aut­ho­ri­ty (the KVKKThe struc­tu­re of the SCCs is almost iden­ti­cal to the EU Commission’s SCCs. They also use the fami­li­ar four modu­les, but each as a sepa­ra­te con­tract. Howe­ver, the­re are various dif­fe­ren­ces, which is why the EU SCCs can­not be used for exports from Tur­key. Unli­ke under the old law, the use of Tur­ki­sh SCCs no lon­ger needs to be appro­ved by the super­vi­so­ry aut­ho­ri­ty. Howe­ver, it must repor­ted within five days of com­ple­ti­on other­wi­se a fine may be impo­sed. Joi­ning, chan­ging and ter­mi­na­ting the TK-SCC must also be reported.

The amend­ments ente­red into force on June 1, 2024. Exi­sting regu­la­ti­ons on data trans­fer remain­ed in force until Sep­tem­ber 1, 2024 The same appar­ent­ly applies to expli­cit con­sent, which was pre­vious­ly a stron­ger basis for trans­fers abroad. Importers out­side Tur­key have been and con­ti­n­ue to be asked by Tur­ki­sh ser­vice pro­vi­ders and other export­ers to pro­vi­de the to con­clude TK-SCC. Intra­group Data Transfer/Data Pro­tec­tion Agree­ments (IGDTA; IDPA) must also be adapted.

A fur­ther chan­ge con­cerns the Pro­ce­s­sing of per­so­nal data requi­ring spe­cial pro­tec­tion (wher­eby the defi­ni­ti­on more or less cor­re­sponds to that of the GDPR, but is broa­der – infor­ma­ti­on about clot­hing or appear­ance or mem­ber­ship of an asso­cia­ti­on or foun­da­ti­on is also cover­ed). Under the old law, expli­cit con­sent was gene­ral­ly requi­red; now, in par­ti­cu­lar, the legal obli­ga­ti­on to pro­cess is suf­fi­ci­ent, and pro­ce­s­sing by foun­da­ti­ons, asso­cia­ti­ons and NGOs has been made easier.

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be