Turkish data protection law is primarily set out in the “Law on the Protection of Personal Data” (Law No. 6698). In March 2024, the law was comprehensively revisedto align it with the GDPR, among other things. The adjustments affect, among other things, the Transmission of personal data from Turkey to other countries. Such a transfer is permitted
- in countries with an adequacy decision (a list is not yet available, but adequacy decisions will be published in the Official Journal);
- on the basis of suitable guarantees such as standard contracts or BCRs (guidelines have been published on the latter);
- in certain exceptional cases (essentially Art. 17 FADP and Art. 49 GDPR accordingly).
The Standard contracts of the Turkish Data Protection Supervisory Authority (the KVKKThe structure of the SCCs is almost identical to the EU Commission’s SCCs. They also use the familiar four modules, but each as a separate contract. However, there are various differences, which is why the EU SCCs cannot be used for exports from Turkey. Unlike under the old law, the use of Turkish SCCs no longer needs to be approved by the supervisory authority. However, it must reported within five days of completion otherwise a fine may be imposed. Joining, changing and terminating the TK-SCC must also be reported.
The amendments entered into force on June 1, 2024. Existing regulations on data transfer remained in force until September 1, 2024 The same apparently applies to explicit consent, which was previously a stronger basis for transfers abroad. Importers outside Turkey have been and continue to be asked by Turkish service providers and other exporters to provide the to conclude TK-SCC. Intragroup Data Transfer/Data Protection Agreements (IGDTA; IDPA) must also be adapted.
A further change concerns the Processing of personal data requiring special protection (whereby the definition more or less corresponds to that of the GDPR, but is broader – information about clothing or appearance or membership of an association or foundation is also covered). Under the old law, explicit consent was generally required; now, in particular, the legal obligation to process is sufficient, and processing by foundations, associations and NGOs has been made easier.