The 8th Judicial Package, which also includes changes to the Personal Data Protection Law, entered into force by being published in the Official Gazette on 12 March 2024. In the 8th Judicial Package created within the scope of GDPR compliance, there are new regulations regarding special personal data, transfer of personal data abroad and misdemeanors. With the changes made, KVKK has come one step closer to compliance with GDPR.

The changes in question can be listed as follows:

Processing of Special Personal Data

While before the amendment, it was possible to process special personal data other than health and sexual life without explicit consent if it was stipulated by law, with the changes made in the 2nd paragraph of Article 6 of the KVKK. The processing conditions for special data have been expanded, and special personal data about health and sexual life have not been kept separately. In this context, special personal data can now be processed if the relevant person has explicit consent or if it is covered by the law.

Another condition for processing special personal data is that it is necessary for the person in certain respects, that it is essential for publicization, that it is essential for the establishment, implementation or protection of a right, that it is mandatory for employment, that it is necessary for a foundation or other non-profit organization established for political, philosophical, religious or union purposes. It will be possible to process special personal data if one of the conditions of compliance with the establishment will of the organizations is met.

Personal Data Transfer Abroad

With the amendments made in Article 9 of the KVKK, personal data transfer abroad is also possible in case the conditions in Articles 5 and 6 of the KVKK are met and in terms of the place where the data is transferred. “sufficiency” will be possible if there is a decision. Qualification decisions will be made by KVKK.

Again, even if there is no "adequacy" decision by KVKK, the following conditions will make it possible to transfer personal data abroad:

• Existence of an agreement that is not an international agreement, concluded with organizations or international organizations abroad and public institutions and organizations in Turkey, and this transfer is allowed by KVKK.
• Existence of binding company rules, which contain provisions on the protection of personal data and are approved by KVKK, that companies engaging in joint economic activities are obliged to fulfill.
• Existence of a standard contract that includes issues such as data categories declared by KVKK, recipient and recipient groups, purposes of data transfer, administrative and technical administrative measures to be taken by the recipient, additional measures taken for special personal data. Existence of a written undertaking containing provisions that will provide adequate protection.
• Existence of a written undertaking containing provisions that will provide adequate protection and permission for the transfer by KVKK.

In addition, if qualification is not obtained and the above conditions are not met, personal data may be transferred abroad in some cases:

• Informing the relevant person about the risks and giving explicit consent,
• The transfer is necessary for the performance of a contract or as a pre-contractual measure.
• The transfer is essential for the overriding public interest.
• The conditions in KVKK article 5/2-b and c are present.
• Existence of certain conditions to access open registry.

Board Decisions, Penalties and Misdemeanors

In addition to all these, if the notification obligation is not fulfilled, 50,000 TL and 1,000,000 TL.

Again, with the new KVKK amendment, it has been regulated that administrative fines imposed by the Personal Data Protection Board can be appealed in administrative courts.

To review all the changes published in the Official Gazette dated March 12, 2024 here.