The Personal Data Protection Law came into effect in Turkey on April 7, 2016, marking the beginning of a new era. A regulation amendment in 2018 decided to celebrate April 7th as “Personal Data Protection Day.” The President of the Personal Data Protection Authority (KVKK) stated that April 7, 2016, marked the start of a new phase in the protection of personal data in Turkey.
The purpose of Personal Data Protection Day is to raise awareness about personal data and emphasize the importance of individual measures that can be taken to protect personal information. This year’s theme, as announced by Bilir, is “Technology and the Protection of Children’s Personal Data.” The KVKK President provided information on applications made to the authority and decisions taken so far, stating that applications, notifications, and complaints are carefully examined and resolved.
Bilir disclosed that out of 40,503 reports, complaints, and applications received, 38,753 have been resolved. Additionally, 1,352 data breach reports were submitted to the authority, with 295 of them being publicized. A total of 573 million 25 thousand lira in administrative fines were imposed as a result of investigations. The law has provided 1104 legal opinions, and 8 commitments for data transfers abroad that meet the required standards have been approved by the authority.
Bilir emphasized the increasing importance of personal data and the proportional rise in risks to individual privacy. With technological advancements and digitization, processes that used to take days can now be completed in minutes or even seconds. He highlighted how the rapid and efficient processing of personal data through technology has led to an increased need to protect privacy. It is crucial that personal data is processed lawfully, ensuring the protection of fundamental rights and freedoms in accordance with data protection laws worldwide.
The President of the KVKK, Faruk Bilir, provided insight into the changes made to the Personal Data Protection Law through the 8th Judicial Package. He explained that special categories of personal data include information related to individuals’ race, ethnic origin, political opinion, religion, health, sexual life, and biometric or genetic data. Significant changes were made regarding the processing conditions, data transfers abroad, and offenses related to the protection of personal data.
One key amendment was the removal of distinctions among special categories of data and the introduction of new processing conditions for such data. In cases where consent cannot be obtained due to physical impossibility, or where it is necessary for the protection of an individual’s or another person’s life or physical integrity, special category personal data may be processed. Bilir emphasized that while the protection of personal data is essential, there are circumstances where data processing and transfers are necessary.
Bilir explained that the article in the law regulating the transfer of personal data abroad was amended by considering the relevant provisions of the EU General Data Protection Regulation (GDPR) and the requirements of data-driven life influenced by technology and digitization. New methods were introduced to ensure the protection of individuals’ rights when transferring data abroad. While no secure country has been declared by the authority, efforts are ongoing to identify such countries. Therefore, if adequate protection is not ensured, one of the appropriate safeguards specified in the law must be provided. The legal changes are set to come into effect on June 1, with the provision allowing data transfers based on explicit consent set to continue until September 1, 2024.
