ARTICLE
13 March 2025
Contributor
CBC Law (Formerly Cetinkaya) is a full-service law firm based in Istanbul servicing local and international clients. Our lawyers have extensive expertise in advising on dispute resolution, business crime, technology, data protection and intellectual property. CBC Law prides itself on helping clients navigate their way through a constantly changing and challenging legal landscape. With a seamless multidisciplinary approach positioned at the intersection of industry knowledge and legal expertise, we provide our clients with legal solutions that are tailored to their needs in Turkey.
Explore Firm Details
The Turkish Data Protection Authority's new Guideline refines processing conditions for special categories of personal data, removing distinctions and expanding legal grounds.
Turkey Privacy
To print this article, all you need is to be registered or login on Mondaq.com.
The Turkish Data Protection Authority's new Guidelinerefines processing conditions for special categories of personaldata, removing distinctions and expanding legal grounds. Itprovides clarity on compliance steps, updates to processingconditions, and data security measures. Data controllers mustrevise policies to align with these changes.
The Turkish Personal Data Protection Authority("Authority") published the Guideline onthe Processing of Special Categories of Personal Data1("Guideline") on 26.02.2025. Accordingto the Law on the Protection of Personal Data No. 6698("Law"), personal data related to race,ethnic origin, political opinion, philosophical belief, religion,religious sect or other beliefs, appearance, membership inassociations, foundations or trade unions, health data, sexuallife, criminal convictions and security measures, as well asbiometric and genetic data, are considered special categories ofpersonal data. The conditions for processing such data areregulated in detail under the Law.
The Guideline states that the conditions for processing specialcategories of personal data were previously divided into "datarelating to health and sexual life" and "other specialcategories of personal data." This distinction has now beenremoved, and new processing conditions have been introduced. Whilenew conditions have been set, the existing categories of specialcategories of personal data remain unchanged. Furthermore, thelegislator has explicitly clarified that the scope of specialcategories of personal data cannot be expanded through analogy. Aspart of these amendments, the Authority has prepared the Guidelineto assist data controllers in managing compliance processes andfulfilling their obligations.
Special Categories of Personal Data
The Guideline provides comprehensive explanations for each typeof special category of personal data. For example, data on race andethnic origin are defined, with references to decisions by theEuropean Court of Human Rights ("ECHR").Additionally, the question of whether "nationality" fallswithin this scope—a frequent issue in practice—isaddressed, clarifying that nationality is not included in thelimited list of special categories of personal data. Each categoryincludes useful examples, references to ECHR decisions, andcomparisons with the General Data Protection Regulation. Theopinions of the Court of Cassation and the Council of Stateregarding the application of Turkish law are also included.
Conditions for Processing Special Categories of PersonalData
As previously mentioned, the distinction between personal datarelating to health and sexual life and other special categories ofpersonal data has been eliminated under the amendments to the Law.The processing conditions have been revised to apply uniformly toall special categories of personal data, with additional conditionsintroduced. Most notably, it is now recognized that there is nohierarchical difference between explicit consent and otherprocessing conditions. The provision stating that specialcategories of personal data cannot be processed without explicitconsent has been removed.
The Guideline explains that the amendments to the Law establishclearer and more comprehensible processing conditions withwell-defined boundaries, facilitating better protection of personaldata while simplifying compliance for both data subjects and datacontrollers. It also emphasizes that the processing conditionsoutlined in the Guideline should be assessed alongside the generalprinciples set out in Article 4 of the Law to ensure legalintegrity.
Each processing requirement is detailed with examples in theGuideline. For instance, it states that "blood type"information on a driver's license can only be processed inemergency situations and in line with the individual'sintention to make it public. Processing data contrary to thisintention would not be considered lawful. Another examplehighlights that processing special categories of personal data tofulfil an employer's obligation to maintain an employee'spersonnel file under Article 75 of the Labor Law No. 4857 fallsunder the processing condition of "being mandatory for thefulfilment of legal obligations in employment, occupational healthand safety, social security, social services, and socialassistance."
Additionally, the terms "mandatory" and"necessary" in the relevant subparagraphs of Article 6 ofthe Law were deliberately chosen, and their meanings have beenemphasized in the Guideline.
Actions Data Controllers Must Take to Ensure Compliancewith the Law
The Guideline outlines the steps data controllers must take toensure compliance following the recent amendments to the Law. Thesesteps include updating the personal data processing inventory,revising procedures for obtaining explicit consent, amendingprivacy notices, updating data storage and disposal policies, andimplementing appropriate data security measures.
1. Revision and Update of the PersonalData Processing Inventory
Under the Regulation on the Data Controllers' Registry, datacontrollers must register with the Data Controllers' Registry("VERBIS") and maintain a personal dataprocessing inventory. Following the amendments to Article 6 of theLaw, data controllers must identify any changes in their dataprocessing activities, determine the personal data they processwithin their business processes, and document the legal basis forprocessing special categories of personal data in theirinventory.
Additionally, as stipulated in Article 13 of this Regulation,any changes in the information registered in VERBIS must bereported within seven days. Therefore, personal data processinginventories should be regularly reviewed and updated to reflect thecurrent status of data processing activities.
2. Reviewing and Revising Proceduresfor Obtaining Explicit Consent
The amendments to Article 6 of the Law have expanded theconditions for processing special categories of personal data.Previously, such data could only be processed based on the datasubject's explicit consent, but additional legal grounds nowallow processing under specific conditions. Data controllers mustcarefully monitor and adapt to these changes in their complianceprocesses. If processing will no longer rely on explicit consent,existing explicit consent texts should be updated accordingly, anddata subjects must be informed of these changes and theirimplications.
3. Amending and Aligning PrivacyNotices with Legal Changes
As the legal basis for processing personal data must be clearlystated in privacy notices, any changes to the processing conditionsof special categories of personal data must be reflected in thesenotices.
The Guideline emphasizes that after updating privacy notices,data subjects must be notified. It also clarifies that simplyposting an updated privacy notice on a website is insufficient;data subjects must be directly informed to ensure awareness of theupdates.
4. Updating the Data Storage andDisposal Policy
Data controllers registered with VERBIS must prepare a personaldata storage and disposal policy aligned with their personal dataprocessing inventory. Following the amendments to the Law, thesepolicies must be reviewed and revised. If the legal basis forprocessing special categories of personal data changes, storage anddisposal policies must be updated to ensure such data is notretained longer than necessary.
5. Ensuring the Implementation ofAppropriate Data Security Measures
Data controllers and processors must implement necessarytechnical and administrative measures to protect personal data.This includes assessing the types of data processed and associatedrisks and implementing additional safeguards for special categoriesof personal data.
Particularly, those processing special categories of personaldata must comply with the Personal Data Protection Board'sdecision dated 31.01.2018 and numbered 2018/10 regarding"Adequate Measures to be Taken by Data Controllers in theProcessing of Special Categories of Personal Data"2and the Guideline on Personal Data Security (Technical andAdministrative Measures)3.
Conclusion
This Guideline is among the most comprehensive issued to date,offering significant insights for implementation. Data controllersand processors handling special categories of personal data mustreview it carefully. It is also emphasized that the Board willcontinue to assess the lawfulness of processing special categoriesof personal data on a case-by-case basis.
Footnotes
1 Guideline on the Processing of Special Categories ofPersonal Data (Only in Turkish). (2025, February 26). Retrievedfrom Personal Data Protection Authority:https://kvkk.gov.tr/SharedFolderServer/CMSFiles/70f95c73-06a2-44dc-81e9-34201bdd7f5c.pdf
2 Personal Data Protection Board's decision numbered2018/10 regarding "Adequate Measures to be Taken by DataControllers in the Processing of Special Categories of PersonalData". (2018, January 31). Retrieved from Personal DataProtection Authority:https://kvkk.gov.tr/Icerik/4110/2018-10
3 Guideline on Personal Data Security (Technical andAdministrative Measures) (Only in Turkish). (2018, January).Retrieved from Personal Data Protection Authority:https://kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf
The content of this article is intended to provide a generalguide to the subject matter. Specialist advice should be soughtabout your specific circumstances.
