Significant amendments to Law No. 6698 on the Protection of Personal Data ("KVKK") regarding the transfer of personal data abroad were introduced through Law No. 7499, published in the Official Gazette dated March 12, 2024, No. 32487. Additionally, the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad ("By-Law") was published in the Official Gazette dated July 10, 2024, No. 32598 and entered into force.

I- Introduction

As is known, with the 8th Judicial Package accepted in the Grand National Assembly of Türkiye on March 2, 2024, and the Law No. 7499 published in the Official Gazette No. 32487 on March 12, 2024, titled the Law on Amendments to the Criminal Procedure Code and Certain Laws, several amendments were made to the Law on the Protection of Personal Data No. 6698 (the Law).

1. Introduction

The intersection of personal data protection law with various legal fields is evident. Any interference with personal data is generally considered illegal. According to our Constitution, the primary exception for processing personal data is the explicit consent of the individual. The Law on the Protection of Personal Data No. 6698 (KVKK) provides a framework for explicit consent without considering the personal characteristics of the data subject. If the data subject is a consumer, the general principles of consumer law and protective provisions established by other laws apply directly. The "power imbalance" between the data controller and the consumer must be considered, and an appropriate approach must be adopted. This article will discuss the explicit consents obtained from consumers by data controllers and the validity conditions of such consent.

I. Obligation To Protect Personal Data

Personal data is any information relating to an identified or identifiable natural person. This information may be related to the personal values of the person, his/her assets or the physical and social environment in which he/she lives. Although personal data is not a secret most of the time, real persons, as they are social beings, disclose many of their data to other real and even legal persons with whom they are in contact.

Law No. 6698 on the Personal Data Protection ("Law") stipulates its purpose in Article 1 titled "Purpose" as follows: “The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.” This provision regulates how personal data will be processed. Personal data is defined as "any information relating to an identified or identifiable natural person" in subparagraph d of Article 3 of the Law. Personal data are divided into special and general categories. In Article 6 of the Law titled "Conditions for processing of Special categories of personal data", special categories of personal data are defined as follows: "Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data."

Elections are one of the important elements of healthy and well-functioning democracies in terms of the exercise of political rights and the direct and/or indirect participation of citizens in the administration.

Today, elections are of great importance for the healthy functioning of democratic processes and public participation. However, it is of great importance to be careful about the protection of personal data and to take the necessary precautions during the activities. The protection of personal data should be considered as an essential element of democratic processes.

Technology, which develops day by day, has carried people's daily life to a different dimension. Conveniences that did not exist before have emerged. People have started to carry out many of their business online. Private sector and even public institutions carry out many transactions in this way. For this reason, almost everyone has information registered in multiple websites and databases. Many information such as T.R. identity numbers, home addresses, height of the person are included and stored in the systems. In other words, data is obtained, stored, or more accurately, processed. In the face of this convenience, mankind, which continues many of its business through the internet, has of course met some dangers that it has not faced before. One of these is personal data breaches.

Personal Data is any data relating to an identified or identifiable natural person. The Personal Data Protection Law (KVKK) defines "personal data" as follows. KVKK, which entered into force in 2016 and is a law that can be said to be young, makes many regulations in this regard. Issues such as personal data and processing of personal data are stipulated in this law. The purpose of the KVKK is stated in the first article as "The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data." With the regulations made in line with this purpose, KVKK has also examined the processing of personal data by grouping them. While the conditions for the processing of personal data are analysed in Article 5, the " Conditions for processing of Special categories of personal data" are included in Article 6. Biometric data is also mentioned in this article. For this reason, it should be said that biometric data are special categories of personal data.

The Personal Data Protection Law ("KVKK") is a young law adopted in 2016 and published in the Official Gazette. Personal data is clearly defined in Article 3 of the Law as "any information relating to an identified or identifiable natural person". In today's world where technology is developing every day, personal data and protection of personal data are becoming more and more important day by day. As social media platforms, systems used in corporate life and digital communication develop, people are in a difficult position to protect their personal data. The Personal Data Protection Law reveals its main purpose at this point.