Turkey’s Data Protection and Privacy Law

28 April 2017
Kerem Turunç
Esin Çamlıbel
Grace Maral Burnett

Turkey’s first data protection and privacy law (the “Law”) came into force on April 7, 2016. The Law, which is largely in line with the EU’s Data Protection Directive, aims to safeguard the fundamental rights and freedoms of individuals, in particular their right to privacy, with respect to the processing of their personal data.

The Law sets forth the principles that apply to the processing, use, and transfer of personal data. Any person or entity that processes, by automatic means or otherwise, personal data as part of a data recording/filing system is subject to the Law. The Law defines the “processing of personal data” broadly to include the collection, recording, storage, alteration, reorganization, disclosure, transfer, classification, and restriction of the use of such data, or making such data retrievable.

Under the Law, personal data must be processed lawfully and fairly; be accurate and, where necessary, up to date; be collected for specified, explicit, and legitimate purposes; and not be excessive in relation to the purposes for which it is collected. Also, personal data must be kept no longer than is necessary for the purpose for which it was collected or processed. The processing of personal data requires the explicit consent of the data subject unless the processing falls under one of the allowed exceptions laid out in the Law. Under the Law, personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, clothing choices/habits, trade-union membership, health or sex life, criminal conviction and security measures, or biometric or genetic information is defined as “sensitive personal data” and cannot be processed without the consent of the data subject. Further, subject to certain specific exceptions, the Law prohibits the transfer of the personal data to third parties in Turkey or abroad without the consent of the data subject.

The Data Protection Authority and Board

The Data Protection Authority acts as a supervisory authority that monitors the compliance of data controllers and processors and will promulgate secondary legislation under the Law (it has yet to issue any secondary legislation but is required to do so by April 2017). The Authority also provides certain approvals required by the Law (such as approval of specific types of transfers of personal data abroad). The newly sworn-in Data Protection Board is the executive body of the Authority, holding broad regulatory and enforcement powers including the power to investigate alleged violations sua sponte. In response to complaints and as a result of its investigations, it may impose fees and sanctions on persons or entities who have failed to comply with the Law. Misdemeanor violations of the Law are subject to administrative fines ranging from TRY 5,000 to TRY 1,000,000 (approx. EUR 1,500 to EUR 310,000). Certain provisions of the Turkish Criminal Code also apply to some violations of the Law.

Compliance Recommendations

An entity or person who determines the purposes and means of the processing of personal data and who is responsible for establishment and management of the filing system is referred to as a Data Controller under the Law. Data Controllers have the responsibility to comply with the provisions of the Law. Data subjects, on the other hand, have the right to apply to Data Controllers in order to obtain information on whether and how their personal data is being processed, correct or destroy any incomplete or inaccurately processed data, and object to the results obtained by analyzing the processed data. The Authority and Board together administer the Data Controllers’ Registry with which all Data Controllers must register. Entities subject to the Law should immediately take steps to register with the Data Controllers’ Registry.

Any personal data processed prior to the publication of the Law must be made compliant with the Law no later than April 2018, and any currently non-compliant personal data kept must be immediately deleted or anonymized.

In light of the above, entities that are subject to the Law should be aware at all times of, and monitor, what types of personal data they collected and process; establish clear guidelines and requirements for the disclosure or other transmittal of personal data to third parties; designate a Data Controller and a representative of the Data Controller; review and, if necessary, revise their agreements to comply with the Law; obtain the explicit consent of all data subjects in writing; establish adequate security and storage measures for the processed data; prepare an internal guideline on how to collect, process and protect personal data; be aware of the timelines imposed by the Law; stay abreast of forthcoming secondary legislation; and be in coordination with affiliates in other jurisdictions in order to ensure their compliance, to the extent necessary, with the Law.

This article was originally published in CEE Legal Matters, a publication covering law firm news and legal developments in Central and Eastern Europe, and is available in the magazine’s print version and online.

Update: Links updated.