Turkish Data Protection Law Enters into Force

15 April 2016
Kerem Turunç

Many years in the making, the Turkish Data Protection Law, Turkey’s first data protection and privacy law, recently entered into force. The Law generally follows the Data Protection Directive (95/46/EC) with certain differences.

The aim of the Data Protection Law is to safeguard the fundamental rights and freedoms of individuals, in particular their right to privacy, with respect to the processing of their personal data. Accordingly, the Law sets forth the principles that apply to the processing, use and transfer of personal data. Any legal or natural person who processes the personal data of others in whole or in part by automatic means, or by non-automatic means which form part of a data recording/filing system, is subject to these principles.

Any personal data processed prior to the publication of the Law must be made compliant with the Law within two years of the publication. Furthermore, any personal data in violation of the Law must immediately be deleted or anonymized. Having said that, any consent received legally prior to the publication of the Law will be deemed to have been obtained properly under the Law unless the data subject retracts such consent within a year of the publication of the Law.

Special provisions apply to the transfer of personal data outside of Turkey. Accordingly, multinational companies with subsidiaries or operations in Turkey will find it necessary to review their data processing practices and implement measures to comply with the Law.
