Global Data Privacy Guide: Turkey (Europe)
Firm: Pekin & Pekin
Contributors: Esra Tunçay
| 1. What is the key legislation? | The Personal Data Protection Law No. 6698 (published in the Official Gazette dated April 07, 2016 and numbered 29677) ("Law No. 6698" or the "Data Protection Law") is the key privacy legislation. It governs the liabilities, principles and procedures applicable to the processing of personal data by real persons and legal entities and protects, in particular, the right to privacy and the other fundamental rights and freedoms of real persons whose personal data is processed. The objective of the Data Protection Law is to protect the fundamental rights and freedoms of persons, especially the right to privacy of real persons, with respect to the processing of personal data, and to regulate the procedures and principles to be followed by the real and legal persons processing personal data, together with their obligations. Processing personal data means any operation performed on personal data, wholly or partly by automatic means or by non-automatic means as part of a data filing system, such as collection, recording, storage, protection, alteration, retrieval, disclosure, transfer, acquisition, dissemination, making available, alignment or blocking. The provisions of the Data Protection Law apply to real persons whose personal data is processed and impose obligations on the real and legal persons who process personal data, wholly or partly by automatic means or by non-automatic means as part of a data filing system. On the other hand, the following falls outside the scope of the Data Protection Law (Article 28):
Provided that data processing is compliant and proportionate to the purpose and general principles of the Data Protection Law, (i) Article 10 of the Data Protection Law which regulates the obligation of the data controller to inform the data subject; (ii) Article 11 of the Data Protection Law which regulates the rights of the data subject (except for the right to request compensation); and (iii) Article 16 of the Data Protection Law which regulates the obligation to register with the Data Controllers Registry shall not be applied if:
Along with the Data Protection Law, which is a general framework law, there are also specific provisions pertaining to data protection in different legislation, including but not limited to:
|
||||||||||||
| 2. What are the key decisions applying that legislation? | The Data Protection Law was enacted through its publication in the Official Gazette dated 07.04.2016 and numbered 29677. |
||||||||||||
| 1. How are “personal data” and “sensitive data” defined? | Under the Data Protection Law, any data relating to an identified or identifiable natural person is defined as “personal data”, whereas “sensitive personal data” means personal data concerning the racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, dress and clothing, association, foundation or union membership, health, sexual life, criminal conviction or punitive measures, and the biometric and genetic data of a person. In February 2025, the Board published guidance on Sensitive Personal Data which details the different categories of sensitive personal data and the different conditions for processing them, noting, for example, that: (i) “nationality” data would not be considered sensitive data; (ii) the rationale for the inclusion of “dress and attire” is to prevent discrimination based on appearance; (iii) blood group is a form of health data, so sensitive personal data will be processed where this information is contained in old forms of passports or other ID documents; and (iv) the way a person walks, presses the keyboard or drives a car is also considered behavioural biometric data. |
||||||||||||
| 2. How is the defined data protected? | Under the Data Protection Law, data controllers must take the necessary technical and administrative measures in order to: (i) ensure the protection of the personal data; (ii) prevent unlawful processing of personal data; and (iii) prevent unlawful access to personal data. Data controllers are jointly responsible with data processors for taking these measures in respect of data processing by the data processor. There is a published Guidance on Personal Data Security explaining that the data controllers shall adopt the administrative and technical measures which are detailed in the Guidance to protect the personal data, as appropriate to their particular case. Such administrative and technical measures are, in a nutshell, as follows:
|
||||||||||||
| 3. Who is subject to privacy obligations? | The data processor and the data controller are subject to the privacy obligations set out under the Data Protection Law. As per Article 3 of the Data Protection Law, the data processor means the real or legal person who processes personal data on behalf of the data controller and on the basis of the authorization given by it. Further to the same article, the data controller means the real or legal person who determines the purposes and means of data processing and is in charge of the establishment and management of the data filing system. |
||||||||||||
| 4. How is “data processing” defined? | Processing personal data means any process on personal data, by automatic and other means, being a part of any data filing system, such as collection, recording, storage, protection or alteration, retrieval, disclosure, transfer, acquisition, dissemination, making available, alignment or blocking, wholly or partly. |
||||||||||||
| 5. What are the principles applicable to personal data processing? | Article 4 of the Data Protection Law sets out certain data protection principles. Personal data can only be processed according to the procedures and principles set forth in the Data Protection Law and in other laws. Personal data must be:
In line with the principle of good faith, the data controller must take into account the interests and legitimate expectations of data subjects while pursuing its objectives through data processing. The data controller is expected to act in a manner that avoids causing harm to data subjects and ensures that processing activities are carried out with transparency. |
||||||||||||
| 6. How is the processing of personal data regulated? | Under the Data Protection Law, personal data may only be processed where the individual has given their explicit consent, unless another ground for processing applies. Such grounds for processing are stipulated under Article 5 of the Data Protection Law:
Conditions of processing of sensitive personal data are set out under Article 6 of the Data Protection Law in a slightly different manner. Sensitive Personal Data may be processed if:
For processing sensitive personal data according to Paragraph 4 of Article 6, as mentioned in the preamble of the Data Protection Law, it is necessary to take the adequate measures determined by the Board for the processing of sensitive data. In the relevant decision, the Board required the following measures:
|
||||||||||||
| 7. How are storage, security and retention of personal data regulated? | The data controller is obliged to take all technical and administrative measures in order to provide an adequate level of data security. In the event that the reasons for which personal data are processed are no longer valid, despite the data having been processed pursuant to the Data Protection Law or any other applicable law, the personal data shall be deleted, destroyed or anonymized by the data controller, either directly or upon the demand of the data subject. According to Article 12 of the Data Protection Law, the data controller is obliged to take all technical and administrative measures in order to provide an adequate level of security, more precisely (i) to prevent unlawful processing of personal data; (ii) to prevent unlawful access to personal data; and (iii) to provide protection of personal data. However, there is no specific definition of an adequate level of security under the law. The technical and administrative measures suggested and advised by the Board in the Guidance on Personal Data Security are provided in detail in Section 2 above. In the event that the personal data are processed by a real or legal person on behalf of the data controller, the data controller and the data processor are jointly liable for taking the measures referred to above. The data controller is obliged to have the required inspections carried out within its own institution or organization in order to ensure that the provisions of the Data Protection Law are implemented. The data controller and the data processor may not disclose the data to third parties or use it contrary to the provisions of the Data Protection Law, and this obligation continues after their duties end. In the event that the processed data are unlawfully obtained, the data controller shall immediately notify the data subject and the Board. 
If necessary, the Board may announce this situation on its website or via other appropriate means. The Board shed light on this obligation with its decision dated September 18, 2019, and numbered 2019/271. The Board held that the notification of the infringement to be made by the data controller to the data subject shall be in clear and plain language, and at least the following elements must be included:
On the other hand, Article 7 of the Data Protection Law regulates deletion, destruction, and anonymization of the data. In the event that the reasons for which personal data are processed are no longer valid, despite being processed pursuant to this law or any other applicable law, personal data shall be deleted, destroyed or anonymized by the data controller directly or upon the demand of the data subject. This article shall apply without prejudice to the relevant legal provisions concerning the deletion, destruction or anonymization of personal data abroad. Procedures and principles related to the deletion, destruction or anonymization of personal data are determined under the Regulation Regarding Deletion, Destruction and Anonymization of Personal Data (published in the Official Gazette dated October 28, 2017, and numbered 30224) as amended by an amendment regulation (published in the Official Gazette dated April 28, 2019, and numbered 30758). In addition to the foregoing, the Guidelines on the Deletion, Destruction, or Anonymization of Personal Data published by the Data Protection Authority provide for appropriate forms of anonymization of personal data in compliance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data. In this regard, the Guidelines note that anonymization should be used as an alternative to deletion or destruction only if:
Moreover, the Board published the Guide on the Right to be Forgotten on its official website on October 20, 2021. In this regard, the data subject may request that the results shown by a search with his/her own name and surname be removed from the index of the search engines and this request will be examined under certain criteria. |
||||||||||||
| 8. What are the data subjects' rights under the data legislation? | According to Article 11 of the Data Protection Law, everyone has the right to apply to the data controller to:
Furthermore, the Communiqué on Application to Data Controller specifies that data subject requests must be made in Turkish, in written form or via registered electronic mail, secure e-signature, mobile signature or the e-mail address previously notified to the data controller, and must contain the following information: (i) name and surname; (ii) ID number for Turkish citizens, or nationality and passport number for non-Turkish citizens; (iii) residence or workplace address; (iv) contact information; and (v) the subject of the request. Any supporting document should also be included in the request. Pursuant to the same Communiqué, once a request is received, data controllers are required to:
|
||||||||||||
| 9. What are the consent requirements for data subjects? | Under the Data Protection Law, “explicit consent” must be
In addition, the Communiqué on Obligation to Inform sets forth that data controllers are required to fulfil their obligation to inform the data subject and to obtain explicit consent separately. Please note that explicit consent does not necessarily have to be given in written form. It is possible to obtain explicit consent via electronic means or phone correspondence (e.g., call centers). In any case, it is the data controller who is obliged to prove that the consent is obtained from the data subjects in line with the Data Protection Law. |
||||||||||||
| 10. How is authorization for use of data handled? | First of all, it is the data controller who decides on the following: the collection of personal data and the method of collection, the types of personal data to be collected, the individuals whose personal data will be collected, the processing of personal data, and who will process it. Furthermore, the Guidance on Security indicates that access to systems containing personal data must also be restricted. Within this scope, employees should be granted access rights only to the extent necessary for the performance of their duties, responsibilities, and authorities, and access to the relevant systems should be provided through the use of a username and password. Accordingly, it is recommended that data controllers establish an access authorization and control matrix and develop separate access policies and procedures, ensuring that these policies and procedures are implemented within the data controller’s organization. In addition to the use of strong passwords, measures should be taken to protect against common attacks such as brute force algorithms ("BFA"), including limiting the number of login attempts, ensuring that passwords are changed at regular intervals, granting administrator accounts and admin privileges only when necessary, and promptly deleting or disabling accounts of employees whose relationship with the data controller has been terminated, in order to restrict access. The use of access control authorizations and/or encryption methods in cases such as the loss or theft of devices containing personal data will help ensure the security of personal data. Within this scope, the encryption key must be stored in an environment accessible only to authorized persons, and unauthorized access must be prevented. Similarly, physical documents containing personal data must be stored in a locked environment accessible only to authorized persons, and unauthorized access to such documents must be prevented. 
In any case, in the event of unauthorized access and/or use of data, the data controller’s liability. |
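The measures listed in the answer above (an access authorization and control matrix, a cap on login attempts, periodic password changes, admin rights only where needed, and prompt disabling of leavers' accounts) can be modelled in a few lines. The block below is an added illustration written for this page; it is not code from the guide, the Authority or the Board. The role names, dataset names, lockout threshold, lockout window and 90-day rotation interval are assumptions chosen for the example; a data controller would take its own values from its access policy.

```python
# Added illustration (not from the guide): a minimal model of the access
# controls the Guidance on Personal Data Security recommends. Thresholds,
# roles and dataset names below are assumptions chosen for the example.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                  # assumed lockout threshold
LOCKOUT_WINDOW = timedelta(minutes=15)   # assumed window for counting failures
PASSWORD_MAX_AGE = timedelta(days=90)    # assumed password rotation interval

# Access authorization and control matrix: role -> dataset -> permitted actions.
# Entries are constructed; a real matrix follows the controller's own duties.
ACCESS_MATRIX = {
    "hr_clerk": {"employee_records": {"read"}},
    "hr_admin": {"employee_records": {"read", "write"}},
    "sysadmin": {"employee_records": {"read", "write", "delete"},
                 "audit_log": {"read"}},
}


@dataclass
class Account:
    username: str
    role: str
    password_set_at: datetime
    active: bool = True
    failed_logins: list = field(default_factory=list)  # timestamps of failures


def is_locked_out(account: Account, now: datetime) -> bool:
    """True when the account has hit the failure threshold inside the window."""
    recent = [t for t in account.failed_logins if now - t <= LOCKOUT_WINDOW]
    account.failed_logins = recent          # drop stale failures
    return len(recent) >= MAX_FAILED_ATTEMPTS


def record_failed_login(account: Account, now: datetime) -> bool:
    """Record one failed attempt; returns whether the account is now locked."""
    account.failed_logins.append(now)
    return is_locked_out(account, now)


def password_expired(account: Account, now: datetime) -> bool:
    return now - account.password_set_at > PASSWORD_MAX_AGE


def deprovision(account: Account) -> None:
    """Disable the account of a person whose relationship has ended."""
    account.active = False


def authorize(account: Account, dataset: str, action: str, now: datetime):
    """Decide whether `account` may perform `action` on `dataset` at time `now`.

    Returns (allowed, reason). Each denial path corresponds to one measure
    in the Guidance: disabled accounts, lockout after repeated failures,
    overdue password rotation, and the access matrix itself.
    """
    if not account.active:
        return False, "account disabled"
    if is_locked_out(account, now):
        return False, "locked out after repeated failed logins"
    if password_expired(account, now):
        return False, "password rotation overdue"
    permitted = ACCESS_MATRIX.get(account.role, {}).get(dataset, set())
    if action not in permitted:
        return False, "not permitted by access matrix"
    return True, "ok"


def run_scenario() -> dict:
    """Constructed walk-through; returns each decision so it can be checked."""
    now = datetime(2025, 6, 1, 9, 0)
    clerk = Account("clerk1", "hr_clerk", password_set_at=now - timedelta(days=10))
    leaver = Account("leaver1", "hr_admin", password_set_at=now - timedelta(days=10))
    stale = Account("stale1", "sysadmin", password_set_at=now - timedelta(days=120))
    results = {}
    results["clerk_read"] = authorize(clerk, "employee_records", "read", now)
    results["clerk_delete"] = authorize(clerk, "employee_records", "delete", now)
    # Five failures within a minute lock the clerk out ...
    for i in range(MAX_FAILED_ATTEMPTS):
        record_failed_login(clerk, now + timedelta(seconds=10 * i))
    results["clerk_locked"] = authorize(clerk, "employee_records", "read",
                                        now + timedelta(minutes=1))
    # ... and the lockout clears once the failures fall outside the window.
    results["clerk_after_window"] = authorize(clerk, "employee_records", "read",
                                              now + timedelta(minutes=20))
    deprovision(leaver)
    results["leaver_read"] = authorize(leaver, "employee_records", "read", now)
    results["stale_read"] = authorize(stale, "audit_log", "read", now)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenario().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

Running the script prints one line per decision in the constructed scenario. The ordering of the checks in `authorize` is deliberate: an account that has been deprovisioned is refused before any other state is consulted, so a leaver's account cannot be kept alive by a valid password or an unexpired lockout window, and the matrix lookup is the last step so that a role missing from the matrix is denied by default rather than granted.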
||||||||||||
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | Significant amendments to the conditions for the transfer of personal data abroad were introduced by Law No. 7499 on Amendments to the Criminal Procedure Code and Certain Laws, published in the Official Gazette dated 12 March 2024. Under the new regulation, a three-alternative system for the transfer of data abroad has been adopted. A new paragraph has also been added stipulating that the procedures and principles regarding the implementation of this article shall be regulated by a by-law. In this context, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) was published in the Official Gazette dated 10 July 2024 and entered into force.
|
||||||||||||
| 12. How are data "incidents" and "breaches" defined? | An “incident” is usually defined as a security event that compromises the integrity, confidentiality, or availability of an information asset, while a “breach” is an incident that results in the confirmed disclosure of data to an unauthorized party. On the other hand, under the Turkish data protection legislation, the terms "data breach" and "incident" are not directly defined. However, the Board constantly refers to the term “data breach” in its decisions. Also, Article 12/5 of the Data Protection Law stipulates the obligations of the data controller in case of a “breach”. The phrase “obtained by others through unlawful means,” as stated in Article 12/5, can be interpreted to mean that a data breach only occurs when the processed personal data is acquired as a result of cyberattacks or various unlawful interventions carried out by third parties. However, for a data breach, the condition of personal data being obtained by a third party through unlawful means should not be interpreted solely as situations where the data is acquired through attacks or interventions by third parties. For example, if a data controller accidentally discloses personal data belonging to data subjects, the data will have fallen into the hands of third parties unlawfully, even though no external attack or intervention took place. |
||||||||||||
| 13. Are there any notification requirements for incidents and/or data breaches? | Pursuant to Article 12/5 of the Data Protection Law, in case the data processed are obtained by others through unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board as soon as possible. In the Board’s Decision dated 24.01.2019 and numbered 2019/10, the expression “as soon as possible” in Article 12/5 of the Data Protection Law was interpreted to mean 72 hours, and it was stated that the data controller must notify the Board without delay and, at the latest, within 72 hours from the date on which it becomes aware of the situation. After the data controller fulfills the notification obligation, the Board may decide to carry out an examination. The Board shall be notified through the Data Breach Notification Form published by the Board. The data controller may submit the form through the Board’s online portal, or fill out its PDF version and send it by e-mail to the Board’s relevant e-mail address or by courier to its postal address. Following the identification of the individuals affected by the data breach, those affected must also be notified within the shortest reasonable time. If the contact information of the data subject is available, the notification should be made directly; if not, an appropriate method such as publishing the notice on the data controller’s own website should be used. |
||||||||||||
| 14. Who is/are the privacy regulator(s)? | There is a two-tier system consisting of regulatory and supervisory authorities. In Türkiye, the primary privacy regulator is the Personal Data Protection Authority. The Authority has administrative and financial autonomy and is an independent administrative body established under the Data Protection Law. Key responsibilities of the Authority include:
The Personal Data Protection Board operates as the decision-making body within the Authority. Key responsibilities of the Board include:
The Data Protection Board is the decision-making body of the Data Protection Authority:
|
||||||||||||
| 15. What are the consequences of a data breach? | The legal consequences envisaged under the law are imprisonment and administrative fines. Only specific crimes regulated under the Criminal Code relate to personal data protection. For the crimes envisaged under Articles 135 to 140 of the Criminal Code, the sanction is imprisonment ranging from one to four years. Article 140 of the Criminal Code states that security measures specific to legal entities shall be imposed where the offenses defined in those articles are committed by legal entities; these may include (amongst other things) the revocation of licenses granted by public institutions or the confiscation of illegally generated income. In addition to the foregoing, persons who fail to perform the obligations stated under Article 18 of the Data Protection Law shall be subject to administrative fines ranging between TRY 68,083 and TRY 13,620,402 for the year 2025. |
||||||||||||
| 16. How is electronic marketing regulated? | Electronic marketing is regulated under the Law on Regulation of Electronic Commerce and its secondary legislation. According to Article 6 of the Law on Regulation of Electronic Commerce, unsolicited electronic marketing messages are forbidden: the consent of the customer or the target is required, except for merchants and artisans and a few other exceptions. Under that Law, the scope of electronic commerce activities is defined quite broadly and includes many types of communications, such as campaigns, promotions, notifications, surveys, service introductions and special occasion greeting messages. Such consent may be obtained in written form or by electronic means. Pursuant to the Regulation on Commercial Communication and Commercial Electronic Messages, real persons and legal entities that send commercial electronic messages (“Service Providers”) are required to register with the Electronic Messages Management System ("İYS"), and all Service Providers sending commercial electronic messages shall enter the relevant information (date of approval, communication address, etc.) into İYS. An option to unsubscribe shall be included in all commercial electronic messages sent. Furthermore, information such as name, surname, e-mail address and/or telephone number used in the course of such commercial communication constitutes “personal data” within the scope of the Data Protection Law. Therefore, pursuant to Article 10 of the Data Protection Law, data controllers must fulfill their obligation to inform by providing an information notice at the time personal data is obtained in the context of their commercial communication activities. The Board also holds that service providers shall obtain both approval under the Law on Regulation of Electronic Commerce and explicit consent for the processing of personal data. |
||||||||||||
| 17. Are there sector-specific or industry-specific privacy requirements? | While the primary data protection legislation is the Data Protection Law, certain sectors are also subject to additional, sector-specific privacy and data protection requirements. These may arise from the regulatory bodies overseeing those industries or from sectoral laws and their secondary legislation. The sectors concerned are usually regulated ones such as banking and financial services, insurance, telecommunications, health and e-commerce. The Electronic Communications Law numbered 5809 and the related regulations of the Information and Communication Technologies Authority also impose detailed requirements on data retention, lawful interception and user privacy. |
||||||||||||
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | In Türkiye, entities are not obligated to designate an individual responsible for governance or for matters related to the processing of personal data. As per the Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (published in the Official Gazette dated December 6, 2021, and numbered 31681), certification under the Data Protection Officer Program has been determined in accordance with the standard numbered (TS) EN ISO/IEC 17024. After participating in this program and passing the exam, the data protection officer is deemed to have sufficient knowledge of data protection legislation, and the title may be used for 4 years from the announcement of the exam results. However, employing a data protection officer within the data controller and/or data processor does not remove the responsibility of the data controller and the data processor to comply with the Data Protection Law and the relevant legislation. |
||||||||||||
| 19. What are the record-keeping and documentation obligations? | Pursuant to Article 4(1)(ç) of the Data Protection Law, personal data must be relevant, limited, and proportionate to the purpose for which it is processed. This reflects the principles of proportionality and data minimization, requiring that only data necessary for the specified purpose be collected, retained, and documented. In addition, Article 4(1)(d) of the Data Protection Law provides that personal data may only be stored for as long as required by the applicable legislation or necessary for the purpose of processing.
The data controller that issued a data storage and disposal policy must erase, destroy or anonymize the personal data in the first periodic disposal process following the date when the obligation of erasure, destruction or anonymization of personal data arises. Even though the time interval for periodic disposal must be defined in the personal data storage and disposal policy by the data controller, this time interval shall exceed six months in any case, as per Article 11 of the Deletion Regulation. However, the data controllers who are not obliged to issue a personal data storage and disposal policy must erase, destroy or anonymize personal data within three months following the date on which the obligation of erasure, destruction or anonymization of personal data arises. Further, according to Article 7 of the Deletion Regulation, all operations relating to erasure, destruction and anonymization of personal data shall be recorded and those records shall be stored for a minimum of three years, excluding other legal obligations. Also, the data controllers who are obliged to register with VERBIS shall also create an inventory where the personal data processing activities carried out by data controllers in accordance with their business processes; the purposes and legal basis for processing personal data, the data category, the recipient group to which the data is transferred, and the group of data subjects to which the data relates, along with the maximum retention period necessary for the purposes for which the personal data is processed, the personal data intended for transfer to foreign countries, and the measures taken regarding data security shall be detailed. As a separate note, data controllers processing sensitive personal data shall establish a separate policy and procedure for the security of sensitive personal data that is systematic, clearly defined, manageable, and sustainable. 
Although not an obligation, data controllers may also adopt policies on the procedures to be followed in case of a data breach or a data subject application, alongside the organization’s main principles on personal data processing and its internal rules. It is also highly recommended to keep all records and reports relating to the measures taken for the protection of personal data, such as employee training records, the outputs of penetration tests and audit reports, so that they can be submitted for the Board’s review in case of a data breach to prove that the data controller has adopted all necessary technical and administrative measures. Such records may also include written agreements with third parties that incorporate data protection measures. Pursuant to Article 10 of the Data Protection Law, the data controller is obliged to provide the following information to data subjects when processing their personal data: (i) the identity of the data controller and of a contact person; (ii) the purposes of the processing; (iii) the recipients and the purpose of the transfer of processed personal data; (iv) the method and legal basis of collection of the personal data; and (v) the other rights of the data subject referred to in Article 11 (please refer to the question on the rights of the data subject above). The Communiqué Regarding the Principles and Procedures to be Followed Relating to the Information Obligation (published in the Official Gazette dated March 10, 2018, and numbered 30356) has been issued by the Board. That Communiqué regulates the minimum content of the information to be provided to the data subject by the data controller before the respective processing activity. Therefore, the information texts that the data controller submits to data subjects for its various processing purposes should also be documented. 
Lastly, even though there is no required form of explicit consent, since the liability lies with the data controllers, they may keep records of the obtained explicit consents. |
||||||||||||
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | DPIAs are not explicitly regulated under the Data Protection Law. However, the Board also takes into account the principles of transparency and accountability, which it has adopted as its fundamental principles and values. The Data Protection Board decision No. 2019/78 refers directly to the principle of accountability by stating that, when assessing legitimate interest, factors such as the broader impact of the interest, its purpose not being solely profit-driven or economically motivated, and its contribution to facilitating business operations (such as affecting the organization as a whole rather than a specific unit or a limited number of employees) should be considered, and that this assessment should be guided by the principles of transparency and accountability. Within the scope of the Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence published by the Board, in artificial intelligence studies based on personal data processing, if a high risk is anticipated in terms of personal data protection, an impact assessment should be carried out and the legality of the data processing activity should be determined within this framework. Importantly, one of the alternatives for cross-border transfers stipulates that, in the absence of an adequacy decision, personal data may be transferred as long as one of the conditions set forth in Articles 5 and 6 of the Data Protection Law is met, the data subject has the possibility to exercise their rights and to seek effective legal remedies in the country to which the transfer will be made, and one of the parties provides one of the appropriate safeguards. In this way, the data controller or data processor transferring the personal data must determine that the data subject has the right to exercise their rights and seek effective legal remedies in the country to which the data will be transferred. 
This matter is referred to in European Union legislation as a “transfer impact assessment” (“TIA”). In the Supplementary Document on Essential Points to be Included in Binding Corporate Rules for Data Controllers, published by the Board for use in applications made within the scope of binding corporate rules for cross-border transfers, under the heading “Accountability and Other Principles/Tools”, it is stated that data controllers must increase compliance and, where necessary, conduct a risk analysis for data processing activities that are likely to pose a high risk to the rights and freedoms of natural persons. It also states that if, based on the risk analysis, the data controller has not taken the necessary measures to mitigate the risk and it is determined that the data processing will pose a high risk, the data controller must consult the Board prior to the data processing activity. Beyond the above, it may be inferred from the Board’s practice that the principle of accountability and the related compliance tools are interpreted in parallel with European Union data protection law. |
||||||||||||
| 21. What are the requirements for third-party vendor management and data sharing? | Under the Data Protection Law, the explicit consent of the individual is required to share personal data with another data controller, unless another lawful basis for processing applies. These bases are set out in Article 5 for personal data and Article 6 for sensitive personal data, as further detailed in Section 6 above. Although the Data Protection Law and its secondary legislation do not impose specific obligations regarding third-party vendor management, data controllers are jointly liable with data processors for ensuring that necessary technical and administrative safeguards are in place. Therefore, it is advisable for data controllers to enter into written agreements with data processors to clearly define the scope of these security measures and to include liability clauses addressing potential failures to ensure adequate protection. |
||||||||||||
| 22. What are the penalties and enforcement mechanisms for non-compliance? | In case of violation of the liabilities relating to personal data protection, the amounts of administrative fines set forth in Article 18 of the Data Protection Law are as follows for the year 2025:
In addition, under Articles 135 to 138 of the Turkish Criminal Code No. 5237, unlawful recording of personal data and unlawful transfer or seizure of personal data are regulated as crimes. Accordingly:
|
||||||||||||
| 23. What are the ongoing compliance and audit requirements? | According to Article 12 of the Data Protection Law titled “Obligations regarding data security”, the data controller must take all necessary technical and administrative measures to ensure an appropriate level of security to (i) prevent the unlawful processing of personal data, (ii) prevent unlawful access to personal data, and (iii) ensure the protection of personal data. Where personal data is processed on behalf of the data controller by another natural or legal person, the data controller shall be jointly responsible with such persons for taking the measures specified in the first sentence. Even though the Data Protection Law does not explicitly require or refer to a compliance program, these obligations set for data controllers may be fulfilled through a compliance program. Further, according to Article 12 of the Data Protection Law, the data controller is obliged to carry out or have carried out the necessary audits within their institution or organization to ensure compliance with the provisions of the Data Protection Law. Pursuant to the Guidance on Security, the data controller shall carry out or have carried out the necessary audits on the system containing personal data, and may review the resulting audit reports as well as conduct on-site inspections of the service provider. |
||||||||||||
| 24. Are there any recent developments or expected reforms? | The Medium-Term Program (2024–2026) issued by the Presidency of Strategy and Budget indicates that efforts are underway to align the Data Protection Law with EU data protection legislation, particularly the GDPR. Similarly, the “2025 Presidential Annual Program,” published in the Official Gazette on October 30, 2024, identifies as Measure 359.2.355 the finalization of these harmonization efforts between the Data Protection Law and the GDPR. |
On the other hand, the following falls out of the scope of the Data Protection Law (Article 28):
- processing of personal data by natural persons in the course of a solely personal or household activity, provided that obligations relating to data security are complied with and data are not transferred to third parties;
- processing of personal data for the purposes of official statistics and, through anonymization, research, planning, statistics and similar;
- processing of personal data for the purposes of art, history, and literature or science, or within the scope of freedom of expression, provided that national defense, national security, public safety, public order, economic safety, privacy of personal life or personal rights are not violated;
- processing of personal data within the scope of preventive, protective and intelligence-related activities by public institutions and organizations that are assigned and authorized for providing national defense, national security, public safety, public order or economic safety; and
- processing of personal data by judicial authorities and execution agencies with regard to the investigation, prosecution, adjudication or execution procedures.
Provided that data processing is compliant and proportionate to the purpose and general principles of the Data Protection Law, (i) Article 10 of the Data Protection Law which regulates the obligation of the data controller to inform the data subject; (ii) Article 11 of the Data Protection Law which regulates the rights of the data subject (except for the right to request compensation); and (iii) Article 16 of the Data Protection Law which regulates the obligation to register with the Data Controllers Registry shall not be applied if:
- processing of personal data is necessary for the prevention of crime or investigation of a crime;
- processing of personal data revealed to the public by the data subject herself/himself;
- processing of personal data is necessary, deriving from the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status; and/or
- processing of personal data is necessary for the protection of the economic and financial interests of the state related to budgeting, tax, and financial matters.
Along with the Data Protection Law, which is a general framework law, there are also specific provisions pertaining to data protection in different legislation, including but not limited to:
- The Labour Code;
- The Banking Law and its secondary legislation;
- The Electronic Communication Law;
- The Internet Regulation and Regulation on the Internet Bulk Use Providers; and
- The Regulation on Personal Health Data.
The Data Protection Law was enacted by publication in the Official Gazette dated 07.04.2016 and numbered 29677.
Under the Data Protection Law, any data relating to an identified or identifiable natural person is defined as “personal data” whereas “sensitive personal data” means personal data concerning the racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, dress and clothing, association, foundation or union membership, health, sexual life, criminal conviction or punitive measures and the biometric and genetic data of a person.
In February 2025, the Board published guidance on Sensitive Personal Data which details the different categories of sensitive personal data and the conditions for processing them, noting for instance that: (i) “nationality” data would not be considered sensitive data; (iii) the rationale for the inclusion of “dress and attire” is to prevent discrimination based on appearance; (iv) blood group is a form of health data, so sensitive personal data will be processed where this information is contained in old forms of passports or other ID documents; and (v) the way a person walks, types on a keyboard or drives a car is also considered behavioural biometric data.
Under the Data Protection Law, data controllers must take the necessary technical and administrative measures in order to: (i) ensure the protection of the personal data; (ii) prevent unlawful processing of personal data; and (iii) prevent unlawful access to personal data. Data controllers are jointly responsible with data processors for taking these measures in respect of data processing by the data processor.
There is a published Guidance on Personal Data Security explaining that the data controllers shall adopt the administrative and technical measures which are detailed in the Guidance to protect the personal data, as appropriate to their particular case. Such administrative and technical measures are, in a nutshell, as follows:
- Administrative measures are: preparation of a personal data inventory, corporate policies of security, access, use, storage and destruction of information; agreements with other Data Controllers and Data Processors; non-disclosure agreements; internal periodic and random inspections; risk analysis; employment agreements and disciplinary procedures including provisions for Personal Data security and strong corporate communication such as internal notification procedures, crisis management etc.
- Technical measures are: authorization matrix, checks on authorizations, access logs, management of users’ accounts, network security, application security, encryption, leakage tests, attack identification and prevention systems, log records, Personal Data masking, software to prevent Personal Data loss, back-ups, firewalls, up-to-date antivirus systems, deletion, destruction and anonymization, two-phase verification, and encryption and key management.
The data processor and the data controller are subject to privacy obligations set out under the Data Protection Law. As per Article 3 of the Data Protection Law, the data processor means real or legal person processing personal data based on the authorization given by and on behalf of the data controller. Further to the same article, the controller means real or legal persons determining the purpose and instruments of data processing, which is in charge of the establishment and management of the data filing system.
Processing personal data means any process on personal data, by automatic and other means, being a part of any data filing system, such as collection, recording, storage, protection or alteration, retrieval, disclosure, transfer, acquisition, dissemination, making available, alignment or blocking, wholly or partly.
Article 4 of the Data Protection Law sets out certain data protection principles. Personal data can only be processed according to the procedures and principles set forth in the Data Protection Law and in other laws.
Personal data must be:
- processed in compliance with the laws and in good faith,
- accurate and where necessary kept up to date,
- processed for specified, explicit, and legitimate purposes,
- relevant, limited and proportionate to the purpose of processing,
- kept for the time stipulated by the relevant legislation or necessitated by the purpose of processing.
In line with the principle of good faith, the data controller must take into account the interests and legitimate expectations of data subjects while pursuing its objectives through data processing. The data controller is expected to act in a manner that avoids causing harm to data subjects and ensures that processing activities are carried out with transparency.
Under the Data Protection Law, personal data may only be processed where the individual has given their explicit consent, unless another ground for processing applies. Such grounds for processing are stipulated under Article 5 of the Data Protection Law:
- It is explicitly foreseen by law;
- In case processing is mandatory to protect the vital interests or the bodily integrity of the data subject or of another person that is physically or legally incapable of giving his/her consent;
- If the processing of personal data of contracting parties is mandatory in a contractual relationship, on the condition that such processing is directly related to the execution or fulfillment of such contract;
- If processing is mandatory for the fulfillment of the data controller’s legal obligation;
- In case the data has been made public by the data subject, provided that such personal data may only be processed for the purposes of being made public;
- If processing is mandatory for the establishment, exercise or defense of a legal claim; or
- If processing is mandatory for the data controller’s legitimate interests, provided that it does not violate the data subject’s fundamental rights and freedoms.
Conditions of processing of sensitive personal data are set out under Article 6 of the Data Protection Law in a slightly different manner.
Sensitive Personal Data may be processed if:
- The explicit consent of the data subject has been obtained;
- it is explicitly stipulated by Turkish law;
- in case processing is mandatory to protect the vital interests or the bodily integrity of the data subject or of another person that is physically or legally incapable of giving his/her consent;
- in case the data has been made public by the data subject, provided that such personal data may only be processed for the purposes of being made public;
- processing is mandatory for the establishment, exercise or preservation of a legal claim;
- processing is carried out by persons or authorized institutions under a confidentiality obligation and is necessary for the purposes of (i) protection of public health, (ii) preventive medicine, (iii) medical diagnosis, (iv) exercise of treatment and care activities and (v) planning, management and financing of health services;
- processing is mandatory for the fulfilment of legal obligations pertaining to the areas of employment, occupational health and safety, social security, social services and social assistance;
- processing is related to current or former members and associates or persons in regular interaction with foundations, associations and other non-profit organizations or entities established for political, philosophical, religious or trade union purposes, provided that they comply with the applicable legislation, their purposes are limited to their fields and sensitive personal data is not being disclosed to third parties.
For processing sensitive personal data according to Paragraph 4 of Article 6, as mentioned in the preamble of the Data Protection Law, it is necessary to take the adequate measures determined by the Board for the processing of sensitive data.
In the relevant decision, the Board required the following measures:
- Adoption of separate systemized, clear, manageable and sustainable policies and procedures on the security of sensitive personal data.
- Actions for employees: provision of regular training on sensitive personal data security, execution of confidentiality agreements, a clear definition of the scope and period of authority for users granted access to sensitive personal data, periodic evaluation of the authority of users granted access to sensitive personal data, immediate cancellation of an employee's authority to access sensitive personal data where their job description has changed or their employment agreement is terminated by any means, as well as ensuring the return of any sensitive personal data from such employee.
- If sensitive personal data is processed/stored/accessed by electronic means, the following actions must be taken: such personal data shall be conserved by cryptographic methods, cryptographic keys shall be kept securely and separately, all actions regarding sensitive personal data shall be securely logged, security updates and tests on the means by which the personal data is collected must be duly made and the results of the same shall be recorded, and where remote access is necessary, a two-phase identity verification process must be set up.
- If sensitive personal data will be processed by physical means, necessary precautions must be taken against risks such as theft, electrical leakages, floods, etc.
- Unauthorized entrances to such physical means shall be prevented.
- If sensitive personal data will be transferred by means of e-mail, it must be transferred through an encrypted corporate e-mail address or by using a Registered Electronic Mail (KEP) account.
- If sensitive personal data will be transferred through media such as memory sticks, CDs or DVDs, it must be encrypted using cryptographic methods and the cryptographic key must be held on a separate medium.
- If sensitive personal data will be transferred between different servers, the personal data must be transferred by establishing a VPN (virtual private network) or through sFTP (secure file transfer protocol) method.
- If Sensitive Personal Data will be transferred by means of paper, necessary precautions to avoid disclosure of Sensitive Personal Data to unauthorized third persons must be taken against risks such as documents being stolen, lost or seen by unauthorized persons. Documents must also be sent in “classified document” format. Classified documents must bear a confidential imprint in red color on each document and must be kept in an envelope.
The data controller is obliged to take all technical and administrative measures in order to provide an adequate level of data security. In the event that the reasons for which personal data are processed are no longer valid, despite being processed pursuant to the Data Protection Law or any other applicable law, personal data shall be deleted, destroyed or anonymized by the data controller directly or upon the demand of the data subject.
According to Article 12 of the Data Protection Law, the data controller is obliged to take all technical and administrative measures in order to provide an adequate level of security, more precisely (i) to prevent unlawful processing of personal data; (ii) to prevent unlawful access to personal data; and (iii) to provide protection of personal data. However, there is no specific definition of an adequate level of security under the law. The technical and administrative measures suggested and advised by the Board in the Guidance on Personal Data Security are provided in detail in the above Section 2.
The data controller and the data processor shall be jointly liable for taking the measures referred to in the above paragraph in the event that the personal data are processed by a real or legal person on behalf of the data controller. The data controller is obliged to have the required inspections carried out within their own institution or organization in order to ensure that the provisions of the Data Protection Law are implemented. The data controller and the data processor shall not disclose the data to third parties or abuse it contrary to the provisions of the Data Protection Law. This obligation continues after their duties have ended.
In the event that the processed data are unlawfully obtained, the data controller shall immediately notify the data subject and the Board. If necessary, the Board may announce this situation on its website or via other appropriate means. The Board shed light on this obligation with its decision dated September 18, 2019, and numbered 2019/271. The Board held that the notification of the infringement to be made by the data controller to the data subject shall be in clear and plain language, and at least the following elements must be included:
- The date on which the violation occurred;
- The personal data affected by the violation in categories of personal data (by distinguishing personal data/special personal data);
- Possible consequences of a personal data breach;
- Measures taken or proposed to be taken to reduce the negative effects of the data breach; and
- The name and contact details of the contact persons or the call center that will provide information about the data breach, the full address of the data controller’s website, and other means of communication.
On the other hand, Article 7 of the Data Protection Law regulates deletion, destruction, and anonymization of the data. In the event that the reasons for which personal data are processed are no longer valid, despite being processed pursuant to this law or any other applicable law, personal data shall be deleted, destroyed or anonymized by the data controller directly or upon the demand of the data subject. This article shall apply without prejudice to the relevant legal provisions concerning the deletion, destruction or anonymization of personal data abroad.
Procedures and principles related to the deletion, destruction or anonymization of personal data are determined under the Regulation Regarding Deletion, Destruction and Anonymization of Personal Data (published in the Official Gazette dated October 28, 2017, and numbered 30224) as amended by an amendment regulation (published in the Official Gazette dated April 28, 2019, and numbered 30758).
In addition to the foregoing, the Guidelines on the Deletion, Destruction, or Anonymization of Personal Data published by the Data Protection Authority provide for appropriate forms of anonymization of personal data in compliance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data. In this regard, the Guidelines note that anonymization should be used as an alternative to deletion or destruction only if:
- The anonymization cannot be corrupted by combining or aggregating the anonymized dataset with another dataset;
- One or more input values cannot be combined or aggregated to create a substantive or meaningful grouping that could enable the isolation and de-anonymization of a specific record; and
- The values in the anonymized dataset cannot be combined or aggregated in such a way as to allow data users to create assumptions or reach conclusions.
Moreover, the Board published the Guide on the Right to be Forgotten on its official website on October 20, 2021. In this regard, the data subject may request that the results shown by a search with his/her own name and surname be removed from the index of the search engines and this request will be examined under certain criteria.
According to Article 11 of the Data Protection Law, everyone has the right to apply to the data controller to:
- learn whether the data relating to one is being processed;
- request further information if personal data relating to oneself is processed;
- obtain information as to the purpose of processing and whether the data relating to one is used accordingly;
- obtain information as to the third persons within or outside the country to whom data relating to one is transferred;
- demand the rectification of any incomplete or incorrect data relating to one;
- demand the deletion or destruction of the data related to one pursuant to the conditions referred to in the above-mentioned Article 7 of the Data Protection Law;
- demand the notification of any transaction carried out in accordance with bullets five and six to the third parties to whom the personal data are transferred;
- object to any negative consequences, which might occur against him, caused by the analysis of the processed personal data exclusively by means of automatic systems;
- demand compensation for the damages suffered as a result of unlawful processing of personal data.
Furthermore, the Communiqué on Application to Data Controller specifies that Data Subject requests must be made in Turkish, in written form or via registered electronic mail, secure electronic signature, mobile signature or the e-mail address previously notified to the Data Controller, and must contain the following information: (i) name and surname, (ii) ID number for Turkish citizens, or nationality and passport number for non-Turkish citizens, (iii) residence or workplace address, (iv) contact information and (v) subject of the request. Any supporting documents should also be included in the request.
Pursuant to such Communiqué, once a request is received, Data Controllers are required to:
- make every reasonable effort to implement all necessary technical and administrative measures to handle the request effectively, in accordance with legal requirements and the principle of good faith (see Article 4 – General Principles);
- either accept or reject the request;
- communicate their response to the Data Subject in writing or through electronic means. If the request is denied, the Data Controller must provide the reasoning behind the refusal. The response must also include the following details:
- information about the Data Controller or its representative,
- identifying details of the Data Subject (including name, surname, and ID number for Turkish citizens, or nationality and passport number for non-citizens, along with address and contact information),
- the subject of the request, and
- the Data Controller’s explanations regarding the matter.
Under the Data Protection Law, “explicit consent” must be:
- Specific and explicit: The consent should be obtained in relation to a specific purpose and processing event. Hence, general, open-ended or implied statements are invalid.
- Based upon sufficient prior information: Prior to obtaining consent, data subjects must be informed of the identity of the data controller (and its representative, if any), together with contact information, the type of personal data to be processed, the specific purposes for which the personal data will be processed and the third-party recipients with which the personal data will be shared.
- Expressed with free will: The free will of the data subject should not be impaired. Any deception, coercion, etc., shall invalidate the consent. Furthermore, if the parties to a contract are not equals and one party is capable of influencing the will of the other, the existence of free will should be diligently evaluated (especially in employment contracts).
In addition, the Communiqué on Obligation to Inform sets forth that data controllers are required to fulfil their obligation to inform the data subject and to obtain explicit consent separately.
Please note that explicit consent does not necessarily have to be given in written form. It is possible to obtain explicit consent via electronic means or phone correspondence (e.g., call centers). In any case, it is the data controller who is obliged to prove that the consent is obtained from the data subjects in line with the Data Protection Law.
First of all, it is the data controller who decides on the following: the collection of personal data and the method of collection, the types of personal data to be collected, the individuals whose personal data will be collected, the processing of personal data, and who will process it. Furthermore, the Guidance on Security indicates that access to systems containing personal data must also be restricted. Within this scope, employees should be granted access rights only to the extent necessary for the performance of their duties, responsibilities, and authorities, and access to the relevant systems should be provided through the use of a username and password.
Accordingly, it is recommended that data controllers establish an access authorization and control matrix and develop separate access policies and procedures, ensuring that these policies and procedures are implemented within the data controller’s organization.
In addition to the use of strong passwords, measures should be taken to protect against common attacks such as brute force algorithms ("BFA"), including limiting the number of login attempts, ensuring that passwords are changed at regular intervals, granting administrator accounts and admin privileges only when necessary, and promptly deleting or disabling accounts of employees whose relationship with the data controller has been terminated, in order to restrict access. The use of access control authorizations and/or encryption methods in cases such as the loss or theft of devices containing personal data will help ensure the security of personal data. Within this scope, the encryption key must be stored in an environment accessible only to authorized persons, and unauthorized access must be prevented. Similarly, physical documents containing personal data must be stored in a locked environment accessible only to authorized persons, and unauthorized access to such documents must be prevented.
In any case, in the event of unauthorized access and/or use of data, the data controller’s liability.
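The access-control measures described above (an authorization matrix, username/password access, a cap on login attempts against brute-force attacks, prompt disabling of terminated employees' accounts) and the requirement in the Board's sensitive-data decision that all actions on sensitive personal data be securely logged can be combined in one small control layer. The following is an added example, not code from the guide or from the Board's Guidance; the roles, data category, users, passphrases and the attempt limit are all constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # assumed policy value; the Guidance fixes no number

# Authorization matrix: role -> permitted (data category, action) pairs. Roles,
# categories and every user or passphrase below are constructed for the example.
AUTHZ_MATRIX = {
    "hr_specialist": {("employee_record", "read"), ("employee_record", "update")},
    "it_support": set(),  # maintains systems but may not read record contents
}


@dataclass
class Account:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False    # set after MAX_FAILED_ATTEMPTS wrong passwords
    disabled: bool = False  # set when the employment relationship ends


def derive_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 so a stolen credential store is not reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class AccessControl:
    def __init__(self, log_key: bytes) -> None:
        self.accounts = {}
        self._log_key = log_key
        self.log = []  # entries are (user, action, target, mac_hex)
        self._prev_mac = b"\x00" * 32

    def _record(self, user: str, action: str, target: str) -> None:
        """Hash-chained HMAC log: each entry's MAC also covers the previous MAC."""
        msg = self._prev_mac + f"{user}|{action}|{target}".encode()
        mac = hmac.new(self._log_key, msg, "sha256").digest()
        self.log.append((user, action, target, mac.hex()))
        self._prev_mac = mac

    def verify_log(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = b"\x00" * 32
        for user, action, target, mac_hex in self.log:
            prev = hmac.new(self._log_key, prev + f"{user}|{action}|{target}".encode(),
                            "sha256").digest()
            if not hmac.compare_digest(prev.hex(), mac_hex):
                return False
        return True

    def add_account(self, username: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, role, salt, derive_hash(password, salt))

    def offboard(self, username: str) -> None:
        # Disable the account promptly once the employment relationship ends.
        self.accounts[username].disabled = True
        self._record("system", "disable_account", username)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied', 'locked' or 'disabled'."""
        acct = self.accounts.get(username)
        if acct is None or acct.disabled or acct.locked:
            status = "denied" if acct is None else "disabled" if acct.disabled else "locked"
            self._record(username, "login_" + status, "-")
            return status
        if hmac.compare_digest(derive_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self._record(username, "login_ok", "-")
            return "ok"
        acct.failed_attempts += 1
        acct.locked = acct.failed_attempts >= MAX_FAILED_ATTEMPTS  # brute-force cap
        self._record(username, "login_locked" if acct.locked else "login_failed", "-")
        return "locked" if acct.locked else "denied"

    def access(self, username: str, category: str, action: str) -> bool:
        """Least privilege: permit only what the role's matrix row allows."""
        acct = self.accounts.get(username)
        allowed = (acct is not None and not acct.disabled and not acct.locked
                   and (category, action) in AUTHZ_MATRIX[acct.role])
        self._record(username, f"{action}:{'allowed' if allowed else 'denied'}", category)
        return allowed


def demo() -> dict:
    """Constructed walk-through of the controls; returns values for checking."""
    ac = AccessControl(log_key=os.urandom(32))
    ac.add_account("hr.user", "correct horse battery", "hr_specialist")
    ac.add_account("it.user", "another passphrase", "it_support")
    out = {
        "hr_read": ac.access("hr.user", "employee_record", "read"),
        "it_read": ac.access("it.user", "employee_record", "read"),
        "attempts": [ac.login("hr.user", "guess") for _ in range(MAX_FAILED_ATTEMPTS)],
    }
    out["after_lock"] = ac.login("hr.user", "correct horse battery")  # still locked
    ac.offboard("it.user")
    out["offboarded"] = ac.login("it.user", "another passphrase")
    out["log_intact"] = ac.verify_log()
    ac.log[0] = ("it.user",) + ac.log[0][1:]  # simulate editing a log entry
    out["log_after_tamper"] = ac.verify_log()
    return out
```

Unlocking a locked account and rotating the HMAC log key are left to the operator's procedures; the point of the chained log is that an after-the-fact edit to any entry is detectable by `verify_log()`.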
Significant amendments to the conditions for the transfer of personal data abroad were introduced by Law No. 7499 on Amendments to the Criminal Procedure Code and Certain Laws, published in the Official Gazette dated 12 March 2024. Under the new regulation, a three-alternative system for the transfer of data abroad has been adopted. A new paragraph has also been added stipulating that the procedures and principles regarding the implementation of this article shall be regulated by a by-law. In this context, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation”) was published in the Official Gazette dated 10 July 2024 and entered into force.
- First of these alternatives is the presence of an adequacy decision: personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 exists and there is an adequacy decision on the country, sectors within the country or international organizations to which the transfer will be made.
The adequacy decision shall be made by the Board and published in the Official Gazette. However, no adequacy decision has yet been issued by the Board and none is expected to be issued in the near future.
- Secondly, in the absence of an adequacy decision, provided that one of the conditions set forth in Articles 5 and 6 of the Data Protection Law is met and the data subject has the possibility to exercise their rights and to seek effective legal remedies in the country to which the transfer will be made (transfer impact assessment), one of the parties must provide one of the international safeguards.
In addition to the transfer impact assessment, one of the four exhaustive safeguards specified in the relevant article must also be in place.
These safeguards are as follows:
- Binding and Enforceable Instrument Between Public Institutions or Public Authorities: applicable when the transfer is carried out between public entities or authorities, based on an instrument that is binding and enforceable under the law.
- Binding Corporate Rules (“BCRs”): internal rules adopted by multinational group companies that provide adequate safeguards for intra-group transfers of personal data, approved by the Board.
- Standard Contractual Clauses (“SCCs”): contractual provisions prepared and announced by the Board, to be signed by the parties to the transfer without making any amendments except for those allowed under the Regulation.
- Written Undertaking Approved by the Board: a commitment prepared and signed by the data exporter and the data importer, containing adequate safeguards for data protection, and submitted to and approved by the Board.
Of the safeguards listed above, the only one for which the Board’s approval is not required is the SCCs. However, the SCCs must be notified to the Authority by one of the parties within 5 (five) business days following the execution of the SCCs. Failure to make such notification has been introduced as a new misdemeanor and an administrative fine has been stipulated. Importantly, it has been established that, in the transfer of personal data abroad, data processors are jointly liable with data controllers for administrative fines. It should be emphasized that the standard contract must be used without any modifications, and it is expected that the contracts will be implemented exactly as prescribed.
- In the absence of an adequacy decision and in the absence of any of the appropriate safeguards provided for in the paragraph above, provided that it is incidental (transfers which are “irregular, occurring once or a few times, not continuous, and not part of the ordinary course of business”), data controllers and data processors may transfer personal data abroad only in the presence of one of the events stipulated in the relevant article.
In past practice, cross-border data transfers were mostly carried out based on explicit consent; however, under the current regulation, transfers of personal data abroad based on explicit consent have been limited to incidental cases, and an additional element of “informing the data subject about potential risks” has been introduced. It should be noted that such information is separate from the existing obligation to inform (under the disclosure requirement) and must specifically address the particular risks associated with the transfer abroad.
An “incident” is usually defined as a security event that compromises the integrity, confidentiality, or availability of an information asset, while a “breach” is an incident that results in the confirmed disclosure of data to an unauthorized party.
On the other hand, under the Turkish data protection legislation, the terms "data breach" and "incident" are not directly defined. However, the Board constantly refers to the term “data breach” in its decisions. Also, Article 12/5 of the Data Protection Law stipulates the obligations of the data controller in case of a “breach”.
The phrase “obtained by others through unlawful means,” as stated in Article 12/5, can be interpreted to mean that a data breach only occurs when the processed personal data is acquired as a result of cyberattacks or various unlawful interventions carried out by third parties. However, for a data breach, the condition of personal data being obtained by a third party through unlawful means should not be interpreted solely as situations where the data is acquired through attacks or interventions by third parties. For example, if a data controller accidentally discloses personal data belonging to data subjects, the data will have fallen into the hands of third parties unlawfully, even though no external attack or intervention took place.
Pursuant to Article 12/5 of the Data Protection Law, in case the data processed are obtained by others through unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board as soon as possible.
In Board’s Decision dated 24.01.2019 and numbered 2019/10, the expression “as soon as possible” found in Article 12/5 of the Data Protection Law was interpreted to mean 72 hours, and it was stated that the data controller must notify the Board without delay and, at the latest, within 72 hours from the date on which they become aware of the situation. After the data controller fulfills the notification obligation, the Board may decide to make an examination.
The Board shall be notified through the Data Breach Notification Form published by the Board. The data controller may submit the form through the Board’s online portal, or fill out its PDF version and send it by e-mail to the Board’s relevant e-mail address or by courier to its postal address.
Following the identification of the individuals affected by the data breach, those affected must also be notified within the shortest reasonable time. If the contact information of the data subject is available, the notification should be made directly; if not, an appropriate method such as publishing the notice on the data controller’s own website should be used.
There is a two-tier system consisting of regulatory and supervisory authorities. In Türkiye, the primary privacy regulator is the Personal Data Protection Authority. The Authority has administrative and financial autonomy and is an independent administrative body established under the Data Protection Law.
Key responsibilities of the Authority include:
- Monitoring and enforcing compliance with the Data Protection Law,
- Investigating complaints related to personal data processing,
- Imposing administrative sanctions and fines,
- Issuing guidelines and decisions clarifying obligations for data controllers and processors,
- Ensuring public awareness and education regarding data protection rights.
The Personal Data Protection Board operates as the decision-making body within the Authority.
Key responsibilities of the Board include:
- Issuing binding decisions on complaints and breaches,
- Interpreting the law and issuing guidance,
- Imposing administrative sanctions and fines,
- Overseeing the enforcement of the Data Protection Law.
The Data Protection Board is the decision-making body of the Data Protection Authority:
- The Data Protection Authority oversees legislative developments, works with government institutions and other international bodies and generally deals with data protection at a governmental level.
- The Data Protection Board deals with processing at the individual and company level and acts to ensure that data is processed in accordance with the relevant legislation. It can determine measures in relation to the processing of sensitive data, it controls the Registry of Data Controllers and it performs regulatory data protection activities. It also deals with compliance and sanctions. For the purposes of data privacy in specific sectors, relevant bodies are also entitled to issue regulations. For instance, the Ministry of Health issued a regulation regarding personal health data referring to the Data Protection Law.
The legal consequences envisaged under the law are imprisonment and administrative fines. Only specific crimes regulated under the Criminal Code are related to personal data protection.
For the crimes envisaged under the Criminal Code between Articles 135 and 140, the sanction is imprisonment ranging between one to four years. Article 140 of the Criminal Code states that security measures specific to legal entities shall be imposed where offenses defined in the above articles are committed by legal entities. This may include (amongst other things) the revocation of licenses granted by public institutions or the confiscation of the illegally generated income.
In addition to the foregoing, persons who fail to perform the obligations stated under Article 18 of the Data Protection Law shall be subject to administrative fines ranging between TRY 68,083 and TRY 13,620,402 for the year 2025.
Electronic marketing is regulated under the Law on Regulation of Electronic Commerce and its secondary legislation. According to Article 6 of the Law on Regulation of Electronic Commerce, unsolicited electronic marketing messages are forbidden. Consent of the customer or the target is required, except for merchants and artisans and a few other exceptions. Under the relevant Law, the scope of electronic commerce activities is defined quite broadly and includes many types of communications, such as campaigns, promotions, notifications, surveys, service introductions, and special occasion greeting messages. Such consent may be obtained in written form or by electronic means. Pursuant to the Regulation on Commercial Communication and Commercial Electronic Messages, real persons and legal entities that use commercial electronic messages (“Service Providers”) are required to register with the Electronic Messages Management System ("İYS"), and all Service Providers sending commercial electronic messages shall enter the relevant information (date of approval, communication address, etc.) into İYS. The option to unsubscribe shall be included in all commercial electronic messages sent.
Furthermore, information such as name, surname, e-mail address, and/or telephone number used in the course of such commercial communication processes constitutes “personal data” within the scope of the Data Protection Law. Therefore, pursuant to Article 10 of the Data Protection Law, the data controllers must fulfill their obligation to inform by providing an information notice at the time personal data is obtained in the context of their commercial communication activities. The Board also sets forth that service providers shall obtain both approval under the Law on Regulation of Electronic Commerce and explicit consent for the processing of personal data.
While the primary data protection legislation is the Data Protection Law, certain sectors are also subject to additional, sector-specific privacy and data protection requirements. Such requirements may arise from the regulatory bodies overseeing those industries or from sectoral laws and their secondary legislation. These sectors are usually regulated ones, such as banking and financial services, insurance, telecommunications, health and e-commerce.
For example, the “Banking Law numbered 5411” and related “Banking Regulation and Supervision Agency” (“BRSA”) regulations impose confidentiality obligations on banks regarding customer data. The banks must ensure that customer information is kept confidential and such data cannot be disclosed without explicit consent or legal obligation. BRSA also imposes strict cybersecurity and data localization rules, including requirements that critical IT systems and data be stored in Türkiye.
The “Electronic Communications Law numbered 5809” and related “Information and Communication Technologies Authority” regulations also impose detailed requirements on data retention, lawful interception and user privacy.
In Türkiye, entities are not obligated to designate an individual responsible for governance or for matters related to the processing of personal data.
As per the Communique on the Procedures and Principles Regarding the Personnel Certification Mechanism (published in the Official Gazette dated December 6, 2021, and numbered 31681), the certification of the Data Protection Officer Program has been determined in accordance with the standard numbered (TS) EN ISO/IEC 17024. After participating in this program and succeeding in the exam, the data protection officer will be deemed to have sufficient knowledge regarding data protection legislation and the validity period to use this title is 4 years from the announcement of the exam results. However, employing a data protection officer within the data controller and/or data processor will not remove the responsibility of the data controller and the data processor to comply with Data Protection Law and the relevant legislation.
In addition, data controllers located within or outside Türkiye must appoint a designated contact person to liaise with the Board regarding their obligations under the Data Protection Law and its secondary regulations. This individual: (i) must be a natural person who is a Turkish citizen and resident in Türkiye; (ii) must be at least eighteen years old; and (iii) may not serve as the contact person for more than one data controller at the same time.
Pursuant to Article 4(1)(ç) of the Data Protection Law, personal data must be relevant, limited, and proportionate to the purpose for which it is processed. This reflects the principles of proportionality and data minimization, requiring that only data necessary for the specified purpose be collected, retained, and documented. In addition, Article 4(1)(d) of the Data Protection Law provides that personal data may only be stored for as long as required by the applicable legislation or necessary for the purpose of processing.
In addition to the Data Protection Law, the Board also issued secondary legislation, namely the Regulation on the Deletion, Destruction and Anonymization of Personal Data published in the Official Gazette on October 28, 2017, and numbered 30224 (“Deletion Regulation”), to determine the principles and procedures regarding erasure, destruction and anonymization of personal data. Accordingly, under the Deletion Regulation, data controllers who are obliged to register with the VERBIS system must issue a personal data storage and disposal policy which must include at least the following:
- The purpose of issuing personal data storage and disposal policy,
- Recording medium arranged in accordance with personal data storage and disposal policy,
- Definitions of technical and legal terms indicated in personal data storage and disposal policy,
- Explanations relating to legal, technical or other reasons requiring storage and disposal of personal data,
- Technical and organizational measures taken against unlawful processing of and access to personal data and for storing personal data securely,
- Technical and organizational measures taken for lawful disposal of personal data,
- Definitions of titles, units and tasks of those who are involved in personal data storage and disposal processes,
- Table that shows storage and disposal periods,
- Time period for periodic disposal,
- Any alterations being made in the current personal data storage and disposal policy, if any.
The data controller that issued a data storage and disposal policy must erase, destroy or anonymize the personal data in the first periodic disposal process following the date when the obligation of erasure, destruction or anonymization of personal data arises.
Even though the time interval for periodic disposal must be defined by the data controller in the personal data storage and disposal policy, this time interval shall not exceed six months in any case, as per Article 11 of the Deletion Regulation.
However, the data controllers who are not obliged to issue a personal data storage and disposal policy must erase, destroy or anonymize personal data within three months following the date on which the obligation of erasure, destruction or anonymization of personal data arises. Further, according to Article 7 of the Deletion Regulation, all operations relating to erasure, destruction and anonymization of personal data shall be recorded and those records shall be stored for a minimum of three years, excluding other legal obligations.
Also, the data controllers who are obliged to register with VERBIS shall create a personal data processing inventory detailing: the personal data processing activities carried out in accordance with their business processes; the purposes and legal basis for processing personal data; the data category; the recipient group to which the data is transferred; the group of data subjects to which the data relates; the maximum retention period necessary for the purposes for which the personal data is processed; the personal data intended for transfer to foreign countries; and the measures taken regarding data security.
As a separate note, data controllers processing sensitive personal data shall establish a separate policy and procedure for the security of sensitive personal data that is systematic, clearly defined, manageable, and sustainable.
Although not an obligation, data controllers may also adopt policies regarding the procedures to be followed in case of a data breach or a data subject application alongside the organization’s main principles with regard to personal data processing and the internal rules.
It is also highly recommended to keep all records and reports relating to the measures taken for the protection of personal data (such as employee training records, the outputs of penetration tests and audit reports) so that, in case of a data breach, they can be submitted to the Board’s review to prove that the data controller has adopted all necessary technical and administrative measures. Such records may also include written agreements with third parties that contain data protection measures.
Pursuant to Article 10 of the Data Protection Law, the data controller is obliged to provide the following information to data subjects for the purposes of the processing of personal data; (i) the identity of the data controller and of a contact person, (ii) the purposes of the processing, (iii) the destination and the purpose of the transfer of processed personal data, (iv) the method and legal reason of collection of personal data, and (v) other rights of the data subject referred to in Article 11 (please refer to the question relating to rights of the data subject hereinbelow). The Communiqué Regarding the Principles and Procedures to be Followed Relating to Information Obligation (published in the Official Gazette dated March 10, 2018, and numbered 30356) has been issued by the Board. The said communiqué regulates the minimum content of the information to be provided to the data subject by the data controllers before the respective processing activity. Therefore, the information texts that the data controller shall submit to the data subjects for various processing purposes shall also be documented.
Lastly, even though there is no required form of explicit consent, since the liability lies with the data controllers, they may keep records of the obtained explicit consents.
DPIA is not explicitly regulated under the Data Protection Law. However, the Board also takes into account the principles of transparency and accountability, which it has adopted as its fundamental principles and values. The Data Protection Board decision No. 2019/78 refers directly to the principle of accountability by stating that when assessing legitimate interest, factors such as the broader impact of the interest, its purpose not being solely profit-driven or economically motivated, and its contribution to facilitating business operations (such as affecting the organization as a whole rather than a specific unit or a limited number of employees) should be considered and this assessment should be guided by the principles of transparency and accountability.
Within the scope of Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence published by the Board, in artificial intelligence studies based on personal data processing, if a high risk is anticipated in terms of personal data protection, an impact assessment should be carried out and the legality of the data processing activity should be determined within this framework.
Importantly, one of the alternatives for cross-border transfers stipulates that, in the absence of an adequacy decision, as long as one of the conditions set forth in Articles 5 and 6 of the Data Protection Law is met and the data subject has the possibility to exercise their rights and to seek effective legal remedies in the country to which the transfer will be made, personal data may be transferred where one of the parties provides one of the appropriate safeguards. Accordingly, the data controller or data processor transferring the personal data must determine that the data subject is able to exercise their rights and seek effective legal remedies in the country to which the data will be transferred. This matter is referred to in European Union legislation as a “transfer impact assessment ("TIA")”.
In the Supplementary Document on Essential Points to be Included in Binding Corporate Rules for Data Controllers published by the Board for use in applications to be made within the scope of binding corporate rules for cross-border transfers, under the heading “Accountability and Other Principles/Tools”, it is stated that the data controllers must increase compliance and, where necessary, conduct a risk analysis for data processing activities that are likely to pose a high risk to the rights and freedoms of natural persons. It also states that, based on the risk analysis, if the data controller has not taken the necessary measures to mitigate the risk and it is determined that the data processing will pose a high risk, the data controller must consult with the Board prior to the data processing activity.
Other than the above, it may be interpreted that, based on the Board’s practices, the principle of accountability and related compliance tools are interpreted in parallel with European Union data protection laws.
Under the Data Protection Law, the explicit consent of the individual is required to share personal data with another data controller, unless another lawful basis for processing applies. These bases are set out in Article 5 for personal data and Article 6 for sensitive personal data, as further detailed in Section 6 above.
Although the Data Protection Law and its secondary legislation do not impose specific obligations regarding third-party vendor management, data controllers are jointly liable with data processors for ensuring that necessary technical and administrative safeguards are in place. Therefore, it is advisable for data controllers to enter into written agreements with data processors to clearly define the scope of these security measures and to include liability clauses addressing potential failures to ensure adequate protection.
In case of violation of the liabilities relating to personal data protection, the amounts of administrative fines set forth in Article 18 of the Data Protection Law are as follows for the year 2025:
| Obligations | Lower and upper limits of administrative fines |
| Breach of the obligation to inform | TRY 68,083 – TRY 1,362,021 |
| Breach of the obligations related to data security | TRY 204,285 – TRY 13,620,402 |
| Failure to fulfill the Board’s decision | TRY 340,476 – TRY 13,620,402 |
| Breach of the obligations for registry with the VERBIS and for notification | TRY 272,380 – TRY 13,620,402 |
| Breach of the obligation to notify the Board of the signing of standard contracts regarding the transfer of personal data abroad | TRY 71,965 – TRY 1,439,300 |
In addition, under Articles 135 to 138 of the Turkish Criminal Code No. 5237, unlawful recording of personal data and unlawful transfer or seizure of personal data are regulated as crimes. Accordingly:
- Any person who illegally records personal data shall be sentenced to a penalty of imprisonment for a term of one to three years. If the personal data unlawfully recorded relates to individuals' political, philosophical or religious views, racial origins, moral tendencies, sexual life, health status or trade union affiliations, the penalty to be imposed in accordance with the first sentence shall be increased by half.
- Any person who illegally obtains, disseminates or gives to another person someone’s personal data shall be sentenced to a penalty of imprisonment for a term of two to four years.
- Where the offences defined in the above paragraphs are committed by a public official misusing his power derived from his/her public post, or by benefiting from the privileges derived from a profession or trade, the penalty to be imposed shall be increased by one-half.
- Any person who fails to destroy data in accordance with the prescribed procedures, before the expiry of the legally prescribed period for destruction, shall be sentenced to a penalty of imprisonment for a term of one to two years. Where the subject of the offence remains within the scope of the information to be removed or eliminated under the provisions of the Code of Criminal Procedure No. 5271, the penalty to be imposed shall be increased by one-fold.
According to Article 12 of the Data Protection Law titled “Obligations regarding data security”, the data controller must take all necessary technical and administrative measures to ensure an appropriate level of security to (i) prevent the unlawful processing of personal data, (ii) prevent unlawful access to personal data, and (iii) ensure the protection of personal data. Where personal data is processed on behalf of the data controller by another natural or legal person, the data controller shall be jointly responsible with such persons for taking the measures specified in the first sentence. Even though the Data Protection Law does not explicitly require or refer to a compliance program, these obligations set for the data controllers may be conducted through a compliance program.
Further, according to Article 12 of the Data Protection Law, the data controller is obliged to carry out or have carried out the necessary audits within their institution or organization to ensure compliance with the provisions of the Data Protection Law. Pursuant to the Guidance of Security, the data controller shall carry out or have carried out the necessary audits on the system containing personal data, and may review the resulting audit reports as well as conduct on-site inspections of the service provider.
The Medium-Term Program (2024–2026) issued by the Presidency of Strategy and Budget indicates that efforts are underway to align the Data Protection Law with EU data protection legislation, particularly the GDPR.
Similarly, the “2025 Presidential Annual Program,” published in the Official Gazette on October 30, 2024, identifies as Measure 359.2.355 the finalization of these harmonization efforts between the Data Protection Law and the GDPR.