
Global Data Privacy Guide

Turkey

(Europe) Firm Pekin Attorney Partnership Updated 01 Mar 2022
What is the key legislation?

Governing the liabilities, principles and procedures with respect to personal data processing by real persons and legal entities, the Personal Data Protection Law ("Law No. 6698") protects, in particular, the right to privacy and other fundamental rights and freedoms of real persons whose personal data is processed.

Note: The Personal Data Protection Law (published in the Official Gazette dated April 07, 2016 and numbered 29677) ("Law No. 6698") (“Data Protection Law”) is the key privacy legislation. The objective of the Data Protection Law is to protect the fundamental rights and freedoms of persons, in particular the right to privacy of real persons, with respect to the processing of personal data, and to regulate the procedures and principles to be followed by the real and legal persons processing personal data, together with their obligations.

Processing personal data means any operation performed on personal data, wholly or partly by automatic means or by non-automatic means forming part of a data filing system, such as collection, recording, storage, protection, alteration, retrieval, disclosure, transfer, acquisition, dissemination, making available, alignment or blocking.

The provisions of the Data Protection Law apply to real persons whose personal data is processed and impose obligations on real and legal persons who process personal data, wholly or partly by automatic means or by non-automatic means forming part of any data filing system.

On the other hand, the following fall outside the scope of the Data Protection Law (Article 28):

  • processing of personal data by natural persons in the course of a solely personal or household activity provided that obligations relating to data security are complied with and data are not transferred to third parties;
  • processing of personal data for the purposes of official statistics and, through anonymization, research, planning, statistics and similar;
  • processing of personal data for the purposes of art, history, and literature or science, or within the scope of freedom of expression, provided that national defense, national security, public safety, public order, economic safety, privacy of personal life or personal rights are not violated;
  • processing of personal data within the scope of preventive, protective and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defense, national security, public safety, public order or economic safety; and
  • processing of personal data by judicial authorities and execution agencies with regard to the investigation, prosecution, adjudication or execution procedures. 

Provided that data processing is compliant and proportionate to the purpose and general principles of the Data Protection Law, (i) Article 10 of the Data Protection Law which regulates the obligation of the data controller to inform the data subject; (ii) Article 11 of the Data Protection Law which regulates the rights of the data subject (except for the right to request compensation); and (iii) Article 16 of the Data Protection Law which regulates the obligation to register with the Data Controllers Registry shall not be applied if:

  • processing of personal data is necessary for the prevention of crime or investigation of a crime;
  • the processing concerns personal data made public by the data subject herself/himself;
  • processing of personal data is necessary, deriving from the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status; and/or
  • processing of personal data is necessary for the protection of the economic and financial interests of the state related to budgeting, tax, and financial matters.

Along with the Data Protection Law, which is a general framework law, there are also specific data protection provisions in other legislation, including but not limited to:

  • the Labour Code;
  • the Banking Law and its secondary legislation;
  • the Electronic Communication Law;
  • the Internet Regulation and Regulation on the Internet Bulk Use Providers; and
  • the Regulation on Personal Health Data.

What data is protected?

Any information relating to an identified or identifiable real person (the data subject) is protected under the law. 

In terms of the law, the data subject means the real person whose data is processed.

Note: Personal data is protected under the Data Protection Law. According to Article 3 of the Data Protection Law, personal data means any information relating to an identified or identifiable real person. Further to the Turkish Parliament’s Commission of Justice Report on the Draft Personal Data Protection Law (numbered 117, legislative term of 26, 1st year of legislation), the definition of personal data provided by the Data Protection Law derives from the definition of personal data in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, January 28, 1981, namely “any information relating to an identified or identifiable individual (the data subject)”.

In light of this definition and the publications of the Personal Data Protection Authority, personal data covers not only name, surname, date of birth and place of birth but also bank account information, employees’ performance test results, IP addresses, etc. Special categories of personal data include racial or ethnic origin, political opinions, beliefs, health, the sexual life of a real person, membership of unions, associations or foundations, and biometric and genetic data.

Who is subject to privacy obligations?

The controller and the data processor are subject to privacy obligations.

Note: The data processor and the data controller are subject to the privacy obligations set out under the Data Protection Law. As per Article 3 of the Data Protection Law, the data processor means a real or legal person processing personal data on behalf of the data controller and based on the authorization given by it. Further to the same article, the controller means the real or legal person who determines the purposes and means of data processing and is responsible for the establishment and management of the data filing system.

Data Security Measures: Please refer to our explanations under the question relating to the storage, security and retention of personal data.

Data Controllers’ Registry: All data controllers shall be registered with the Data Controllers’ Registry (“VERBIS”) before commencing their data processing activities. VERBIS was established and has been operational since October 1, 2018, as per Article 16 of the Data Protection Law.

The deadlines for registration to VERBIS have been extended several times by the Board and finally expired as of December 31, 2021. 

Pursuant to the Board’s decision dated April 2, 2018, and numbered 2018/32, (i) data controllers who are processing personal data only by unautomated means; (ii) notaries; (iii) foundations; (iv) associations; (v) labor unions; (vi) political parties; (vii) lawyers; and (viii) public accountants are exempt from the requirement of registration to the Data Controller Registry.

Real and legal person data controllers with fewer than fifty employees per annum and a total annual balance sheet of less than twenty-five million Turkish Liras, whose main activity is not the processing of special categories of personal data, are also exempt from the requirement of registration with the Data Controllers’ Registry in accordance with the Board’s decision dated July 19, 2018, and numbered 2018/87.

The registration application shall be made in accordance with the regulation on the VERBIS and by way of a notification including (i) the identity and address information of the data controller or its contact person; (ii) the purposes of the processing; (iii) statements on the data subject groups and the data categories related to them; (iv) the recipients or groups of recipients to whom the data may be transferred; (v) personal data envisaged to be transferred abroad; (vi) measures taken in relation to personal data security; and (vii) the maximum period of time required for the purposes of processing.

Please note that if the data controller is not resident in Turkey, it shall, pursuant to the relevant regulation, appoint a representative resident in Turkey. Pursuant to the decision of the Personal Data Protection Board dated July 16, 2020, and numbered 2020/542, one Turkish resident representative may represent more than one foreign data controller.

In addition, as per the Communique on the Procedures and Principles Regarding the Personnel Certification Mechanism (published in Official Gazette dated December 6, 2021, and numbered 31681), the certification of the Data Protection Officer Program has been determined in accordance with the standard numbered (TS) EN ISO/IEC 17024. After participating in this program and succeeding in the exam, the data protection officer will be deemed to have sufficient knowledge regarding data protection legislation and the validity period to use this title is 4 years from the announcement of the exam results. However, employing a data protection officer within the data controller and/or data processor will not remove the responsibility of the data controller and the data processor to comply with Data Protection Law and the relevant legislation.

What are the principles applicable to personal data processing?

Data processing principles are as follows: 

  • processed in compliance with the laws and good faith;
  • accurate and where necessary kept up to date;
  • processed for specified, explicit and legitimate purposes;
  • relevant, limited and proportionate to the purpose of the processing; and
  • kept for the time stipulated by the relevant legislation or necessitated by the purpose of processing.

Note: Article 4 of the Data Protection Law sets out the following data protection principles:

  • Personal data can only be processed according to the procedures and principles set forth in the Data Protection Law and in other laws.
  • Personal data must be:
    • processed in compliance with the laws and good faith,
    • accurate and where necessary kept up to date,
    • processed for specified, explicit and legitimate purposes,
    • relevant, limited and proportionate to the purpose of processing,
    • kept for the time stipulated by the relevant legislation or necessitated by the purpose of processing.

The collection of personal data is also considered processing of personal data. Subject to the above-mentioned general principles, the general rule for data processing, and thus for the collection of personal data, is to obtain the explicit consent of the data subject. Please refer to the question below relating to the disclosure of personal data for the general rules on data processing.

Information on processing/collection: 

Pursuant to Article 10 of the Data Protection Law, the data controller is obliged to provide the following information to data subjects in connection with the processing of personal data: (i) the identity of the data controller and of a contact person; (ii) the purposes of the processing; (iii) the recipients of the processed personal data and the purpose of the transfer; (iv) the method and legal basis of the collection of personal data; and (v) the other rights of the data subject referred to in Article 11 (please refer to the question relating to the rights of the data subject below). The Communiqué Regarding the Principles and Procedures to be Followed Relating to the Information Obligation (published in the Official Gazette dated March 10, 2018, and numbered 30356), as amended by an amendment communiqué (published in the Official Gazette dated April 28, 2019, and numbered 30758), has been issued by the Board. The said communiqué regulates the minimum content of the information to be provided to the data subject by the data controllers before the respective processing activity.

How is the processing of personal data regulated?

The general principle is to obtain explicit consent of the data subject. There are certain exceptions also envisaged under the law.

Note: The general principle of processing personal data is to obtain the “explicit consent” of the data subject (consent given by the data subject freely, on a specific matter and on an informed basis), as set out under Article 5 of the Data Protection Law.

Nevertheless, the Data Protection Law allows personal data processing without the “explicit consent” of the data subject if one of the following conditions is met:

  • It is explicitly foreseen by law;
  • In case processing is mandatory to protect the vital interests or the bodily integrity of the data subject or of another person that is physically or legally incapable of giving his/her consent;
  • If the processing of personal data of contracting parties is mandatory in a contractual relationship, on the condition that such processing is directly related to the execution or fulfillment of such contract;
  • If processing is mandatory for the fulfillment of the data controller’s legal obligation;
  • In case the data has been made public by the data subject. In such a case, the personal data may only be processed for the purposes of being made public;
  • If processing is mandatory for the establishment, exercise or defense of a legal claim; or
  • If processing is mandatory for data controller’s legitimate interests provided that it does not violate data subject’s fundamental rights and freedoms.

Conditions of processing a special category of personal data are set out under Article 6 of the Data Protection Law in a slightly different manner. Data Protection Law provides that data concerning the racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothes, association, foundation or union membership, health, sexual life, criminal conviction or punitive measures and the biometric and genetic data of a person are a special category of personal data.

The first condition for processing special categories of personal data under Paragraph 4 of Article 6, as mentioned in the preamble of the Data Protection Law, is to take the adequate measures determined by the Board for the processing of sensitive data, even where the “explicit consent” of the data subject has been obtained. Secondly, sensitive data shall not be processed without the explicit consent of the data subject.

Under certain exhaustive conditions set out in Article 6 of the Data Protection Law, it is possible to process such data without the explicit consent of the data subject. However, that article distinguishes between data concerning health and sexual life and other sensitive data. Sensitive data other than data concerning health and sexual life may be processed without the explicit consent of the data subject where stipulated by law, whereas special categories of personal data concerning health and sexual life may only be processed for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and nursing services, and the planning and management of healthcare services and their financing, by persons or authorized institutions and organizations that are under a confidentiality obligation.

How are storage, security and retention of personal data regulated?

The data controller is obliged to take all technical and administrative measures in order to provide an adequate level of data security. In the event that the reasons for which personal data are processed are no longer valid, despite being processed pursuant to the Data Protection Law or any other applicable law, personal data shall be deleted, destroyed or anonymized by the data controller directly or upon the demand of the data subject.

Note: According to Article 12 of the Data Protection Law, the data controller is obliged to take all technical and administrative measures in order to provide an adequate level of security, more precisely (i) to prevent unlawful processing of personal data; (ii) to prevent unlawful access to personal data; and (iii) to provide protection of personal data. However, there is no specific definition of an adequate level of security under the law.

Where personal data are processed by a real or legal person on behalf of the data controller, the data controller and the data processor shall be jointly liable for taking the measures referred to in the above paragraph. The data controller is obliged to have the required inspections carried out within its own institution or organization in order to ensure that the provisions of the Data Protection Law are implemented. The data controller and the data processor cannot disclose the data to third parties or use it contrary to the provisions of the Data Protection Law. This obligation continues after their duties have ended.

In the event that the processed data are unlawfully obtained, the data controller shall immediately notify the data subject and the Board. If necessary, the Board may announce this situation on its website or via other appropriate means. The Board shed light on this obligation with its decision dated September 18, 2019, and numbered 2019/271. The Board held that the notification of the breach to be made by the data controller to the data subject shall be in clear and plain language and must include at least the following elements:

  • The date on which the breach occurred;
  • The personal data affected by the breach, by category of personal data (distinguishing between personal data and special categories of personal data);
  • The possible consequences of the personal data breach;
  • The measures taken or proposed to be taken to reduce the negative effects of the data breach; and
  • The name and contact details of the contact persons who will provide information about the data breach, or other means of communication such as the call center or the full address of the data controller’s website.

On the other hand, Article 7 of the Data Protection Law regulates the deletion, destruction and anonymization of data. In the event that the reasons for which personal data are processed are no longer valid, despite having been processed pursuant to this law or any other applicable law, personal data shall be deleted, destroyed or anonymized by the data controller directly or upon the demand of the data subject. This article applies without prejudice to the relevant legal provisions concerning the deletion, destruction or anonymization of personal data abroad.

Procedures and principles related to the deletion, destruction or anonymization of personal data are determined under the Regulation Regarding Deletion, Destruction and Anonymization of Personal Data (published in the Official Gazette dated October 28, 2017, and numbered 30224) as amended by an amendment regulation (published in Official Gazette dated April 28, 2019, and numbered 30758). 

In addition to the foregoing, the Guidelines on the Deletion, Destruction, or Anonymization of Personal Data published by the Data Protection Authority set out the appropriate forms of anonymization of personal data in compliance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data. In this regard, the Guidelines note that anonymization should be used as an alternative to deletion or destruction only if:

  • The anonymization cannot be corrupted by combining or aggregating the anonymized dataset with another dataset;
  • One or more input values cannot be combined or aggregated to create a substantive or meaningful grouping that could enable the isolation and de-anonymization of a specific record; and
  • The values in the anonymized dataset cannot be combined or aggregated in such a way as to allow data users to create assumptions or reach conclusions.

Moreover, the Board published the Guide of Right to be Forgotten on its official website on October 20, 2021. In this regard, the data subject may request that the results shown by a search with his/her own name and surname be removed from the index of the search engines and this request will be examined under certain criteria.

What are the data subjects' rights?

The data subject is entitled to request information on his/her personal data and demand correction or deletion thereof.

Note: According to Article 11 of the Data Protection Law, everyone has the right to apply to the data controller to:

  • learn whether the data relating to one are being processed;
  • request further information if personal data relating to one is processed;
  • obtain information as to the purpose of processing and whether the data relating to one are used accordingly;
  • obtain information as to the third persons within or outside the country to whom data relating to one are transferred;
  • demand the rectification of any incomplete or incorrect data relating to one;
  • demand the deletion or destruction of the data related to one pursuant to the conditions referred to in above-mentioned Article 7 of the Data Protection Law;
  • demand the notification of any transaction carried out in accordance with bullets five and six to the third parties to whom the personal data are transferred;
  • object to any negative consequences, which might occur against him, caused by the analysis of the processed personal data exclusively by means of automatic systems;
  • demand compensation for the damages suffered as a result of unlawful processing of personal data.

In accordance with the aforementioned Article 11 and Article 10 of the Data Protection Law, the data controller or the authorized person (data processor) is obliged to provide the following information to data subjects when collecting personal data:

  • the identity of the data controller and of his representative, if any;
  • the purposes of the processing;
  • the destination and the purpose of the transfer of processed personal data;
  • the method and legal reason for the collection of personal data; and
  • other rights of the data subject referred to in Article 11.

Are there restrictions on cross-border data transfers?

The Data Protection Law envisages several principles for data transfer within and outside of Turkey. The main principle is to obtain the explicit consent of the data subject and exceptions are regulated under the provisions pertaining to the transfer of data within and outside of Turkey.

Note: Personal Data Transfer Within Turkey:

As per the general principle set forth under Article 8 of the Data Protection Law, personal data cannot be transferred without the explicit consent of the data subject. However, personal data may be transferred without the explicit consent of the data subject if one of the conditions stipulated in Article 5 of the Data Protection Law for processing personal data, or in Article 6 of the Data Protection Law for processing sensitive data (provided that adequate measures are taken), is satisfied.

Transfer of Personal Data Outside Turkey:

As per the general principle set forth under Article 9 of the Data Protection Law, personal data cannot be transferred abroad without the explicit consent of the data subject. Unlike the transfer of personal data within Turkey, an additional requirement applies to the transfer of personal data abroad on the basis of the conditions stipulated in Article 5 for processing personal data and in Article 6 of the Data Protection Law for processing sensitive data. In addition to the conditions under Articles 5 and 6 of the Data Protection Law, either (i) an adequate level of protection must exist in the foreign country, or (ii) where an adequate level of protection does not exist in the foreign country, the data controllers in Turkey and in the relevant foreign country must guarantee an adequate level of protection in writing by signing an undertaking and the Board must consent. The Board issued a template wording for guaranteeing an adequate level of protection. Kindly note that for the purposes of item (i) the countries affording an adequate level of protection are to be determined and declared by the Board. However, the Board has not announced a white list of countries with an adequate level of protection.

The Board shall decide whether the foreign country concerned affords an adequate level of protection, and whether consent is given under item (ii), taking into consideration: (a) the international agreements to which Turkey is a party; (b) the reciprocity status related to data transfer between Turkey and the country requesting the personal data; (c) the nature and the purpose and period of processing for each transfer of personal data; (d) the relevant legislation applicable and the practice in the jurisdiction to which the data will be transferred; and (e) the measures guaranteed by the data controller in the country to which the data will be transferred.

In addition to the foregoing, the Board issued a decision dated May 2, 2019, and numbered 2019/125 which provides a checklist combining all criteria for determining the countries with an adequate level of protection. The following are the main criteria listed in the checklist: (i) the reciprocity status; (ii) the applicable legislation and practice on the processing of personal data in the jurisdiction concerned; (iii) whether there is an independent data protection authority; (iv) whether the country concerned is a party to international treaties or is a member of international organizations on data protection; (v) whether the country concerned is a member of global or regional organizations of which Turkey is also a member; and (vi) the trade volume with the country concerned.

Where the interests of Turkey or of the data subject would be seriously harmed, personal data may be transferred abroad only with the consent of the Board, after obtaining the opinion of the relevant state institutions or agencies.

Please note that with the public announcement dated February 9, 2021, the undertaking regarding data transfer abroad has been approved; thus, as of 2021, the process of transferring personal data abroad through an undertaking has commenced.

Are there any notification requirements for data breaches?

Pursuant to Article 12 of the Data Protection Law, the data controller shall inform both the board and the data subjects relating to any breach of the law. Please refer to our explanations under the question relating to storage, security and retention of personal data for the notification requirement.

Furthermore, certain breaches also constitute crimes or misdemeanours under the Criminal Code, which are investigated upon notification.

Note: As for data breaches under Article 12, the Board clarified the rules concerning the notification requirement stipulated under Article 12 of the Data Protection Law, in order to avoid inconsistency and to standardize the relevant rules, through its decision dated January 24, 2019, and numbered 2019/10, as follows:

  • the phrase “as soon as possible” in Article 12/5 shall be interpreted as “72 hours” and thus if personal data is obtained unlawfully by others, the data controller shall notify the Board and the data subject within 72 hours;
  • if the Board cannot be notified within 72 hours with just cause, the reasons for the delay should be explained to the Board together with the notification to be made;
  • the “Personal Data Violation Form” published by the Board shall be used for the notification to be made to the Board;
  • the data controller shall record the information, impacts and measures relating to data breaches and make them available for review by the Board;
  • in case the personal data possessed by the data processor is unlawfully obtained by the others, the data processor shall notify the data controller without delay;
  • in case the data violation occurs within the liability of a data controller residing abroad and in case the outcome of the violation affects the parties in Turkey and the relevant products and services are benefited by the relevant parties in Turkey; this data controller shall also notify the Board according to the same principles;
  • the data controller shall prepare, and review from time to time, a data breach response plan covering matters such as to whom the situation shall be reported internally in case of a data breach, who is internally responsible, and the assessment of the possible consequences of the breach and of the notifications to be made under the Data Protection Law.

As for criminal liability, Article 17 of the Data Protection Law refers to Articles 135 to 140 of the Criminal Code, which are applicable to the crimes related to personal data.

Crimes and actions which may constitute a crime are as follows:

  • unlawful recording of personal data (Article 135 of the Criminal Code);
  • unlawfully obtaining, disseminating or giving to another person someone's personal data (Article 136 of the Criminal Code); and
  • failure to destroy data even though the legally prescribed period for destruction has expired (Article 138 of the Criminal Code).

Except for the offences of recording personal data, unlawfully obtaining or giving data, and failure to destroy data, the investigation and prosecution of the crimes referred to above are subject to a complaint.

According to Article 18 of the Data Protection Law, those who fail to (i) fulfill the obligation to provide information; (ii) fulfill the obligations relating to data security referred to above; (iii) abide by the orders of the Board; and (iv) comply with the obligation to enroll in the Registry of Data Controllers shall be subject to administrative fines ranging from TRY 13,394 to TRY 2,678,865. The Board may act on such breaches with or without having been notified.

Who is the privacy regulator?

There is a two-tier system consisting of regulatory and supervisory authorities.

Note: The Data Protection Authority is a public entity that has administrative and financial autonomy established under the Presidency, consisting of the Board and the presidency. The Data Protection Board is the decision making body of the Data Protection Authority:

  • The Data Protection Authority oversees legislative developments, works with government institutions and other international bodies and generally deals with data protection at a governmental level.
  • The Data Protection Board deals with processing at the individual and company level and acts to ensure that data is processed in accordance with the relevant legislation. It can determine measures in relation to the processing of sensitive data, it controls the Registry of Data Controllers and it performs regulatory data protection activities. It also deals with compliance and sanctions. For the purposes of data privacy in specific sectors, relevant bodies are also entitled to issue regulations. For instance, the Ministry of Health issued a regulation regarding personal health data referring to the Data Protection Law.

What are the consequences of a privacy breach?

The legal consequences envisaged under the law are imprisonment and administrative fines.

Note: The legal consequences envisaged under the law are imprisonment and administrative fines. Only specific crimes regulated under the Criminal Code are related to the Data Protection Law.

For the crimes envisaged under Articles 135 to 140 of the Criminal Code, the sanction is imprisonment of one to four years. Article 140 of the Criminal Code states that security measures specific to legal entities shall be imposed where the offences defined in the above articles are committed by legal entities. This may include (amongst other things) the revocation of licenses granted by public institutions or the confiscation of illegally generated income.

In addition to the foregoing, persons who fail to perform the obligations stated under Article 18 shall be subject to administrative fines ranging from TRY 13,394 to TRY 2,678,865.

How is electronic marketing regulated?

Electronic marketing is regulated under the Law on Regulation of Electronic Commerce and its secondary legislation in line with the Data Protection Law.

Note: Electronic marketing is regulated under the Law on Regulation of Electronic Commerce and its secondary legislation. According to Article 6 of the Law on Regulation of Electronic Commerce, unsolicited electronic marketing messages are forbidden. The consent of the customer or the target is required, except for merchants and artisans. Such consent may be obtained in writing or by electronic means. Pursuant to the Regulation on the Amendment of the Regulation on Commercial Communication and Commercial Electronic Messages (published in the Official Gazette dated January 4, 2016, and numbered 30998), real persons and legal entities that send commercial electronic messages (“Service Providers”) were required to register with the Electronic Messages Management System by December 31, 2020, for Service Providers with more than 150,000 commercial electronic message consents, and by May 31, 2021, for Service Providers with 150,000 or fewer commercial electronic message consents (the previously announced date of December 1, 2020, was extended as per the announcement of the Ministry of Trade dated November 30, 2020).

Are there any recent developments or expected reforms?

The secondary legislation has been issued by the Board, which actively performs its duties by issuing decisions and imposing sanctions; the relevant ones have been indicated above.
