May 25, 2016
After a decade of struggle, the long-awaited Personal Data Protection Law (the Law) came into partial force in Turkey on 7 April 2016. Despite the burdens the Law puts on Turkish businesses—and indeed the government—the Law provides (at least on its face) much needed protections of personal privacy and should help Turkey advance its EU candidacy. It should also help Turkish companies with work abroad and, among other things, provides an important part of the necessary groundwork for Turkey’s ambitious plans to become a global financial center.
Until now Turkey did not have one specific law governing the use of personal data. The Law is an attempt to address this omission. As such, the Law’s stated goal is to protect the fundamental rights and freedoms of natural persons—primarily those arising from the right of privacy—during the “processing” of “personal data,” and to set forth principles and procedures which bind those persons who process personal data.
The administrative structure necessary to implement the Law—and give it real-life meaning—involves the formation by the government of a new regulatory authority, the Data Protection Board, and a Data Controller Registry. As for giving the Law “teeth,” administrative and criminal sanctions are provided for, along with a private right of action for those claiming to have been damaged by violations of the Law.
What is protected and regulated
The Law defines “personal data” as “any information relating to an identified or identifiable natural person.” The “data processing” activities regulated by the Law are broadly defined, encompassing a wide range of activity such as the collection, recording, storage, preservation, alteration, dissemination and/or blocking of personal data.
Generally speaking, processing personal data without the permission of the subject person is now prohibited; the individual’s “explicit consent” is required.
The Law lists several exceptions where explicit consent need not be sought. These include those where data processing is:
- Expressly allowed by other laws.
- Necessary to protect the life or physical integrity of persons who are unable to express their consent due to practical impossibility, or whose consent is not legally valid.
- Necessary for parties to a contract, provided the processing is directly related to establishment or performance of a contract.
- Necessary for those involved with data processing to fulfill their legal obligations.
- Necessary to establish, exercise or protect a right (e.g. disclosure in a lawsuit filed by employers against employees, or by guardians, necessary for the protection of their rights or of those to whom they have legal obligations).
- Necessary to protect legitimate interests of those processing data, provided their processing does not violate the subject person’s fundamental rights.
Information such as name, surname, birth date and place, phone number, address, ID and social security number is classified as personal data under the Law. In addition, data on race, ethnicity, political opinion, philosophical belief, religion, sect or other belief, attire, membership in associations, foundations or trade unions, health, sex life and previous convictions, along with biometric and genetic data, is identified by the Law as “special” personal data. Such “special” data may only be processed with explicit consent, as is true of all personal data, but what distinguishes this category of data is that the abovementioned exceptions, for the most part, do not apply.
The Controllers, Board and Registry
The Law provides that, under the auspices of the government, a Data Protection Board and a Data Controller Registry are to be established within six months of the Law coming into force (i.e. by 7 October 2016). Data Controllers, i.e. individuals or entities that process personal data, must be registered with the Data Controller Registry, which is to be maintained by the Board. All relevant secondary legislation (e.g. Regulations) must be enacted within 12 months (i.e. by 7 April 2017). These are relatively tight deadlines. That said, a two-year window is provided within which those who had been processing personal data prior to the Law coming into force must come into compliance.
Pursuant to the Law, Data Controllers are responsible for taking the necessary steps to prevent the unlawful processing of and/or access to personal data. Once registered, Data Controllers are charged with informing interested persons of the purpose, content and place of use of their personal data prior to its processing, as well as taking the precautions necessary for protecting the security of this data.
The Law provides that personal data must not be kept for longer than is necessary for the purpose for which it was processed. A corollary to this is that when that purpose no longer exists, the personal data must be deleted, destroyed or anonymized.
Transferring data to third parties and/or other countries is also addressed under the Law. Personal data can be so transferred only if adequate protections of the data exist where sent. Significantly, consent for the transfer of personal data to third countries must be explicit, and is in addition to general consent mentioned above.
Violations of the Law can be treated severely, with administrative fines and even imprisonment authorized. So, for example, fines can range anywhere from TL5,000 to TL1 million (approx. €1,500 to €300,000) and imprisonment from one to two years. The Law also provides, significantly, for a private right of action for those persons claiming to have been damaged by failures of those subject to the Law.
These sanctions are only applicable to natural persons and private legal entities acting as data controllers. If a public entity violates the Law, disciplinary action must be initiated against the relevant personnel and the Board must be informed of the outcome of such action.
Law No 6698 on Personal Data Protection.
Article 1 of the Law.
Article 3/1(d) of the Law.
Article 3/1(e) of the Law.
Explicit consent is defined in Article 3/1(a) of the Law as “any freely given specific and informed indication of the data subject’s wishes.” Explicit consent of the subject person is not required where that person has already made the data available to the public. Article 5/2(d) of the Law.
Article 5/2(a)-(f) of the Law.
Article 6/1 of the Law.
Article 6/2 of the Law. The one exception to the non-applicability of the above exceptions is that special personal data, other than data on health and sex life, may be processed when expressly allowed by other laws. Article 6/3 of the Law.
The Board is to be made up of nine members, five to be appointed by the Turkish Parliament, four by the Cabinet and two by the President. Article 21/2 of the Law. No Board member is to be a member of a political party. Article 21/3(c) of the Law.
Provisional Article 1/1 of the Law.
The deadline for registering will be determined by the Board. Provisional Article 1/2 of the Law.
Provisional Article 1/4 of the Law.
Provisional Article 1/3 of the Law. Persons and entities that begin processing personal data after the Law came into force have no such “window,” although the significance of their obligations under the Law would be hard to assess given the absence of a functioning Board and Registry.
Provisional Article 12/1 of the Law.
Article 10 of the Law.
Article 4/2(d) of the Law.
Article 9/2 of the Law.
Article 9/1 of the Law.
Article 17 of the Law. The Law also references Articles 132-140 of the Turkish Criminal Law, which concern the unlawful recording, obtaining and distribution of personal data, along with the failure to delete or anonymize personal data.
Article 14/3 of the Law.
Article 18/2 of the Law.