Many say, "data is the new oil". It is an undeniable fact that data is a powerful tool today; however, many of us are concerned about our privacy, especially after the Facebook scandal. Maybe that is why data protection law exists and is quite a hot topic nowadays.

While the European Union's data protection regulations date as far back as 1995, Turkey only recently initiated its legislative efforts and enacted the Turkish Data Protection Law ("Law"), which primarily follows the EU Directive 95/46/EC ("Directive"). As expected, the Law is heavily criticized in Turkey for being unreasonably based on the Directive rather than on EU Regulation 2016/679 ("GDPR"), which repealed the Directive and introduced new rules on data protection. However, we may be optimistic and count this at least as a flare for data protection awareness.

Since the deadline for data protection compliance passed last April, the Turkish Data Protection Board ("Board") has been quite active in imposing administrative fines on companies. Recently, the Board released a brief summary of its recent cases, in which it imposed several administrative monetary fines based on:

  • Late notification of the data protection violation,
  • Making explicit consent a condition for the performance of the service,
  • Breach of data minimisation principle,
  • Not responding to the data subject within the time period determined by the Law,
  • Not fulfilling the request of the data subject regarding the erasure of the personal data,
  • The absence of administrative and technical measures to ensure the required level of data security,
  • Breach of the general data protection principles,
  • Unlawful sharing of personal data.

At the same time, despite the efforts to complement the legal landscape with secondary legislation, minimal enforcement so far and the absence of well-established practices make it difficult for companies to steer their boat in a foggy sea.

As we can gather from recent Board decisions and public speeches, one of the main hurdles that companies frequently encounter is identifying the data processing activities that require explicit consent. As emphasized in the updated guidelines, obtaining explicit consent will be regarded as an abuse of right if the processing already falls under one of the exceptions in Article 5 of the Law[1]. In other words, companies must think twice and should first check whether any exception applies before obtaining explicit consent.

There are other uncertainties stemming from the major differences between the GDPR and the Law in Turkey. One of the main differences is that the Law requires explicit consent for the processing of both sensitive and non-sensitive data, while the GDPR and the Directive only seek consent for sensitive data.

In addition, a new communiqué has been published in Turkey to clarify the procedures for the obligation to inform. Although it can be claimed that it mainly follows in the footsteps of the GDPR, there is a significant divergence: under the Law, the process of fulfilling the obligation to inform and the process of obtaining explicit consent should be conducted separately. It is still highly uncertain how this provision should be interpreted and how these two processes could be conducted 'separately'. The only clear thing, however, is that there is no similar practice under either the GDPR or the Directive. Therefore, it is quite difficult to predict what the Board's approach will be in this regard.

Finally, it is worth mentioning that the GDPR expands the territorial scope of EU data protection law. In this regard, companies that target EU residents should keep in mind that they may fall within the scope of the GDPR even if they conduct business in Turkey or another non-EU country. For example, if a Turkish estate agency advertised a summerhouse located in the southern part of Turkey in euros and in German, we may say that the target audience is EU residents; hence the GDPR may apply to this case as well.

To sum up, there are many grey areas in the practice of Data Protection Law in Turkey and firms require comprehensive legal assistance in order to avoid unforeseen sanctions.

We will keep you posted on any further updates in Turkish Data Protection Law.

[1] (2) Personal data may be processed without obtaining the explicit consent of the data subject if one of the below conditions exists:

a) It is expressly permitted by any law;

b) It is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;

c) It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;

d) It is necessary for compliance with a legal obligation which the controller is subject to;

e) The relevant information is revealed to the public by the data subject herself/himself;

f) It is necessary for the institution, usage, or protection of a right;

g) It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.