The long-awaited Personal Data Protection Law1 (Law) came into force in Turkey on 7 April 2016. Until now Turkey did not have one specific law governing the use of personal data.

The extent of processing covers a wide range of operations such as collection, recording, storage, preserving, alteration, and disclosure by transmission, dissemination, making available, alignment or blocking. The Law covers both automatic processing and non-automatic processing.

The purpose of the Law is to protect fundamental rights and freedoms in the processing of personal data and to set forth principles and procedures which bind any person who processes personal data. The Law describes personal data as "any information relating to an identified or identifiable natural person." Thus, the Law is limited to the protection of personal data of natural persons.

Data such as name, surname, birth date, birth place, phone number, address, ID number and social security number are classified as personal data. Moreover, data on race, ethnicity, religion, health, attire and political associations are regarded as sensitive personal data. Overall, processing data without permission of the related person is prohibited by the Law, and explicit consent of the individual is required.

The Law lists exceptional circumstances where an explicit consent is not sought for data processing. First of all, personal data may only be processed with the explicit consent of the data subject in the conditions clearly specified under the laws. In case of objection by the data subject, data cannot be processed except for the fulfillment of obligations foreseen in the laws. Examples to these exceptional circumstances include situations where data processing is:

  • Necessary to protect the life or the physical integrity of the related person who is not able to express his or her consent due to practical impossibility or whose consent is not valid
  • Necessary for the signatory parties, provided that the processing is directly related to establishment or performance of a contract
  • Necessary for the data controller to fulfill his legal obligations
  • Necessary to establish a right, use a right or protect a right
  • Necessary for the legitimate interest of the data controller on condition that the processing will not violate any fundamental rights or freedoms of the related person.

As per the Law, an explicit consent of the related person is not required in situations where the person has already made available the data to public.

Moreover, until six months after the enforcement date, the Data Protection Board and Data Controller Registry must be established, and the Data Controllers must be registered with the Data Controller Registry. On the other hand, until 12 months after the enforcement date, the secondary legislation will be enacted, and until two years after the enforcement date all personal data must be in complaint accordingly.

Data processing must be consistent with the principles of lawfulness and fairness grounded in Law. The processor is bound by these principles and its operations are limited and restricted to availability of an explicit and legitimate purpose.

Pursuant to the Law, the definition of data processor includes a natural or legal person, public authority or any other body which processes personal data. In order to use the data, the processor is required to register with the Registry of the Data Controller monitored by the Authority and explain the purpose, content and place of use of data belonging to the related person prior to processing. Information must be provided on data planned to be transferred to third parties or other countries. Moreover, the precautions taken for the data security and identities and addresses of the data controllers must be explained.

As per the Law, data must not be kept for a longer period than it is necessary. If the purpose of processing is no longer available, personal data shall be deleted, destroyed or anonymized upon demand by the data subject.

Transferring data to third parties or other countries is also regulated under the Law. Personal data can be transferred to third countries in the event that there is an adequate level of protection in the foreign country from which data is requested. The explicit consent of the related person is required for transferring the data to third parties or other countries; however, consent is not sought for under certain circumstances.

The Law stipulates that administrative fines will be imposed in infringement. In addition, the Law also makes reference to the Turkish Criminal Code, noting that Article 135 and the following provisions of the Code will be applicable if the act possesses a crime. In violation of the Law, the right to claim damages in accordance with the general provisions is reserved for the related persons.

Footnote

[1] Law No 6698 on Personal Data Protection.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.