Data Privacy

Turkey - Canpolat Legal

The data privacy framework in Türkiye is shaped by Law 6698 on the Protection of Personal Data (PDPL) and supplemented by a comprehensive array of legislative and regulatory measures, including:

  • the Constitution of 1982, which sets the foundation for privacy rights;
  • the Criminal Code 5237 and the Civil Code 4721, which address personal rights and privacy;
  • the Labour Law 4857, which covers employee privacy;
  • Law 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, pertinent to payment and open banking data;
  • Law 4982 on the Right to Access Information;
  • the Electronic Commerce Law 6563, which regulates information access and e-commerce;
  • Law 5651 on Regulating Internet Broadcasting and Combating Crimes Committed through Internet Broadcasting;
  • the Banking Law 5411 and Law 5464 on Bank Cards and Credit Cards, critical for financial privacy and card data;
  • the Electronic Communications Law 5809, addressing digital communication;
  • the Regulation on the Deletion, Destruction and Anonymisation of Personal Data;
  • the Regulation on the Data Controllers’ Registry;
  • the Regulation on the Operating Principles and Procedures of the Personal Data Protection Board;
  • the Regulation on Commercial Communication and Commercial Electronic Messages;
  • the Communiqué on the Procedures and Principles of the Obligation to Inform Data Subjects;
  • the Communiqué on the Procedures and Principles of Applications to Data Controllers; and
  • guidelines and decisions issued by the Personal Data Protection Authority.

This list is not exhaustive and there may be regulations concerning personal data in various specific fields.

Personal data relating to the following is considered to fall within special categories of personal data and is subject to additional protection:

  • race;
  • ethnic origin;
  • political opinions;
  • philosophical beliefs;
  • religion and sectarian views;
  • appearance and dress;
  • membership in associations, foundations or trade unions;
  • health;
  • sexual life;
  • criminal convictions and security measures; and
  • biometrics and genetics.

Major sectors in which specific regimes apply include the following:

  • Banking and payments:
    • Customer data is considered a ‘customer secret’ and is given extra protection.
    • Banks’ primary and secondary IT systems must be located within Türkiye.
    • Banks may not share customer secrets with third parties, domestically or abroad, unless the customer has explicitly requested or instructed them to do so; customer consent alone is not sufficient.
  • E-commerce:
    • Customer consent is required for marketing purposes.
    • Specific e-commerce companies must conduct an annual audit to demonstrate compliance with the PDPL and submit the results to the Republic of Türkiye Ministry of Trade.
  • Telecommunications:
    • Special rules apply regarding:
      • technical and administrative safeguards;
      • risk and personal data breach management;
      • explicit consent; and
      • the transfer of certain data.
    • The transfer of traffic and location data abroad requires the explicit consent of the data subject.

  • Türkiye, as a founding member of the Council of Europe, is a party to the European Convention on Human Rights (ECHR). Although the ECHR does not directly regulate the processing of personal data, the European Court of Human Rights has developed jurisprudence protecting personal data.
  • Türkiye was among the first countries to sign the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108), on 28 January 1981. This convention was incorporated into domestic law and published in Official Gazette 29656 on 17 March 2016.
  • Türkiye signed the Additional Protocol to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data regarding Supervisory Authorities and Transborder Data Flows (Convention 181) on 8 November 2001. This protocol was incorporated into domestic law and published in Official Gazette 29703 on 5 May 2016.

The Personal Data Protection Authority (the “Authority”) serves as the cornerstone of data privacy enforcement, complemented by the Personal Data Protection Board (the “Board”), the Authority’s decision-making body.

The Authority’s duties are as follows:

  • Monitor legislative and practice developments, offer evaluations and conduct or commission research and inspections;
  • Collaborate with public and private entities on matters within its remit;
  • Keep abreast of and engage with international developments and organisations on personal data issues;
  • Submit annual activity reports to:
    • the presidency;
    • the Grand National Assembly’s Human Rights Inquiry Committee; and
    • the Prime Minister’s Office; and
  • Execute additional duties as mandated by law.

The Board’s duties are as follows:

  • Ensure that personal data processing aligns with fundamental rights;
  • Make decisions on complaints regarding personal data rights violations;
  • Investigate personal data processing compliance and take necessary interim measures;
  • Define measures for processing special categories of personal data;
  • Maintain the Data Controllers’ Registry (VERBIS);
  • Decide on administrative sanctions under the law; and
  • Review and provide opinions on legislative drafts affecting personal data.

While the PDPL forms the basis of the legislative regime, compliance and implementation are also influenced by both local and international best practices and standards.

Best practices, such as those influenced by the EU General Data Protection Regulation, are integral for organisations to navigate the complexities of data protection, ensuring secure processing and minimising the risks associated with non-compliance.

Organisations should adapt these best practices to the local context, ensuring that they not only are compliant with the PDPL but also address the challenges posed by technological advancements and changing regulatory landscapes. Such practices include:

  • strong authentication measures;
  • encryption; and
  • the promotion of privacy awareness.

Law 6698 on the Protection of Personal Data (PDPL) applies to:

  • real persons whose personal data is processed; and
  • real and legal persons that process such data either entirely or partially by automated means or by non-automated means, provided that the data is part of a data recording system.

Full exemption: Personal data processing is fully exempt from the PDPL in the following scenarios:

  • by natural persons for activities relating to themselves or to family members living in the same household;
  • for research, planning and statistical purposes, after anonymisation, for official use;
  • for artistic, historical, literary or scientific purposes, or in the exercise of freedom of expression, provided that this does not violate national defence, national security, public safety, public order, economic security, privacy or personal rights, or constitute a criminal offence;
  • by public institutions and organisations in preventive, protective and intelligence activities carried out to uphold national defence, national security, public safety, public order or economic security; and
  • by judicial or enforcement bodies in the course of investigation, prosecution, trial or enforcement proceedings.

Partial exemptions: Certain activities are partially exempt from the requirements to:

  • inform data subjects;
  • respond to requests of data subjects (except for compensation claims); and
  • register with the VERBIS.

These are as follows:

  • where processing is necessary for the prevention or investigation of crime;
  • where the data has already been made public by the data subject;
  • for supervisory or regulatory tasks undertaken by public entities or professional associations with public institution status, as legally authorised, including disciplinary inquiries or prosecutions; and
  • where necessary to safeguard the state’s economic and financial interests concerning budget, tax and financial matters.

While the PDPL lacks explicit clauses on extraterritorial reach, it effectively extends beyond Türkiye’s borders under certain circumstances.

Specifically, the PDPL applies to data controllers and processors outside of Türkiye if their activities involve processing the personal data of individuals within Türkiye, particularly in the context of offering goods or services to them or observing their behaviour, provided that such behaviour occurs within the Turkish territory.

Consequently, foreign entities engaging in these practices must adhere to the PDPL, which encompasses:

  • adhering to data protection principles;
  • respecting the rights of data subjects; and
  • where applicable, registering with VERBIS.

(a) ‘Data processing’

Any operation which is performed upon personal data, such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorisation or blocking of its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.

(b) ‘Data processor’

A natural or legal person that processes personal data based on the authority granted by and on behalf of the data controller.

(c) ‘Data controller’

A natural or legal person that determines the purposes and means of processing personal data and is responsible for the establishment and management of the filing system.

(d) ‘Data subject’

A natural person whose personal data is processed.

(e) ‘Personal data’

Any information relating to an identified or identifiable natural person.

(f) ‘Sensitive personal data’

Data which is regulated as falling within a ‘special category of personal data’ under Law 6698 on the Protection of Personal Data (PDPL). This category includes:

personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance and dress, membership of associations, foundations or trade unions, data concerning health, sexual life, criminal convictions and security measures, and biometric and genetic data.

(g) Consent

Consent is regulated as ‘explicit’ consent under the PDPL. ‘Explicit’ consent means “freely given specific and informed consent”.

  • Data Controllers’ Registry (VERBIS): A digital platform with which data controllers (both Turkish and foreign entities processing the data of individuals in Türkiye) must register before processing personal data. VERBIS is designed to increase transparency by obliging data controllers to disclose their:
    • data processing activities;
    • data protection measures; and
    • data transfer procedures.
  • ‘Data protection representative’: Data controllers not established in Türkiye must appoint a Turkish legal entity or citizen based in Türkiye as their data protection representative.
  • ‘Contact person’: A natural person authorised by the data controller during registration with VERBIS for the purpose of facilitating communication between the data controller and the Personal Data Protection Board.

In Türkiye, data controllers must register with VERBIS if they meet the criteria specified by the Personal Data Protection Board, in accordance with Law 6698 on the Protection of Personal Data (PDPL). This obligation aims to ensure transparency and accountability in the processing of personal data.

The data controllers that are obliged to register with VERBIS are as follows:

  • Data controllers not established in Türkiye;
  • Local data controllers with:
    • more than 50 employees in a year; or
    • an annual financial balance sheet total exceeding TRY 100 million; and
  • Local data controllers whose main field of activity involves the processing of special categories of personal data.

The following Turkish controllers are exempt from registration:

  • data controllers with:
    • fewer than 50 employees; and
    • an annual balance sheet of less than TRY 100 million.
  • public notaries, political parties, lawyers, accountants, customs advisers and mediators; and
  • certain non-profit organisations, provided that data processing is:
    • pertinent to their purpose;
    • confined to their field; and
    • solely for their employees, members and donors.

Failure to comply with the registration requirement can result in significant administrative fines. According to the regulations, the penalties for non-compliance can range from TRY 189,245 to TRY 9,463,213 for 2024.

To register with VERBIS, both foreign and local data controllers must follow these guidelines:

  • Local controllers:
    • Register with VERBIS before starting data processing;
    • Prepare a personal data processing inventory for the registry application;
    • Ensure that the information entered in VERBIS is accurate, complete and lawful;
    • Comply with all other legal obligations, as registration does not exempt them from these requirements; and
    • Conduct all registry-related operations through VERBIS.
  • Foreign controllers:
    • Must register via representatives in Türkiye before data processing begins;
    • Follow similar steps to local controllers, including the preparation of a personal data processing inventory;
    • Ensure that the information in VERBIS is accurate and lawful;
    • Have their representatives submit a certified decision of designation, covering various responsibilities such as:
      • acting on behalf of the controller for registry operations; and
      • handling data subject requests; and
    • Ensure that all registration actions are carried out via VERBIS.

Both must include details such as:

  • the identity and contact information of the controller (or representative);
  • the purposes of the processing;
  • the data subjects and categories;
  • the recipients;
  • data security measures; and
  • data storage periods.

Updates to registry records must be made in VERBIS within seven days of any change.

Yes, the information registered in VERBIS by data controllers in Türkiye is publicly accessible.

Personal data may be processed without the explicit consent of the data subject only where one of the following conditions is met:

  • It is expressly provided for by law;
  • It is necessary for the protection of life or physical integrity of the data subject or any other person:
    • who is unable to give his or her consent due to physical disability; or
    • whose consent is not deemed legally valid;
  • The processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract;
  • The data processing is necessary for compliance with a legal obligation to which the data controller is subject;
  • The personal data has been made public by the data subject;
  • The data processing is necessary for the establishment, exercise or protection of any right; or
  • The processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing does not violate the fundamental rights and freedoms of the data subject.

Following the amendments to Law 6698 on the Protection of Personal Data (PDPL) introduced on 12 March 2024, the processing of special categories of personal data is prohibited unless one of the following conditions is met:

  • The data subject has given explicit consent;
  • The processing is expressly provided for by law;
  • The processing is necessary to protect the life or physical integrity of the data subject or of another person who is physically unable to give consent or whose consent is not legally valid;
  • The processing relates to personal data made public by the data subject and accords with the intention behind making it public;
  • The processing is necessary for the establishment, exercise or protection of a right;
  • The processing is carried out by persons under a confidentiality obligation or by authorised institutions and organisations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, or the planning, management and financing of health services;
  • The processing is necessary to carry out the obligations of, or exercise the specific rights of, the data controller or the data subject in the field of employment, occupational health and safety, social security, social services or social aid; or
  • The processing is carried out by foundations, associations or other non-profit organisations or bodies established for political, philosophical, religious or trade union purposes, provided that:
    • it is in accordance with the legislation to which they are subject and their objectives, and is limited to their field of activity;
    • it relates to current or former members or to persons who regularly communicate with those organisations or bodies; and
    • the data is not disclosed to third parties.

Principles on the processing of personal data are outlined in the PDPL and apply regardless of the data type or whether the processing is outsourced.

The following principles must be complied with when processing personal data:

  • The processing must conform with the law and good faith;
  • The data must be accurate and, if necessary, up to date;
  • The data must be processed for specified, explicit and legitimate purposes;
  • The data must be relevant, limited and proportionate to the purposes for which it is being processed; and
  • The data must be stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.

In the context of processing personal data, data controllers must align their practices with the PDPL and its underlying principles. Key obligations and best practices include the following:

  • Adherence to the PDPL principles: See question 5.2.
  • Legal justification for processing: See question 5.1.
  • Transparency and data subject information: Before collecting personal data, entities must inform individuals about:
    • the data controller’s identity;
    • the data collection purposes;
    • the recipients of the data;
    • the legal basis for processing; and
    • the rights of data subjects.
  • Data Controllers’ Registry: See question 4.2.
  • Data processing inventory: A comprehensive inventory should detail:
    • processing activities;
    • legal bases;
    • data subject categories;
    • data categories;
    • recipient groups;
    • data transfer details;
    • retention periods; and
    • security measures.
  • International data transfers: Entities must ensure that personal data transferred abroad is adequately protected, aligning with PDPL requirements (see question 6.2).
  • Data security: Adequate technical and administrative measures must be implemented in order to:
    • protect personal data against unauthorised access, loss or damage; and
    • ensure the notification of data breaches.

Personal data can be transferred to third parties within Türkiye based on any of the legal grounds outlined in Law 6698 on the Protection of Personal Data (PDPL), as detailed in question 5.1.

Amendments introduced to the PDPL on 12 March 2024 have restructured the conditions for the transfer of personal data abroad. Companies must comply with the new regime by 1 September 2024. The requirements are as follows:

  • Adequacy decision: Personal data can be transferred abroad if:
    • one of the processing conditions (see question 5.1.) for personal data or special category personal data is met; and
    • there is an adequacy decision regarding:
      • the destination country;
      • sectors within the country; or
      • international organisations.
  • No adequacy decision: Personal data can be transferred abroad if:
    • one of the processing conditions (see question 5.1) for personal data or special category personal data is met; and
    • one of the appropriate safeguards is in place between the parties (ie, agreements between public institutions and organisations, binding corporate rules, standard contractual clauses, written commitments).
  • Occasional transfers: In exceptional cases, data controllers and processors may, as a last resort, make occasional transfers abroad without an adequacy decision or appropriate safeguards. This covers one-off or infrequent transfers, for example sharing employee information for an incidental commercial activity. Such a transfer must rest on one of the following grounds:
    • explicit consent;
    • contract performance;
    • public interest;
    • legal claims;
    • vital interests protection; and
    • access to public registers with prescribed conditions.

When transferring personal data in Türkiye or abroad, it is essential to comply with the principles outlined in the PDPL (see question 5.2).

Recent amendments to the PDPL introduced in March 2024 have restructured the conditions for the transfer abroad of personal data, shifting from an approach based on explicit consent to a systematic process of:

Adequacy decision > appropriate safeguards > occasional circumstances

However, the implementation details for this new structure have yet to be defined. The Personal Data Protection Board is set to issue regulations that will elaborate on the procedures and principles for cross-border data transfers. These regulations are expected to:

  • clarify the application of standard contractual clauses; and
  • outline the procedures for transfers under particular circumstances.

An additional key update from the recent amendments is the extension of the safeguards to include subsequent transfers (further processing) of personal data abroad, ensuring the continuity of protection measures. This provision emphasises the importance of maintaining data protection standards throughout the entire data transfer and processing lifecycle, reflecting a comprehensive approach to data privacy and security in cross-border contexts.

Under the Law 6698 on the Protection of Personal Data (PDPL), every data subject has the right to apply to the data controller in order to:

  • learn whether his or her personal data has been processed;
  • request information as to processing if his or her data has been processed;
  • learn the purpose of processing of the personal data and whether the data is being used in accordance with the stated purpose;
  • learn of any third parties in the country or abroad to which the personal data has been transferred;
  • request rectification if the personal data has been processed incompletely or inaccurately;
  • request the deletion or destruction of personal data within the framework of the conditions set under the PDPL and request notification of the operations to third parties to which personal data has been transferred;
  • object to the occurrence of any result that is to his or her detriment by means of analysis of personal data exclusively through automated systems; and
  • request compensation if he or she incurs damages due to the unlawful processing of his or her personal data.

Although there are no exceptions in this regard, individuals who fail to submit their applications in accordance with the procedures specified in the relevant regulations may be requested by data controllers to resubmit their inquiries.

Data subjects have the right to submit requests concerning their personal data to the data controller. These requests can be made in various forms, as follows:

  • in writing;
  • via registered electronic mail;
  • with secure electronic or mobile signatures;
  • through an email address previously supplied and recorded by the data controller; or
  • via dedicated software or an application.

To ensure effective processing, requests must be detailed and submitted in Turkish. The application should include:

  • the data subject’s name, surname and signature for written submissions;
  • for Turkish citizens, their Republic of Türkiye identification number; or, for foreigners, their nationality and passport number or any other identification number;
  • a notification address, which can be either residential or work related;
  • optionally, an email address, telephone and fax number for further communication; and
  • the specific subject matter of the request.

Data controllers must address these requests within 30 days of receipt. Should a controller have legitimate reasons to deny a request, it must still respond within the same timeframe, providing a clear and justified explanation for its decision. This approach ensures transparency and accountability in handling personal data requests.

The law envisages a tiered application procedure for the protection of personal data. Data subjects must first apply to the data controller in order to exercise their rights; a complaint cannot be made to the Personal Data Protection Board before this remedy has been exhausted.

Persons whose requests are refused or who find the answer insufficient, or whose application is not answered in due time, can exercise their right to complain to the board.

Following an investigation by the Board, if a violation is found, the Board will:

  • order the data controller to rectify the infringement within 30 days of notification; and/or
  • impose administrative fines.

Data subjects may file a lawsuit in the general courts claiming that their personality rights have been violated. In these lawsuits, data subjects can allege that:

  • their personal data has been processed unlawfully; and
  • this processing has harmed their personal rights.

In such cases, courts may order compensation and other legal consequences based on the type, nature and effects of the violation.

In Türkiye, under Law 6698 on the Protection of Personal Data (PDPL), there is no legal requirement for data controllers and data processors to appoint a data protection officer.

However, foreign data controllers must appoint a data controller representative (see questions 3.2 and 4.2).

This requirement underscores the importance of having a contact within Türkiye to handle matters related to data protection and compliance with Turkish data privacy regulations for entities based outside the country.

Compliance with record-keeping and documentation requirements is essential in order to:

  • maintain compliance with the PDPL; and
  • raise awareness and promote education about data protection concepts.

Key documents include the following:

  • Data processing inventory: Data controllers obliged to register with the Data Controllers’ Registry (VERBIS) must maintain detailed records of their data processing activities. This involves documenting:
    • the reasons for the data processing;
    • the data categories being processed;
    • the data recipients; and
    • the legal basis for the processing.
  • Privacy notice: All data controllers should prepare a transparent privacy notice which informs data subjects of how their personal data is being used, stored and protected.
  • Data retention and destruction policy: Data controllers obliged to register with VERBIS must prepare a policy outlining:
    • the length of time for which different types of personal data will be kept (data retention); and
    • the procedures for securely deleting or destroying data once it is no longer needed (data destruction).

  • Compliance with the PDPL principles: See question 5.2.
  • Employee training and awareness: Provide regular training and awareness programmes for employees.
  • Privacy by design: Integrate privacy considerations into the design and implementation of systems, processes and services from the outset, adopting privacy-enhancing technologies and default settings that prioritise data protection.
  • Technical and administrative measures: Implement administrative and technical measures for data privacy purposes with an accountability mindset.

Data controllers and processors must secure personal data, focusing on:

  • preventing unlawful processing and access; and
  • ensuring its safekeeping.

These duties require the adoption of appropriate technical and administrative measures, tailored to the level of risk and the nature of the data. Data processors are jointly liable with the data controller for taking the appropriate measures.

  • Preventing unlawful processing: Data controllers must ensure that data processing complies with legal standards, incorporating protocols to align with data protection laws.
  • Preventing unauthorised access: It is essential to protect data against unauthorised access through physical and digital safeguards, including secure building access and data encryption. Measures include:
    • monitoring access permissions; and
    • using strong authentication methods.
  • Ensuring the protection of personal data: Controllers are tasked with protecting data integrity and confidentiality and preventing loss, destruction or damage through practices such as regular backups and encryption.

Adopting both technical measures (eg, encryption and cybersecurity defences) and administrative strategies (eg, policy development, employee training, audits) is essential.

Data controllers must notify the Personal Data Protection Board of a personal data breach within 72 hours of becoming aware of it, and must notify the affected data subjects as soon as reasonably possible after identifying them. If notification to the Board cannot be made within 72 hours, the reasons for the delay must be explained together with the notification.

The data controller must use the Personal Data Breach Notification Form provided by the Authority to report the breach. If all necessary information cannot be provided immediately, it should be provided in phases without undue delay. The form must include:

  • the data controller’s name and address;
  • the incident’s start and end times, and the time it was detected;
  • the nature of the breach and details of how it occurred;
  • the categories of personal data involved;
  • the number of affected individuals and data records;
  • the potential consequences and severity of the breach;
  • the measures taken or planned in response to the breach;
  • the measures recommended to affected individuals to mitigate adverse effects; and
  • contact details for further information (eg, contact person, website link, call centre).

Yes. Following the identification of individuals affected by the data breach, the data controller must also notify the relevant data subjects as soon as reasonably possible. If the contact address of the affected individual is available, the notification should be made directly; if not, it should be done through suitable methods such as publication on the data controller’s website.

The notification must be written in clear, understandable language and include specific details, as follows:

  • Date and time: When the data breach occurred.
  • Categories of personal data: The types of affected data, clearly distinguishing between personal data and special categories of personal data.
  • Potential consequences: The possible effects of the breach on data subjects.
  • Recommended measures: The actions that data subjects can take to mitigate potential adverse outcomes.
  • Contact information: How affected individuals can reach the data controller (eg, contact persons, website links, call centre numbers).

Turkey - Canpolat Legal
Answer...

In the event of a data breach, it is imperative for both data processors and data controllers to adhere to specific protocols to manage the situation effectively:

  • Data processor’s immediate notification: If a breach occurs, data processors must notify the data controller immediately. This ensures that necessary measures can be promptly initiated.
  • Foreign data controllers’ notification: Data controllers located outside of Türkiye that process the data of individuals within Türkiye are subject to the same notification requirements, especially if their services or products are used by Turkish data subjects. The location of the data controller does not exempt it from responsibilities towards data subjects in Türkiye.
  • Data breach response plan: Organisations must have a robust data breach response plan in place. This plan should outline:
    • internal reporting channels for quick communication within the organisation; and
    • procedures to assess the potential impact of the breach on affected parties and the organisation.
  • Regular review and update: The data breach response plan should be periodically reviewed and updated to address new security threats and comply with evolving regulatory requirements.

These steps are crucial for swiftly managing data breaches and mitigating their effects. They demonstrate an organisation’s commitment to data protection and the privacy of individuals.

Turkey - Canpolat Legal
Answer...

There is no detailed and specific rule in Law 6698 on the Protection of Personal Data (PDPL) on the processing of employees’ personal data. Thus, data controllers with employees must:

  • adhere to the general data protection principles (see question 5.2); and
  • have a legal basis for the data processing (see question 5.1).

Further to amendments to the PDPL introduced in March 2024, if the processing of a special category of data is required to fulfil legal obligations in the fields of employment, occupational health and safety, social security, social services or social aid, the data controller can process the data without the explicit consent of the data subject.

Turkey - Canpolat Legal
Answer...

In Türkiye, the Personal Data Protection Board mandates that employee surveillance must serve a legitimate purpose which is closely related to workplace requirements or the nature of the employment.

Employers are permitted to monitor activities to meet operational needs or safeguard company assets, ensuring that such surveillance is:

  • necessary and proportionate; and
  • aligned with legal principles.

Legality, fairness and transparency are pivotal: employers must notify employees about surveillance measures, detailing their existence, scope and objectives.

Surveillance methods, and particularly those that could infringe on private life:

  • require strong justification through legitimate interest; and
  • must represent the least intrusive option available.

Given the power disparity in employer-employee dynamics, obtaining consent for surveillance is not advised. Instead, employers should rely on alternative legal bases such as legitimate interest or legal obligations, prioritising the protection of employee privacy and personal data rights.

The Personal Data Protection Board underscores the need for a careful balance between employers’ legitimate interests and employees’ privacy rights, advocating for surveillance measures that are both necessary and proportionate. This guidance aims to foster a workplace environment in which surveillance is implemented responsibly and ethically, respecting both operational needs and individual privacy.

Turkey - Canpolat Legal
Answer...

Considering the inherent power imbalance in the employer-employee relationship, relying on explicit consent for data processing should be a last resort. This approach ensures that consent is genuinely voluntary and is not influenced by the employment context.

From an employment perspective in the data privacy context, it is also crucial to ensure that measures are in place to prevent employees from accessing each other’s personal data without justification. This involves establishing strict access controls and implementing an authorisation matrix that limits access to files on the basis of role and necessity, so that sensitive or personal data is accessible only to those with a legitimate need to know.

Additionally, employers should conduct regular data privacy training for all employees to foster a culture of privacy awareness and compliance.
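The authorisation matrix described above can be implemented as a default-deny lookup of role, data category and action, with every decision written to an audit trail. The following Go program is an added illustration of that pattern; it is not code from Canpolat Legal or from the Personal Data Protection Board, and the roles, categories, the rule that an employee may read their own record, and the sample requests are all constructed assumptions for the example.

```go
package main

import "fmt"

// action is an operation on a record. The roles and categories below form a
// constructed (hypothetical) authorisation matrix, not one from the guidance.
type action string

const (
	actRead  action = "read"
	actWrite action = "write"
)

// authzMatrix maps role -> data category -> permitted actions.
// Anything not listed is denied (default deny).
type authzMatrix map[string]map[string]map[action]bool

var matrix = authzMatrix{
	"hr-specialist": {
		"employee-record": {actRead: true, actWrite: true},
		"payroll":         {actRead: true},
	},
	"line-manager": {
		"employee-record": {actRead: true},
	},
	"engineer": {}, // no access to colleagues' personal data
}

// accessRequest describes who wants to do what to whose data.
type accessRequest struct {
	SubjectID   string // employee making the request
	SubjectRole string
	OwnerID     string // employee the record belongs to
	Category    string
	Action      action
}

type decision struct {
	Allowed bool
	Reason  string
}

// auditLog records every decision so that access can be reviewed later
// (audits are one of the administrative measures the page lists).
var auditLog []string

// authorize applies two rules, both assumptions of this example:
// 1. an employee may read their own record;
// 2. otherwise the role/category/action must be explicitly allowed in the matrix.
func authorize(m authzMatrix, req accessRequest) decision {
	var d decision
	switch {
	case req.SubjectID == req.OwnerID && req.Action == actRead:
		d = decision{true, "self-access"}
	case m[req.SubjectRole][req.Category][req.Action]: // nil maps read as false
		d = decision{true, "matrix: " + req.SubjectRole + "/" + req.Category + "/" + string(req.Action)}
	default:
		d = decision{false, "default deny"}
	}
	auditLog = append(auditLog, fmt.Sprintf("%s(%s) %s %s of %s -> %t (%s)",
		req.SubjectID, req.SubjectRole, req.Action, req.Category, req.OwnerID, d.Allowed, d.Reason))
	return d
}

func main() {
	// Constructed sample requests.
	reqs := []accessRequest{
		{"e1", "engineer", "e2", "employee-record", actRead},
		{"e1", "engineer", "e1", "employee-record", actRead},
		{"h1", "hr-specialist", "e2", "payroll", actWrite},
		{"m1", "line-manager", "e2", "employee-record", actRead},
	}
	for _, r := range reqs {
		authorize(matrix, r)
	}
	for _, line := range auditLog {
		fmt.Println(line)
	}
}
```

The point of the default-deny shape is that adding a new role or category grants nothing until someone deliberately adds a matrix entry, and the audit log gives the evidence a later review or breach investigation needs.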

Turkey - Canpolat Legal
Answer...

The use of cookies is not directly regulated under Law 6698 on the Protection of Personal Data (PDPL). However, the Personal Data Protection Board has published a Guide on Cookie Applications which sets out best practices in relation to the management of cookies. Among other things, it provides as follows:

  • Website operators must provide users with clear information about the use of cookies, including:
    • the types of cookies used;
    • the purposes of data collection; and
    • how users can control or opt out of cookies.
  • Explicit consent must be obtained from users for any cookies that process personal data, except strictly necessary cookies that are essential for the functioning of the website. This consent must be informed, specific and freely given.
  • The website should have a clear and accessible cookie policy that provides detailed information about the use of cookies, including how users can manage their cookie preferences.
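The opt-in rule in the guide, strictly necessary cookies always, everything else only after consent, maps directly onto server-side code: the site records the categories the user accepted and checks that record before setting any non-essential cookie. The Go program below is an added example of that check; it is not from the page or the Board's guide, and the consent cookie name, the category names and the cookies set by the page are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// consentCookie is the hypothetical first-party cookie in which the site stores
// the categories a user explicitly opted in to, e.g. "analytics,marketing".
const consentCookie = "cookie_consent"

// Cookie categories for this example; "necessary" is exempt from consent.
const (
	catNecessary = "necessary"
	catAnalytics = "analytics"
	catMarketing = "marketing"
)

// consentedCategories returns the set of categories the request carries consent
// for. A missing consent cookie means only necessary cookies (opt-in default).
func consentedCategories(r *http.Request) map[string]bool {
	cats := map[string]bool{catNecessary: true}
	c, err := r.Cookie(consentCookie)
	if err != nil {
		return cats
	}
	for _, v := range strings.Split(c.Value, ",") {
		if v = strings.TrimSpace(v); v != "" {
			cats[v] = true
		}
	}
	return cats
}

// setCookieIfConsented sets c only when its category is necessary or opted in,
// and reports whether it was set.
func setCookieIfConsented(w http.ResponseWriter, r *http.Request, category string, c *http.Cookie) bool {
	if !consentedCategories(r)[category] {
		return false
	}
	http.SetCookie(w, c)
	return true
}

// pageHandler wants a session cookie (necessary), an analytics cookie and a
// marketing cookie; only the consented ones reach the browser.
func pageHandler(w http.ResponseWriter, r *http.Request) {
	setCookieIfConsented(w, r, catNecessary, &http.Cookie{
		Name: "session", Value: "s1", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	setCookieIfConsented(w, r, catAnalytics, &http.Cookie{Name: "_ana", Value: "a1"})
	setCookieIfConsented(w, r, catMarketing, &http.Cookie{Name: "_mkt", Value: "m1"})
	w.WriteHeader(http.StatusOK)
}

// cookiesSet drives pageHandler with the given consent value (constructed
// input) and returns the names of the cookies the response sets, in order.
func cookiesSet(consent string) []string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if consent != "" {
		req.AddCookie(&http.Cookie{Name: consentCookie, Value: consent})
	}
	rec := httptest.NewRecorder()
	pageHandler(rec, req)
	var names []string
	for _, c := range rec.Result().Cookies() {
		names = append(names, c.Name)
	}
	return names
}

func main() {
	for _, consent := range []string{"", "analytics", "analytics,marketing"} {
		fmt.Printf("consent=%q -> cookies set: %v\n", consent, cookiesSet(consent))
	}
}
```

Keeping the decision in one helper makes the "no consent, no cookie" rule auditable in a single place, and storing consent per category rather than as a single yes/no is what lets the user accept analytics while refusing marketing.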

Turkey - Canpolat Legal
Answer...

The use of cloud computing is not directly regulated under the PDPL. However, the Personal Data Protection Board has published a Guide on Personal Data Security which includes provisions on cloud computing, and the guide can also be treated as a best-practice resource for managing cloud computing.

According to the guide, the key principles to observe for cloud computing are as follows:

  • Evaluation of security measures: Data controllers must assess the adequacy and appropriateness of security measures implemented by cloud storage service providers to prevent illegal processing of and access to stored personal data.
  • Understanding and management of stored data: It is crucial for data controllers to have a detailed inventory of personal data stored in the cloud. This includes ensuring that:
    • data is backed up;
    • synchronisation processes are in place; and
    • two-factor authentication for remote access is implemented where necessary.
  • Data encryption: Personal data should be encrypted using cryptographic methods before being uploaded to cloud environments. Utilising separate encryption keys for each cloud service provider enhances data security.
  • End of service data management: Upon termination of cloud computing services, data controllers must ensure that all copies of encryption keys which could potentially be used to access or use personal data are destroyed.

These measures emphasise the importance of security, transparency and accountability in cloud computing services, focusing on safeguarding personal data against breaches and unauthorised access. Adhering to these guidelines helps to maintain the integrity and confidentiality of personal data, aligning with legal standards for data protection.
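Two of the guide's principles above, encrypting data before it is uploaded with a separate key per provider and destroying the keys when the service ends, can be shown together in code: if the controller keeps the keys, decryption only works while the right provider's key exists, and deleting that key renders every copy the provider still holds unreadable. The Go program below is an added example written for this page, not code from the guide or from Canpolat Legal; the in-memory key store, the provider names and the sample record are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// providerKeys holds one independent AES-256 key per cloud provider. This is a
// hypothetical in-memory key store; in production the keys would live in an
// HSM or KMS under the controller's control, never at the provider.
type providerKeys map[string][]byte

// newKey generates a fresh random key for the named provider.
func (pk providerKeys) newKey(provider string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	pk[provider] = k
	return nil
}

// destroy is the end-of-service step: the key bytes are overwritten and the
// entry removed, so every ciphertext stored at that provider becomes unrecoverable.
func (pk providerKeys) destroy(provider string) {
	if k, ok := pk[provider]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(pk, provider)
	}
}

// gcmFor builds an AES-GCM instance from the provider's key, if one is held.
func (pk providerKeys) gcmFor(provider string) (cipher.AEAD, error) {
	key, ok := pk[provider]
	if !ok {
		return nil, errors.New("no key held for provider " + provider)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptForProvider seals the record with AES-256-GCM before upload. The
// provider name is bound in as associated data and the random nonce is
// prepended to the ciphertext.
func encryptForProvider(pk providerKeys, provider string, plaintext []byte) ([]byte, error) {
	gcm, err := pk.gcmFor(provider)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(provider)), nil
}

// decryptFromProvider reverses encryptForProvider; it fails if the key was
// destroyed, if another provider's key is used, or if the blob was tampered with.
func decryptFromProvider(pk providerKeys, provider string, blob []byte) ([]byte, error) {
	gcm, err := pk.gcmFor(provider)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(provider))
}

func main() {
	pk := providerKeys{}
	_ = pk.newKey("provider-a")
	_ = pk.newKey("provider-b")
	record := []byte("constructed sample record: employee=e1;category=health")
	blob, _ := encryptForProvider(pk, "provider-a", record)
	pt, err := decryptFromProvider(pk, "provider-a", blob)
	fmt.Printf("provider-a key: %q err=%v\n", pt, err)
	_, err = decryptFromProvider(pk, "provider-b", blob)
	fmt.Println("provider-b key:", err)
	pk.destroy("provider-a")
	_, err = decryptFromProvider(pk, "provider-a", blob)
	fmt.Println("after key destruction:", err)
}
```

Because the keys never leave the controller, the provider only ever stores ciphertext, a key exposed at one provider does not unlock data held at another, and the end-of-service obligation in the guide becomes a single key deletion rather than a hunt for every backup copy the provider may still keep.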

Turkey - Canpolat Legal
Answer...

From a marketing perspective, navigating the online and networked landscape in Türkiye necessitates adherence to a set of requirements, restrictions and best practices, especially concerning:

  • personal data protection;
  • e-commerce; and
  • consumer rights.

Key considerations include the following:

  • Compliance with the PDPL: Marketing activities must comply with the PDPL, which means that explicit consent from individuals is required before processing their personal data for marketing purposes. Marketers must clearly inform individuals about the scope and purpose of data collection and processing.
  • Opt-in and opt-out mechanisms: Businesses should implement clear opt-in procedures for subscribers to consent actively to receive marketing communications. Similarly, an easy and straightforward opt-out or unsubscribe option must be provided in every communication to respect the recipient’s choice and privacy.
  • Transparency and accountability: Marketers should:
    • maintain transparency about the use of personal data, including any third-party sharing for targeted advertising; and
    • ensure accountability by keeping records of consent and managing data securely.
  • Respect for consumer rights: Adherence to the Consumer Protection Law is crucial, particularly regarding:
    • advertising ethics;
    • the truthfulness of marketing communications; and
    • not misleading consumers.
  • Email and SMS marketing: Specific regulations govern email and SMS marketing. Businesses that send marketing messages must register with the Commercial Electronic Message Management System.
  • Social media and influencer marketing: Disclosures are important in influencer marketing. Any paid partnership or endorsement should:
    • be clearly indicated to maintain trust; and
    • comply with the applicable regulations.

Turkey - Canpolat Legal
Answer...

In Türkiye, data privacy disputes are primarily addressed within the framework established by the Law 6698 on the Protection of Personal Data (PDPL). The resolution of these disputes typically involves several forums and processes, as follows:

  • Personal Data Protection Board: As the primary regulatory body overseeing data privacy, the Board is tasked with handling complaints related to violations of personal data protection rights. Individuals can file complaints directly with the Board if they believe that their data privacy rights have been infringed under the PDPL. The Board reviews these complaints and can issue decisions that may impose administrative fines or other sanctions on violators.
  • Civil courts: For disputes involving personal data protection that may also constitute a violation of personal rights, affected individuals have the right to initiate civil lawsuits. These cases are heard in the civil courts, where plaintiffs can seek compensation for damages resulting from the unlawful processing of their personal data or privacy breaches.
  • Criminal courts: Where a violation of data privacy laws also constitutes a criminal offence (eg, unauthorised access to or dissemination of personal data), the matter can be referred to the criminal courts. The Penal Code provides for sanctions, including imprisonment and fines, for such offences.
  • Administrative courts: Decisions of the Personal Data Protection Board can be appealed in the administrative courts. Following recent changes, from 1 June 2024, administrative fines imposed by the Personal Data Protection Authority for breaches under the PDPL can be contested in the administrative courts.

Turkey - Canpolat Legal
Answer...

The issues involved in such disputes often revolve around allegations of unlawful processing of personal data, data breaches and non-compliance with regulations, such as:

  • failure to prepare privacy notices;
  • lack of administrative and technical measures;
  • inadequate notification of data breaches;
  • ineffective response to data subject requests;
  • failure to prepare a data processing inventory;
  • lack of a data retention and destruction policy; and
  • invalid cross-border data transfer mechanisms.

Resolutions often involve:

  • addressing the non-compliance;
  • implementing corrective measures; and
  • sometimes paying fines or facing other sanctions.

Turkey - Canpolat Legal
Answer...

Recent rulings by the Personal Data Protection Board include the following:

  • Meal card mobile application (2023/1430): A meal card provider’s app required Turkish ID numbers for registration, leading to a TRY 200,000 fine for processing ID numbers without legal justification, in breach of the data minimisation and purpose limitation principles.
  • E-commerce site payment information requirement (2023/567): An e-commerce site was fined TRY 500,000 for mandating the storage of credit/debit card information for further transactions without obtaining explicit consent from users, emphasising the significance of explicit consent where data is retained for further processing.
  • Continued email processing post-employment (2023/1321): The monitoring of a former partner’s email resulted in a TRY 50,000 fine, highlighting:
    • the obligation to terminate personal data processing post-employment; and
    • the importance of ceasing email monitoring after an individual leaves the organisation.
  • Cookie-based personal data processing (2023/1645): This ruling stresses the requirement for explicit consent in cookie-based data processing. It criticises the use of blanket consent for all cookies without providing users with individual choice options, noting violations in the handling of necessary cookies and unauthorised international data transfers.

These decisions reflect the Board's stance on:

  • the importance of legal bases for data processing;
  • the need for explicit consent; and
  • adherence to the principles of data minimisation and purpose limitation.

Turkey - Canpolat Legal
Answer...

On 12 March 2024, Türkiye took a critical step to align Law 6698 on the Protection of Personal Data with the EU General Data Protection Regulation.

The provisions on three key areas were updated, with changes set to take effect on 1 June 2024:

  • Sensitive data: The conditions for processing data that falls within a special category of personal data (also known as ‘sensitive personal data’) were restructured.
  • Cross-border data transfers: The previous requirement for ‘explicit consent’ to the transfer of personal data abroad has been replaced with a new framework, applied in order of precedence:
    • adequacy decision, then appropriate safeguards, then occasional transfers.
  • Jurisdiction: Jurisdiction for administrative fines has been assigned to the administrative courts.

A forthcoming regulation, expected to be issued shortly by the Personal Data Protection Board, will set out the procedures and principles for cross-border data transfers. It is expected that this upcoming regulation will clarify the use of standard contractual clauses and the management of occasional transfers, in order to refine the legal framework for international data exchange.

These developments signal Türkiye’s commitment to bolstering data privacy and aligning its regulations with international standards. As the country continues to refine its data protection practices, these changes should significantly impact how personal data is processed, shared and protected within and beyond national borders.

Turkey - Canpolat Legal
Answer...

For foreign data controllers seeking to ensure effective data protection compliance in Türkiye, appointing a data protection representative is a fundamental initial step (see questions 3.2 and 4.2).

As a result of the amendments to Law 6698 on the Protection of Personal Data (PDPL) introduced on 12 March 2024, significant changes will take effect on 1 June 2024, particularly with regard to:

  • the processing of special categories of personal data; and
  • cross-border data transfers.

The mechanism for transferring data abroad has changed, as detailed in question 6.2, necessitating updates to the data transfer processes for both:

  • companies that process data abroad (including cloud service providers); and
  • companies that transfer data abroad.

Companies should promptly conduct privacy impact assessments and update their documentation to align with the modifications regarding special categories of personal data.

Additionally, it is crucial for companies to prepare for the forthcoming regulation on international data transfers, to ensure compliance with these updated legal requirements.

The PDPL specifies upper limits for administrative fines. However, it is expected that under forthcoming amendments aimed at ensuring alignment with the EU General Data Protection Regulation, administrative fines will be calculated as a percentage of turnover.
