July 2016 Blog

Turkey’s First Comprehensive Data Protection Law Comes Into Force

Turkey has completed the final step in a long process to enact the Data Protection Law. On April 7, 2016, Turkey’s law on Personal Data Protection, number 6698 (the “Law”), was published in the Official Gazette and came into force. The Law is based on the European Union’s 1995 Data Protection Directive (95/46/EC) (the “Directive”), but differs from the Directive in a number of important respects.

Legislation

In Turkey, the first legal arrangement on personal data protection is “The Principles for Protection of Personal Space and Cross Border Data Traffic”, which was adopted on 23 September 1980. One of the most important legal arrangements on the protection of personal data is the amendment of Article 10 of the Turkish Constitution, which took place on 12 September 2010. Thanks to this amendment, protection of personal data became a constitutional right. However, Turkey could not put this into practice because of the lack of legal infrastructure.

Turkey signed the European Council’s “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” on 28 January 1981. However, the Convention could not come into force for Turkey until 17 March 2016. With the help of this process, Turkey has been able to speed up enactment of the Law on Personal Data Protection which (i) governs the details of the protection, processing and storage of personal data, and (ii) establishes a supervisory body to inspect the application of the law. The Law applies to all natural persons whose personal data are processed and to all natural persons and legal entities who process personal data.

From 7 April 2016 onward, a general prohibition now applies in Turkey on processing or storing personal data without express consent. The Law addresses responsibilities of key players, companies and data processing companies, as well as appropriate methods for processing and transmitting data.

The Turkish Data Protection Authority (the “DPA”) and the Data Protection Board (“DPB”)

The Law establishes a Data Protection Authority in Ankara, responsible for researching, investigating and making recommendations regarding personal data processing. The DPA is directly connected to the office of the Prime Minister and consists of the Data Protection Board and the president. The DPB supervises whether personal data processing is in accord with the fundamental rights and freedoms of the individual. The DPB consists of seven members (four members selected by the cabinet and three members selected by the President). The Board is independent from governmental bodies and other authorities.

Personal Data Processing

The Law defines the processing of personal data, i.e. all types of information relating to an identified or identifiable natural person, as any operation which is performed in relation to such data, including their retrieval, recording, storage, alteration or transfer to third parties or outside of Turkey. Data concerning physical, familial, economic, social and other features of the individual are also classified as “personal data”, and these data may only be processed after informing the data subject and especially obtaining the data subject’s explicit and freely-given consent.

The Law provides several exceptions to the requirement that a data subject’s consent first be obtained. These include where (i) the processing is explicitly required by law; (ii) the processing is intended to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; (iii) the processing is directly related to the performance or establishment of a contract; (iv) the processing is necessary for the establishment, exercise or defense of legal claims; (v) the processing is required so that the data controller can fulfill its legal obligations; (vi) the processing is required in order for the data controller to perform an official duty, such as the disclosure of employees’ data to third party financial auditors for accounting purposes; and (vii) in the event that the personal data are made publicly available by the data subject.

Transfer of Personal Data to Foreign Countries

Personal data may only be transferred abroad if the data subject has given explicit consent, although the exceptions relating to the processing of personal data noted above also apply to data being transferred outside of Turkey. Where the country to which personal data are being transferred does not offer an adequate level of protection, the data controller in Turkey and the data importer must enter into a written agreement and undertake to provide an adequate level of protection for the data. Such agreements are subject to the approval of the Board, i.e., the decision-making body of the DPA.

Data Controllers and Data Processors

Data controllers must register with the Data Controllers’ Registry before commencing data processing, unless they can rely on one of the exceptions provided by the Law. Data controllers must respond to data subjects’ access and other requests free of charge and, depending on the purpose of the request, should do so as soon as possible and not later than 30 days after the request is made. If the data controller rejects the request, he/she is obligated to provide the reasons for the rejection.

Data processors are directly subject to the Law. Accordingly, they must comply with its principles governing data processing activities, and they share responsibility with the data controller to take the measures necessary to maintain data security and prevent unlawful access to personal data.

Sanctions

Administrative fines of up to TRY 1,000,000 (EUR 311,000) and/or imprisonment of one to four years may be imposed for violations of the Law.

Dr. Gökce Uzar Schüller, Attorney at Law
Munich and Istanbul
