DLA Piper Intelligence

Data Protection
Laws of the World

Law

Turkey

The main piece of legislation covering data protection in Turkey is the Law on the Protection of Personal Data No. 6698 dated April 7, 2016 (LPPD). The LPPD is primarily based on EU Directive 95/46/EC.

To date, the legislature has enacted several regulations to implement various aspects of the LPPD. The notable ones are mentioned below:

  • Regulation on the Erasure, Destruction and Anonymizing of Personal Data (published in the Official Gazette dated October 28, 2017, numbered 30224)
  • Regulation on the Working Procedures and Principles of Personal Data Protection Board (published in the Official Gazette dated November 16, 2017, numbered 30242)
  • Regulation on the Registry of Data Controllers (published in the Official Gazette dated December 30, 2017, numbered 30286)
  • Regulation on the Organization of Personal Data Protection Authority (published in the Official Gazette dated April 26, 2018, numbered 30403)
  • The Communiqué on Procedures and Principles for Compliance with the Obligation to Inform (published in the Official Gazette dated March 10, 2018, numbered 30356)
  • The Decision of Data Protection Board, dated January 31, 2018, numbered 2018/10 on Adequate Measures to be taken by Data Controllers in Processing the Special Categories of Personal Data

Certain general laws such as the Turkish Criminal Code no. 5237 and sector specific laws such as Electronic Communications Law No. 5809 also touch upon data protection and are mentioned below when relevant.

Last modified 23 Jul 2019
Definitions

Definition of personal data

In the LPPD, personal data is defined as "any information relating to an identified or identifiable natural person."

Definition of sensitive personal data

Sensitive personal data (Special Categories of Personal Data under the LPPD) is defined as "personal data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, information related to health, sex life, previous criminal convictions and security measures, and biometric and genetic data."

Authority

The national data protection authority is the Kişisel Verileri Koruma Kurumu (Personal Data Protection Authority). The Personal Data Protection Authority’s decision-making body is Kişisel Verileri Koruma Kurulu (Personal Data Protection Board). The organizational structure of the Authority and the duties and powers of its bodies are regulated under the Regulation on the Organization of Personal Data Protection Authority and the Regulation on the Working Procedures and Principles of Personal Data Protection Board.

Kişisel Verileri Koruma Kurumu

Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4

06520 Balgat-Çankaya/Ankara

T +90 312 216 5050

http://www.kvkk.gov.tr

Registration

Pursuant to the LPPD and the Regulation on the Registry of Data Controllers, data controllers are required to enroll in the Registry of Data Controllers before proceeding with data processing.

The Regulation on the Registry of Data Controllers was published in the Official Gazette dated December 30, 2017, and entered into force on January 1, 2018. It regulates the establishment of a publicly accessible registry, which is to be held by the Personal Data Protection Authority and the procedures and principles concerning enrollment in the registry.

Under this Regulation, all data controllers are required to enroll in the Registry of Data Controllers before proceeding with data processing. However, the Personal Data Protection Board may grant an exception to the enrollment obligation, taking into account the nature and volume of the personal data, the purpose of the processing, and other objective criteria. Data controllers are not required to enroll in the Registry of Data Controllers in the following circumstances:

  • The processing of personal data is required for criminal investigation or for prevention of a criminal offense
  • If the personal data being processed is already publicized by the data subject
  • If, based on the authority given by law, personal data processing is required for a disciplinary investigation or prosecution, or for the execution of supervisory or regulatory duties conducted by public institutions and organizations or by professional organizations with public institution status; or
  • If processing of personal data is required to protect the economic and financial interests of the State in relation to budget, tax and financial matters

Over the past year, the Personal Data Protection Board has enumerated additional exceptions to the enrollment obligation:

  • Data controllers who process personal data by non-automatic means as part of a filing system; lawyers; and independent accountants and financial advisors
  • Natural or legal persons having fewer than 50 employees per annum and an annual balance sheet total of less than 25 million Liras, whose main field of activity is not the processing of special categories of personal data

Data controllers who are non-resident in Turkey shall enroll in the registry through a representative they assign in Turkey. Legal persons in Turkey or Turkish citizens may be assigned as representatives for this purpose.

In addition, both legal entities resident in Turkey and the above-mentioned representatives of non-resident data controllers shall, as part of the enrollment procedure, appoint an individual to act as “contact person” for both the Personal Data Protection Authority and for data subjects.

Operations related to the Registry of Data Controllers shall be carried out through VERBIS (Data Controllers Registry Information System) by data controllers. The Personal Data Protection Authority, with its decision dated July 19, 2018, numbered 2018/88, sets forth the dates for the registration through VERBIS for four categories of data controllers.

The registration periods through VERBIS, by category of data controller (commencement date of registration and due date), are:

  • Any data controller who has more than 50 employees or whose total annual balance is more than TL 25,000,000: registration opens October 1, 2018; due date September 30, 2019
  • Non-resident individual and legal entity data controllers: registration opens October 1, 2018; due date September 30, 2019
  • Any data controller who has fewer than 50 employees and whose total annual balance is less than TL 25,000,000, but who processes sensitive personal data as its main activity: registration opens January 1, 2019; due date March 31, 2020
  • Public institutions and organizations: registration opens April 1, 2019; due date June 30, 2020

Administrative fines of between TRY 20,000 (approx. €3,250) and TRY 1 million (approx. €162,000) may be imposed on data controllers breaching their obligations regarding the Registry of Data Controllers.

Data Protection Officers

There is not yet a requirement in Turkey to appoint a data protection officer.

Collection & Processing

Pursuant to the LPPD, certain principles must be complied with while collecting and processing personal data. In light of these principles, collected personal data must be all of the following:

  • Processed fairly and lawfully
  • Accurate and up-to-date
  • Processed for specific, explicit and legitimate purposes
  • Relevant, adequate and not excessive 
  • Kept only for the term necessary for the purposes for which the data have been processed, or for the term prescribed in the relevant laws

Further, in principle, personal data cannot be collected or processed without the explicit consent of the data subject. However, the LPPD stipulates certain exceptions where consent is not required. These are:

  • Processing is expressly permitted by law
  • Processing is necessary for protection of the life or physical integrity of the data subject or a third party, where the data subject is not physically or legally capable of giving consent
  • Processing personal data of the contractual parties is necessary for the conclusion or the performance of a contract
  • Processing is mandatory for the data controller to perform his / her legal obligation(s)
  • Personal data has been made public by the data subject
  • Processing is necessary in order to assign, use or protect a right 
  • Processing is necessary for the legitimate interests of data processor and this does not damage the rights of the data subject

Pursuant to Article 10 of the LPPD, data controllers or their authorized persons have an obligation to inform data subjects during the collection of the personal data. The Communiqué on Procedures and Principles for Compliance with the Obligation to Inform published in the Official Gazette dated March 10, 2018, numbered 30356 sets forth the principles and procedures on the obligation to inform. As part of the collection of data from the data subject the controller is obliged to provide the data subject with the following information:

  • Identity of the controller and of its representative, if any
  • Purposes of the processing for which the data is intended
  • Recipients of the data and the reasons for transfer
  • Process of collecting data and the legal grounds
  • Rights of the data subject

Where the data has not been obtained from the data subject, the controller shall provide the data subject with the above stated information as well as details of the categories of data concerned. According to the relevant Communiqué, the obligation to inform should be fulfilled within a reasonable time after collecting the personal data, or during the first contact if the personal data is obtained for communication purposes with the relevant persons, or at the very latest the time of the initial transfer if the personal data is to be transferred.

Processing of sensitive personal data without explicit consent of the data subject is generally forbidden, although sensitive data other than health and sexual life data can be processed without explicit consent of data subject if a law / legislation permits such processing. Under the LPPD, data controllers need to take adequate measures required for the processing of sensitive personal data and comply with the decisions and guides of the Personal Data Protection Board designating such adequate measures. See also Personal Data Protection Board Decision dated January 31, 2018, numbered 2018/10 on Adequate Measures to be taken by Data Controllers in Processing the Special Categories of Personal Data.

Health data and sexual life data can only be processed by natural persons who are under an oath of secrecy or by authorities for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of care and treatment services or planning, and the management and financing of healthcare services.

Deletion, destruction or anonymization of personal data

The Regulation on Deletion, Destruction or Anonymization of Personal Data ("Regulation on Deletion of Personal Data") was published in the Official Gazette dated October 28, 2017, and entered into force on January 1, 2018. This Regulation is particularly important for data controllers because of the time limits it sets for the deletion, destruction or anonymization of personal data.

Pursuant to the Regulation on Deletion of Personal Data, data controllers are required to prepare a personal data processing inventory and a personal data storage and destruction policy (Policy). Data controllers are also required to take measures to safeguard the data that they are processing, identify persons working in personal data storage and destruction processes, categorize personal data, store and destroy these data, and determine periodic destruction processes.

If the prerequisites for processing personal data provided under the LPPD are no longer met, the personal data must be deleted, destroyed or anonymized by the data controller (of its own accord or upon the request of the data subject). All actions taken in the course of this process must be recorded, and these records shall be kept for at least three years.

In addition, if a data controller no longer meets the above conditions for processing personal data, it must carry out periodic destruction. Periodic destruction is the deletion, destruction or anonymization of personal data at recurring intervals specified in the relevant data controller's Policy. This interval cannot exceed six months.

Transfer

The LPPD distinguishes between the transfer of personal data to third parties in Turkey and the transfer of personal data to third countries.

Transfer of personal data to third parties

In principle, personal data can be transferred to third parties with the explicit consent of the data subject. The conditions and exemptions applied to collection and processing of personal data also apply to the transfer of personal data to third parties.

Transfer of personal data to parties in third countries

In addition to the conditions and exemptions that apply to the transfer of personal data to third parties, one of the following conditions must be met for a transfer of data to parties in third countries:

  • The country to which personal data will be sent shall have sufficient level of protection.
  • The data controllers in Turkey and in the target country shall undertake in writing to provide adequate protection, and shall obtain the Personal Data Protection Board's permission.

The Personal Data Protection Board shall declare the countries having an adequate level of protection. So far, the Personal Data Protection Board has not announced any country. However, it has announced the minimum clauses that data controllers' written undertakings must contain, and has published example undertakings for transfers to countries that do not have an adequate level of protection.

Security

In light of the provisions of the LPPD and consistent with the principles of good faith, those entrusted with personal data are expected to ensure protection of such data. Under the LPPD, the data controller is required to ensure that appropriate technical and organizational measures are taken to prevent all illegal processing and to ensure the data is not destroyed, lost, amended, disclosed or transferred without authority. Such measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected. Additionally, the data controller has to carry out the necessary inspections on its own institution or organization in order to ensure the implementation of the LPPD.

Data controllers and data processors shall not disclose any personal data in contradiction with the provisions of the LPPD and shall not use any personal data for any purpose other than the purpose of processing. This obligation continues after they leave their institution.

In addition, the LPPD enables data subjects to apply to data controllers by various means in relation to their rights stated in Article 11. Data controllers have an obligation to take every necessary administrative and technical measure effectively to finalize these applications in accordance with the LPPD and in good faith. The Communiqué on Procedures and Principles for Application to Data Controller dated March 10, 2018, numbered 30356 outlines the procedures of application.

Breach Notification

Under the LPPD, controllers must notify the data subject and the Data Protection Authority in case of a data breach. The Data Protection Authority reserves the right to inform the public about the breach if it deems this necessary.

While there is no specific time frame stipulated in the LPPD, with the decision numbered 2019/10, which was published on February 15, 2019, the Data Protection Authority stipulated the procedure for breach notifications, which can be found at https://www.kvkk.gov.tr/Icerik/5362/Veri-Ihlali-Bildirimi.

Notification to the Data Protection Authority

Pursuant to Decision 2019/10, data controllers are required to notify the Data Protection Authority within 72 hours of becoming aware of a breach.

In cases where the notification cannot be sent within 72 hours, the reasons for the delay must be provided as well.

Further, with the Decision 2019/10, the Data Protection Authority published the Data Breach Notification Form, which can be accessed here: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/617f166c-24e1-42b5-a9cb-d756d6443af9.pdf

For all data breach notifications sent to the Data Protection Authority, the Data Breach Notification Form must be used. If it is not possible to fill out all of the information in the Data Breach Notification Form, a partially filled form may be sent to the Data Protection Authority. Therefore, gradual breach notification is possible.

The data breach notification to the Data Protection Authority can be sent via e-mail by sending the Data Breach Notification Form to ihlalbildirimi@kvkk.gov.tr with the subject "Kişisel veri ihlali bildirimi".

Alternatively, the form can be sent by post to the Data Protection Authority’s address.

Notification to Data Subjects

There is no clear time frame stipulated for notification to data subjects. The LPPD and Decision 2019/10 require data subjects to be notified "as soon as possible". Notifications can be sent to data subjects directly if the data controller has their contact information. If not, any other appropriate means can be used, such as announcing the breach on the data controller's website.

Other requirements

Pursuant to Decision 2019/10, data controllers are required to prepare a “Data Breach Response Plan” which should specify who, within the organization, should be contacted in the event of a data breach. This person will be the primary person responsible for assessing the consequences of such a breach.

Further, there is a requirement to retain the records regarding (i) information on the data security breach, (ii) impacts of the breach, and (iii) measures taken, and to make these available for a possible assessment by the DPA.

Enforcement

Under the LPPD, the Board may impose administrative fines of up to TRY 1,000,000 for each incident. (These amounts are increased each year based on the revaluation rates published in the Official Gazette in Tax Procedural Law Communiqués; the revalued amount for 2019 is approx. TRY 1,470,583.) The following administrative fines apply for non-compliance with the data protection laws:

  • Non-compliance with the information notice requirements: a fine between TRY 7,352 and TRY 147,058 (approx. €1,145 to €22,890);
  • Non-compliance with the data security obligations: a fine between TRY 22,058 and TRY 1,470,583 (approx. €3,435 to €229,000);
  • Non-compliance with Data Protection Authority orders/decisions: a fine between TRY 36,764 and TRY 1,470,583 (approx. €5,726 to €229,000); and
  • Non-compliance with the Data Controllers' Registry requirements: a fine between TRY 29,411 and TRY 1,470,583 (approx. €4,580 to €229,000).

Further, under the Turkish Criminal Code, the following acts are punishable by imprisonment:

  • Persons who illegally collect personal data may be subject to imprisonment for a term of between one and three years. If the personal data is sensitive personal data, the offender may be subject to imprisonment for a term of between one and a half years to four and a half years.
  • Persons who illegally transfer personal data or make personal data available to the public may be subject to imprisonment for a term of between two and four years.
  • If any of the above criminal acts are committed by using the advantage or ease of a specific profession, or by a public officer using the authority given to him/her, the sanctions will be increased by 50%.
  • Those responsible for the deletion of data following the expiry of the retention period, and who fail to do so, can be subject to imprisonment for a term of between one and two years.

Electronic Marketing

The Law on Regulation of Electronic Trade was published in the Official Gazette on November 5, 2014 (Electronic Trade Law). The Electronic Trade Law came into force on May 1, 2015. Secondary legislation (The Regulation on Electronic Trade) was published in the Official Gazette on August 26, 2015, and came into force on the same date.

Pursuant to the Electronic Trade Law, commercial electronic communications (electronic marketing) can only be sent if prior consent (opt-in) has been obtained from the recipients. Such consent may be obtained in writing or through electronic communication; if the consent is obtained in physical form, it must contain the recipient's signature. Commercial electronic communications can be sent to craftsmen and merchants without obtaining prior consent. The commercial electronic communication must comply with the consent obtained from the recipient, and must contain the identity of the service provider, contact information (such as email, SMS, telephone number or fax number, depending on the type of commercial electronic communication), and, if sent on behalf of a third party, information about that third party.

Consumers have the right to refuse commercial electronic communications, and the service provider is obliged to allow the refusal to be transmitted free of charge. Commercial electronic communications to the recipient must cease within three business days of receipt of the refusal. Non-compliance with the above obligations is subject to administrative fines of between TRY 1,000 and TRY 15,000.

The Communiqué on Electronic Trade Information System and Obligations of Notification (Communiqué) was published in the Official Gazette on August 11, 2017, and entered in force on the same date. The Communiqué regulates the procedure and principles related to the registration and notifications through the Electronic Trade Information System (ETBIS), in respect of service providers operating in electronic trade (e-trade) and intermediary service providers that provide e-trade environments for the economic and commercial activities of others. Within the scope of the Communiqué, service providers and intermediary service providers are required to enroll in ETBIS before starting e-commerce activities. Service providers and intermediary service providers must provide information about the service, type of goods and services offered, payment methods and the like.

Similar regulations are enacted under electronic trade law. Accordingly, the obligation of registration and notification to ETBIS is imposed on service providers and intermediaries possessing certain qualifications. With regards to the Communiqué, service providers and intermediary service providers were obliged to fulfill this obligation between December 1, 2017, and December 31, 2017.

Administrative fines of between TRY 5,000 and TRY 20,000 shall be imposed on providers that do not register with ETBIS.

The Ministry of Customs and Trade is empowered to establish an electronic system for receiving consents to commercial electronic communications and for exercising the right to refuse. Consents received under the Electronic Trade Law shall be transferred to the system within the time limit set by the Ministry. Recipients exercise their right to refuse through this system. Other procedures and principles regarding the establishment of the system, the transfer of consents to the system, the exercise of the right to refuse, and the operation of the system will be determined by secondary legislation.

Since electronic marketing activities increasingly involve the use of personal data, the Electronic Trade Law and the LPPD may often apply at the same time. The Personal Data Protection Board Decision dated October 16, 2018, numbered 2018/119, states that commercial electronic communications such as advertisement notifications and marketing telephone calls also fall within the scope of the LPPD. However, this decision raised some questions regarding the simultaneous application and enforcement of the Electronic Trade Law and the LPPD, especially in relation to fines, which may be imposed twice, under both the LPPD and the Electronic Trade Law.

Online Privacy

There is no legislation in Turkey that specifically regulates privacy in respect of cookies and location data. However, Law No. 5651 on Regulating Broadcasting in the Internet and Fighting against Crimes Committed through Internet Broadcasting enables Internet users to initiate prosecution in case of infringements of their personal rights.

Under the Regulation on Protection of Personal Data in the Electronic Communications Sector and Preservation of Privacy, an Operator cannot process traffic data for purposes other than those required for the purposes of their service. Traffic data shall be processed in accordance with the provisions of the relevant legislation for the purposes of traffic management, interconnection, billing, corruption detection and similar transactions or settlement of disputes. The processed and stored traffic data belonging to the subscriber / user shall be deleted or made anonymous after the completion of the required activity to process and store these data.

Traffic data may be processed if required for marketing electronic communication services or providing value added electronic communication services, provided that either it is anonymized, or relevant subscribers / users give their consent after being informed of the traffic data to be processed and the processing time.

Location data not qualifying as traffic data may be processed if required to provide value added electronic communication services, on the condition that it is anonymized or the relevant subscribers / users give their consent after being informed of the location data to be processed and of the purpose and duration of the processing.

Administrative fines of up to three percent of the Operator's net sales in the previous calendar year shall be imposed if it fails to comply with its obligations regarding the processing of traffic data and location data.

Contacts

Burak Özdağıstanli
Partner
T +90 216 663 60 11

Hatice Ekici Tağa
Partner
T +90 216 663 60 11