DLA Piper Intelligence
Data Protection Laws of the World

Law

Turkey

The main piece of legislation covering data protection in Turkey is the Law on the Protection of Personal Data No. 6698 dated 7 April 2016 ("LPPD"). The LPPD is primarily based on EU Directive 95/46/EC.

To date, three Regulations have been enacted in order to implement various aspects of the LPPD:

  1. Regulation on the Erasure, Destruction and Anonymizing of Personal Data (published in the Official Gazette dated 28 October 2017 numbered 30224);
  2. Regulation on the Working Procedures and Principles of Personal Data Protection Board (published in the Official Gazette dated 16 November 2017 numbered 30242); and
  3. Regulation on the Registry of Data Controllers (published in the Official Gazette dated 30 December 2017 numbered 30286).

Certain general laws such as the Turkish Criminal Code no. 5237 and sector specific laws such as Electronic Communications Law No. 5809 also touch upon data protection, and are mentioned below when relevant.

Last modified 24 Jan 2018
Definitions

Definition of personal data

In the LPPD, personal data is defined as "any information relating to an identified or identifiable natural person".

Definition of sensitive personal data

Sensitive personal data (Special Categories of Personal Data under the LPPD) is defined as "personal data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, information related to health, sex life, previous criminal convictions and security measures, and biometric and genetic data”.

Last modified 24 Jan 2018
Authority

The national data protection authority is the Kişisel Verileri Koruma Kurumu ("Personal Data Protection Authority"). The Authority’s decision-making body is Kişisel Verileri Koruma Kurulu ("Personal Data Protection Board"), whose duties and powers are regulated under the Regulation on the Working Procedures and Principles of Personal Data Protection Board.

Kişisel Verileri Koruma Kurumu
Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4
06520 Balgat-Çankaya/Ankara
T +90 312 216 5050
http://www.kvkk.gov.tr

Last modified 24 Jan 2018
Registration

Pursuant to the LPPD and Regulation on the Registry of Data Controllers, data controllers are required to enrol in the Registry of Data Controllers before proceeding with data processing.

The Regulation on the Registry of Data Controllers was published in the Official Gazette dated 30 December 2017 and entered into force on 1 January 2018. It regulates the establishment of a publicly accessible registry which is to be held by the Personal Data Protection Authority and the procedures and principles concerning enrolment in the registry.

Under the Regulation, all data controllers are required to enrol in the Data Controllers Registry before proceeding with data processing. However, the Personal Data Protection Board may exempt data controllers from the enrolment obligation, taking into account the nature and volume of the personal data, the purpose of the processing and other objective criteria. In addition, data controllers have no obligation to enrol in the registry or to report the following processing activities:

  1. if processing of personal data is required for criminal investigation or for prevention of a criminal offence;
  2. if the personal data being processed is already publicized by the data subject;
  3. if, based on the authority given by Law, personal data processing is required for disciplinary investigation or prosecution and execution of the supervision or regulation duties to be conducted by public institutions and organizations and professional organizations with public institution status; or
  4. if processing of personal data is required to protect the economic and financial interests of the State in relation to budget, tax and financial matters.

Data controllers who are non-resident in Turkey shall enrol in the registry through a representative they assign in Turkey. Legal persons in Turkey or Turkish citizens may be assigned as representatives for this purpose.

In addition, both legal entities resident in Turkey and above-mentioned representatives of non-resident data controllers shall, as part of the enrolment procedure, appoint an individual to act as “contact person” for both the Data Protection Authority and for data subjects.

Operations related to the Registry shall be carried out by data controllers through VERBIS (Data Controllers Registry Information System). Administrative fines of between TRY 20,000 (approx. €4,500) and TRY 1,000,000 (approx. €220,000) may be imposed on data controllers breaching their obligations regarding the Registry.

Last modified 24 Jan 2018
Data Protection Officers

There is not yet a requirement in Turkey to appoint a data protection officer.

Last modified 24 Jan 2018
Collection & Processing

Pursuant to the LPPD, certain principles must be complied with when collecting and processing personal data. Under these principles, personal data must be:

  • processed fairly and lawfully;
  • accurate and up to date;
  • processed for specific, explicit and legitimate purposes;
  • relevant, adequate and not excessive; and
  • retained only for the period prescribed in the relevant legislation or required for the purposes for which the data are processed.

Further, in principle, personal data may not be collected or processed without the explicit consent of the data subject. However, the LPPD sets out certain exceptions where consent is not required. These are:

  • processing is expressly permitted by law;
  • processing is necessary for protection of the life or physical integrity of the data subject or a third party, where the data subject is not physically or legally capable of giving consent;
  • processing personal data of the contractual parties is necessary for the conclusion or the performance of a contract;
  • processing is mandatory for the data controller to perform his/her legal obligation(s);
  • personal data has been made public by the data subject;
  • processing is necessary in order to assign, use or protect a right; or
  • processing is necessary for the legitimate interests of the data processor and does not damage the rights of the data subject.

As part of the collection of data from the data subject the controller is obliged to provide the data subject with the following information:

  • the identity of the controller and of his representative, if any;
  • the purposes of the processing for which the data is intended;
  • the recipients of the data and the reasons for transfer;
  • the method of collecting the data and its legal basis; and
  • the rights of the data subject.

Where the data has not been obtained from the data subject, the controller shall provide the data subject with the above stated information as well as details of the categories of data concerned.

Processing of sensitive personal data without the explicit consent of the data subject is generally forbidden, although sensitive data other than health and sexual life data may be processed without explicit consent where legislation permits such processing.

Health data and sexual life data can only be processed by natural persons who are under an oath of secrecy or by authorities for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of care and treatment services or planning, management and financing of health-care services.

The Regulation on Processing and Protecting the Privacy of Personal Health Data ("Regulation on Health Data") was published in the Official Gazette dated 20 October 2016 and came into force on the same date.

The Regulation on Health Data, as amended, sets out the rules and procedures for collecting, processing and transferring personal health data and provides for an access system to be established. It also regulates the procedures and principles to be followed in notifying the Ministry of Health of employee movements in relation to the provision of health services. Those who process such data shall not copy, save or store personal health data on any system other than the access system established by the Ministry of Health, the central health data system or other data recording environments approved by the relevant authorities. The data subject may withdraw consent to the processing and transfer of the data at any time, unless a legal provision or judicial decision provides otherwise.

Deletion, destruction or anonymization of personal data

The Regulation on Deletion, Destruction or Anonymization of Personal Data ("Regulation on Deletion of Personal Data") was published in the Official Gazette dated 28 October 2017 and entered into force on 1 January 2018. The Regulation is particularly important for data controllers because of the time limits it sets for the deletion, destruction or anonymization of personal data.

Pursuant to the Regulation on Deletion of Personal Data, data controllers are required to prepare a personal data processing inventory and a personal data storage and destruction policy ("Policy"). Data controllers are also obliged to determine precautions to be taken for the processing of personal data, identify persons working in personal data storage and destruction processes, categorize personal data, store and destroy these data and determine periodic destruction processes.

If none of the conditions for processing personal data under the LPPD is met, the data controller must delete, destroy or anonymize the personal data, either of its own accord or on the application of the data subject. All actions taken in carrying out this process must be recorded, and these records must be kept for at least three years.

In addition, where the conditions for processing personal data set out in the law are no longer met, data controllers must carry out "periodic destruction". Periodic destruction is the deletion, destruction or anonymization of personal data at recurring intervals specified in the data controller's Policy. This interval may not exceed six months.

Last modified 24 Jan 2018
Transfer

The LPPD distinguishes between the transfer of personal data to third parties in Turkey and the transfer of personal data to third countries.

Transfer of personal data to third parties

In principle, personal data may be transferred to third parties with the explicit consent of the data subject. The conditions and exemptions that apply to the collection and processing of personal data also apply to its transfer to third parties.

Transfer of personal data to parties in third countries

In addition to the conditions and exemptions that apply to the transfer of personal data to third parties, one of the following conditions must be met for a transfer to a party in a third country:

  • the country to which the personal data will be sent provides a sufficient level of protection; or
  • the data controllers in Turkey and in the target country undertake in writing to protect the data and obtain the Personal Data Protection Board's permission.

Last modified 24 Jan 2018
Security

In light of the provisions of the LPPD and consistent with the principles of good faith, those entrusted with personal data are expected to ensure protection of such data. Under the LPPD, the data controller is required to ensure that appropriate technical and organisational measures are taken to prevent all illegal processing and to ensure the data is not destroyed, lost, amended, disclosed or transferred without authority. Such measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected. Additionally, the data controller has to carry out the necessary inspections on its own institution or organization in order to ensure the implementation of the LPPD.

Data controllers and data processors shall not disclose any personal data in contravention of the LPPD and shall not use personal data for any purpose other than the purpose of processing. This obligation continues after they leave their institution.

Last modified 24 Jan 2018
Breach Notification

There is no general breach notification obligation under the LPPD. However, in the event that personal data is unlawfully obtained by others, the data controller must notify the Personal Data Protection Board and the data subject as soon as possible. If necessary, the Board may declare such situation on its website or in any other way it deems appropriate.

Additionally, under the Regulation on the Protection of Personal Data in the Electronic Communications Sector and the Preservation of Privacy, companies providing electronic communication services and/or operating an electronic communications network and its infrastructure ("Operators") are obliged to inform the Personal Data Protection Authority in a timely and effective manner where there is a risk to the security of the network and of personal data.

Administrative fines of up to three percent (3%) of the Operator's net sales in the previous calendar year may be imposed if personal data is accidentally, unlawfully or without authorisation destroyed, altered, stored, recorded, processed or disclosed.

Last modified 24 Jan 2018
Enforcement

The LPPD and the Turkish Criminal Code No. 5237 impose custodial sentences for the unlawful processing of data. The Turkish Civil Law No. 4721 grants the right to claim compensation for the unjust use of data, and a number of other laws impose administrative fines.

Furthermore, the LPPD introduces administrative fines of up to TRY 1,000,000 (approx. €227,000) for those who act contrary to its requirements or rules.

Administrative fines of between TRY 5,000 (approx. €1,900) and TRY 20,000 (approx. €4,500) shall be imposed on service providers that do not fulfil the obligation to register with ETBIS.

As noted above, administrative fines of between TRY 20,000 (approx. €4,500) and TRY 1,000,000 (approx. €220,000) shall be imposed on data controllers that do not fulfil the registration obligation under the Regulation on the Registry of Data Controllers.

Last modified 24 Jan 2018
Electronic Marketing

The Law on Regulation of Electronic Trade was published in the Official Gazette on 5 November 2014 ("Electronic Trade Law"). The Electronic Trade Law came into force on 1 May 2015. Secondary legislation ("The Regulation on Electronic Trade") was published in the Official Gazette on 26 August 2015 and came into force on the same date.

Pursuant to the Electronic Trade Law, commercial electronic communications (electronic marketing) may only be sent if prior consent (opt-in) has been obtained from the recipient. Consent may be obtained in writing or by means of electronic communication; consent given in physical form must bear the recipient's signature. Commercial electronic communications may be sent to craftsmen and merchants without prior consent. The communication must comply with the consent obtained from the recipient and must state the identity of the service provider, contact details (e-mail address, SMS number, telephone number or fax number, depending on the type of communication) and, if sent on behalf of a third party, information about that third party.

Consumers have the right to refuse commercial electronic communications, and the service provider is obliged to allow the refusal to be transmitted free of charge. Commercial electronic communications to the recipient must cease within 3 business days of receipt of the refusal. Non-compliance with the above obligations is subject to administrative fines of between TRY 1,000 and TRY 15,000 (approx. €220 to €3,300).

The Communiqué on Electronic Trade Information System and Obligations of Notification ("Communiqué") was published in the Official Gazette on 11 August 2017 and entered into force on the same date. The Communiqué regulates the procedures and principles for registration and notification through the Electronic Trade Information System ("ETBIS") in respect of service providers operating in electronic trade (e-trade) and intermediary service providers that provide e-trade environments for the economic and commercial activities of others. Under the Communiqué, service providers and intermediary service providers are obliged to enrol in ETBIS before starting e-commerce activities, and must provide information about the service, the type of goods and services offered, payment methods and the like.

Similar provisions exist under the Electronic Trade Law. Accordingly, the obligation to register with and notify ETBIS is imposed on service providers and intermediaries meeting certain criteria. Under the Communiqué, service providers and intermediary service providers were required to comply with this obligation between 1 December 2017 and 31 December 2017.

Administrative fines of between TRY 5,000 (approx. €1,900) and TRY 20,000 (approx. €4,500) shall be imposed on providers that do not fulfil the obligation to register with ETBIS.

The Ministry of Customs and Trade is also empowered to establish an electronic system for receiving consents to commercial electronic communications and for exercising the right to refuse. Consents obtained under the Electronic Trade Law shall be transferred to the system within the time limit set by the Ministry, and recipients shall exercise their right to refuse through this system. Further procedures and principles regarding the establishment of the system, the transfer of consents to it, the exercise of the right to refuse and the operation of the system will be determined by secondary legislation.

Last modified 24 Jan 2018
Online Privacy

There is no legislation in Turkey which specifically regulates privacy in respect of cookies and location data. However, Law No. 5651 on Regulating Broadcasting in the Internet and Fighting against Crimes Committed through Internet Broadcasting enables internet users to initiate prosecution in the event of infringements of their personal rights.

Under the Regulation on Protection of Personal Data in the Electronic Communications Sector and Preservation of Privacy, an Operator may not process traffic data for purposes other than those required for its service. Traffic data shall be processed in accordance with the relevant legislation for the purposes of traffic management, interconnection, billing, corruption detection and similar operations, or for the settlement of disputes. Processed and stored traffic data belonging to a subscriber/user shall be deleted or anonymized once the activity requiring its processing and storage has been completed.

Traffic data may be processed if required for marketing electronic communication services or providing value added electronic communication services, provided that either it is anonymized, or relevant subscribers / users give their consent after being informed of the traffic data to be processed and the processing time.

Location data not qualifying as traffic data may be processed if required to provide value added electronic communication services, on the condition that it is anonymized or the relevant subscribers/users give their consent after being informed of the location data to be processed and of the purpose and duration of the processing.

Administrative fines of up to three percent (3%) of the Operator's net sales in the previous calendar year shall be imposed if it fails to comply with its obligations regarding the processing of traffic data and location data.

Last modified 24 Jan 2018
Contacts
Görkem Gökçe
Managing Partner
T +90 212 352 88 33
Last modified 24 Jan 2018