New Legislation Alert: Law on Protection of Personal Data

April 2016

The law on protection of personal data is a long-awaited legislation. Turkey’s long journey for passing legislation on data protection dates back to 1981, signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Although being among the initial signatories, Turkey did not passed a law on data protection since then and the Convention cannot become effective in respect of Turkey[1].  

In 2005, new Turkish Criminal Code (No. 5237) has been adopted containing new crimes in respect of collecting, recording and processing of personal data unlawfully. Then in 2010, protection of personal data has acquired constitutional protection with the amendment made to Article 20 of Turkish Constitution. Thereafter, protection of personal data is enforced through general provisions laid down in Turkish Constitution, Turkish Criminal Code and a number of laws and regulations[2].

In between, in 2008, within the scope of EU accession process, a draft law has been drawn up in principle based on EU’s directive, namely 95/46/EC. The draft law could not been enacted and in 2012, the draft law with revision has been submitted to the parliament[3]. In January 2016, to proceed on EU’s accession negotiations, the draft law –again with revisions- submitted to the parliament to be discussed. The Law on Protection of Personal Data (No. 6698) enacted and published in Official Gazette on April 07, 2016 (the “Law”).

What is new?

The Law regulating rules and procedures regards processing of personal data introduces a new privacy regime for personal data. To begin with, the Law applies to (i) any natural person whose personal data is processed and (ii) any natural person or legal person who processes personal data, whether such data is processed in full or in part, automatically or non-automatically subject to be part of any data registry system. To this end, each company falls into scope of the Law by virtue of the kept data of its employees and/or customers or similar.

Under the Law, “processing of personal data” is the any and all operations performed upon the personal data as of its inquiry and defined as any kind of operation which is performed upon personal data in full or in part, whether by automatic means or subject to be part of any data registry system by non-automatic means, such as collection, recording, storage, retaining, alteration, reorganizing, disclosing, transferring, taking over, making it available, classifying or blocking to be used. In this respect, any and all activity performed by using personal data starting with collecting the personal data for the first time to deleting, erasing or anonymization shall be considered within the scope of processing of personal data.

Prominent aspects of the Law may be highlighted as;

  • Definition of personal data and sensitive data
  • Establishment of an authority and a registry
  • Appointment of data controller
  • Procedure for transfer of personal data including sensitive data

Personal data – The Law defines “personal data” as any information relating to an identified or identifiable natural person.

Sensitive data – The Law acknowledges the personal data revealing race, ethnic origins, political opinions, philosophical beliefs, religion, sect or other beliefs, choice of personal clothing, association, foundation or union membership, health, sexual life, criminal records, security measures, and biometric and genetic data as sensitive personal data.

Personal Data Protection Authority – In accordance with the Law an authority –namely, the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu)- and a council –the National Data Protection Council (Kişisel Verileri Koruma Kurulu)- is established. Council is the body provided with duties and power to enforce application of the law, monitor data processing and ensure compliance.

Data Controller Registry – The Law stipulates keeping a Data Controller Registry under the scrutiny of the Council. Natural and legal persons who process personal data are required to register prior to commencing any data processing activities save for the exemptions set forth by the Law.

Data controller – The Law defines “data controller” as the natural or legal person, which determines the purposes and means of the processing of personal data; responsible for the data registry system to be set up and managed.

Transfer of data – The Law enables transfer of personal data to third parties and abroad subject to set of conditions under the Law.

How will companies be affected?

Companies fall into scope of the Law whether by virtue of the kept data of its employees or customers or similar. Therefore, in line with this brand new privacy regime, companies need to review and assess their data collection and processing procedures and ensure the required mechanisms under the Law are established and in place.

Explicit consent – The primary principle under the Law for processing and transferring personal data is obtaining the explicit consent of the data subject[4]. The Law defines “explicit consent” as a consent that is freely given on a specific matter and informed indication of data subject’s wishes. The Law does not set the requirements for explicit consent separately. Just the preamble of Law states that explicit consent should be understood as the declaration of data subject’s consent to personal data pertaining to her/him being processed that is freely given as being sufficiently informed, unambiguous and only limited to a specific action.

To this end, companies should be prudent to recording and retaining consents and sufficiently inform the data subjects to the scope of processing and receive their written explicit consent.

Applicable principles – Processing of personal data should comply with the following principles:

  • Processed fairly and lawfully;
  • Accurate and keep up to date;
  • Processed for specified, explicit and legitimate purposes;
  • Relevant, limited and not excessive in relation to purposes for which they are processed
  • Kept for duration permitted by law or no longer than is necessary for the purposes for which they are processed.

 Companies should ensure their compliance to abovementioned principles while collecting and processing of personal data.

Duty to notify – The Law requires that at the time of collection of the personal data the data subject to be informed as to the identity of the data controller (or the representative), the purpose for which personal will be processed, to whom and for what purpose the personal data may be transferred, the method of collection of personal data and its legal ground, and all other rights that the data subject has as per Law.

Companies will have to designate a data controller in order to process personal data, receive and log any complaints made by data subjects.

Security of the personal data – The Law envisages the data controller to ensure that appropriate technical and organisational measures are taken to prevent all illegal processing and access as well as to ensure the retaining of personal data. In the event of the personal data is processed by a processor (either natural or legal person), the data controller will jointly and severally liable with the processor.

Enforcement – The Law foresees transition periods for the application of the Law. Please refer to key milestones below.

In addition to the sanctions imposed under the Turkish Criminal Code No. 5237 the Law also introduces administrative fines for failing to comply with the obligations of the Law ranging from TL 5,000 (approximately EUR 1,550) to TL 1,000,000 (approximately EUR 31,000)[5].

Key milestones

All companies collecting and processing personal data should observe the below key milestones;

From April 7, 2016 onward
  • Obtain express consent before collecting new personal and sensitive data.
  • Review the personal data which was collected before the Law was enacted, develop a compliance strategy and ensure the compliance.
  • Designate an authorized staff to carry out the operations in respect to data protection.
  • Establish a control system for data protection and regularly audit the system.

From April 7, 2016 to

October 7, 2016

Once the Data Protection Board/Council and Data Controller Registry are established register its data controller.

From April 7, 2016 to

April 7, 2017

Once the secondary legislation is enacted review the provisions regards the operational procedures on the Law and comply accordingly.
April 7, 2018 The deadline for ensuring all personal data collected prior to entry into force of the Law is compliant.


The subject matter of the Law is safeguarding the fundamental rights and freedoms of the individuals, in particular their right to private life with respect to processing of personal data. In this regard, one-size-fits-all approach shall not be applicable for compliance with Law; each situation needs to be evaluated individually.

[1] The Convention sets out that each Party shall take the necessary measures in its domestic law to give effect to the basic principles of the Convention and taking these measures is acknowledged as a condition for entry into force of the Convention in respect of that Party.

[2] So far there are limited sector specific legislations such as health, electronic communications.

[3] We note that more recent developments (i.e Directive Proposal 2012/0010/COD) have not taken into consideration during this revision; also same for the amendments in 2016.

[4] The Law includes exceptions where explicit consent not required provided that at least one of these are applicable: (i) processing is explicitly foreseen by law, (ii) processing is compulsory for the protection of the life or physical integrity of the data subject or another where the data subject is incapable of giving consent, (iii) personal data of the contracting parties provided that processing is necessary the execution or performance of a contract to which data subject is party, (iv) processing is compulsory for the performance of data controller’s legal duty, (v) personal data has been made available in the public domain by the data subject, (vi) processing is compulsory for the establishment, exercising or protection of a right, (vii) processing is compulsory for the purpose of legitimate interest of data controller provided that not overriding the fundamental rights and freedoms of the data subject.

[5] The fines under the Law are as follows: TL 5,000 to TL 100,000 for failing to notify, TL 15,000 to TL 1,000,000 for failing to comply with obligations for ensuring data security, TL 25,000 to TL 1,000,000 for failing to execute National Authority’s decisions, TL 20,000 to TL 1,000,000 for failing to comply with obligations to register.

© 2020 Cektirlaw