Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?
The new Data Protection Law, which has been in preparation since 2003, was finally approved by Parliament on March 24 2016 and published in the Official Gazette on April 7 2016. This is Turkey’s first dedicated general data protection law. The law is mainly based on the EU Data Protection Directive (95/46/EC), but differs from the EU data protection regime in certain respects.
As the Data Protection Directive has been implemented for many years and the European Union is preparing the forthcoming EU General Data Protection Regulation (2016/679), and considering data privacy and protection trends throughout the world, Turkey can be considered to be behind the international curve.
Are any changes to existing data protection legislation proposed or expected in the near future?
The Data Protection Law was enacted as recently as April 7 2016. Hence, no changes are expected or proposed in the near future. However, secondary legislation regulating in detail the principles set forth under the law will be enacted within one year of this date.
What legislation governs the collection, storage and use of personal data?
The Data Protection Law governs the collection, storage and use of personal data. It is supplemented by sector-specific regulations, including:
- the Regulation on Processing and Protection of Privacy of Personal Data in the Electronic Communications Sector;
- the Regulation on Protection and Sharing of the General Health Insurance Data; and
- the Regulation on Data Privacy and Principles and Procedures Regarding Security of Confidential Data in the Official Statistics.
Scope and jurisdiction
Who falls within the scope of the legislation?
The Data Protection Law applies to real persons whose data is processed and real persons or legal entities that process personal data.
What kind of data falls within the scope of the legislation?
The Data Protection Law applies to personal data (including sensitive personal data) processed wholly or partly by:
- automatic means; or
- non-automatic means, provided that the data is part of a data filing system.
Are data owners required to register with the relevant authority before processing data?
Under the Data Protection Law, persons or legal entities must register on the Data File Registry before processing personal data. The Personal Data Protection Board may grant exemptions based on certain objective criteria, such as the type of data, the amount of data and whether the processing is based on the law.
Is information regarding registered data owners publicly available?
Under the Data Protection Law, the Personal Data Protection Authority must maintain a public data file registry. Article 16 stipulates that a data controllers’ registry will be maintained publicly under the supervision of the Personal Data Protection Board.
Is there a requirement to appoint a data protection officer?
Which body is responsible for enforcing data protection legislation and what are its powers?
Turkey has no specific data protection authority. However, the Data Protection Law stipulates the establishment of the Personal Data Protection Authority, which is authorised to supervise data processing systems’ compliance with the law.
Under the Data Protection Law, the Personal Data Protection Authority will evaluate complaints regarding the application of data protection provisions and subsequently issue instructions for data handlers or halt the processing of personal data and impose administrative fines.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Article 4 of the Data Protection Law provides that personal data must be processed to achieve a “clear, certain and legitimate purpose”; therefore, personal data may not be processed for an unrelated purpose. Article 4 further states that personal data may be processed only in line with the Data Protection Law and other laws. Data processing must be lawful, in good faith, precise and up to date. The data must be preserved for the period determined by the relevant legislation or necessary for the purpose of processing.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The Data Protection Law states that personal data may be processed for as long as necessary to realise the purpose of doing so; it also refers to the relevant laws, which require retention periods for certain data.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes. A data subject may:
- apply to the data controller to learn whether data relating to him or her is being processed;
- request relevant information if personal data relating to him or her is being processed;
- request information regarding the purposes of the processing and whether the personal data has been processed accordingly;
- obtain information regarding third parties (in or outside Turkey) to which personal data is being transferred;
- request the correction of incomplete or inaccurate processing of personal data;
- request the erasure or destruction of personal data, within the framework of the provision of the Data Protection Law entitled “Erasure, Destruction or Anonymisation of Personal Data”;
- request notification to third parties receiving the data of:
- corrections related to inaccurate or incomplete personal data processing; or
- the erasure, destruction or anonymisation of personal data;
- object to the potentially negative consequences of the analysis of personal data by exclusively automated systems; and
- demand compensation for damages suffered as a result of an unlawful processing operation.
Do individuals have a right to request deletion of their data?
Yes. Article 7 of the Data Protection Law requires the erasure, destruction or anonymisation of personal data by the data controller either ex officio or at the request of the data subject (even if the data is processed in line with the relevant legislation), when the reasons for the processing of personal data are no longer valid.
Is consent required before processing personal data?
Yes. Article 5 of the Data Protection Law requires a data subject’s explicit consent for the processing of personal data. However, the law provides exceptions to the explicit consent requirement.
If consent is not provided, are there other circumstances in which data processing is permitted?
Article 5(2) of the Data Protection Law permits processing of personal data without the explicit consent of the data subject, where:
- it is explicitly foreseen by law;
- processing is necessary to protect the vital interests or bodily integrity of the data subject (or of another person, where the data subject is physically or legally incapable of giving consent);
- processing the personal data of the parties to a contract is necessary (provided that it is directly related to the execution or performance of the contract);
- processing is necessary for compliance with a legal obligation to which the data controller is subject;
- the data has been made public by the data subject;
- processing is necessary for the establishment, exercise or defence of a legal claim; or
- processing is necessary for the legitimate interests of the data controller, provided that such interests do not violate the fundamental rights and freedoms of the data subject.
However, special categories of personal data may not be processed without the data subject’s explicit consent. Special categories of personal data – other than those related to health and sex life – may be processed without the explicit consent of the data subject if the processing is explicitly foreseen by law. Personal data relating to health and sex life may be processed without the explicit consent of the data subject only if the data is processed by authorised entities and institutions or persons who are under a confidentiality obligation for the purposes of:
- protection of public health;
- preventive medicine;
- medical diagnosis; or
- planning, managing and financing of treatment and maintenance services.
What information must be provided to individuals when personal data is collected?
Article 10 of the Data Protection Law stipulates that the data controller or any other person authorised by the data controller must provide data subjects with the following information during the collection of personal data:
- the identity of the data controller (and representative, if any);
- the purposes of the data processing;
- to which parties and with what purpose the processed personal data can be transferred;
- the method and legal reason for the data collection; and
- the data subjects’ rights under Article 11 of the Data Protection Law.
Data security and breach notification
Are there specific security obligations that must be complied with?
The Data Protection Law obliges data controllers to take the appropriate technical and administrative measures to protect personal data. The law prescribes no specific technical requirements. However, the International Organisation for Standardisation (ISO) has already produced a set of standards with respect to technical data security measures: ISO/IEC 27000. However, whether the ISO standards correspond to the information security requirements established by the Data Protection Law remains unclear.
Are data owners/processors required to notify individuals in the event of a breach?
In the event that personal data is unlawfully obtained by a third party, the data controller must notify the data subject as soon as possible.
Are data owners/processors required to notify the regulator in the event of a breach?
In the event that personal data is unlawfully obtained by a third party, the data controller must notify the Personal Data Protection Board as soon as possible. If necessary, the board may announce this issue on its own website or via other appropriate means.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
The Law on Regulation of Electronic Commerce aims to regulate the principles and procedures of commercial electronic communications, especially the obligation to inform. The regulation covers all kinds of communication sent by electronic means to promote the goods, services or brands of real or legal persons, directly or indirectly. The law requires an opt-in regime and states that prior consent must be obtained before sending electronic commercial communications.
Turkish law provides no specific rules regarding cookies. However, the Constitution and the Data Protection Law require a data subject’s explicit consent to process personal data, confirmed by the applicable data protection laws and High Court of Appeals precedents. Therefore, cookies which collect personal data may be legitimately used only once the data subject’s explicit consent has been obtained.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Article 9 of the Data Protection Law provides that in principle, personal data cannot be transferred abroad without the explicit consent of the data subject. However, there are some exceptions.
Are there restrictions on the geographic transfer of data?
Personal data may be transferred abroad without obtaining the explicit consent of the data subject in the following circumstances:
- The country receiving the personal data must provide an adequate level of protection.
- If the country receiving the data does not provide adequate protection, the data controllers in both countries must provide a written undertaking guaranteeing an adequate level of protection, which must be authorised by the Personal Data Protection Board.
The Personal Data Protection Board determines which countries provide an adequate level of protection. The board determines whether a country can afford an adequate level of protection and whether data transfer can be authorised under Paragraph 2(b) of Article 9 of the Data Protection Law (which regulates data transfer abroad), after consulting to the relevant public administrations and agencies (if necessary) and evaluating:
- the international agreements to which Turkey is a party;
- the data transfer reciprocity between Turkey and the country requesting personal data;
- the category of the personal data as well as the purpose and processing period for each specific transfer of data;
- the relevant legislation and practice in the country receiving the data; and
- the measures that the data controller in the country receiving the data commits to provide.
Without prejudice to international treaties, if Turkey’s interests or those of the data subject are likely to be seriously undermined, personal data may be transferred abroad only on the authorisation of the Personal Data Protection Board, following the opinion of the relevant public institution or authority.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
In the event that personal data is processed by a third party on behalf of the data controller, the data controller shall be jointly liable with that party to undertake data security measures.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Article 17 of the Data Protection Law refers to the provisions of the Criminal Code relevant to crimes involving data protection. Article 18 regulates minor offences and provides for administrative fines of between TRY5,000 to TRY1 million for breaches of the Data Protection Law.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
Turkey has no specific legislation regulating cybersecurity, although certain adventitious regulations include cybersecurity-related provisions.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
A Council of Ministers decision on conducting, managing and coordinating national cybersecurity activities came into force on October 20 2012. On June 20 2013 another decision regarding the national cybersecurity strategy and action plan for 2013 and 2014 came into force. The action plan aimed to protect public IT systems and critical IT infrastructure operated by both the government and the private sector. One of the key aims of the action plan was to amend primary legislation by considering the needs of cybersecurity in Turkey.
Further, Turkey has established a Cybersecurity Board, which is empowered to:
- determine government precautions regarding cybersecurity;
- approve national cybersecurity strategies and procedures and principles within this scope; and
- maintain national cybersecurity and coordination.
At the time of writing, preparation of the 2015 to 2016 action plan was continuing.
Which cyber activities are criminalised in your jurisdiction?
The Data Protection Law refers to the existing criminal penalties for data breaches under the Criminal Code, as follows:
- Any person who unjustly records personal data faces six months to three years’ imprisonment.
- Any person who unjustly acquires or disseminates personal data or passes it on to somebody else faces one to four years’ imprisonment.
- Any person who fails to destroy personal data after the legal retention periods have passed faces six months to one year’s imprisonment.
Which authorities are responsible for enforcing cybersecurity rules?
Courts, public prosecutors and the Information and Communication Technologies Authority.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Yes. However, it is uncommon.
Are companies required to keep records of cybercrime threats, attacks and breaches?
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
Yes. Where processed personal data is unlawfully obtained by a third party as a result of cybercrime, the data controller must notify the data subject and the Personal Data Protection Board as soon as possible.
Are companies required to report cybercrime threats, attacks and breaches publicly?
If the breach concerns personal data, the Personal Data Protection Board may announce this issue on its own website or via other appropriate means.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
Any person who unjustly records personal data faces six months to three years’ imprisonment. Any person who unjustly acquires or disseminates personal data or passes it on to somebody else faces one to four years’ imprisonment. Any person who fails to destroy personal data after the legal retention periods have expired faces six months to one year’s imprisonment.
What penalties may be imposed for failure to comply with cybersecurity regulations?
Those who fail to fulfil the obligations relating to data security referred to in Article 12 of the Data Protection Law will face an administrative fine of TRY15,000 to TRY1 million.