Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Article 4 of the Data Protection Law provides that personal data must be processed to achieve a “clear, certain and legitimate purpose”; therefore, personal data may not be processed for an unrelated purpose. Article 4 further states that personal data may be processed only in line with the Data Protection Law and other laws. Data processing must be lawful, in good faith, precise and up to date. The data must be preserved for the period determined by the relevant legislation or necessary for the purpose of processing.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The Data Protection Law states that personal data may be processed for as long as necessary to realise the purpose of doing so; it also refers to the relevant laws, which require retention periods for certain data.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes. A data subject may:

  • apply to the data controller to learn whether data relating to him or her is being processed;
  • request relevant information if personal data relating to him or her is being processed;
  • request information regarding the purposes of the processing and whether the personal data has been processed accordingly;
  • obtain information regarding third parties (in or outside Turkey) to which personal data is being transferred;
  • request the correction of incomplete or inaccurate processing of personal data;
  • request the erasure or destruction of personal data, within the framework of the provision of the Data Protection Law entitled “Erasure, Destruction or Anonymisation of Personal Data”;
  • request notification to third parties receiving the data of:
    • corrections related to inaccurate or incomplete personal data processing; or
    • the erasure, destruction or anonymisation of personal data;
  • object to the potentially negative consequences of the analysis of personal data by exclusively automated systems; and
  • demand compensation for damages suffered as a result of an unlawful processing operation.

Do individuals have a right to request deletion of their data?

Yes. Article 7 of the Data Protection Law requires the erasure, destruction or anonymisation of personal data by the data controller either ex officio or at the request of the data subject (even if the data is processed in line with the relevant legislation), when the reasons for the processing of personal data are no longer valid.

Consent obligations
Is consent required before processing personal data?

Yes. Article 5 of the Data Protection Law requires a data subject’s explicit consent for the processing of personal data. However, the law provides exceptions to the explicit consent requirement.

If consent is not provided, are there other circumstances in which data processing is permitted?

Article 5(2) of the Data Protection Law permits processing of personal data without the explicit consent of the data subject, where:

  • it is explicitly foreseen by law;
  • processing is necessary to protect the vital interests or bodily integrity of the data subject (or of another person, where the data subject is physically or legally incapable of giving consent);
  • processing the personal data of the parties to a contract is necessary (provided that it is directly related to the execution or performance of the contract);
  • processing is necessary for compliance with a legal obligation to which the data controller is subject; 
  • the data has been made public by the data subject;
  • processing is necessary for the establishment, exercise or defence of a legal claim; or
  • processing is necessary for the legitimate interests of the data controller, provided that such interests do not violate the fundamental rights and freedoms of the data subject.

However, special categories of personal data may not be processed without the data subject’s explicit consent. Special categories of personal data – other than those related to health and sex life – may be processed without the explicit consent of the data subject if the processing is explicitly foreseen by law. Personal data relating to health and sex life may be processed without the explicit consent of the data subject only if the data is processed by authorised entities and institutions or persons who are under a confidentiality obligation for the purposes of:

  • protection of public health;
  • preventive medicine;
  • medical diagnosis; or
  • planning, managing and financing of treatment and maintenance services.

What information must be provided to individuals when personal data is collected?

Article 10 of the Data Protection Law stipulates that the data controller or any other person authorised by the data controller must provide data subjects with the following information during the collection of personal data:

  • the identity of the data controller (and representative, if any);
  • the purposes of the data processing;
  • to which parties and with what purpose the processed personal data can be transferred;
  • the method and legal reason for the data collection; and
  • the data subjects’ rights under Article 11 of the Data Protection Law.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Article 9 of the Data Protection Law provides that in principle, personal data cannot be transferred abroad without the explicit consent of the data subject. However, there are some exceptions.

Are there restrictions on the geographic transfer of data?

Personal data may be transferred abroad without obtaining the explicit consent of the data subject in the following circumstances:

  • The country receiving the personal data must provide an adequate level of protection.
  • If the country receiving the data does not provide adequate protection, the data controllers in both countries must provide a written undertaking guaranteeing an adequate level of protection, which must be authorised by the Personal Data Protection Board.

The Personal Data Protection Board determines which countries provide an adequate level of protection. The board determines whether a country can afford an adequate level of protection and whether data transfer can be authorised under Paragraph 2(b) of Article 9 of the Data Protection Law (which regulates data transfer abroad), after consulting to the relevant public administrations and agencies (if necessary) and evaluating:

  • the international agreements to which Turkey is a party;
  • the data transfer reciprocity between Turkey and the country requesting personal data;
  • the category of the personal data as well as the purpose and processing period for each specific transfer of data;
  • the relevant legislation and practice in the country receiving the data; and
  • the measures that the data controller in the country receiving the data commits to provide.       

Without prejudice to international treaties, if Turkey’s interests or those of the data subject are likely to be seriously undermined, personal data may be transferred abroad only on the authorisation of the Personal Data Protection Board, following the opinion of the relevant public institution or authority.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

In the event that personal data is processed by a third party on behalf of the data controller, the data controller shall be jointly liable with that party to undertake data security measures.

Click here to view the full article.