In 1981, Turkey signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention”) at Strasbourg. At long last, the Convention has now been enacted into Turkish law. Ratification had been delayed while Turkey completed enactment of the necessary legislative arrangements in its domestic law. However, the importance of the subject matter meant that Turkey changed its approach to proceed with the domestic legislative requirements in parallel to ratifying the Convention.
The Convention’s purpose is to secure respect for every individual’s rights and fundamental freedoms in territories belonging to the Convention’s signatories, whatever an individual’s nationality or residence. The Convention particularly addresses individuals’ right to privacy, with regard to automatic processing of personal data.
Law Number 6669 on Ratification of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data dated 30 January 2016 was published in the Official Gazette on 17 February 2016 (“Ratification Law”), entering into effect on the same date.
The Convention requires each signatory to take the necessary measures in its domestic law to give effect to the basic data protection principles outlined in the Convention. In parallel to the Ratification Law, the 2016 Action Plan of Turkey’s 64th Government includes enactment of the Draft Law on Data Protection (“Draft Law”) by the end of March 2016 (more). The Draft Law has been delivered to Turkish Grand National Assembly on 18 January 2016. The Convention and the Draft Law regulate the main principles and conditions for processing personal data in a similar manner, even though the Draft Law’s scope of transmission of personal data to third parties is wider than the scope set out in the Convention.
The Ratification Law declares that the Convention will also apply to personal data which is not processed automatically (as per Article 3(1)(c) of the Convention).
The Ratification Law specifically excludes the Convention from applying to:
- Automatic processing of personal data realized by natural persons exclusively for their personal use, or household purposes.
- Public registers specifically regulated by law in Turkey.
- Data available to the general public information in accordance with law.
- Personal data which is processed by public institutions for the purposes of national security and defense, as well as for investigation and prevention of criminal offences.
A personal data protection council will be established by each member country which is responsible for implementing the Convention. In Turkey, the Personal Data Protection Authority and the Personal Data Protection Board (within the Authority) will be established and responsible for implementing the Convention (Section 6 of the Draft Law).
Please see this link for the full text of the Ratification Law (only available in Turkish) and the Convention (available in Turkish, English and French).
Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroğlu Arseven.