The Data Protection Law, as approved by the Turkish Parliament on 24 March 2016 (“Law”), may be criticised in many respects, but it is a valuable starting point for the protection of personal data in Turkey. First and foremost, it established the Data Protection Authority (the “DPA”), which will supervise the implementation of the Law.
It has been almost a decade since the first draft of the Law was prepared and submitted to the Turkish Parliament for notification; the Law has entered into force as at today upon publication in the Official Gazette. Please note that certain articles relating to the transfer of data (both domestically and abroad); rights of the subject whose data is processed; complaints to be filed before the DPA; procedures to be followed by the DPA regarding its investigations; and sanctions, shall only enter into force six months following the publication of the Law.
Prior to the Law, general provisions on data protection existed in various pieces of legislation; inter alia, the Constitution, the Civil Code, the Code of Obligations, the Criminal Code and other sector-tailored codes. However, due to the piecemeal manner in which these provisions were implemented, there was no solid principle of data protection in Turkey. For instance, a code on Regulation of Electronic Commerce came into force on 1 May 2015 (“Regulation”) with the aim of preventing companies from contacting customers; however, in principle, it only banned commercial messages by email, text messaging (SMS), fax, and autodial machines to consumers without their prior approval. Accordingly, the Regulation did not do anything in practice to prevent or regulate the creation of customer profiles containing personal data or the transfer of such data to third parties, and there was no legislation regarding the removal of such data from the data processors’ database.
Highlights of the Law
The Law aims to protect the fundamental rights of individuals and to regulate the provision, processing and storage of personal data. In principle, pursuant to the Law, personal data cannot be processed or transferred (domestically or abroad) without the explicit consent of the data subject. The exceptions to this rule are in line with, but more broadly drafted than, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The Law classifies certain data as “sensitive personal data”, including the biometric and genetic data of individuals together with data regarding race, ethnic background, philosophical and political views, religion, union affiliations, health, sexual life and convictions of the same. The major difference between personal data and sensitive personal data is that the general exceptions to the prohibition on processing personal data under the Law do not apply to certain types of sensitive personal data (i.e. related to health and sexual life) and consequently such sensitive personal data can only be processed upon the data subject’s explicit consent or only for the purpose of the protection of public health, rendering preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and financing.
In accordance with the Law, personal data may be deleted or anonymised when the reasons for processing such data cease to exist or upon the request of the related individual. The details of these procedures are expected to be set out in ancillary legislation.
The Law is also expected to encourage foreign investors and companies which previously abstained from entering the Turkish market to do so, since the introduction of rules and regulations on the processing and transfer of personal data in commercial and financial operations will assist foreign investors in complying with their already existing obligations under EU law and create a more level playing field. Following the publication of the secondary legislation and the practical implications, if compatible with European standards, the Law would enable Turkey to cooperate more closely with Europol, Eurojust and Member States’ enforcement agencies.
There shall be a transition period for the real and legal persons who process personal data. During this period, processors have to register with the registry of the processors. Following registration, data processors must ensure that processed data is collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Noncompliance with the aforesaid principles and procedure may lead to a monetary fine of up to one million Turkish Liras and a custodial sentence of between 1 and 4 years.