After almost a decade of legislative struggles, on March 24 the Turkish Parliament finally adopted the Law on the Protection of Personal Data (the "New Law"). The New Law is Turkey's first specific set of parliamentary level rules addressing data protection concerns in all sectors.
It continues to be a big year from a data protection perspective for Turkish citizens and corporations alike. As explained in an earlier alert, the month of February saw the much anticipated ratification of the Council of Europe's 1981 Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Data. This ratification had signaled that data protection was high on the Turkish Parliament's agenda, and now with the adoption of the New Law, Turkey finally has a set of rules that reflects, to a large extent, the EU Data Protection Directive (95/46/EC).
What to anticipate
The Law on the Protection of Personal Data will enter into force once it is published in the Official Gazette, but envisages a transition period for certain provisions to allow time to ensure compliance with the newly introduced rules and standards.
The New Law sheds light on significant ambiguities and fills in legal gaps. Most notably, it:
- defines concepts like "personal data," "sensitive data," "explicit consent" and "data controller,"
- lists the legitimate purposes for data processing,
- regulates the international transfer of personal data,
- imposes rules on data controllers for retention periods and standards,
- provides details on the rights of data subjects, and
- establishes a Data Protection Authority to act as the regulator.
The New Law is a major step in aligning Turkey's legislative framework with that of the EU and is expected to have significant implications.