Introduction

Parliament approved the Data Protection Law – which has been deferred since 2003 – on March 24 2016. The consolidated text of the law was sent to the president on March 30 2016 for approval and publication; he has 15 days to publish the law or return it to Parliament for re-evaluation.

The Data Protection Law is the first piece of dedicated general data protection legislation in Turkey. It is primarily based on the EU Data Protection Directive (95/46/EC). That said, it differs from the EU data protection regime at numerous points.

The law's main aim is to protect fundamental rights and freedoms regarding the processing of personal data – particularly regarding the right to privacy – and to regulate the procedures, principles and obligations that must be followed by real persons and legal entities that process personal data. The law applies to:

  • real persons whose data is processed;
  • real persons or legal entities that process personal data; and
  • data processed wholly or partly by automatic means or non-automatic means, provided that the data is part of a data filing system.

The Personal Data Protection Authority will be established to perform the duties set out in the law.

General principles and processing of personal data

The Data Protection Law includes "clear, certain and legitimate purpose" as one of the general principles for processing personal data. According to Article 4, personal data must be processed and limited to achieve a stated purpose. Personal data may not be processed if it is unrelated to the stated purpose. Under Article 4, personal data can be processed only in line with the Data Protection Law and other laws. Data processing must be lawful, in line with good faith, precise and up to date where necessary. Further, processed data must be preserved for a period determined by the relevant legislation or the period necessary for the purposes of processing.

Article 5 of the law requires "explicit consent" of the data subject for processing his or her personal data. The law provides exceptions to the explicit consent requirement. It states that if one of the relevant exceptions listed under the law exists, personal data can be processed without obtaining the data subject's explicit consent.

These exemptions are regulated under Article 28, which states that the law will not be applicable if personal data is processed:

  • by a natural person in the course of a personal or household activity, provided that the personal data is not shared with third parties and the data security obligations are fulfilled and complied with;
  • for the purposes of research, planning or statistical operations after being anonymised;
  • for artistic, historical, literary or scientific purposes, provided that the processing does not:
    • violate national defence or safety;
    • economic security or privacy; or
    • constitute criminal activity;
  • in the scope of national defence or security or public safety or for reasons relating to economic security; or
  • for investigation, prosecution, trial or execution procedures by judicial organs or execution authorities.

Special categories of personal data

Under the Data Protection Law, the following are special categories of personal data, the details of which can be processed only if the data subject provides explicit consent:

  • racial or ethnic origin;
  • political opinions;
  • philosophical or religious beliefs;
  • clothing;
  • associations;
  • foundation or trade-union membership;
  • health or sex life;
  • criminal convictions;
  • security measures regarding a person; and
  • biometric and genetic information.

There are exceptions to this provision (eg, explicit consent will not be sought for the processing of special category personal data or for the protection of public health). That said, the exceptions for processing special categories of personal data are more limited than the exceptions set out for other types of personal data.

Erasure, destruction or anonymisation of personal data

Data controllers will be obliged to erase, destroy or anonymise personal data, either ex officio or on the request of the data subject (even if such data is processed in line with the Data Protection Law or other laws), when the original reasons for the processing of personal data are no longer valid.

Transfer of personal data and transfer of personal data abroad

The Data Protection Law divides the transfer of personal data into two categories: the transfer of personal data and the transfer of personal data abroad. Article 8 sets out the general principles for the transfer of personal data in Turkey to third parties. Regarding the transfer of personal data, the law provides no exceptions for groups of companies. Accordingly, personal data cannot be transferred without the explicit consent of the data subject. Article 9 sets out the general principles for transferring personal data abroad. Personal data cannot be transferred abroad without the explicit consent of the data subject. However, the law sets out certain exemptions for the transfer of personal data (inside or outside the country), which are specified under Articles 8 and 9.

Obligations of data controller

Article 10 of the Data Protection Law states that the data controller or anyone authorised by the data controller must provide the related parties with the information set out under Articles 10 and 11 during the collection of personal data. Under Article 12, the data controller must maintain data safety and security. The data controller is obliged to take the necessary administrative and technical measures to ensure that an adequate level of security is established, so that personal data is safeguarded and cannot be processed or accessed unlawfully.

Rights of data subject

A data subject has the right to:

  • apply to the data controller to learn whether data relating to him or her is being processed;
  • request relevant information if personal data relating to him or her is being processed;
  • obtain information regarding the purpose of the processing and whether the personal data has been processed accordingly;
  • obtain information regarding the third parties inside or outside the country to which personal data has been transferred;
  • request the correction of incomplete or inaccurate processing of personal data;
  • request the erasure or destruction of personal data under the framework set out in the erasure, destruction or anonymisation of personal data provision;
  • request that third parties to which personal data has been transferred are notified of corrections relating to inaccurate or incomplete personal data processing or the erasure, destruction or anonymisation of personal data;
  • object to potential negative consequences from the analysis of processed personal data through automated systems; and
  • demand compensation for damages suffered as a result of unlawful data processing.

Data controller registry

The Data Protection Law requires the establishment of a Data Controller Registry which will be maintained publicly under the supervision of the Protection of Personal Data Board. Natural and legal persons who process personal data will be registered in the registry prior to beginning data processing.

Crimes and minor offences

The crimes referred to under Article 17 of the Data Protection Law correspond to Articles 135 to 140 of the Criminal Code. Article 18 regulates minor offences and envisages administrative fines from TRY5,000 up to TRY1 million for breaches of certain provisions of the law.

Transitional provisions

Under the Data Protection Law:

  • Protection of Personal Data Board members will be elected within six months following the publication of the Data Protection Law;
  • data controllers must be registered in the Data Controller Registry in the period determined by the Protection of Personal Data Board; and
  • personal data processed prior to the publication of the Data Protection Law must comply with the law within two years of its publication.

Processed personal data that violates the law must be immediately erased, destroyed or anonymised. Explicit consent obtained before the Data Protection Law comes into effect will be deemed to agree with the law if there is no declaration on the contrary within one year.

Effectiveness

Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 of the Data Protection Law will enter into force six months after the law is published. The remaining provisions will enter into force on the date of the law's publication in the Official Gazette.

Criticisms

One of the most significant criticisms of the Data Protection Law is of the broad exemptions that it grants. Although the law states that it will apply to all real and legal persons, it provides broad exemptions for government authorities regarding data protection measures. The legal structure of the Personal Data Protection Authority and the Protection of Personal Data Board has also been criticised. Article 21 of the law states that the members of the Protection of Personal Data Board will be elected by Parliament (five members), the Council of Ministers (two members) and the President (two members). The previous version of Article 21 – approved by the Parliamentary Justice Commission – stated that the members of the Protection of Personal Data Board would be elected by the Council of Ministers and the President. While the latest version of Article 21 includes approval from the General Assembly of Parliament, it does not ensure the independence of the Personal Data Protection Authority and the Protection of Personal Data Board. As the supervisory and regulatory authority, the Personal Data Protection Authority should be administratively and financially independent from other government entities.

Although the Data Protection Law is based on the EU Data Protection Directive (95/46/EC), it differs from the EU's data protection regime at certain points. Further, the law includes no new provisions under the General Data Protection Regulation. This means that the law will need amendments in future to achieve full harmonisation with the EU data protection regime.

Comment

As the first legal instrument regarding the protection of personal data in Turkey, the new Data Protection Law introduces various provisions regarding the processing and protection of personal data. The law sets out the principles of personal data processing and new definitions of important terms such as 'explicit consent', which is established as a requirement of data processing. Obligations are imposed on data controllers regarding information requirements and the provision of data safety, while the law also imposes administrative fines for breaches of certain provisions therein. Further, the law establishes the first Personal Data Protection Authority in Turkey. The introduction of these new data protection measures and the increased harmonisation with the EU data protection regime are expected to provide new opportunities for foreign investors.

Parties processing and controlling personal data should re-evaluate:

  • their internal data protection measures and data collection points;
  • the purpose of data processing;
  • internal and external access to and disclosures of data;
  • the types of data collected and whether they are collected directly from the data subject or via a third party;
  • data subject groups and the classification of personal data related to these data subject groups; and
  • third-party data processors and recipients to which personal data may be transferred.

In light of the newly approved Data Protection Law, it may be valuable to reconsider privacy policies and conduct a gap analysis to determine whether additional internal administrative and technical measures are needed. The drafting of a protocol for data breaches before potential data breaches occur is recommended. Parties that process personal data could assign a data protection officer or someone otherwise responsible for compliance and data protection-related affairs. Finally, the preparation of an internal policy for compliance, monitoring, reviewing and assessing data processing activities and training personnel who may interact or deal with personal data regarding compliance and recognising the rights of data subjects are recommended to ensure compliance with the Data Protection Law.

For further information on this topic please contact Gönenç Gürkaynak or Ilay Yilmaz at ELIG, Attorneys at Law by telephone (+90 212 327 17 24) or email (gonenc.gurkaynak@elig.com or ilay.yilmaz@elig.com). The ELIG, Attorneys at Lawwebsite can be accessed at www.elig.com.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.