Law and the regulatory authority
Legislative framework
Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?
The Turkish Constitution has specifically protected PI since 2010.
The protection of PI has also been regulated by specific legislation, namely the Personal Data Protection Law (PDPL), Law No. 6698, which came into force in October 2016. Directive 95/46/EC is the starting point for the PDPL. Even though there are various differences between the PDPL and the EU General Data Protection Regulation (GDPR), the PDPL is generally based on, and follows, the GDPR.
Turkey is a party to the Convention for the Protection of Individuals with regard to Automated Processing of Personal Data of 1981 of the Council of Europe. The Convention was published in the Turkish Official Gazette in March 2016 and became domestic law.
Crimes against data protection and related sanctions are also regulated by the Turkish Criminal Code.
Data protection authority
Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?
The authority responsible for overseeing the implementation of the PDPL is the Personal Data Protection Authority (the Authority). The Authority is responsible, among other things, for monitoring the latest developments in legislation and practice, making evaluations and recommendations, conducting research and analyses, and cooperating with public institutions and organisations, international organisations, non-governmental organisations, professional associations and universities.
The Data Protection Board (the Board) is formed within the Authority and has the following duties, among others:
- ensuring that personal data are processed in compliance with the PDPL, and fundamental rights and freedoms;
- promulgating rules and regulations under the PDPL;
- determining administrative sanctions under the PDPL;
- reviewing complaints of PDPL violations;
- taking necessary measures against PDPL violations at its discretion;
- setting a strategic plan for the Authority;
- determining the purpose, targets, service quality standards and performance criteria of the Authority;
- determining additional measures for the processing of sensitive personal data;
- determining specific rules regarding data security, and the duties, powers and responsibilities of data controllers;
- providing comments on legislation and rules drafted by other institutions and organisations that include personal data provisions; and
- approving and publishing periodic reports on the performance, financial situation, annual activities and other matters related to the Authority.
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
The Authority is the sole authorised institution under the PDPL. The PDPL tasks the Authority with monitoring and evaluating international developments on personal data issues, and cooperating with international organisations and foreign counterparts.
Despite the limited number of decisions the Board has issued since its formation, the visible trend is that the Board takes decisions of the European Data Protection Board (EDPB) into account when investigating cases. However, there is no mechanism to prevent the Board from taking decisions diverging from those of the EDPB.
Breaches of data protection law
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Breaches of the PDPL can lead to both administrative fines and criminal penalties. The Board is responsible for ensuring that personal data is processed in compliance with fundamental rights and freedoms, and reviewing complaints of data subjects. The Board can take temporary measures and other adequate measures, such as monetary sanctions, against violations.
In addition, criminal acts such as the unlawful acquisition or registration of personal data, and non-destruction of personal data when required may be subject to criminal penalties under the Turkish Criminal Code.
Scope
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
The Personal Data Protection Law (PDPL) applies to all natural persons whose personal data is processed. It also applies to all natural and legal persons who process such data by fully or partially automated means, or by non-automated means provided that the data form part of a data registry system (the ‘filing system’ under the EU General Data Protection Regulation). No distinction is made between private sector institutions and state institutions. As such, the PDPL applies to all types of entities and persons.
However, the PDPL does not apply in the following cases:
- processing by natural persons within the scope of activities relating to either themselves or their family members living in the same household, on the condition that the data is safeguarded and not provided to third parties;
- anonymised processing for statistical, research, planning and similar purposes;
- processing for the purposes of art, history, literature and science, or as part of the exercise of freedom of speech, provided the processing does not prejudice national defence, national security, public order, public safety, economic security, privacy and other personal rights, or constitute a crime;
- processing within the scope of preventive, protective and intelligence activities by state institutions carrying out national defence, national security, public order, public safety or economic security functions; and
- processing by judicial authorities or execution authorities in relation to investigations, prosecutions, court cases, criminal proceedings, and execution and enforcement proceedings.
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?
No, the PDPL does not directly cover interception of communications, electronic marketing or monitoring and surveillance of individuals. However, the Data Protection Board (Board) has issued a decision regarding the regulation of contacting individuals via email, SMS or phone calls to make advertisements, where it held that such communications are subject to the same principles under the PDPL as apply to other data processing. Accordingly, these types of communications can be made only on the basis of consent or in reliance on an exemption.
Turkey has specific legislation that covers the interception of communications, electronic marketing, and monitoring and surveillance of individuals. For example, the Law on Electronic Communication regulates all electronic communication methods while the Law on Electronic Trade regulates electronic marketing and trade. The Regulation on Erasure, Destruction and Anonymisation of Personal Data and the Communiqué on Rules and Procedures for the Fulfilment of the Obligation to Inform determine the rules and procedures to be applied to interception of communications, electronic marketing, and monitoring and surveillance of individuals. The Board has also published guidance regarding electronic communications bearing personal information and deemed it necessary for data controllers to take reasonable measures to verify the contact information declared by the relevant data subjects (eg, sending a verification code or link to the person’s registered phone number or email address). Per the Board’s approach, keeping personal data accurate and up-to-date is both in the interest of the data controller and necessary to protect the fundamental rights and freedoms of the data subject. In addition, channels must be made available at all times for data subjects to update their personal data. The Criminal Code and Criminal Procedural Law regulate the sanctions in case of breach of the applicable legislation.
Other laws
Are there any further laws or regulations that provide specific data protection rules for related areas?
There are specific rules that outline data protection rules for various areas. For example, Turkish Labour Law holds that employers are obliged to use the personal data of employees in good faith and in accordance with applicable law, and not to disclose any personal data in which an employee has a legitimate interest and has requested to be kept private.
Another example is the Regulation on Processing and Maintaining Privacy of Personal Health Data, regulating the rules and procedures to be used while processing data involving health information.
Turkish Banking Law, the Law on Payment and Security Agreement Systems, Payment Systems and Electronic Currency Organisations and the Law on Bank Cards and Credit Cards regulate the processing and transfer of financial data in Turkey and abroad.
Turkish telecommunications legislation also has provisions regarding data processing and transfers.
PI formats
What categories and types of PI are covered by the law?
The PDPL does not limit the scope of protection by categories or types. All information relating to an identified or identifiable natural person maintained and stored in any format is covered by the PDPL and secondary legislation promulgated thereunder. However, there are specific provisions in the PDPL that regulate sensitive personal data as ‘special categories of personal data’.
Extraterritoriality
Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?
The PDPL makes no differentiation between data subjects who are nationals or not. The PDPL applies to all natural persons whose personal data are processed.
However, there are specific rules that apply to the transfer of personal data outside of Turkey. As a general rule, personal data cannot be transferred abroad without the explicit consent of the data subject. However, personal data may be transferred abroad without the explicit consent of the data subject provided that one of the conditions specified in the PDPL is met, and that:
- adequate protection is provided in the foreign country where the data are to be transferred (the Board has the authority to determine the countries where an adequate level of protection is deemed to be provided although it has not done so yet); or
- where adequate protection is not provided, the controllers in Turkey and the relevant foreign country guarantee sufficient protection in writing, and the Board authorises such transfer (although data requiring the data subject’s explicit consent in Turkey will continue to require such consent and will not be automatically covered by the approved undertaking); or
- approved binding corporate rules are followed (although data requiring the data subject’s explicit consent in Turkey will continue to require such consent and will not be automatically covered by such rules).
Hence, the applicability of the PDPL is not limited to Turkey.
Covered uses of PI
Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?
The PDPL covers all processing and use of personal data. Certain distinctions are made among the owners, controllers and processors concerning their duties and liabilities.
Law stated date
Correct on
Give the date on which the information above is accurate.
27 May 2022.