Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

The Law on the Protection of Personal Data 6698 came into force on April 7 2016 and largely mirrors the EU Data Protection Directive (95/46/EC). Although the Constitution and certain laws (eg, the Criminal Code) already contained general rules on personal data before the law was adopted, Turkey’s national data protection laws are arguably behind the international curve, as the country regulated data privacy late compared with the European Union. Further, since the General Data Protection Regulation, which sets higher requirements for personal data protection than the EU Directive, will apply from May 2018, the law is also arguably behind the current international requirements for data protection.

Are any changes to existing data protection legislation proposed or expected in the near future?

The Law Amending Certain Tax Laws 7061 and other material changes to several laws were published in the Official Gazette 30261 on December 5 2017. According to the amendments, the appointment of data protection experts at the Personal Data Protection Board is regulated under a provisional article (Provisional Article 2) added to the Law on the Protection of Personal Data. No other amendments to the law are expected in the near future.

Since the Law on the Protection of Personal Data entered into force only recently, certain regulations which should be issued under the law are yet to be published by the Personal Data Protection Authority. Publications are expected on secondary legislation, including:

  • the Regulation on the Data Controllers’ Registry; and
  • the Regulation on Working Procedures and Principles of Personal Data Protection Directorate Service Units.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The Law on the Protection of Personal Data governs the processing, collection, storage and use of personal data in general. Other general legislation also applies to the collection, storage and use of personal data, including:

  • the Constitution 1982;
  • the Criminal Code 5237;
  • the Civil Code 4721; and
  • the Code of Obligations 6098.

There are also sector-specific laws governing the collection, storage and use of personal data, including:

  • the Law on Regulation of Electronic Commerce 6563;
  • the Electronic Communications Law 5809;
  • the Law on Payment and Security Reconciliation Systems, Payment Services and Electronic Money Organisations 6493;
  • the Banking Law 5411; and
  • the Regulation on Patient Rights published in the Official Gazette 23420 on August 1 1998.

Scope and jurisdiction

Who falls within the scope of the legislation?

Natural or legal persons processing personal data wholly or partly by automatic means, or by non-automated means as part of a filing system (ie, data controllers), and natural persons whose personal data is processed (ie, data subjects) fall within the scope of the Law on the Protection of Personal Data. Although the law is silent on its territorial scope, the Guideline on Questions on the Application of the Law on the Protection of Personal Data published by the Personal Data Protection Board states that the law applies to data controllers located both in Turkey and abroad. However, the board may update its guidelines, so this position may change.

What kind of data falls within the scope of the legislation?

The Law on the Protection of Personal Data governs personal data. Any information relating to an identified or identifiable natural person is considered personal data under the law. Information relating to legal persons is not included in this definition.

Special categories of personal data include:

  • race and ethnicity;
  • political opinion;
  • philosophical beliefs;
  • religion, sect and other beliefs;
  • association, foundation and union memberships;
  • health;
  • sexual orientation;
  • criminal convictions and security measures;
  • clothes and appearance; and
  • biometric and genetic data.

Personal data relating to any of these categories will be processed subject to additional requirements determined by the Personal Data Protection Board.

Are data owners required to register with the relevant authority before processing data?

Data controllers must register with a public registry (ie, the data controllers’ registry) before processing personal data. However, the registry is yet to be established and the secondary legislation regulating it is still in draft form.

Pursuant to the Draft Regulation on the Data Controllers’ Registry, the Personal Data Protection Board is authorised to determine exceptions to the registration requirement by taking into account criteria such as:

  • the nature of the personal data;
  • the quantity of personal data;
  • the purpose of data processing;
  • the activity field of the processed data;
  • the transfer of personal data to third parties;
  • whether personal data processing is stipulated or falls under the scope of Articles 5/2(a), 5/2(c) and 6/3 of the Law on the Protection of Personal Data;
  • the retention period;
  • the data controller’s annual revenue; and
  • the data controller’s employee number.  

Pursuant to the draft regulation, data controllers that are located outside Turkey must appoint a legal entity that is located in Turkey or a natural person who is a Turkish citizen as their data controller representative to register with the data controllers’ registry.

Is information regarding registered data owners publicly available?

Pursuant to the Draft Regulation on the Data Controllers’ Registry, the following information will be publicly available:

  • the name and address of the data controller and its representative (if any);
  • the purpose of personal data processing;
  • the person groups and data categories relating to such persons;
  • the recipient and recipient groups;
  • the personal data to be transferred outside Turkey; and
  • the registration date and expiry date of registration.

Is there a requirement to appoint a data protection officer?

No. The definition and appointment of a data protection officer has not been regulated under the law.

According to the Draft Regulation on the Data Controllers’ Registry, data controllers located in Turkey must appoint a contact person, whereas data controllers located outside Turkey must appoint a data controller representative who must be granted the authority specified under the regulation. The contact person and the data controller representative are responsible for correspondence between the data controller and the Personal Data Protection Board. However, neither has the legal status of a data protection officer as stipulated under the General Data Protection Regulation.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The Personal Data Protection Board is responsible for enforcing the rules regarding data protection in Turkey. Pursuant to the Regulation on Working Procedures and Principles of the Board, the board’s duties include:

  • ensuring that personal data is processed in conformity with fundamental rights and freedoms;
  • settling the complaints of individuals who claim that their rights regarding personal data have been violated;
  • investigating, on complaint or ex officio where it learns of an alleged violation within its remit, whether personal data has been processed in accordance with the law, and taking interim measures where necessary;
  • determining the adequate measures required for processing special categories of personal data;
  • ensuring that the data controllers’ registry is maintained;
  • carrying out regulatory transactions in relation to the subject matter and operation of the board;
  • carrying out regulatory transactions to determine obligations and liabilities with regard to data security;
  • carrying out regulatory transactions with regard to the duties, authorities and liabilities of the data controller and its representative;
  • deciding on and imposing the administrative penalties set forth in the Law on the Protection of Personal Data;
  • performing other duties assigned by law;
  • determining the principles and procedures for the deletion, destruction or anonymisation of personal data;
  • identifying and declaring countries with adequate protection for cross-border data transfer;
  • determining the sectoral implementation principles relating to the protection, processing and security of personal data, and determining the procedures and principles for accreditation, certification, training and guidance;
  • making and carrying out domestic and international projects relating to the protection of personal data;
  • informing institutions and organisations about the protection of personal data and carrying out activities to raise public awareness;
  • carrying out studies on tariffs;
  • carrying out cooperation and coordination activities with universities and other relevant domestic and foreign institutions and organisations;
  • submitting opinions on draft legislation prepared by other institutions and organisations which contains provisions on personal data;
  • determining the Personal Data Protection Authority’s strategic plan, including its goals and objectives, service quality standards and performance criteria;
  • discussing and finalising the performance budgets prepared in accordance with the authority’s strategic plan, goals and objectives;
  • approving and publishing draft reports on the performance, financial status, annual activities and other relevant matters of the Personal Data Protection Authority; and
  • negotiating and resolving proposals on the purchase, sale and lease of real estate.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Pursuant to Article 4 of the Law on the Protection of Personal Data, personal data must be:

  • processed in conformity with the law and good faith;
  • accurate and up to date where necessary;
  • processed for specified, explicit and legitimate purposes;
  • relevant, limited and proportionate to what is necessary in relation to the purposes for which it is processed; and
  • stored for the period stipulated by the relevant legislation or necessary to the purposes for which it is processed.

With regard to information provision obligations, data controllers must provide data subjects with the following information when the personal data is collected:

  • the identity of the data controller and its representative (if any);
  • the purpose for processing the personal data;
  • any purposes for transferring the personal data and the persons to which it may be transferred;
  • the method and legal reasons for collecting the personal data; and
  • the data subjects’ rights under Article 11 of the Law on the Protection of Personal Data.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The Law on the Protection of Personal Data provides a general obligation for data controllers in relation to deletion, destruction and anonymisation. Pursuant to the Regulation on Deletion, Destruction and Anonymisation of Personal Data published in the Official Gazette 30224 on October 28 2017, which will enter into force on January 1 2018, if the conditions for lawful processing specified under Articles 5 and 6 of the law no longer exist, personal data must be deleted, destroyed or anonymised by the data controller ex officio or on request of the data subject.

With regard to retention of records, data controllers must register with the data controllers’ registry and draft a personal data retention and destruction policy, which includes:

  • the purpose for personal data retention and destruction policy;
  • the data processing medium;
  • definitions of legal and technical terms;
  • explanations relating to the legal, technical or other reasons requiring retention and destruction of personal data;
  • the technical and administrative measures adopted for the purposes of ensuring the secure retention of personal data and preventing personal data from being processed or accessed unlawfully;
  • the technical and administrative measures adopted for the purposes of ensuring the lawful destruction of personal data;
  • the titles, departments and job descriptions of those participating in the retention and destruction of personal data;
  • a table indicating the retention and destruction periods;
  • amendments to the existing personal data retention and destruction policy (if any); and
  • the timeframe for periodical destruction which can be a maximum of six months.

Data controllers must keep all records in relation to the deletion, destruction or anonymisation of personal data for a minimum period of three years.

Do individuals have a right to access personal information about them that is held by an organisation?

Pursuant to Article 11 of the Law on the Protection of Personal Data, data subjects have the right to:

  • know whether their personal data has been processed and, if it has been processed, to be informed of:
    • its details;
    • the purpose for its processing and whether it has been used appropriately for its purpose; and
    • the names of the third parties to which it has been transferred, whether in Turkey or abroad;
  • require correction of the data if it is incomplete or inaccurate, deletion or destruction of the data within the conditions stipulated in the relevant legislation and notification of the correction, deletion or destruction of data that has been transferred to third parties;
  • object to a possible outcome which may be disadvantageous for the data subject’s interest as a result of analysis of the processed data made exclusively via automated systems; and
  • claim damages in the event that the data subject has suffered damages due to his or her data being processed in violation of data protection laws.

Data subjects have the right to request only information relating to their personal data, rather than direct access to the data (eg, online or on the data controller’s premises).

Do individuals have a right to request deletion of their data?

Yes. In accordance with the Regulation on Deletion, Destruction and Anonymisation of Personal Data, data subjects may request the deletion of their personal data. In such cases, the data controller must delete, destroy or anonymise the relevant personal data within 30 days if the conditions for lawful processing cease to exist. The data controller can choose between the deletion, destruction or anonymisation methods. However, if any condition for lawful processing is in place, the data controller may reject the deletion request by indicating grounds for refusal.

Further, the Law on the Protection of Personal Data does not grant data subjects a right to data portability of the kind provided under the General Data Protection Regulation.

Consent obligations

Is consent required before processing personal data?

Yes. Personal data may be legitimately processed if the data subject’s explicit consent is obtained. Nonetheless, the Law on the Protection of Personal Data regulates exceptions to this requirement.

If consent is not provided, are there other circumstances in which data processing is permitted?

Personal data may be legitimately processed if:

  • it is expressly permitted by law;
  • it is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of consenting;
  • it is necessary for, and directly related to, the execution or performance of a contract to which the data subject is a party;
  • it is necessary for compliance with a legal obligation which the controller is subject to;
  • the relevant information is revealed to the public by the data subject;
  • it is necessary for the establishment, usage or protection of a right; or
  • it is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

What information must be provided to individuals when personal data is collected?

Data controllers must provide data subjects with the following information when their personal data is collected:

  • the identity of the data controller and its representative (if any);
  • the purpose for processing the personal data;
  • any purposes for transferring the data and the persons to which it may be transferred;
  • the method and legal reasons for collecting the personal data; and
  • the data subjects’ rights under Article 11 of the Law on the Protection of Personal Data.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Pursuant to Article 12 of the Law on the Protection of Personal Data, data controllers must implement any technical or administrative measure necessary to ensure the appropriate security level in order to prevent the personal data from being processed or accessed unlawfully and to ensure its protection.

Further, they must adopt the adequate measures determined by the Personal Data Protection Board when special categories of personal data are processed.

Data controllers that are subject to sector-specific laws (eg, banking and telecoms regulations) must also comply with other sector-specific security obligations.

For example, in the banking sector, pursuant to the Regulation on Banks’ Internal Control and Internal Capital Adequacy Assessment Process and the Law on Payment and Security Reconciliation Systems, Payment Services and Electronic Money Organisations 6493, primary and secondary systems of banks and payment service providers or electronic money institutions should be located in Turkey. In addition, the Regulation on Bank Cards and Credit Cards sets forth that institutions that issue cards must:

  • keep all personal data in confidence;
  • refrain from using such data for marketing activities; and
  • take all necessary precautions to keep records safe.

In the energy sector, Article 30/B/1 of the Regulation on Balancing and Compliance in the Electricity Market sets forth that suppliers must keep and update data records in order to ensure data stability and security. They must also take all necessary precautions to keep personal data safe.

However, the Personal Data Protection Board has published no guidance on the technical measures required.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Yes. If the processed personal data is obtained by other persons illegally, the data controller must inform the relevant person as soon as possible.

Are data owners/processors required to notify the regulator in the event of a breach?

Yes. If the processed personal data is obtained by other persons illegally, the data controller must inform the Personal Data Protection Board as soon as possible. The board may announce the situation on its website or by another method that it deems appropriate.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

Yes. The Law on Regulation of Electronic Commerce and the Regulation on Commercial Communications and Commercial Electronic Messages govern unsolicited electronic marketing and all kinds of commercial communication sent by electronic means. The legislation provides an opt-in regime for commercial electronic messages.

Cookies

Are there rules governing the use of cookies?

To date, there are no rules governing the use of cookies. The approach of the Personal Data Protection Board on this matter is eagerly awaited.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Pursuant to the Law on the Protection of Personal Data, personal data cannot be transferred outside of Turkey without the data subject’s explicit consent. Exceptions to this rule are set out in Articles 5 and 6 of the law, which state that personal data may be legitimately processed if:

  • it is expressly permitted by law;
  • it is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of consenting;
  • it is necessary for, and directly related to, the execution or performance of a contract to which the data subject is a party;
  • it is necessary for compliance with a legal obligation which the controller is subject to;
  • the relevant information is revealed to the public by the data subject;
  • it is necessary for the establishment, usage or protection of a right; or
  • it is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

Are there restrictions on the geographic transfer of data?

As stated above, personal data cannot be transferred abroad without the data subject’s explicit consent.

Personal data can be transferred abroad without the data subject’s explicit consent only in the exceptional circumstances outlined in the Law on the Protection of Personal Data and where the country to which the data will be transferred:

  • has an adequate level of data protection (this will be assessed by the Personal Data Protection Board); or
  • does not have an adequate level of data protection but the data controllers in both Turkey and the transfer country make a written commitment regarding data transfer and permission is provided by the board.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Personal data can be transferred without the data subject’s explicit consent only in the exceptional circumstances outlined in the law, provided that the necessary measures are taken.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

Criminal offences (imprisonment):

  • unlawful recording of personal data: one to three years’ imprisonment;
  • unlawful recording of special categories of personal data: one-and-a-half to four-and-a-half years’ imprisonment;
  • unlawful transfer, transmission and collection of personal data: two to four years’ imprisonment; and
  • failure to destroy personal data that is required to be destroyed: one to two years’ imprisonment.

Administrative breaches (fines imposed by the Personal Data Protection Board):

  • non-compliance with the information provision obligation: administrative fine of between TL5,000 and TL100,000;
  • non-compliance with the data controllers’ registry requirements: administrative fine of between TL20,000 and TL1 million;
  • non-compliance with the data security obligations: administrative fine of between TL15,000 and TL1 million; and
  • non-compliance with Personal Data Protection Board decisions: administrative fine of between TL25,000 and TL1 million.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Pursuant to Article 11 of the Law on the Protection of Personal Data, data subjects are entitled to claim damages in the event that they have suffered damages as a result of their data being processed in violation of data protection law.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Turkey signed the Council of Europe’s Convention on Cybercrime on November 10 2010; the convention was adopted into domestic law on May 2 2014 and ratified on September 29 2014. In parallel with the convention, the first, second and third-category offences are set out in Articles 243, 244, 158/1-f and 226 of the Criminal Code. These cover:

  • offences against the confidentiality, integrity and availability of computer data and systems;
  • computer-related offences; and
  • content-related offences.

However, it can be argued that these articles do not implement the convention’s provisions to a satisfactory level.

With regard to procedural law, the convention covers the expedited preservation of stored computer data (Article 16) and the expedited preservation and partial disclosure of traffic data (Article 17). There are no similar provisions under Turkish criminal procedural law; however, Law 5651 on the Regulation of Broadcasts via Internet and Prevention of Crimes Committed through Such Broadcasts contains similar administrative measures.

Law 5651 regulates the principles and procedures regarding the obligations and responsibilities of content providers, hosting providers and access providers, as well as combating specific crimes committed online through such providers. Pursuant to Law 5651 and the Regulation on the Principles and Procedures of Regulating Publications on the Internet, hosting providers must maintain hosting provider traffic information for six months and ensure the accuracy and integrity of such information, as well as the file integrity values of data together with a time stamp. Access providers must maintain access provider traffic information for one year and maintain the accuracy and integrity of such information, as well as the file integrity values of the data created together with a time stamp.   
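The retention duties described above (traffic information kept for six months by hosting providers and one year by access providers, with file integrity values and a time stamp) are the kind of control that has to be implemented in tooling rather than in policy text. The following is an added example, not code from the original page or from any Turkish provider or regulator: it hashes each constructed sample log file, binds the digest to a time stamp in a hash-chained ledger so that a silently removed or reordered entry is detectable, and reports which files have passed their retention period. The sample log lines, the file-naming convention, the use of SHA-256 and the 182-day reading of "six months" are all assumptions made for the example.

```python
"""Integrity-stamped retention ledger for provider traffic logs (illustrative example)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Retention periods as described on the page (Law 5651): hosting providers six
# months, access providers one year. Six months is taken as 182 days here,
# which is an assumption; the regulation states the period in months.
RETENTION = {"hosting": timedelta(days=182), "access": timedelta(days=365)}

GENESIS = "0" * 64  # prev-hash of the first ledger entry

# Constructed sample traffic-log files (not real data). The "<kind>-<date>.log"
# naming scheme is an assumption used to tag each file with its provider type.
SAMPLE_LOGS = {
    "hosting-2017-10-01.log": b"2017-10-01T00:00:01Z 203.0.113.5 GET /index.html 200\n"
                              b"2017-10-01T00:00:02Z 198.51.100.7 GET /login 302\n",
    "access-2017-10-01.log": b"2017-10-01T00:00:05Z sub=10.0.0.9 nat=203.0.113.44:51000\n",
}


def integrity_value(data: bytes) -> str:
    """The 'file integrity value': a SHA-256 digest of the file contents."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict) -> str:
    """Hash of a ledger entry's fields in a canonical (sorted-key) serialisation."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_record(name, kind, data, created, recorded, prev_hash=GENESIS):
    """Bind the file digest to a time stamp and to the previous ledger entry.
    Chaining prev_hash means a deleted or reordered entry breaks verification."""
    rec = {
        "file": name,
        "kind": kind,
        "sha256": integrity_value(data),
        "size": len(data),
        "created": created.isoformat(),   # when the log file was produced
        "recorded": recorded.isoformat(),  # when the integrity value was taken
        "prev": prev_hash,
    }
    rec["entry"] = _entry_hash(rec)  # covers every field above
    return rec


def verify_file(rec, data: bytes) -> bool:
    """Recompute the digest of the stored file and compare it with the ledger."""
    return rec["sha256"] == integrity_value(data) and rec["size"] == len(data)


def verify_chain(ledger) -> bool:
    """Check every entry hash and every prev link from the first entry onwards."""
    prev = GENESIS
    for rec in ledger:
        if rec["prev"] != prev:
            return False
        body = {k: v for k, v in rec.items() if k != "entry"}
        if _entry_hash(body) != rec["entry"]:
            return False
        prev = rec["entry"]
    return True


def retention_expired(rec, now: datetime) -> bool:
    """True once the file has been kept for at least its provider type's period."""
    created = datetime.fromisoformat(rec["created"])
    return now - created >= RETENTION[rec["kind"]]


def build_ledger(logs, created: datetime, recorded: datetime):
    """Record every sample file in order, chaining each entry to the last."""
    ledger, prev = [], GENESIS
    for name, data in logs.items():
        kind = name.split("-", 1)[0]  # "hosting" or "access" from the file name
        rec = make_record(name, kind, data, created, recorded, prev)
        ledger.append(rec)
        prev = rec["entry"]
    return ledger


def purge_due(ledger, now_iso: str):
    """Names of files past their retention period. The ledger entry itself is
    kept: the record that a file existed and what its digest was outlives the file."""
    now = datetime.fromisoformat(now_iso)
    return [rec["file"] for rec in ledger if retention_expired(rec, now)]


def sample_ledger():
    """Ledger over the constructed sample logs, all created on 2017-10-01 UTC."""
    created = datetime(2017, 10, 1, tzinfo=timezone.utc)
    return build_ledger(SAMPLE_LOGS, created, created)


if __name__ == "__main__":
    ledger = sample_ledger()
    print("chain ok:", verify_chain(ledger))
    print("due on 2018-05-01:", purge_due(ledger, "2018-05-01T00:00:00+00:00"))
```

The ledger deliberately keeps an entry after its file is purged: the chain then records that the file was held for the required period and what its integrity value was, which is what an auditor or a court asking for the data would want to see. Timestamps are stored as timezone-aware ISO 8601 strings so the retention arithmetic is unambiguous across daylight-saving changes.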

Turkey has no other specific legislation in force to target cybercrime or cybersecurity directly.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

The initial specific regulation with regard to cybersecurity was set out by the Council of Ministers Decision Regarding Performance, Management and Coordination of National Cybersecurity Works 2012/3842 on June 11 2012. This established the Cybersecurity Board as the main authority to approve policies, strategies and action plans relating to cybersecurity in Turkey. The decision also regulates the duties of the Ministry of Transport, Maritime Affairs and Communication in the field of cybersecurity. The Law on Electronic Communications 5809 includes general rules on the duties of both the Cybersecurity Board and the Ministry of Transport, Maritime Affairs and Communication.

On June 20 2013 another council of ministers decision on national cybersecurity strategy was published in the Official Gazette. The aim of the 2013-2014 action plan was, among other things, to protect services, transactions and data provided by the government through IT systems and critical IT infrastructure operated by the private sector and the government. In accordance with the plan, the Ministry of Transport, Maritime Affairs and Communication has published its 2016-2019 national cybersecurity strategy and action plan which determines definitions, principles, cybersecurity risks and strategic cybersecurity purposes and actions. The plan’s main aims are to regulate cybersecurity legislation in accordance with international standards and form a public authority which ensures coordination in the field of cybersecurity.

Which cyber activities are criminalised in your jurisdiction?

The Criminal Code regulates the following cyber activities as crimes:

  • gaining unlawful or unauthorised access to information systems;
  • blocking or destroying information systems, or altering or destroying data;
  • improper use of bank or credit cards; and
  • creating or assembling devices, software, passwords or other security codes to commit the abovementioned crimes, or producing, importing, delivering, transporting, storing, accepting, selling, supplying, purchasing or carrying the same.

In addition, the Law on the Protection of Personal Data refers to the Criminal Code with regard to personal data breaches.

Which authorities are responsible for enforcing cybersecurity rules?

The Cybersecurity Board is authorised to approve policies, strategies and action plans relating to cybersecurity in Turkey. With respect to the enforcement of cybersecurity rules, the Information and Communication Technologies Authority and the courts and public prosecutors have jurisdiction.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Some insurers provide insurance for cybersecurity breaches. In practice, multinational companies take out such insurance. However, this is not particularly common.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Since there are no specific regulations in relation to cybersecurity in Turkey, as a rule, companies are not required to keep records of cybercrime threats, attacks or breaches. However, in certain regulated sectors (eg, banking), it is obligatory to implement an audit trail registration mechanism. In addition, pursuant to the Draft Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector, operators are responsible for keeping an inventory of personal data breaches, including:

  • the facts surrounding the breach;
  • the effects of the breach; and
  • the remedies for ensuring confidentiality and integrity.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Regarding personal data breaches, if processed personal data is obtained by other persons unlawfully, the data controller must inform the relevant person and the Personal Data Protection Board as soon as possible.

In the electronic telecoms sector, the Draft Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector provides that in case of a risk of a personal data or network security breach, the operator must inform its users and the Information and Communication Technologies Authority without undue delay.

Are companies required to report cybercrime threats, attacks and breaches publicly?

The Personal Data Protection Board may announce a breach of personal data on its website or by another method that it deems appropriate.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

Crime or offence and sanction under the Criminal Code:

  • unlawful or unauthorised access to information systems: up to one year’s imprisonment;
  • blocking or destroying an information system, or altering or destroying data: one to five years’ imprisonment;
  • improper use of bank or credit cards: three to six years’ imprisonment; and
  • creating or assembling devices, software, passwords or other security codes to commit the abovementioned crimes, or producing, importing, delivering, transporting, storing, accepting, selling, supplying, purchasing or carrying the same: one to three years’ imprisonment.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Excluding sector-specific regulations, under the Law on the Protection of Personal Data, non-compliance with the data security obligations is subject to a monetary fine of between TL15,000 and TL1 million.