Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Pursuant to Article 4 of the Law on the Protection of Personal Data, personal data must be:

  • processed in conformity with the law and good faith;
  • accurate and up to date where necessary;
  • processed for specified, explicit and legitimate purposes;
  • relevant, limited and proportionate to what is necessary in relation to the purposes for which it is processed; and
  • stored for the period stipulated by the relevant legislation or necessary to the purposes for which it is processed.

With regard to information provision obligations, data controllers must provide data subjects with the following information when the personal data is collected:

  • the identity of the data controller and its representative (if any);
  • the purpose for processing the personal data;
  • any purposes for transferring the personal data and the persons to which it may be transferred;
  • the method and legal reasons for collecting the personal data; and
  • the data subjects’ rights under Article 11 of the Law on the Protection of Personal Data.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The Law on the Protection of Personal Data provides a general obligation for data controllers in relation to deletion, destruction and anonymisation. Pursuant to the Regulation on Deletion, Destruction and Anonymisation of Personal Data published in the Official Gazette 30224 on October 28 2017, which will enter into force on January 1 2018, if the conditions for lawful processing specified under Articles 5 and 6 of the law no longer exist, personal data must be deleted, destroyed or anonymised by the data controller ex officio or on request of the data subject.

With regard to retention of records, data controllers must register with the data controllers’ registry and draft a personal data retention and destruction policy, which includes:

  • the purpose of the personal data retention and destruction policy;
  • the data processing medium;
  • definitions of legal and technical terms;
  • explanations relating to the legal, technical or other reasons requiring retention and destruction of personal data;
  • the technical and administrative measures adopted for the purposes of ensuring the secure retention of personal data and preventing personal data from being processed or accessed unlawfully;
  • the technical and administrative measures adopted for the purposes of ensuring the lawful destruction of personal data;
  • the titles, departments and job descriptions of those participating in the retention and destruction of personal data;
  • a table indicating the retention and destruction periods;
  • amendments to the existing personal data retention and destruction policy (if any); and
  • the timeframe for periodic destruction, which can be a maximum of six months.

Data controllers must keep all records in relation to the deletion, destruction or anonymisation of personal data for a minimum period of three years.

Do individuals have a right to access personal information about them that is held by an organisation?

Pursuant to Article 11 of the Law on the Protection of Personal Data, data subjects have the right to:

  • know whether their personal data has been processed and, if it has been processed, to be informed of:
    • its details;
    • the purpose for its processing and whether it has been used appropriately for its purpose; and
    • the names of the third parties to which it has been transferred, whether in Turkey or abroad;
  • require correction of the data if it is incomplete or inaccurate, deletion or destruction of the data within the conditions stipulated in the relevant legislation and notification of the correction, deletion or destruction of data that has been transferred to third parties;
  • object to a possible outcome which may be disadvantageous for the data subject’s interest as a result of analysis of the processed data made exclusively via automated systems; and
  • claim damages in the event that the data subject has suffered damages due to his or her data being processed in violation of data protection laws.

Data subjects have the right to request only information relating to their personal data, rather than direct access to the data (eg, online or on the data controller’s premises).

Do individuals have a right to request deletion of their data?

Yes. In accordance with the Regulation on Deletion, Destruction and Anonymisation of Personal Data, data subjects may request the deletion of their personal data. In such cases, the data controller must delete, destroy or anonymise the relevant personal data within 30 days if the conditions for lawful processing cease to exist. The data controller can choose between the deletion, destruction or anonymisation methods. However, if any condition for lawful processing is in place, the data controller may reject the deletion request by indicating grounds for refusal.

Further, in accordance with the Law on the Protection of Personal Data, data subjects have no right to data portability as provided in the General Data Protection Regulation.

Consent obligations

Is consent required before processing personal data?

Yes. Personal data may be legitimately processed if the data subject’s explicit consent is obtained. Nonetheless, the Law on the Protection of Personal Data regulates exceptions to this requirement.

If consent is not provided, are there other circumstances in which data processing is permitted?

Personal data may be legitimately processed if:

  • it is expressly permitted by law;
  • it is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of consenting;
  • it is necessary for, and directly related to, the execution or performance of a contract to which the data subject is a party;
  • it is necessary for compliance with a legal obligation which the controller is subject to;
  • the relevant information is revealed to the public by the data subject;
  • it is necessary for the establishment, usage or protection of a right; or
  • it is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

What information must be provided to individuals when personal data is collected?

Data controllers must provide data subjects with the following information when their personal data is collected:

  • the identity of the data controller and its representative (if any);
  • the purpose for processing the personal data;
  • any purposes for transferring the data and the persons to which it may be transferred;
  • the method and legal reasons for collecting the personal data; and
  • the data subjects’ rights under Article 11 of the Law on the Protection of Personal Data.
