Recently a draft law on the Protection of Personal Data (“Law”) was put before the Grand Assembly in January 2016 and we understand that it is likely to be passed as legislation within the coming months.

The Law is very similar to EU data protection laws including that personal data can only be processed with the explicit consent of the data subject.

There are EU style exemptions from consent including contractual necessity and legitimate interest, and the definitions in the Law are similar to those in the EU Data Protection Directive (95/46/EC).

A data protection authority will be created 6 months following implementation of the Law and a register of data controllers will be set up as registration of data controllers will be mandatory.

It is proposed that after the Law is passed data controllers will have a transition period of 2 years to bring prior processing activities into compliance. However new processing activities will immediately be subject to the requirements of the Law.

The Law addresses international transfers of data indicating that explicit consent must be obtained and that transfers to foreign countries can only take place where the recipient company is deemed “adequate” by the Turkish Data Protection Authority.

It is anticipated that businesses in Turkey will need to implement EU style compliance policies and procedures once the Law is passed.