Data protection legislation

While Turkey has certain sector-specific regulations, it does not yet have dedicated data protection legislation. However, it has signed the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe(1) and has developed the Draft Law on the Protection of Personal Data, both of which are awaiting ratification.

On August 1 2014 the convention was sent to the Grand National Assembly as a draft law for ratification. This is a significant step in establishing legal grounds for data protection in Turkey.

Turkey has signed the convention with certain declarations and, as per Article 2 of the draft law on ratification of the convention, the convention will be effective from the date of its publication in the Official Gazette.

Under Article 3 of the convention, Turkey has declared that the convention will not apply to:

  • the automatic processing of personal data realised by natural persons exclusively for their personal use;
  • public registers specifically regulated by Turkish law;
  • data that is available to the general public in accordance with the law; and
  • personal data which is processed by public institutions for the purposes of national security, defence and the investigation and prevention of crime.

Turkey has also declared that the convention will apply to personal data which is not processed automatically.

Draft law versus EU Data Protection Directive

The draft law has been drawn up in accordance with EU data protection legislation, especially EU Directive 95/46/EC, as part of the accession process, and has been awaiting ratification since 2007.

The preamble of the draft law adopts the same principles for processing and controlling personal data as the opinion of the EU data protection authorities on the Internet of Things (IoT), adopted at the plenary meeting of the Article 29 Working Party (WP29) on September 16 and 17 2014. The opinion explains how stakeholders can implement a sustainable IoT in compliance with the EU data protection legal framework. It also stresses that the EU framework is fully applicable to the processing of personal data in the IoT ecosystem.(2)

Considering that the WP29's opinion is specifically on the IoT, this shared approach is encouraging. However, the definition of 'personal data' in the draft law differs significantly from that in the directive.

The draft law defines 'personal data' as "any data relating to an identified or identifiable real or legal person". This broad definition deviates from the principle of proportionality adopted by Recital 26 of the directive,(3) which provides that:

"personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

This difference in approach to the regulation of personal data can be seen clearly when the two definitions are compared. The draft law emphasises the data with the word 'any', while the directive clearly indicates what this means. In the context of the IoT, an individual can be identified based on data collected. Therefore, the draft law's broad definition might help in establishing stronger protection of personal data originating from the IoT.

The WP29 stresses the importance of the directive's approach on the applicable law. This is emphasised in Article 4, which provides that even when an IoT stakeholder that qualifies as a data controller under the directive is not established in the European Union (whether involved in the development, distribution or operation of IoT devices), it is still likely to be subject to EU law, insofar as it processes data collected through the equipment of users in the European Union. The WP29 points out that the term 'equipment' is inclusive enough for Article 4 to apply to any object that is used to collect and process an individual's data in the context of the provision of services in the IoT.

The draft law mentions this approach only in its preamble, stating that the term 'data representative' is preferred throughout the draft law in accordance with Article 4 of the directive in terms of data collected through equipment in an EU member state. However, this term is not defined under the draft law; nor does any specific article refer to these issues.

The WP29 further indicates in its opinion that concepts such as 'data controller' and 'data processor' are central to the application of the directive. The directive defines 'data controller' as:

"the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law."

The draft law defines 'data controller' as the 'database owner' – that is, the natural or legal person who defines the aims and methods of processing personal data, individually or with third parties.

Under the directive, 'data processor' "shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller". While the definition in the draft law seems almost identical at first glance, one significant difference is the exclusion of public authorities, agencies and any other bodies from the definition.

The WP29 stresses the importance of including the relationship between data controllers and processors with the respective definitions to ensure that personal data is protected in the event of the combined intervention of multiple stakeholders in the IoT environment. However, this relationship is also reflected in the respective definitions in the draft law. A narrow definition regarding data controllers as database owners may exclude certain IoT stakeholders – such as device manufacturers, device lenders or renters – from the protection of the draft law.


The opinion adopted by the WP29 on the IoT should urge the Turkish legislature to re-evaluate the draft law in the context of the IoT. While the differences between the draft law and the directive may seem subtle, considering that the WP29 repeatedly focuses on the importance of specific provisions of the directive which require attention in terms of IoT, the draft law needs some revision to mould an encouraging and empowering legal landscape for IoT stakeholders, businesses and users alike.

Gönenç Gürkaynak

İlay Yılmaz

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.