The Data Protection Law provides the guidelines, in line with the constitutional principles protecting privacy and confidentiality of personal life, applicable to the processing of personal data by any entity.
The Data Protection Law, modelled after European Union practices, is applicable to any entity that processes any kind of personal data for any reason. For the purposes of the law, “processing of personal data” means obtaining, recording, storing, retaining, changing, re-arranging, disclosing, conveying, acquiring, making available or categorizing the data as well as blocking its usage. Data may not be “processed” without the data owner’s consent and must be collected for a specific and legitimate purpose, be relevant and not disproportionate to the purpose of processing, and be processed in accordance with the general principles set by the law. Processors are obliged to inform the data owner about the processing and the reasons therefor. Where such legitimate purpose ceases to exist and processing of data is no longer required, data controllers must erase, destroy or anonymize the stored data, either ex officio or upon request.
There are certain limited exceptions to the consent requirement as follows:
- Processing of such data is explicitly required by law;
- Processing is required to protect the life of the owner or a third party if the owner of the data is physically or legally incapable of providing consent;
- Processing is directly related to the execution or performance of a contract in which case only the personal data of the parties may be processed;
- Processing is required for the data controller to fulfill its own legal obligations;
- Such personal data was previously made public by the owner;
- Processing is necessary to establish, use or protect a right;
- To the extent that processing does not harm the rights of the data owner, processing is required for the legitimate benefit of the data controller.
The transfer of data is subject to the same rules and exceptions as the processing of data; however, further restrictions apply if data will be transferred abroad. To transfer data outside of Turkey, either the data subject’s consent must directly be obtained or one of the exceptions to the consent requirement must exist and (i) the country to where the data will be transferred must offer an adequate level of protection, or (ii) the data controller in Turkey must conclude an agreement with the data importer to impose an adequate level of protection for the personal data. This agreement must contain the minimum required content announced by the Data Protection Board and must be submitted to, and approved by, the Board. In relation to condition (i) above, the Board is expected to announce the whitelisted countries, approved as having an adequate level of protection.
In the case of an unlawful access to personal data (data breach), data controllers must notify the Data Protection Board within seventy-two hours after the incident using the breach notification form published by the Board. Affected data subjects must be notified as soon as reasonably possible.
Data subjects have the right to know if their personal data has been processed and, if so, to request any information related to the processing, usage or storage of the personal data, or persons or entities (in Turkey or abroad) to whom the personal data has been disclosed. The data subject may demand correction of their data or, if there is no longer a need to process such data, its deletion. The data subject may ask for damages due to the illegal or irregular processing of personal data. Data subject information requests from a data controller must be processed within 30 days of the request. If the data controller fails to respond, rejects the application or provides an unsatisfactory response, the data subject may submit a complaint to the Data Protection Board.
Because data processing is a regulated activity, data processors are required to register with the Data Protection Board. The Board has the discretion to decide on exemptions to the registration requirement and has announced a list of data controllers, which are exempt from the requirement of registration with the data processors registry. It is important to note that the majority of data controllers, whether resident in or outside of Turkey, will need to register by December 31, 2019. Processing of data in breach of the Data Protection Law may result in administrative fines and/or imprisonment.