Data protection

The Data Protection Law provides the guidelines, in line with the constitutional principles protecting privacy and confidentiality of personal life, applicable to the processing of personal data.

The Data Protection Law, modelled after European Union practices, is applicable to any entity that processes any kind of personal data for any reason. For the purposes of the Data Protection Law, "processing of personal data" means obtaining, recording, storing, retaining, changing, re-arranging, disclosing, conveying, acquiring, making available or categorizing the data as well as blocking its usage. Data may not be "processed" without the data subject's explicit consent and must be collected for a specific and legitimate purpose, be relevant and not disproportionate to the purpose of processing, and be processed in accordance with the general principles set by the Data Protection Law. Where such legitimate purpose ceases to exist and processing of data is no longer required, data controllers must erase, destroy or anonymize the stored data, either ex officio or upon request.

The Data Protection Board, the ultimate authority responsible for enforcing the Data Protection Law and resolving complaints against data controllers arising out of alleged breaches of the Data Protection Law, has clarified that explicit consent must be sufficiently informative in nature and, for example, not be obscured in a lengthy text on the data processor's confidentiality notice. Further, the Data Protection Board has clarified in its decisions that "opt-out" modes of obtaining consent, whereby the data subject is automatically and by default presumed to have consented to data processing, violate the Data Protection Law and that an "opt-in" mode of obtaining consent must be adopted.

There are certain limited exceptions to the consent requirement, especially if:

  • processing of such data is explicitly required by law;
  • processing is required to protect the life of the owner or a third party, if the owner of the data is physically or legally incapable of providing consent;
  • processing is directly related to the execution or performance of a contract, in which case only the personal data of the parties may be processed;
  • processing is required for the data controller to fulfill his/her own legal obligations;
  • such personal data was previously made public by the owner;
  • processing is necessary to establish, use or protect a right;
  • to the extent that processing does not harm the rights of the data owner, processing is required for the legitimate benefit of the data controller.

The Data Protection Law classifies certain data as "sensitive." These are data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect and other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal record and biometric and genetic features. These types of data must be processed with the data subject's explicit consent or if allowed by law. Within the category of sensitive data, the Data Protection Law provides further protections for special data relating to health and sexual life. These data may only be processed if the data subject provides explicit consent or if required by law for a limited set of purposes, including safeguarding public health and carrying out healthcare activities.

The transfer of data is subject to the same rules and exceptions as the processing of data; however, further restrictions apply if data will be transferred abroad. To transfer data outside of Turkey, either the data subject's consent must be obtained directly, or one of the exceptions to the consent requirement must exist and (i) the country to which the data will be transferred must offer an adequate level of protection, or (ii) the transferring data controller in Turkey must conclude an agreement with the data importer to impose an adequate level of protection for the personal data. This agreement must contain the minimum required content announced by the Data Protection Board and must be submitted to, and approved by, the Data Protection Board. In relation to condition (i) above, the Data Protection Board is expected to announce the whitelisted countries, approved as having an adequate level of protection.

Under the applicable rules, the data controller must provide, among others, the following information to data subjects, whose personal data is processed:

  • the identity of the data controller and its representative, if any;
  • the purpose of processing;
  • to whom and for what purpose the data will be transferred; and
  • the method of collection of personal data and the legal reason for collection and rights of the data subject.

A data processor (veri işleyen) who processes personal data based on authority given by the data controller is also obliged to inform the data owner about the processing and its reasons.

In the case of unlawful access to personal data (i.e. a data breach), data controllers must notify the Data Protection Board within 72 hours after the incident, using the breach notification form published by the Data Protection Board. Affected data subjects must be notified as soon as reasonably possible.

Data subjects have the right to know if their personal data has been processed and, if so, to request any information related to the processing, usage or storage of the personal data, or persons or entities (in Turkey or abroad) to whom the personal data has been disclosed. The data subject may demand correction of their data or, if there is no longer a need to process such data, its deletion. The data subject may ask for damages due to the illegal or irregular processing of personal data. Data subject information requests from a data controller must be processed within 30 days of the request. As discussed in more detail below, if the data controller fails to respond, rejects the application or provides an unsatisfactory response, the data subject may submit a complaint to the Data Protection Board.

Because data processing is a regulated activity, data processors are required to register with the Data Controllers' Registry or VERBİS, a publicly available database kept by the Data Protection Board. Unless exempt from the requirement, all data controllers (individuals, as well as domestic or foreign legal entities) who process personal data pursuant to the Data Protection Law must be recorded with VERBİS prior to processing any personal data.

Turkish legal entities, unless exempt, must register with VERBİS if they employ 50 employees on an annual basis or if their total assets or liabilities stated in the annual balance sheet exceed Turkish Lira 25m. Legal entities that do not fulfill the above requirements but whose main business is processing sensitive personal data must also register with VERBİS. The deadline to register for the first group of legal entities expired on September 30, 2020, while the second group of legal entities may still register until March 31, 2021. This is a one-time registration to be updated as necessary.

When assessing the registration obligation of foreign data controllers, the Data Protection Board has not taken into consideration any criteria such as the number of employees, annual financial statements or the scope of activities. The Data Protection Board has stated that it is required and sufficient that a foreign data controller processes personal data of data subjects resident/located in Turkey and there seems to exist no de minimis threshold for registration. The deadline for registration for foreign data controllers expired on September 30, 2020.

If a data controller becomes subject to the registration requirement after the deadlines listed above (because it comes to fulfil the criteria), it must register with VERBİS within 30 days of fulfilling the criteria.

Exemption from the registration requirement does not relieve data controllers of other duties and obligations under the Data Protection Law.

As the ultimate enforcer of the Data Protection Law, the Data Protection Board may look into allegations of non-compliance either through a complaint lodged by a data subject before it or ex officio. To lodge a complaint before the Data Protection Board, a data subject alleging a violation must first petition the data controller seeking a remedy to the alleged violation. The data controller must adequately respond to the data subject's request within 30 days. Upon receipt of the response, the data subject has the right to lodge a complaint before the Data Protection Board within 30 days. Data subjects must therefore contact their data controllers before petitioning the Data Protection Board.

The Data Protection Board has a diverse array of powers in its arsenal to ensure compliance with the Data Protection Law. These range from issuing administrative fines to non-compliant data controllers to making requests that data controllers revise their relevant texts and notifications relating to data processing. If the Data Protection Board considers that the facts of the case trigger criminal responsibility, it will also inform relevant government bodies (e.g. prosecutors and other investigative authorities as the case may be). Below is a table summarizing the most commonly issued administrative fines by the Data Protection Board with the corresponding offenses:

Offense                                            Administrative fine
Failure to comply with information obligations     up to Turkish Lira 196,686
Failure to take measures to safeguard data         up to Turkish Lira 1,966,862
Failure to comply with the Board's decisions       up to Turkish Lira 1,966,862

Despite these extensive powers, the Data Protection Board has ruled on numerous occasions that it is not in a position to, nor authorized to, award damages to data subjects. It therefore refers the aggrieved party to general courts for damage claims.

Since non-compliance with the Data Protection Law may simultaneously violate rights of personhood protected by the Civil Code, data subjects who allege a violation of such rights may pursue damages or other restitution requests provided in the Civil Code through general courts, independent of any complaint they may or may not have lodged before the Data Protection Board.

Once the Data Protection Board issues a decision imposing an administrative fine, the decision may be taken before a criminal court for review within 15 days. The criminal court may affirm the fine, reject it altogether or alter the amount.