Protection of Personal Data in Turkey November 14, 2018 – Posted in: Blog

Protection of Personal Data in Turkey

With the entry into force on April 7, 2016 of the new Law on the Protection of Personal Data (LPPD) no. 6698, Turkey has signalled its sincerity in conforming to European standards in online and offline data privacy and the protection of the personal data of individuals.

This Law sets out the conditions for the processing, transfer, anonymization and deletion of the personal data of individuals. It also makes a distinction between regular and special personal data, the latter of which are subject to stricter scrutiny. Special personal data are those pertaining to the ethnicity, race, political- philosophical- and religious beliefs, clothing and costume, trade union or association membership, health, sexual life, criminal and security record, and biometric and genetic information of the individual. In this regard, the legislation closely mirrors the EU General Data Protection Regulation (GDPR).

The general principles governing the processing of personal data are as follows:

  • Legitimacy;
  • The use of correct and up-to-date data;
  • The pursuing of clear, open and legitimate interests;
  • Relevance, limitation and proportionality to the purpose of processing; and
  • Storage no longer than the time period prescribed by law or the duration necessary for the purpose of processing.

The processing of personal data relies on the explicit consent of the concerned individual. The exceptions to this rule are listed in LPPD article 5(2). With regard to the processing of special personal data, there are no exceptions to the consent requirement concerning data on health and sexual life. The other categories are subject to the exceptions set forth in art. 6(3) LPPD.

Personal data are to be deleted or anonymized as soon as the legitimate reasons for their processing cease to exist, either by the data controller’s own initiative or upon request by the data subject (owner). Personal data cannot be transferred unless the explicit consent of the data owner is obtained, subject again to the exceptions in article 6(3). The transfer of personal data to another country is also dependent on the data subject’s explicit consent, as well as an evaluation (by the Board for the Protection of Personal Data) of the other country’s data protection scheme as sufficiently advanced.

The Law designates certain roles which echo those set out in the GDPR. The most important of these are the data controller and the data processor. The data controller is the natural or legal person responsible for determining the purposes and tools for the processing of personal data, as well as for establishing and managing the database. The data processor is the natural or legal person that processes personal data with the authorisation, and on behalf of, the data controller. The Law also calls for the establishment of the Institution and Board for the Protection of Personal Data.

The data controller is responsible for enlightening the concerned individual during the collection of personal data regarding the identity of the data controller (or its representative), the purpose of data processing, the possible transfer of personal data to third parties, and the legal basis and method of data collection.

The data controller is also responsible for ensuring the security and safe storage of personal data, including preventing illegal processing and access under art. 12 LPPD. The same article provides for an obligation to inform the concerned individual(s) and the Board for the Protection of Personal Data in case of compromise of personal data. The data controller must carry out inspections to ensure these standards and is jointly responsible with the data processor. The data controller must also register with the Registry of Data Controllers before beginning data processing.

Individuals whose personal data is processed have the right to request information from the data controller regarding the processing of their personal data, its purpose, its legitimacy, whether transfers have been made, and to have incorrect or missing data corrected. In the event that the reply from the data controller is deemed to be insufficient or unsatisfactory (or late), the individual can file a complaint with the Board for the Protection of Personal Data. The Board can then determine whether a violation has been made, and order the remedying of illegalities. It can also decide to halt the processing or transfer of personal data.

The Law sets out fines and sanctions for non-compliance with its provisions. These include two criminal offences under the Turkish Penal Code (TPC) relating to crimes involving personal data (art. 135-140 TPC), as well as failure to delete or anonymize personal data (art. 138 TPC). The administrative fines are as follows:

  • 5000-100.000 TL for failing to comply with the obligation to enlighten under art. 10 LPPD;
  • 15.000-1.000.000 TL for failing to comply with the obligation to ensure data security under art. 12 LPPD;
  • 25.000-1.000.000 TL for failing to comply with Board decisions under art. 15 LPPD; and
  • 20.000-1.000.000 TL for failing to register with the Registry of Data Controllers and for failing to comply with the obligation to inform under art. 16 LPPD.

In practical terms, in order to comply with the obligations set out in the Law on the Protection of Personal Data, a company will have to designate a data controller/processor and draft a number of documents, including those pertaining to the personal data processing policy, the enlightenment of the data subject, the declaration of express consent (including on the website), the application form, as well as the privacy declaration to be signed by employees who are to process personal data.

The employees themselves are entitled to data protection and must also sign an explicit consent form regarding the processing of their personal data. This also applies to anyone who submits a job application to the company, whose personal data must be deleted in case of an unsuccessful application. The employer has the same obligations towards its employees as its data subjects, namely data privacy, explicit consent, enlightenment, the right to request information, deletion and anonymization of personal data.

It should also be noted that by virtue of its territorial scope, the EU GDPR will also apply to data controllers and processors located in Turkey that process the personal data of data subject located in the EU where the processing activities concern the offering of goods or services (with or without payment) and the monitoring of behaviour taking place within the EU.