New Data Protection Law Turkey April 2016-Update 7th October Compliance Deadline

Data Protection Turkey


As of 7 October 2016, the Data Protection Law shall be fully effective. The six-months compliance period for companies expires on 7th October 2016.

The Law on the Protection of Personal Data (“Data Protection Law”) has been published on the Official Gazette on 7 April 2016. Although the majority of the provisions of this Act became effective immediately, the law making authority made an exception for the provisions that are harder to comply with by allowing a transition period to comply. These are related to transfer of personal data, rights of the data subject, data controllers’ registry, administrative fines, and criminal penalties. Accordingly, these provisions including the fines and penalties will become effective as of 7 October 2016.

We suggest companies full compliance with the Data Protection Law, considering both the heavy administrative fines amounting between TRY 5.000 to TRY 1.000.000 and criminal penalties that may lead to imprisonment between 1 to 4.5 years.

The Law 

The Law on the Protection of Personal Data in Turkey, partially entered into effect and was officially published on April 7th 2016. The Data Protection Law adopts a broadly European model for data protection and helps clarify key aspects of the regulation of personal data under Turkish law. It is an important introduction as no formal or clarified Data Protection Law had existed previously. The Law will affect any company that conducts business in Turkey or collects the personal data of customers, employees, or other individuals located in Turkey.

Overview of the New Data Protection Law

The Data Protection Law applies to the “personal data” of natural persons where that personal data is processed “wholly or partly by automatic means,” and to non-automatic processing of personal data “which form part of a filing system.”  “Personal data” means “any information relating to an identified or identifiable natural person.” The concept of a “filing system” is not expressly defined in the law, which may pose difficulties for companies in determining whether their paper records are within scope.

The Law distinguishes personal data, meaning information relating to an identified or identifiable person from sensitive or special data and makes sensitive data subject to additional protections. The Turkish definition of sensitive data is in line with and set out in the EU Directive and includes information such as racial or ethnic origin, political opinion, union membership. However, the law also distinguishes a person’s appearance as sensitive data and data regarding health or sex life, which can only be processed for the purposes of protection of public health, preventive medicine, medical diagnosis, conducting of nursing services, planning of the health services and financing by persons who are under the obligation of confidentiality or authorized institutions and organizations.

Both personal and sensitive data may not be processed without the data subject’s “explicit consent”, this is defined as freely given, specific or informed consent.  Data may be processed without “explicit consent” subject to limited conditions, including where necessary to perform a contract to which the data subject is a party, to comply with a legal obligation of the data controller, or for the purposes of the “legitimate interests” of the data controller.

The General Principles of the Law are that personal data should be:

  • Processed fairly and lawfully,
  • To be accurate and kept up-to-date.
  • To be processed only for a specific, explicit and legitimate purposes,
  • Limited, relevant and proportional to the purposes for which they are processed
  • Only to be kept for the necessary purpose for which the data are processed and duration foreseen under the relevant legislation.

The law also creates a distinction between data controllers and data processors, and assigns certain responsibilities accordingly. Data controllers must register with Turkey’s Data Protection Registry, which will be established by October 7 of this year.

  • The data controller must provide notice to each subject regarding the collection, use, and transfer of their personal data.
  • Data subject have the right to access and correct the information collected and to demand further information from the data controller, including “the third party recipients to whom the data is shared within the Turkey or abroad.”
  • Data subjects may “demand compensation” for damages suffered as a result of unlawful processing.
  • Data controllers must take security measures to prevent unlawful processing or access to data, including “necessary audits” to ensure compliance.
  • If personal data is obtained by third parties illegally a notification must be made to the data subject and the DPA, with immediate effect.
  • The law creates a distinction between data controllers and data processors, and assigns certain responsibilities accordingly. Data controllers must register with Turkey’s Data Protection Registry, which will be established by October 7 of this year.

Additional requirements outlined within the Data Protection Law include:

Erasure, Destruction, or Anonymisation of Personal Data

The Data Protection Law includes a provision expressly requiring the erasure, destruction, or anonymization of personal data once the purpose for its collection has expired, and Infringements are specifically punishable and are designated a criminal offence. The law provides for the adoption of secondary legislation regarding these requirements.

 Transfers of Personal Data

Transfers of personal data to third parties or outside of Turkey require the explicit consent of the data subject.  Although, personal data may be transferred to third parties or transferred abroad under the same limited conditions to consent that apply to processing as outlined above i.e.; to perform a contract to which the data subject.

However, for transfers of data abroad without explicit consent, additional conditions apply:

The country to which the transfer is made must provide sufficient protection as determined and announced by the Board of the Personal Data Protection Authority (“DPA”).

The transfer may be authorized by the Board where the data controllers involved “undertake sufficient protection of the data to be transferred in writing pre transfer” where “the interests of Turkey or the data subject may be seriously harmed,” personal data may only be transferred abroad with the Board’s permission.

The DPA and its Board are provided within the Law although as yet are not in place. The data transfer provisions of the Data Protection Law, subsequently will not enter into force until six months after publication of the law.

Violators of the New Law can receive fines of up to 1 million Turkish Lira as well as imprisonment.  The law entered into force upon its publication, although entry into force and enforcement of certain articles including, registration and transfers, have been given a transition period for data processing currently under way until October this year.

The new Data Protection Law appears to stick with Turkey’s continued commitment to inline itself with current EU regulation and we shall see how the provisions set out within the Law will be interpreted and enforced. In the meantime, it is important for any company with Turkish business and those currently with cross-border ties start to align their business practices, within the scope of the new law before October 2016. This will help companies to avoid any possible fines or punishments, that may be given for breaking the country’s new Data Protection and Privacy Law.

For Legal advice company training and support, contact us to book an appointment here KILIC & Partners International Law Firm