Data Protected - Turkey

Contributed by Gen & Temizer | Ozer (Kinstellar Istanbul)

Last updated April 2020

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws

The protection of personal data was introduced as Article 20(3) of the Constitution of the Republic of Turkey, titled Secrecy of Private Life, following the constitutional amendment made in 2010. It entitles every individual to the protection of his/her own personal data, including the right to be informed about his/her personal data, to access his/her personal data, to request correction or deletion thereof and to be informed of whether his/her personal data is used in accordance with a legitimate purpose.

Article 20(3) also provides that the principles and procedures in respect of the protection of personal data shall be regulated under a specific law. Accordingly, Law No. 6698 on Protection of Personal Data was introduced (“PDPL”).

Turkey is also party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and Additional Protocol No. 181 regarding supervisory authorities and transborder data flows. These international treaties have the same effect as domestic laws under the Constitution of the Republic of Turkey.

Entry into force

Article 20(3) of the Constitution of the Republic of Turkey was published in Official Gazette No. 27580 on 13 May 2010 and entered into force on the same date.

The PDPL was published in Official Gazette No. 29677 on 7 April 2016 and partially entered into force on the same date. All the remaining provisions entered into force two years after the publication date.

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data entered into force under Turkish law on 17 March 2016. Additional Protocol No. 181 entered into force under Turkish law on 5 May 2016.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

Turkish Personal Data Protection Authority (the “Authority”)
Nasuh Akar Mahallesi Ziyabey Caddesi

1407 Sokak No:4 06520

Çankaya

Ankara Türkiye

www.kvkk.gov.tr

Notification or registration scheme and timing

Data controllers must register with the Authority before commencing data processing activities.

Exemptions to notification

Some data controllers are exempt from the registration requirement. This includes: (i) professional services entities such as lawyers, notaries, accountants, mediators and customs consultants; (ii) trade unions, associations and foundations; (iii) political parties; (iv) data controllers who only process personal data by non-automated means; and (v) small data controllers whose main activities do not consist of the processing of sensitive personal data, which have fewer than 50 employees and whose annual balance sheet is less than TRY 25 million (EUR 3.5 million).

Certain types of data processing are also exempt from the registration requirement. This includes processing: (i) for the prevention or investigation of a crime; (ii) of personal data made public by the data subject; (iii) for the performance of supervisory, regulatory or disciplinary functions by public authorities or professional bodies; and (iv) for the protection of the economic and financial interests of Turkey related to budgetary, tax and financial matters.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The PDPL does not set forth any rule as to the territorial scope.

However, the decisions of the Authority suggest that the PDPL applies to data processing carried out in Turkey or relating to the data of Turkish citizens. Therefore, even if a controller is not located in Turkey, its data processing activities may fall within the scope of the PDPL if such data or activities are related to Turkey or Turkish citizens.

Is there a concept of a controller and a processor?

Yes. The PDPL uses the GDPR definitions of “data controller” and “data processor”.

Whilst most of the obligations in the PDPL apply to data controllers, data processors are jointly liable for the security of personal data.

Are both manual and electronic records subject to data protection legislation?

Yes. However, for manual records to be subject to the PDPL, they must be processed within a filing system in which personal data is organised according to specific parameters and criteria.

Are there any national derogations?

The PDPL contains exemptions where processing is: (i) by individuals in respect of personal data of their family members living together with them for purely personal purposes provided that it is not to be disclosed to third parties and kept secure; (ii) for official statistics and, provided they are anonymised, for other research, planning and statistical purposes; (iii) for artistic, historical, literary or scientific purposes provided that national security, public order, right to privacy and similar rights are not violated and the process does not constitute a crime; (iv) by intelligence activities to maintain national security, public order or economic security; and (v) by judicial authorities.

_____________________________________________________________________

Personal Data

What is personal data?

Personal data means any information relating to an identified or identifiable real individual.

Is information about legal entities personal data?

No. However, information relating to an individual acting as a representative of a legal entity will be personal data.

What are the rules for processing personal data?

The PDPL imposes general principles that broadly follow the Data Protection Directive and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Personal data must be: (i) processed lawfully and fairly; (ii) accurate and, where necessary, kept up to date; (iii) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (iv) relevant, limited and proportionate to the purposes for which they are processed; and (v) retained for no longer than is necessary for the purposes of the processing.

In addition to this, the processing of personal data must have a legal basis. The primary basis is the explicit consent of the data subject. However, it is not necessary to obtain explicit consent where the processing: (i) is explicitly provided for by law; (ii) is necessary for the protection of life or physical integrity and the individual cannot provide consent; (iii) relates to the personal data of the parties to an agreement and is directly related to the conclusion and/or fulfilment of the agreement; (iv) is mandatory for the data controller to fulfil its legal obligations; (v) concerns data made manifestly public by the data subject; (vi) is necessary for the establishment, exercise or protection of a right; or (vii) is required for the legitimate interests of the data controller and does not violate the fundamental rights and freedoms of the data subjects.

Are there any formalities to obtain consent to process personal data?

Explicit consent must be: (i) related to a specified activity; (ii) based on adequate information; and (iii) be freely given. According to the guidelines issued by the Authority, explicit consent must include “positive declaration of intention”.

Explicit consent may be obtained through any means and it is not mandatory to obtain explicit consent in writing. However, there should be a clear evidential record of consent (e.g. keeping log records).

Are there any special rules when processing personal data about children?

The PDPL does not include special rules regarding the personal data of children.

Are there any special rules when processing personal data about employees?

The PDPL does not provide any specific rules for the processing of personal data of employees. However, as stated above, explicit consent of the data subject is not needed if the processing of personal data is permitted by law. The Labour Code requires employers to keep a personnel file for each employee during the employment term. The personnel file must contain a copy of the employee's identity card, diploma, resume, employment contract, social security documents, certificate of residency, performance assessment reports, health reports and any other employment-related document. Therefore, processing of such employee data does not require explicit consent.

Pursuant to social security legislation, employers must retain personnel files for 10 years from the termination of employment. Under the occupational health and safety law, files concerning the health and safety of the employee must be retained for 15 years. Such documents contain special categories of personal data and must be kept by the workplace doctors, with access restricted for other personnel, and must not be processed for any purpose other than the requirements of the employment relationship.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, information relating to health, sexual life, convictions and security measures, and biometric and genetic data are deemed to be sensitive. These categories are exhaustively listed in the law.

The reason “clothing” is treated as sensitive personal data is that the clothing preferences of individuals may be based on their beliefs and local traditions (e.g. wearing a hijab or growing a beard), and processing such data may expose the data subject to discrimination or other unequal treatment.

Are there additional rules for processing sensitive personal data?

The main basis for the processing of sensitive personal data is that the data subject has given explicit consent.

However, sensitive personal data (other than data relating to health and sexual life) can also be processed where explicitly set out by law.

Data relating to health and sexual life may only be processed by persons under an obligation of confidentiality or by authorised institutions and establishments for health care purposes.

Are there additional rules for processing information about criminal offences?

Information about criminal convictions is treated in the same way as sensitive personal data (see above).

Are there any formalities to obtain consent to process sensitive personal data?

The same rules apply as for non-sensitive personal data (see above).

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

A contact person must be appointed if the controller is a legal entity located in Turkey and is not exempt from registration with the Authority (see above).

Additionally, if the controller is not located in Turkey, it must appoint a representative who must be either a Turkish legal entity or Turkish citizen.

What are the duties of a data protection officer?

The data controller’s contact person or representative is responsible for managing communications with the Authority and data subjects. Data controllers remain liable for compliance with the PDPL regardless of the appointment of a contact person or a representative.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

There is no general accountability obligation, save in respect of data security where data controllers must conduct, or arrange, data security audits.

Are privacy impact assessments mandatory?

The PDPL does not directly impose an obligation to carry out privacy impact assessments.

However, the Authority’s guidance on data security sets out a wide range of recommended measures and, while privacy impact assessments are not mandatory, lists them as a recommended administrative measure for ensuring data security.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Before processing personal data, the data controller must inform data subjects of: (i) the identity of the controller; (ii) the purposes of the data processing; (iii) the recipients to whom the data may be transferred, and the purpose of the transfer; (iv) the methods of and legal basis for the collection of the personal data; and (v) the data subject’s rights.

Rights to access information

Data subjects can ask a data controller if their personal data is being processed and for details of the third parties to whom their personal data has been transferred.

Data subjects can exercise their rights by contacting the data controller by post or using e-mail with an electronic signature.

Rights to data portability

The PDPL does not include a right to data portability.

Right to be forgotten

Data subjects are entitled to request erasure or destruction of their personal data where the reasons for processing no longer exist or explicit consent is withdrawn.

In a number of cases, the Turkish Constitutional Court has also acknowledged that individuals have a right to be forgotten within the scope of their constitutional right to secrecy of their private lives.

Objection to direct marketing

Whilst the PDPL does not directly refer to direct marketing and profiling, data subjects can always revoke their explicit consent.

This would act as an objection to marketing and profiling unless the controller can show that one of the other legal bases for processing applies (see above).

Other rights

The data subject can request the rectification of incomplete or inaccurate personal data. Data subjects can also object to decisions made about them arising from processing through exclusively automated systems.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

Data controllers must take all necessary technical and organisational measures to provide reasonable levels of security for the purposes of preventing the unlawful processing of, and unlawful access to, personal data, and ensuring personal data is kept securely.

Specific rules governing processing by third party agents (processors)

There is no specific rule regarding data controllers engaging data processors, beyond the fact that controllers and processors are jointly liable for the security of personal data.

The PDPL does not directly require controllers to enter into a contract with their processors. However, the Authority’s guidance on data security recommends entering into a contract with the persons to whom the personal data is transferred as part of the administrative measures for data security.

Notice of breach laws

The data controller must promptly contact the data subject and notify the Authority in case of a breach of data security. The Authority may announce such breaches on its website.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

A data controller may transfer personal data to a third country if: (i) the data subject has given explicit consent; (ii) the third country provides adequate protection for the personal data; or (iii) both the importing and exporting data controllers give written undertaking to adequately protect that data and obtain an approval from the executive branch of the Authority.

The Authority is responsible for identifying which countries provide adequate protection. However, the Authority has not yet announced a list of such countries. Instead, it has published a list of criteria for practitioners to make the assessment themselves. The list includes a range of criteria, such as whether the third country has a law on personal data protection and whether it has a data protection authority.

Notification and approval of national regulator (including notification of use of Model Contracts)

Notification and approval of the Authority is only required as set out above, i.e. where the data controller wants to transfer personal data to a third country which does not provide an adequate level of protection (and the data subject has not provided explicit consent).

Use of binding corporate rules

Whilst the PDPL does not have a provision on binding corporate rules, multinational companies with affiliates in countries which do not provide adequate protection must use binding corporate rules as the undertaking required for the transfer of personal data in their applications for authorisation from the Authority, if they transfer personal data to affiliates in those countries.

_____________________________________________________________________

Enforcement

Fines

Breach of the PDPL or a decision issued by the Authority can result in an administrative fine of between TRY 5,000 (EUR 700) and TRY 1,000,000 (EUR 150,000) depending on the nature, amount and consequences of the breach.

Imprisonment

The Turkish Penal Code No. 5237, published in Official Gazette No. 25611 on October 12, 2004, introduces a range of crimes. These are: (i) violation of the secrecy of communication, which can be punished with one to five years of imprisonment; (ii) wiretapping, which can be punished with two to five years of imprisonment; (iii) violation of the secrecy of private life, which can be punished with one to three years of imprisonment (doubled where the violation is by means of visual or audio recording); (iv) illegal recording of personal data, which can be punished with one to three years of imprisonment (if the subject matter relates to certain types of sensitive personal data, the punishment is increased by 50 per cent); (v) unlawful collection or transfer of personal data, which can be punished with two to four years of imprisonment; and (vi) breach of the requirement to destroy personal data, which can be punished with one to two years of imprisonment.

Compensation

Data subjects are entitled to be compensated for their losses arising from a breach of the PDPL or other laws governing the protection of personal data. Compensation will be payable by the controller and/or the processor in accordance with the general principles of civil law.

Other powers

The Authority has a range of other powers to: (i) issue regulations and communiqués for implementation of the PDPL; (ii) examine complaints and implement sanctions; and (iii) investigate whether the personal data is processed in compliance with the law ex officio or upon a complaint and take temporary measures where necessary.

Practice

According to the 2018 Annual Report published by the Authority, the Authority examined 310 matters brought before it in respect of compliance with the PDPL. 122 of the 310 files have been concluded. The Authority imposed administrative fines in eight inspections, amounting to TRY 870,000 (EUR 130,000) in total.

Whilst the 2019 Annual Report has not yet been published, the Authority published 39 decisions on its website in 2019. The Authority imposed administrative fines in 19 of the 39 decisions, amounting to TRY 8.4 million (EUR 1.2 million) in total.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The Regulation on Commercial Communication and Commercial Electronic Messages published in Official Gazette No. 29417 on July 15, 2015 (“Commercial Message Regulation”) regulates the sending of electronic direct marketing.

Law No. 6563 on the Regulation of Electronic Commerce, published in Official Gazette No. 29166 on November 5, 2014, provides (without details) that personal data may not be transferred to third parties or used for any other purpose without the approval of the data subject.

_____________________________________________________________________

Cookies

Conditions for use of cookies

The PDPL does not specifically refer to cookies. However, it is widely accepted that cookies are considered to contain personal data where they are able to identify an individual, and are thus subject to the PDPL.

Regulatory guidance on the use of cookies

N/A.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Commercial Message Regulation requires the approval of the receiver of any commercial electronic message.

In addition, sending an e-mail to an individual for marketing purposes is a form of personal data processing and is thus subject to the PDPL, meaning that the explicit consent of the data subject (or another legal basis) is necessary.

Conditions for direct marketing by e-mail to corporate subscribers

The Commercial Message Regulation permits marketing e-mails to corporate subscribers unless they have objected to those messages.

Exemptions and other issues

The Commercial Message Regulation allows an electronic message to be sent without the approval of the recipient where the message: (i) relates to the change, use or maintenance of goods and services, and the recipient has given its details for that purpose; (ii) relates to a continuing subscription, debt collection, updates or the notification of a purchase or delivery; (iii) is sent due to a legal requirement; or (iv) is an information update sent by brokerage companies in capital markets to their customers.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The same rules apply as for Marketing by E-mail.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The same rules apply as for Marketing by E-mail.

Exemptions and other issues

The same rules apply as for Marketing by E-mail.

_____________________________________________________________________