Data Protected - Türkiye

Contributed by Gen & Temizer | Ozer (Kinstellar Istanbul)

Last updated February 2024

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The protection of personal data was introduced as Article 20(3) of the Constitution of the Republic of Türkiye, titled Secrecy of Private Life, following the constitutional amendment made in 2010. It entitles every individual to the protection of his/her own personal data, including the right to be informed about his/her personal data, to access his/her personal data, to request correction or deletion thereof and to be informed of whether his/her personal data is used in accordance with a legitimate purpose.

Article 20(3) also provides that the principles and procedures in respect of the protection of personal data shall be regulated under a specific law. Accordingly, Law No. 6698 on Protection of Personal Data was introduced (“PDPL”).

Türkiye is also party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and Additional Protocol No. 181 regarding supervisory authorities and transborder data flows. These international treaties have the same effect as domestic laws under the Constitution of the Republic of Türkiye.

On February 16, 2024, the Draft Law Amending the Code of Criminal Procedure and Certain Laws and Decree Law No. 659 was submitted to the Turkish Grand National Assembly. It includes significant amendments to align the PDPL with the GDPR. In particular, the draft law will: (i) extend the legal bases available to process sensitive data so they are similar to the conditions for processing special category personal data under the GDPR; and (ii) align the rules on transborder data flows to broadly match those in the GDPR, so that it will only exceptionally be necessary to rely on explicit consent.

Entry into force

Article 20(3) of the Constitution of the Republic of Türkiye was published in Official Gazette No. 27580 on 13 May 2010 and entered into force on the same date.

The PDPL was published in Official Gazette No. 29677 on 7 April 2016 and partially entered into force on the same date. All the remaining provisions entered into force two years after the publication date.

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data entered into force under Turkish law on 17 March 2016. Additional Protocol No. 181 entered into force under Turkish law on 5 May 2016.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

Turkish Personal Data Protection Authority (the “Authority”)
Nasuh Akar Mahallesi Ziyabey Caddesi

1407 Sokak No:4 06520

Çankaya 

Ankara Türkiye

www.kvkk.gov.tr

 

Notification or registration scheme and timing

Data controllers must register with the Data Controllers Registry System (“VERBIS”) established and operated by the Authority before commencing data processing activities, and also upload their data inventories to the template of that registry.

Exemptions to notification

Some data controllers are exempt from the registration requirement. This includes: (i) professional services entities such as lawyers, notaries, accountants, mediators and customs consultants; (ii) trade unions, associations and foundations; (iii) political parties; (iv) data controllers who only process personal data by non-automated means; and (v) small data controllers whose main activities do not consist of the processing of sensitive personal data, which have fewer than 50 employees and whose annual balance sheet is less than TRY 100 million (approx. EUR 3 million).

Certain types of data processing are also exempt from the registration requirement. This includes processing: (i) for the prevention or investigation of a crime; (ii) of personal data made public by the data subject; (iii) for the performance of supervisory, regulatory or disciplinary functions by public authorities or professional bodies; and (iv) for the protection of the economic and financial interests of Türkiye related to budgetary, tax and financial matters.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The PDPL does not set forth any rule as to the territorial scope.

However, the decisions of the Authority establish that the PDPL applies to data processing carried out in Türkiye or relating to the data of Turkish citizens or real persons residing in Türkiye. Therefore, even a controller not located in Türkiye may fall within the territorial scope of the PDPL to the extent it processes the personal data of Turkish citizens or real persons residing in Türkiye.

Is there a concept of a controller and a processor?

Yes. The PDPL uses the GDPR definitions of “data controller” and “data processor”.

Whilst most of the obligations in the PDPL apply to data controllers, data processors are jointly liable for the security of personal data.

Are both manual and electronic records subject to data protection legislation?

Yes. However, for manual records to be subject to the PDPL, they must be processed within a filing system in which personal data is organised according to specific parameters and criteria.

Are there any national derogations?

The PDPL contains exemptions where processing is: (i) by individuals in respect of the personal data of family members living with them, for purely personal purposes, provided that the data is not disclosed to third parties and is kept secure; (ii) for official statistics and, provided the data is anonymised, for other research, planning and statistical purposes; (iii) for artistic, historical, literary or scientific purposes, provided that national security, public order, the right to privacy and similar rights are not violated and the processing does not constitute a crime; (iv) for intelligence activities to maintain national security, public order or economic security; and (v) by judicial authorities.

_____________________________________________________________________

Personal Data

What is personal data?

Personal data means any information relating to an identified or identifiable real person.

Is information about legal entities personal data?

No. However, information relating to a real person acting as a representative of a legal entity shall be considered personal data.

What are the rules for processing personal data?

The PDPL imposes general principles that broadly follow the Data Protection Directive and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Personal data must be: (i) processed lawfully and fairly; (ii) accurate and, where necessary, kept up to date; (iii) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (iv) relevant, limited and proportionate to the purposes for which they are processed; and (v) retained for no longer than is necessary for the purposes of the processing.

In addition to this, the processing of personal data must have a legal basis. The primary basis is the explicit consent of the data subject. However, it is not necessary to obtain explicit consent where processing: (i) is explicitly provided for by law; (ii) is necessary for the protection of life or physical integrity and the individual cannot provide consent; (iii) relates to the personal data of the parties to an agreement and is directly related to the conclusion and/or fulfilment of that agreement; (iv) is mandatory for the data controller to fulfil its legal obligations; (v) relates to data made manifestly public by the data subject; (vi) is necessary for the establishment, exercise or protection of a right; or (vii) is required for the legitimate interests of the data controller and does not violate the fundamental rights and freedoms of the data subject.

Are there any formalities to obtain consent to process personal data?

Explicit consent must be: (i) related to a specified activity; (ii) based on adequate information; and (iii) declared by free will. According to the guidelines issued by the Authority, explicit consent must include “positive declaration of intention”.

In this respect, data controllers must apply an opt-in mechanism when obtaining explicit consent, since the silence of the data subject is interpreted as rejection, not acceptance. When the Authority examined Amazon's membership conditions, it decided that presenting all options requiring consent in a “pre-ticked” form violated this requirement. Accordingly, explicit consent is only valid where the person actively demonstrates a declaration of will, not where the person remains silent.

The PDPL does not stipulate any requirement as to the form in which explicit consent must be provided. Accordingly, explicit consent may be obtained by any means, whether orally, in writing or electronically. It should be noted that the burden of proving that explicit consent was obtained lies with the data controller. For this reason, it is important that explicit consent is evidenced, e.g. by keeping log records of when, how and to what the data subject consented.

Are there any special rules when processing personal data about children?

The PDPL does not include special rules regarding the personal data of children.

Are there any special rules when processing personal data about employees?

The PDPL does not provide any specific rules for the processing of the personal data of employees. However, as stated above, the explicit consent of the data subject is not needed where the processing of personal data is provided for by law. The Labour Code requires employers to keep a personnel file for each employee during the employment term. The personnel file must contain a copy of the employee's identity card, diploma, resume, employment contract, social security documents, certificate of residency, performance assessment reports, health reports and any other employment-related document. Therefore, processing such data of the employee does not require explicit consent.

Pursuant to social security legislation, employers must retain personnel files for 10 years from the termination of employment. Under occupational health and safety law, files concerning the health and safety of the employee must be retained for 15 years.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade-unions, information relating to health, sexual life, convictions and security measures, and biometric and genetic data are deemed to be sensitive. These are exhaustively listed in the law.

The reason “clothing” is treated as sensitive personal data is that the clothing preferences of individuals may reflect their beliefs and local traditions (e.g. wearing a hijab or growing a beard), and processing such data may expose the data subject to discrimination or other unequal treatment.

Are there additional rules for processing sensitive personal data?

The main basis for the processing of sensitive personal data is the explicit consent of the data subject. However, sensitive personal data (other than data relating to health and sexual life) may also be processed where explicitly provided for by law. Data relating to health and sexual life may only be processed without the explicit consent of the data subject by persons under an obligation of confidentiality or by authorised institutions and establishments, and only for health care purposes.

Decision No. 2018/10 of the Authority sets out the fundamental principles for the processing and transfer of sensitive personal data. The Authority states that data controllers must take the following measures: (i) create a policy and procedure for the security of sensitive personal data; (ii) provide training to employees involved in the processing of sensitive personal data and ensure they are subject to appropriate confidentiality agreements and access controls; (iii) use appropriate security measures to protect the data, such as encryption and access logging; (iv) ensure the physical environment in which the servers are kept is secure; and (v) ensure that the data is transferred securely, e.g. in encrypted form, using a corporate e-mail address or a Registered Electronic Mail (KEP) account.

As to biometric data, the Guidelines on the Matters to be Taken into Consideration for Processing Biometric Data (“Guidelines on Biometric Data”) set out the fundamental processing principles and the technical and organisational measures required for the processing of biometric data. The principles are as follows: (i) the use must be fair and lawful, so as to be proportionate and not, for example, infringe fundamental rights and freedoms; (ii) records must be kept to demonstrate compliance; (iii) genetic data must not be collected unless strictly necessary; (iv) there must be a specific justification for each type of biometric information collected (e.g. fingerprint, retina); and (v) the retention period must be appropriate.

As to genetic data, the Guideline on the Processing of Genetic Data (“Guidelines on Genetic Data”) issued by the Authority provides a detailed definition of genetic data and outlines the key considerations for its processing. According to the Guidelines on Genetic Data, genetic data is defined as “all or part of the information extracted from the entire DNA, RNA and protein sequence encoded from the genome, cell nucleus or mitochondria of a living organism”. The Guidelines on Genetic Data stipulate that the lawful processing of genetic data under the PDPL requires (i) a legal basis for the processing; and (ii) adherence to the general principles set out in the PDPL.

Are there additional rules for processing information about criminal offences?

Information about criminal convictions is treated in the same way as sensitive personal data (see above).

Are there any formalities to obtain consent to process sensitive personal data?

The same rules apply as for non-sensitive personal data (see above).

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

A contact person must be appointed if the controller is a legal entity located in Türkiye and is not exempt from registration with the Authority (see above).

Additionally, if the controller is not located in Türkiye, it must appoint a representative who must be either a Turkish legal entity or Turkish citizen.

What are the duties of a data protection officer?

The data controller’s contact person or representative is responsible for managing communications with the Authority and data subjects. Data controllers remain liable for compliance with the PDPL regardless of the appointment of a contact person or a representative.

In a communiqué published in the Official Gazette in December 2021, the Authority introduced the concept of controllers appointing a “data protection officer”. In a subsequent announcement, the Authority stated that the data protection officer must be a person with sufficient knowledge in terms of personal data protection legislation; however, this is likely to be a different role to the one defined in the GDPR.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

There is no general accountability obligation, save in respect of data security where data controllers must conduct, or arrange, data security audits.

Are privacy impact assessments mandatory?

The PDPL does not directly impose an obligation to carry out privacy impact assessments.

However, the Authority’s guidance on data security lists a wide range of administrative and technical measures and, while privacy impact assessments are not mandatory, it recommends them as an administrative measure for ensuring data security.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Before processing personal data, the data controller must inform data subjects of: (i) the identity of the controller; (ii) the purposes of the data processing; (iii) the recipients to whom the data may be transferred, and the purpose of the transfer; (iv) the method and legal basis of collection of the personal data; and (v) the data subject’s rights.

Rights to access information

Data subjects can ask a data controller if their personal data is being processed and for details of the third parties to whom their personal data has been transferred.

Data subjects can exercise their rights by contacting the data controller by post or using e-mail with an electronic signature.

Rights to data portability

The PDPL does not include a right to data portability.

However, the Authority has considered this right following a complaint. In Decision No. 2018/131 of the Authority, a legal entity applied to a data controller and requested the transfer of a data subject's personal data. After the data controller rejected this request, the legal entity complained to the Authority. The Authority considered this portability request to fall within the scope of the right to access personal data, but rejected the complaint since it had been made by a legal entity rather than the data subject.

Right to be forgotten

Data subjects are entitled to request erasure or destruction of their personal data where the reasons for processing no longer exist or explicit consent is withdrawn.

In a number of cases, the Turkish Constitutional Court has also acknowledged that individuals have a right to be forgotten within the scope of their constitutional right to secrecy of their private lives.

Objection to direct marketing

Whilst the PDPL does not directly refer to direct marketing and profiling, data subjects can always revoke their explicit consent.

This acts as an objection to marketing and profiling unless the controller can show that one of the other legal bases for processing applies (see above).

Other rights

The data subject can request the rectification of incomplete or inaccurate personal data. Data subjects can also object to decisions made about them arising from processing through exclusively automated systems.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

Data controllers must take all necessary technical and organisational measures to provide adequate levels of security for the purposes of preventing the unlawful processing of, and unlawful access to, personal data, and ensuring personal data is kept securely.

Specific rules governing processing by third party agents (processors)

There is no specific rule regarding data controllers engaging data processors, beyond the fact that controllers and processors are jointly liable for the security of personal data.

The PDPL does not directly require controllers to enter into a contract with their processors. However, the Authority’s guidance on data security recommends entering into a contract with the persons to whom the personal data is transferred as part of the administrative measures for data security.

Notice of breach laws

The data controller must notify the Authority within 72 hours of becoming aware of a data breach and provide information to affected data subjects within a reasonable period of time. The Authority may announce such breaches on its website.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

A data controller may transfer personal data to a third country if: (i) the data subject has given explicit consent; (ii) the third country provides adequate protection for personal data; or (iii) both the importing and exporting data controllers give a written undertaking to adequately protect the data and obtain the approval of the executive branch of the Authority. The Authority is responsible for identifying which countries provide adequate protection; however, it has not yet published the list of safe countries.

Notification and approval of national regulator (including notification of use of Model Contracts)

Notification to and approval of the Authority is only required as set out above, i.e. where the data controller wants to transfer personal data to a third country which does not provide an adequate level of protection and the data subject has not given explicit consent. As of February 2024, the Authority had announced the approval of eight written undertaking applications.

Use of binding corporate rules

Whilst the PDPL does not contain a provision on binding corporate rules, multinational companies with affiliates in countries which do not provide adequate protection must use binding corporate rules in any application for authorisation from the Authority. In other words, where such affiliates want to rely on written undertakings approved by the Authority to transfer personal data to an affiliate, those undertakings must take the form of binding corporate rules.

_____________________________________________________________________

Enforcement

Fines

Administrative fine amounts are re-determined each year according to the revaluation rate of the previous year. For 2024, a breach of the PDPL or of a decision issued by the Authority can result in an administrative fine of between TRY 47,303 and TRY 9,463,213 (approx. EUR 1,435 to EUR 287,112), depending on the nature, extent and consequences of the breach.

Imprisonment

The Turkish Penal Code No. 5237, published in Official Gazette No. 25611 on October 12, 2004, introduces a range of crimes. These are: (i) violation of the secrecy of communications, punishable with one to five years' imprisonment; (ii) wiretapping, punishable with two to five years' imprisonment; (iii) violation of the secrecy of private life, punishable with one to three years' imprisonment (doubled where the violation is by means of visual or audio recording); (iv) illegal recording of personal data, punishable with one to three years' imprisonment (increased by 50 per cent where the data is of certain sensitive categories); (v) unlawful collection or transfer of personal data, punishable with two to four years' imprisonment; and (vi) breach of the requirement to destroy personal data, punishable with one to two years' imprisonment.

Compensation

Data subjects are entitled to be compensated for their losses arising from a breach of the PDPL or other laws governing the protection of personal data. Compensation will be payable by the controller and/or the processor in accordance with the general principles of civil law.

Other powers

The Authority has a range of other powers to: (i) issue regulations and communiqués for implementation of the PDPL; (ii) examine complaints and implement sanctions; and (iii) investigate whether the personal data is processed in compliance with the law ex officio or upon a complaint and take temporary measures where necessary.

Practice

According to the statement of the President of the Authority on 28 January 2024, to date: (i) 38,789 reports, complaints and applications have been submitted to the Authority, of which 37,010 have been concluded; (ii) of 1,317 data breach notifications, 290 have been published on the Authority's website; (iii) as a result of the examinations conducted, administrative fines totalling TRY 463,801,000 (approx. EUR 14,054,575) have been imposed; (iv) the Authority has provided 1,080 legal opinions on matters within its jurisdiction; and (v) eight written undertaking applications meeting the necessary requirements for the transfer of personal data abroad have been approved by the Authority.

In September 2023, WhatsApp was fined TRY 1.9 million (approx. EUR 111,325) following an ex officio investigation initiated after WhatsApp updated its Terms of Service and Privacy Policy to obtain users' explicit consent to the processing of their personal data and its transfer abroad.

In March 2023, TikTok was fined TRY 1,750,000 (approx. EUR 53,030) following numerous complaints and news reports. The allegations included: (i) unlawfulness in obtaining and retaining personal data; (ii) failure to obtain explicit consent in line with the PDPL; and (iii) multiple security vulnerabilities in TikTok's software. In response, the Authority initiated an ex officio investigation and concluded that TikTok had not implemented all necessary technical and organisational measures to ensure data security, including non-compliance with the cookie rules.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The Regulation on Commercial Communication and Commercial Electronic Messages published in Official Gazette No. 29417 on July 15, 2015 (“Commercial Message Regulation”) regulates the sending of electronic direct marketing. 

_____________________________________________________________________

Cookies

Conditions for use of cookies

The PDPL does not specifically refer to cookies. However, it is widely accepted that cookies contain personal data where they are able to identify an individual, and are thus subject to the PDPL.

The Authority also issued a decision on the use of cookies on websites and mobile apps in May 2022. In the decision the Authority clarified that cookies essential for the direct operation of a website and/or mobile app are classified as strictly necessary, whereas cookies not necessary for operating a website/mobile app are classified as not strictly necessary.

The Authority stated that the approach to cookie practices should be as follows: (i) if a data controller uses a strictly necessary cookie, it does not need to obtain explicit consent to process personal data via that cookie; (ii) if a data controller uses cookies other than strictly necessary cookies, it must obtain the explicit consent of the relevant data subjects (i.e. it must use an opt-in mechanism rather than an opt-out mechanism); and (iii) data controllers must inform users of their use of cookies, regardless of the types of cookies used.
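The two rules that matter for an implementer are the ones above (strictly necessary cookies without consent, everything else opt-in, silence and pre-ticked boxes are not consent) and the evidence point under Personal Data (the controller bears the burden of proving consent, so it should be logged). The following is an added illustration of how those rules translate into code; it is not code from the Authority's decision or from any vendor. The category names, cookie names, notice version and the injected `setCookie`/`deleteCookie` callbacks are assumptions chosen so the logic runs the same way in a browser (backed by `document.cookie`) and in a test.

```javascript
// Added example: an opt-in consent gate for cookies with an append-only evidence log.
// Illustrative only; category names, cookie names and notice version are assumptions.

const STRICTLY_NECESSARY = "strictly_necessary";

// Holds the current decision per cookie category and a log of every decision,
// so the controller can later show when, how and to which notice the user consented.
function createConsentStore(clock = () => new Date().toISOString()) {
  const log = [];           // evidence log (in memory here; persist it server-side in practice)
  const state = new Map();  // current decision per category

  function record(category, granted, method, noticeVersion) {
    const entry = { category, granted, method, noticeVersion, at: clock() };
    log.push(entry);
    state.set(category, granted);
    return entry;
  }

  return {
    // Only an affirmative act by the user counts as explicit consent.
    // A pre-ticked box, an untouched control or a missing event is recorded
    // as a refusal, so silence can never flip a category to "granted".
    grant(category, evt, noticeVersion) {
      const affirmative = Boolean(evt && evt.userAction === true && evt.preTicked !== true);
      const method = affirmative ? (evt.method || "click") : "no_affirmative_act";
      return record(category, affirmative, method, noticeVersion);
    },
    // Withdrawal is itself logged; it must be as easy as granting.
    withdraw(category, noticeVersion) {
      return record(category, false, "withdraw", noticeVersion);
    },
    // Strictly necessary cookies never need consent; everything else defaults to "no".
    isGranted(category) {
      return category === STRICTLY_NECESSARY || state.get(category) === true;
    },
    evidence() {
      return log.slice();
    },
  };
}

// Sets only the cookies whose category is currently granted and removes the rest,
// so a withdrawal also clears cookies that were set earlier.
function applyCookies(store, plan, setCookie, deleteCookie) {
  const set = [];
  const blocked = [];
  for (const c of plan) {
    if (store.isGranted(c.category)) {
      setCookie(c.name, c.value);
      set.push(c.name);
    } else {
      deleteCookie(c.name);
      blocked.push(c.name);
    }
  }
  return { set, blocked };
}

// Constructed cookie plan for the demo: one session cookie, two non-essential ones.
const DEMO_PLAN = [
  { name: "session_id", value: "abc123", category: STRICTLY_NECESSARY },
  { name: "_analytics", value: "ga1", category: "analytics" },
  { name: "_ad", value: "ad1", category: "advertising" },
];

// Walks through the sequence a banner would see: page load before any choice,
// a pre-ticked analytics box (invalid), an actively ticked advertising box (valid),
// then withdrawal of the advertising consent.
function demo() {
  const jar = {};  // stand-in for document.cookie
  const setCookie = (name, value) => { jar[name] = value; };
  const deleteCookie = (name) => { delete jar[name]; };
  const store = createConsentStore();

  const first = applyCookies(store, DEMO_PLAN, setCookie, deleteCookie);
  store.grant("analytics", { userAction: true, preTicked: true }, "notice-v1");
  store.grant("advertising", { userAction: true, preTicked: false, method: "checkbox" }, "notice-v1");
  const second = applyCookies(store, DEMO_PLAN, setCookie, deleteCookie);
  store.withdraw("advertising", "notice-v1");
  const third = applyCookies(store, DEMO_PLAN, setCookie, deleteCookie);

  return { first, second, third, evidence: store.evidence(), jar };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the three `applyCookies` results and the evidence log. Note that the store only ever records what it was told: whether the `userAction` flag reflects a real click or tap is the banner's responsibility, and the log is only useful as evidence if it is stored where the user cannot alter it, which is why the comment suggests persisting it server-side.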

Regulatory guidance on the use of cookies

In June 2022, the Authority published guidelines on the use of cookies to collect personal data and on the use of personal data in online environments. In the guidelines, the Authority sets out: (i) the definition and types of cookies; (ii) the rules for processing personal data through cookies; (iii) when explicit consent is necessary for the use of cookies; (iv) examples of cookie implementations (both correct and incorrect usage); (v) the types of cookies for which explicit consent is not needed, i.e. strictly necessary cookies and cookies used for the transmission of a communication; and (vi) cross-border data flows via cookies.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Commercial Message Regulation requires the approval of the receiver of any commercial electronic message.

In order to monitor and manage individuals' approvals for receiving commercial electronic messages, an Electronic Message Management System (“EMMS”) has been established by the Ministry of Trade. EMMS is an electronic database in which individuals' approvals for receiving electronic messages can be listed and managed. Real persons or legal entities involved in e-commerce activities (“Service Providers”) which send commercial electronic messages to individuals are required to register with the EMMS and upload the approvals of the recipients.

In addition, sending an e-mail to an individual for marketing purposes is a form of personal data processing and is thus subject to the PDPL, meaning that the explicit consent of the data subject (or another legal basis) is required.

Conditions for direct marketing by e-mail to corporate subscribers

The Commercial Message Regulation permits marketing e-mails to corporate subscribers unless they have objected to those messages.

Exemptions and other issues

The Commercial Message Regulation allows electronic messages to be sent without the approval of the recipient where the message: (i) relates to the change, use or maintenance of goods or services, and the recipient has given its details for that purpose; (ii) relates to a continuing subscription, debt collection, updates or the notification of a purchase or delivery; (iii) is sent due to a legal requirement; or (iv) is an information update sent by a capital markets brokerage company to its customers.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The same rules apply as for Marketing by E-mail.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The same rules apply as for Marketing by E-mail.

Exemptions and other issues

The same rules apply as for Marketing by E-mail.

_____________________________________________________________________