For many years, Turkey had lacked a separate legislative measure
regarding the issue of data protection. Over the last decade, the
draft laws that had been sent to the Turkish Parliament were either
returned to the proposing committee or not even discussed. Adoption
of a data protection law was a real need both for Turkish society
and for Turkey's harmonization with EU regulations. Finally, the
long-awaited Data Protection Law (the "Law") entered into
force on April 7, 2016.
The Law contains detailed provisions relating to the protection
of personal data, an area that was previously only covered by an
insufficient and piecemeal application of different legislative
measures and the Turkish Constitution.
The Law introduces an official definition for the term
"personal data," defining it as "any type of
information that relates to an identified or identifiable natural
This means that the Law covers data of real people and its scope
is very wide indeed. The main principle is that personal data can
only be processed once the data subject has provided explicit
consent. However, personal data can be processed without obtaining
explicit consent in cases of certain exceptions stated under the
The Law also separately distinguishes a category of
"personal data of a special nature" which is subject to a
more extensive level of protection. The types of personal data that
fall under this category are related to race, ethnicity, political
views, philosophical belief, religious denomination or other
beliefs, clothing and attire, membership in associations, charities
or trade unions, health, sex life, convictions, security measures
and biometric data. The lawmaker has set a default prohibition on
processing personal data of a special nature, unless the
explicit consent of the data subject is present.
It must be noted that health and sex life data cannot be
processed in any case without explicit consent, and even in the
presence of explicit consent, such data can only be processed by
persons or authorized institutions bound by the duty of
confidentiality for the purpose of the protection of public health,
the provision of medical, diagnostic and treatment services and the
planning, management and financing of healthcare services.
The Law further provides for data security obligations for data
controllers and stipulates that data controllers are under the
obligation to implement all kinds of technical and administrative
measures to maintain a security level that would avoid unlawful
processing of and access to personal data, whilst also safeguarding
personal data. The data controller and data processor are jointly
liable for maintaining the security measures under the Law.
It should also be noted that the data controller has a duty to
inform the Data Protection Board and the relevant party if and when
personal data has been unlawfully accessed. Thereafter, the board
has the discretion to announce the breach on its website or via
another communications channel.
In addition to criminal sanctions stipulated under the Turkish
Criminal Code and repeated under the Law, the Law introduces
monetary sanctions. Data controllers will face administrative
monetary sanctions ranging from TRY 5,000 (approx. EUR
1,500) to TRY 1,000,000 (approx. EUR 300,000) if they are in
breach of their obligations to inform the data subject, to ensure
data security, enforce the decisions of the board and to the
Under the Law, there is a transition period of two years for
data controllers to bring personal data that was processed
prior to the enactment of the Law into compliance with the Law. If
such compliance is not ensured, non-compliant personal data will
be deleted, destroyed or anonymized.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.