Turkey finally ratified the Council of Europe's 1981
Strasbourg Convention for the Protection of Individuals with regard
to Automatic Processing of Data on February 18th, 2016. The
ratification of this Convention is one of the major steps for the
approval of the draft data protection law ("Draft
Law") by the Turkish Parliament which had been
awaited for at least 35 years.
Processing Personal Data
The Draft Law is similar to the European Union data protection
laws and regulations as the basis of this Draft Law is EU Data
Protection Directive (95/46/EC) which includes the processing of
personal data. The Draft Law defines "processing" as any
operation or a set of operations that are performed upon personal
data, such as collection, recording, storage, adaptation or
alteration, disclosure by transmission, classification,
dissemination or otherwise making available, whether or not by
automatic means. According to the Draft Law, personal data must be
processed in a way compatible with the law and rules of veracity
(fairly and lawfully). They must be collected for specified, clear
and legitimate purposes and they must not be reprocessed contrary
to those purposes. As per Article 5/1 of the Draft Law, personal
data may only be processed with the consent of the data subject,
however with some exceptions listed in Article 5/2 of the Draft
Law. The exceptions of this rule have been indicated in Article 5/2
as follows: clear specification by laws, vital interests of a
person who is incapable of explaining his/her consent, conclusion
and performance of the contract, making public by the data subject
and fulfillment of legal responsibilities of data controller or it
is mandatory to process the data for the exercise, establishment
and protection of a right. The Draft Law also separates the
processing of personal data which have special categories (i.e.
gender, political view, ethnic origin etc.). According to Article
6/2 (a), special categories of data may be processed if the data
subject has given his explicit consent. Similar exemptions also
apply to the processing of data with special attributes.
Transfer of Personal Data
In respect of accession to the European Union, data protection
is one of the major topics of Turkey as most of the international
corporations and institutions that have offices in Turkey face
problems with processing the personal data of their employees and
transferring the data abroad. Article 8 of the Draft Law clarifies
the transfer of personal data from Turkey to abroad. As a rule,
personal data can be transferred to another country on the
condition that there is an adequate level of protection in the
foreign country from which the data is requested and the conditions
specified in the Draft Law are met. Please kindly be informed that
the provisions regarding the transfer of personal data shall enter
into force in 6 months as of the publication of the Draft Law in
the Official Gazette.
Data Protection Agency
A Data Protection Board is going to be established as a public
organization with administrative and its own financial autonomy to
perform the duties determined under the Draft Law. The Data
Protection Board is affiliated with the Ministry of Justice however
it is stated in the Draft Law that the Data Protection Board is an
independent institution. The Data Protection Board is obliged to
audit and investigate the complaints and notifications in respect
of compliance to the rules of the Draft Law, take interim
injunctions for prospective damages, prepare regulatory
transactions, cooperate with national and international
Although it is expected that Turkey will have a Data Protection
Law within the coming months as it was put before the Grand
Assembly of Turkish Parliament in January 2016, it is seen that the
Draft Law still has insufficient rules vis a vis EU laws and
regulations. However, since the Convention of the Council of Europe
for the Protection of Individuals with regard to Automatic
Processing of Data has been ratified; in case of a conflict, the
Convention of the Council of Europe for the Protection of
Individuals with regard to Automatic Processing of Data will
prevail over national laws addressing the protection of personal
Please contact us if you have any questions about the Draft
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In this article Filippo Noseda examines the impact of the Common Reporting Standards (CRS), based on practical examples of data transfer and data breaches and analysed in the light of general tax law principles.
Four years after the overhaul of European data protection laws began, the final text of the new General Data Protection Regulation (GDPR) was approved in Spring 2016 and the new rules will come into effect on 25 May 2018.
This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.
The market of the so-called "connected vehicles" has been considerably growing since 2015. According to a recent study by AlixPartners, 78 million of connected vehicles will be commercialized in 2018, generating a EUR40 billion turnover.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).