The six month transition period for certain provisions under
Turkey's new data protection regime ended on 7 October 2016. As
a result, penalties and certain obligations for transferring data to
third parties and abroad now apply for personal data collected and
processed in Turkey.
The Data Protection Law numbered 6698 ("Law") was
published in Official Gazette number 29677 on 7 April 2016, with
certain provisions becoming effective six months after that date.
Further information about the Law and its implementation can be
Delays in Establishing Government Bodies and
The Law introduced a legislative structure and definition for a
national data protection regulator: the Data Protection Authority
and Data Protection Board. The Data Protection Authority will
include the Data Protection Board and the Board's President.
Once the Board is established, it will then create and maintain the
Data Controller Registry.
When the Law was published, it envisioned October 2016 as the
deadline for establishing the Data Protection Board and Data
Controller Registry. From October 2016, companies are also
technically required to register Data Controllers with the Data
However, the necessary secondary legislation has not yet been
enacted. Similarly, neither the Data Protection Board nor the Data
Controller Registry has been established yet.
To date, only five members of the Data Protection Board have been
appointed (via decision number 1129 from the Turkish Parliament on
5 October 2016). The remaining four members are expected to be
appointed in the near future.
The Law's New Obligations Apply Regardless
Despite delays in establishing the government bodies and
mechanisms, the Law's obligations apply regardless. Similarly,
criminal offenses and punitive measures now apply for failure to
comply with the Law's obligations.
Therefore, from 7 October 2016, the following obligations apply
to persons and companies which deal with personal data:
Register with the Data Controller Registry (if and when the
Registry is established).
Comply with the requirements under Article 8 of the Law
regarding data transfers to third parties.
Comply with the requirements under Article 9 of the Law
regarding data transfers abroad.
Please see this link for the full text of the Law
(only available in Turkish).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.