1 RELEVANT LEGISLATION AND COMPETENT AUTHORITIES

1.1 What is the principal data protection legislation?

The principal data protection legislation is the Law on the Protection of Personal Data no. 6698 (the "Data Protection Law"), which was inspired by the European Union Data Protection Directive 95/46/EC (the "EU Directive").

The Data Protection Law entered into force on 7 April 2016; however, its provisions relating to the transfer of data, rights of the data subject, data controllers registry, administrative fines, and criminal sanctions will enter into force six months following its effective date.

1.2 Is there any other general legislation that impacts data protection?

The general provisions that are applicable in terms of data protection are primarily the following:

  • The Constitution of the Republic of Turkey: Right to privacy and data protection as per Article 20 and freedom of communication as per Article 22.
  • Turkish Civil Code: Protection of personality against violations as per Article 24.
  • Turkish Criminal Code: Unlawful recording, acquisition or dissemination of personal data as per Articles 135–138; unlawful surveillance of the transmission of data between information systems as per Article 243; and unlawful deletion or altering of data as per Article 244.

1.3 Is there any sector specific legislation that impacts data protection?

The sector-specific laws and regulations that are relevant in terms of data protection are primarily the following:

  • the Law on the Regulation of Broadcasts via Internet and Combating Crimes Committed by Means of Such Publications;
  • the Electronic Communication Law and its secondary legislation;
  • the Law on the Regulation of Electronic Commerce ("E-Commerce Law") and its secondary legislation;
  • the Bank Cards and Credit Cards Law and its secondary legislation;
  • the Regulation on Patient Rights; and
  • the Regulation on Distance Contracts.

1.4 What is the relevant data protection regulatory authority(ies)?

The Data Protection Law stipulates the establishment of a Data Protection Authority whose decision-making body shall be the Data Protection Board (the "Data Protection Board") which shall be constituted within the six months following the Data Protection Law's effective date.

2 DEFINITIONS

2.1 Please provide the key definitions used in the relevant legislation:

"Personal Data"

Personal data is defined as "any information relating to an identified or identifiable natural person".

"Sensitive Personal Data"

The Data Protection Law refers to this type of information as "special categories of personal data" which is defined as "data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics".

"Processing"

Processing is defined as "any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorisation or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system".

"Data Controller"

Data controller is defined as "any natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the filing system".

"Data Processor"

Data processor is defined as "any natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller".

"Data Subject"

Data subject is defined as "any natural person whose personal data are processed".

Other key definitions – please specify (e.g., "Pseudonymous Data", "Direct Personal Data", "Indirect Personal Data")

  • Anonymisation is defined as "rendering personal data by no means identified or identifiable with a natural person, even by linking with other data".
  • Explicit consent is defined as "freely given specific and informed consent".
  • Filing system is "any recording system through which personal data are processed by structuring the same according to specific criteria".

3 KEY PRINCIPLES

3.1 What are the key principles that apply to the processing of personal data?

Transparency

The Data Protection Law provides for certain obligations to ensure transparency when data are processed. Accordingly, while collecting personal data, the data controller is obligated to inform the data subject of the following information:

  • the identity of the data controller, or, if available, its representative;
  • the purposes for which personal data will be processed;
  • the persons to whom personal data might be transferred and the purposes for such transfer;
  • the method and legal cause of collection of personal data; and
  • the rights of the data subject.

The data controllers are also required to register with a publicly available Data Controllers Registry before they start processing personal data.

Lawful basis for processing

The Data Protection Law adopts a rule and exception model, where it provides a general rule for processing, and then sets forth exceptions thereto. Accordingly, the primary principle is that personal data shall only be processed with the explicit consent of the data subject. Nevertheless, personal data may also be processed without obtaining the explicit consent of the data subject if one of the following conditions exists:

  • processing is expressly permitted by any law;
  • processing is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
  • it is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;
  • processing is necessary for compliance with a legal obligation which the controller is subject to;
  • the relevant information is revealed to the public by the data subject herself/himself;
  • processing is necessary for the institution, usage, or protection of a right; and
  • processing is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

In terms of sensitive personal data, although the explicit consent rule is applicable to the processing of sensitive personal data, exceptions are rather limited in this case:

  • Sensitive data, except for data concerning health and sexual life, can be processed if it is permitted by any law;
  • Data concerning health or sexual life can only be processed for the purposes of protection of public health, and planning or sustaining health-care services by an authorised body or persons who are under the obligation of confidentiality.

Additionally, data controllers are required to take adequate measures designated by the Data Protection Board when processing sensitive personal data.

Finally, the Data Protection Law stipulates general principles ("General Principles") to be complied with when data are processed. These principles require that personal data should be:

  • in conformity with the law and good faith;
  • accurate and, if necessary, up to date;
  • processed for specified, explicit, and legitimate purposes;
  • relevant, limited and proportionate to the purposes for which data are processed; and
  • stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.

Purpose limitation

The General Principles indicated above cover purpose limitation as well.

Data minimisation

The General Principles indicated above cover data minimisation as well.

Proportionality

The General Principles indicated above cover proportionality as well.

Retention

As the General Principles require, personal data must be stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected. Further, the Data Protection Law requires that personal data shall be deleted ex officio or upon the data subject's request in case the reasons necessitating their processing cease to exist.

Other key principles – please specify

Data Accuracy: As per the General Principles, personal data must be accurate and, if necessary, up to date.

4 INDIVIDUAL RIGHTS

4.1 What are the key rights that individuals have in relation to the processing of their personal data?

Access to data

Data subjects have the right to (i) learn whether or not their personal data have been processed, (ii) request further information as to the processing, (iii) learn the purpose of processing and whether data are processed in accordance with these purposes, and (iv) learn the third parties in Turkey or abroad to whom personal data have been transferred.

Correction and deletion

The Data Protection Law entitles the data subjects to (i) request rectification of their personal data in case such data are incomplete or inaccurate, and (ii) request deletion of their personal data in case the reasons necessitating the processing cease to exist.

Objection to processing

A right to object in the meaning of the EU Directive is not explicitly included in the Data Protection Law.

Objection to marketing

A specific right to object to marketing is not regulated in the data protection legislation of Turkey. However, general provisions of the Data Protection Law as well as the E-Commerce Law (please refer to our answer to question 8.1) provide for a similar, if not the same, right.

Complaint to relevant data protection authority(ies)

The data subject is first required to apply to the data controller and indicate her/his request. Afterwards, the data controller must reply to the request free of charge and as soon as possible considering the nature of the request and within 30 days at the latest.

In the event that the data subject's application is rejected, answered insufficiently, or not answered in due time, he/she is entitled to file a complaint with the Data Protection Board and request enforcement of her/his rights.

Other key rights – please specify

Notification to Third Parties: Data subjects have the right to request notification of the operations made within the scope of their correction or deletion request to the persons to whom data subjects' personal data have been transferred.

Automated Decision-making: Data subjects have the right to object to the occurrence of any result that is to their detriment by means of analysis of personal data exclusively through automated systems.

Right to Compensation: Data subjects have the right to request compensation for the damages they incurred due to unlawful processing of their personal data.

5 REGISTRATION FORMALITIES AND PRIOR APPROVAL

5.1 In what circumstances is registration or notification required to the relevant data protection regulatory authority(ies)? (E.g., general notification requirement, notification required for specific processing activities.)

The Data Protection Law sets forth a general obligation for data controllers to register with the publicly available Data Controllers Registry ("Registry") prior to commencing processing. However, on the condition of being in accordance with and proportionate to the purpose and general principles of the Data Protection Law, this obligation does not apply in certain cases listed in Article 28 (2). Moreover, the Data Protection Board is also authorised to set forth exemptions to this obligation as per the objective criteria it may so determine.

5.2 On what basis are registrations/notifications made? (E.g., per legal entity, per processing purpose, per data category, per system or database.)

The Data Protection Law does not indicate the basis on which registration to the Registry shall be made and refers to the secondary legislation to be issued later by the Data Protection Authority.

5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation.)

Save for the exceptions provided by the Data Protection Law, all natural or legal persons who process personal data wholly or partly by automatic means or otherwise than by automatic means which form part of a filing system are obligated to register with the Registry.

5.4 What information must be included in the registration/notification? (E.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes.)

The application to the Registry shall be made with a notification including the following:

  • identity and address information of the data controller and the representative thereof, if any;
  • purposes for which personal data will be processed;
  • a description of the categories of data subjects and the data categories;
  • recipients or categories of recipients to whom personal data may be transferred;
  • personal data which is to be transferred abroad;
  • measures taken for the security of personal data; and
  • a maximum period of time necessitated by the purposes for which personal data are processed.

5.5 What are the sanctions for failure to register/notify where required?

Failure to comply with the registration obligations is subject to an administrative fine ranging from approximately €6,000 to €310,000.

5.6 What is the fee per registration (if applicable)?

The Data Protection Law does not indicate the registration fees related to the Registry.

5.7 How frequently must registrations/notifications be renewed (if applicable)?

The Data Protection Law does not indicate if and when registrations must be renewed; however, the Data Protection Board must be notified of any changes affecting the information provided in the registration notification.

5.8 For what types of processing activities is prior approval required from the data protection regulator?

The Data Protection Law does not explicitly refer to a prior approval requirement for any processing activity. However, as explained above in detail, data controllers' obligation to register with the Registry before they start processing covers all types of processing activities.

Further, although not clear, prior approval may be required for the transfer of personal data abroad. In this regard, please see our answer to question 8.1.

5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe.

Please refer to our answer above in question 5.8.

6 APPOINTMENT OF A DATA PROTECTION OFFICER

6.1 Is the appointment of a Data Protection Officer mandatory or optional?

The appointment of a Data Protection Officer may be deemed optional as there are no provisions relating to this in the Turkish legislation.

6.2 What are the sanctions for failing to appoint a mandatory Data Protection Officer where required?

This is not applicable.

6.3 What are the advantages of voluntarily appointing a Data Protection Officer (if applicable)?

This is not applicable.

6.4 Please describe any specific qualifications for the Data Protection Officer required by law.

This is not applicable.

6.5 What are the responsibilities of the Data Protection Officer, as required by law or typical in practice?

This is not applicable.

6.6 Must the appointment of a Data Protection Officer be registered/notified to the relevant data protection authority(ies)?

This is not applicable.

7 MARKETING AND COOKIES

7.1 Please describe any legislative restrictions on the sending of marketing communications by post, telephone, e-mail, or SMS text message. (E.g., requirement to obtain prior opt-in consent or to provide a simple and free means of opt-out.)

Marketing communications are not regulated by the data protection legislation in Turkey but are instead subject to the E-Commerce Law and its secondary legislation. Accordingly, commercial electronic messages including telephone calls, SMS and fax messages, and emails shall be sent to persons other than merchants and artisans upon prior opt-in consent. Further, an easy and free means of opting-out of receiving marketing communications shall be provided in the commercial electronic message and the recipient shall be able to use such right at any time without indicating any reason.

Marketing communications sent through physical means are not within the scope of either the E-Commerce Law or the Data Protection Law. In this regard, general provisions of Turkish law and, particularly, rules pertaining to the protection of the consumer, shall apply.

7.2 Is the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions?

The governmental agency responsible for the enforcement of the E-Commerce Law is the Ministry of Customs and Trade ("Ministry"). According to data obtained from the Ministry by a news reporter, the sum of the administrative fines issued since the entry into force of the E-Commerce Law on 1 May 2015 amounts to approximately €400,000.

7.3 Are companies required to screen against any "do not contact" list or registry?

Turkey does not have a "do not contact" registry, and the Data Protection Law does not require companies to screen against any such list or registry.

7.4 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?

Sending unsolicited marketing communications is subject to an administrative fine ranging from approximately €310 to €1,500, which can be multiplied by up to 10 at the discretion of the Ministry if the commercial electronic message is sent to multiple recipients at once.

Further, failure to provide an easy and free means of opting-out and/or to cease sending commercial electronic messages within three business days as of the date the company has received the opt-out demand is subject to an administrative fine ranging from approximately €600 to €4,600.

7.5 What types of cookies require explicit opt-in consent, as mandated by law or binding guidance issued by the relevant data protection authority(ies)?

Cookies are not explicitly regulated in the Data Protection Law; however, depending on the characteristics of the respective cookie, explicit opt-in consent may be required as per the general rules governing the processing of personal data. As the Data Protection Board is not established yet, there is no guidance on this matter.

7.6 For what types of cookies is implied consent acceptable, under relevant national legislation or binding guidance issued by the relevant data protection authority(ies)?

Please refer to our answer above in question 7.5.

7.7 To date, has the relevant data protection authority(ies) taken any enforcement action in relation to cookies?

As the Data Protection Board is not established yet, there have been no enforcement actions in relation to cookies.

7.8 What are the maximum penalties for breaches of applicable cookie restrictions?

Please refer to our answer above in question 7.5.

8 RESTRICTIONS ON INTERNATIONAL DATA TRANSFERS

8.1 Please describe any restrictions on the transfer of personal data abroad.

The primary rule is that the explicit consent of the data subject must be obtained for the transfer of personal data abroad. In this case, an adequate level of protection in the destination country will not be required.

Personal data can also be transferred abroad without obtaining the explicit consent of the data subject if one of the exceptional cases set forth for processing is present (please refer to "lawful basis for processing" under question 3.1). However, in this case, it is additionally required that:

  • the destination country must have an adequate level of protection (such countries will be declared by the Data Protection Board); or
  • both sides of the transfer must commit, in writing, to provide an adequate level of protection and the approval of the Data Protection Board must be obtained.

Furthermore, the Data Protection Law sets forth that, save for the provisions of international agreements, "in cases where the interests of Turkey or the data subject will be seriously harmed", personal data may only be transferred abroad upon approval of the Data Protection Board. The preamble of this provision does not offer much explanation, and at this point, it is uncertain as to how it will be enforced.

8.2 Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions.

As the provision regulating transfers abroad is not in effect yet, explicit consent of the data subject is usually obtained as per the general provisions of Turkish law (e.g. the Constitution).

8.3 Do transfers of personal data abroad require registration/notification or prior approval from the relevant data protection authority(ies)? Describe which mechanisms require approval or notification, what those steps involve, and how long they take.

For prior approval requirements, please refer to our answer above in question 8.1. It is also worth noting here that data controllers who transfer personal data abroad must be registered with the Registry; however, this does not require a separate registration from the one explained in detail in question 5.1.

9 WHISTLE-BLOWER HOTLINES

9.1 What is the permitted scope of corporate whistle-blower hotlines under applicable law or binding guidance issued by the relevant data protection authority(ies)? (E.g., restrictions on the scope of issues that may be reported, the persons who may submit a report, the persons whom a report may concern.)

The Data Protection Law, as well as other Turkish laws, does not explicitly deal with whistle-blower hotlines and there is no guidance on this matter as the Data Protection Board has not been established yet. Nevertheless, it is plausible that employers who establish such hotlines will be deemed data controllers and therefore will be subject to the obligations thereof. As the provisions of the Data Protection Law are similar to those of the EU Directive, Opinion 1/2006 of the Article 29 Working Party may be considered relevant in this regard as well.

9.2 Is anonymous reporting strictly prohibited, or strongly discouraged, under applicable law or binding guidance issued by the relevant data protection authority(ies)? If so, how do companies typically address this issue?

Please refer to the answer above in question 9.1.

9.3 Do corporate whistle-blower hotlines require separate registration/notification or prior approval from the relevant data protection authority(ies)? Please explain the process, how long it typically takes, and any available exemptions.

Please refer to the answer above in question 9.1.

9.4 Do corporate whistle-blower hotlines require a separate privacy notice?

Please refer to the answer above in question 9.1.

9.5 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

This is not applicable.

10 CCTV AND EMPLOYEE MONITORING

10.1 Does the use of CCTV require separate registration/notification or prior approval from the relevant data protection authority(ies)?

Turkish laws do not specifically address the use of CCTV; however, CCTV operators may be deemed data controllers as per the Data Protection Law and be subject to the abovementioned registration obligations.

10.2 What types of employee monitoring are permitted (if any), and in what circumstances?

Although employee monitoring is not specifically regulated in Turkish legislation, according to the jurisprudence of the high courts and the doctrine, employers may monitor their employees' use of company emails and internet during working hours, provided that such monitoring is based on legitimate reasons and proportionate thereto.

Continuous CCTV monitoring specific to an employee can be deemed to be in violation of the essence of the right to privacy and therefore not permitted. However, CCTV monitoring is permitted if there are legitimate reasons (e.g. security of the workplace), provided that the monitoring is proportionate to such reasons.

10.3 Is consent or notice required? Describe how employers typically obtain consent or provide notice.

Although there is no strict requirement in this regard, employees should be informed of any monitoring. This is typically done via a provision of the original employment agreement or a specific monitoring policy or similar.

In addition to the above, consent or notice would not be required if the monitoring is conducted for the purposes of security and protection of the workplace or a similar legitimate purpose.

10.4 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

This is not applicable.

10.5 Does employee monitoring require separate registration/notification or prior approval from the relevant data protection authority(ies)?

Employers who monitor their employees may be deemed data controllers as per the Data Protection Law and therefore may be subject to the registration obligations thereof. However, whether this will require separate registration will be clear when secondary legislation of the Data Protection Law enters into force.

11 PROCESSING DATA IN THE CLOUD

11.1 Is it permitted to process personal data in the cloud? If so, what specific due diligence must be performed, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Processing data in the cloud is not forbidden, nor is it specifically regulated. In this regard, the Data Protection Law, particularly its provisions relating to the rights of the data subject, transfers abroad, and data security, shall apply in general.

11.2 What specific contractual obligations must be imposed on a processor providing cloud-based services, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

This is not applicable.

12 BIG DATA AND ANALYTICS

12.1 Is the utilisation of big data and analytics permitted? If so, what due diligence is required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Controllers may utilise big data and analytics, provided that the processing involved in the analysis of personal data is covered by a legal basis and the remaining provisions of the Data Protection Law are complied with.

Further, the Data Protection Law contains certain exceptions in this regard where its provisions shall not be applied. Accordingly, the processing of personal data for the purposes of research, planning, statistics and similar is outside the scope of the Data Protection Law, provided that the relevant data are anonymised. It is worth noting here that these exceptions do not provide a ground for lawfulness for such processing but merely exclude it from the scope of the Data Protection Law.

13 DATA SECURITY AND DATA BREACH

13.1 What data security standards (e.g., encryption) are required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Data controllers and processors are jointly responsible for implementing technical and organisational measures for providing an appropriate level of security in order to protect personal data from unlawful access and processing. Although the Data Protection Law does not stipulate any security standards, there are certain requirements in this regard in sector-specific regulations (e.g. telecommunications).

13.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

The Data Protection Law requires that the data controller must notify the data subject and the Data Protection Board of data breaches as soon as possible. The details of such notification are not clear as the Data Protection Board has not been established and the secondary legislation has not been drafted yet.

13.3 Is there a legal requirement to report data breaches to individuals? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

Please refer to our answer above in question 13.2.

13.4 What are the maximum penalties for security breaches?

Failure to comply with the data security obligations is subject to an administrative fine ranging from approximately €5,000 to €310,000.

14 ENFORCEMENT AND SANCTIONS

14.1 Describe the enforcement powers of the data protection authority(ies):

Investigatory Power: The Data Protection Board has the power to investigate possible violations of the Data Protection Law, at its own initiative or upon complaints from data subjects.

Civil/Administrative Sanction: Administrative fines up to €30,000 for non-compliance with the obligation to inform. Administrative fines up to €310,000 for non-compliance with (i) the decisions of the Data Protection Board, (ii) obligations relating to the Registry, or (iii) obligations relating to data security. In certain cases, the Data Protection Board may also take interim measures to cease the processing (including transfers abroad).

Criminal Sanction: The Data Protection Board may refer the case to the public prosecutor or a data subject may raise a criminal complaint and a judge may impose a criminal sanction, which may lead to imprisonment.

14.2 Describe the data protection authority's approach to exercising those powers, with examples of recent cases.

As the Data Protection Board is not established yet, this is not applicable.

15 E-DISCOVERY / DISCLOSURE TO FOREIGN LAW ENFORCEMENT AGENCIES

15.1 How do companies within your jurisdiction respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?

Save for the provisions of mutual legal assistance treaties, controllers are not obliged to respond to such requests under Turkish legislation. On the other hand, voluntary sharing of personal data shall be subject to the provisions of the Data Protection Law; please refer to our answers in sections 3 and 8.

15.2 What guidance has the data protection authority(ies) issued?

As the Data Protection Board has not been established yet, this is not applicable.

16 TRENDS AND DEVELOPMENTS

16.1 What enforcement trends have emerged during the previous 12 months? Describe any relevant case law.

a) Legislative Activity

Data Protection Legislation

The long-awaited Law on the Protection of Personal Data no. 6698 has been enacted by Parliament and was published in the Official Gazette on 7 April 2016. The Turkish Parliament also ratified the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data no. 108 and its additional protocol no. 181 regarding supervisory authorities and transborder data flows.

Marketing Communications

As indicated in our answer to question 7.2, the E-Commerce Law entered into force on 1 May 2015 and unsolicited marketing communications have been subject to administrative fines thenceforth.

b) Case Law

Right to be Forgotten

The right to be forgotten is not explicitly established in Turkish legislation, including the Data Protection Law. However, it may be inferred from the general provisions of Turkish law. In this regard, for the first time, the Supreme Court, in its decision dated 17 June 2015, used the term "right to be forgotten" and explicitly cited the case C‑131/12 of the European Court of Justice. The Court defined the right to be forgotten as a right to request negative events experienced in the past that exist in the digital memory to be forgotten after a period of time, provided that there is no superior public interest. It then ruled that including a person's full name in a criminal law textbook without pseudonymisation is in violation of the person's right to be forgotten.

This decision was prior to the entry into force of the Data Protection Law and in that regard, it is reasonable to infer that recognition of the right to be forgotten will be even stronger in Turkish law with the Data Protection Law in force.

Employee Monitoring

In a case involving the monitoring of employees' company email accounts, the Constitutional Court, in its decision dated 24 March 2016, ruled that such monitoring does not violate the right to respect for private life and freedom of communication of the employees, provided that the employees are informed of such monitoring and the monitoring is based on legitimate reasons and proportionate thereto.

Invalidation of Provisions of Internet Law

The Constitutional Court has, in its decision dated 8 December 2015, invalidated the provisions of the Law on Regulation of Broadcasts via Internet and Combating Crimes Committed by Means of Such Publications (commonly known as the Internet Law) requiring content, hosting, and service providers to submit information relating to their customers to the Presidency of Telecommunication upon its request.

16.2 What "hot topics" are currently a focus for the data protection regulator?

The Data Protection Law has been very recently enacted and the Data Protection Board is yet to be established. In this regard, the protection of personal data is a "hot topic" in general at the moment and will continue to be, especially after October when certain provisions including the ones relating to transfers abroad and administrative fines and criminal sanctions will enter into force. In particular, data security has been a "hot topic" throughout the past year due to data breaches on a massive scale within Turkey's public institutions.

Originally published in International Comparative Legal Guide to Data Protection by Global Legal Group, 11 July 2016.
