Data Protection Law numbered 6698 has been enacted on 24/3/2016 and published in the Official Gazette dated 7/4/2016 numbered 29677 ("Law").
The purpose of the Law is to protect the fundamental rights and freedoms of persons, privacy of personal life in particular, while personal data are processed, and to set forth obligations of natural and legal persons who process personal data and procedures and principles to comply with for the same.
The provisions of the Law is applied to natural persons whose personal data are processed and natural or legal persons who process such data wholly or partly by automatic means or otherwise than by automatic means which form part of a filing system.
Personal data shall only be processed in accordance with the procedures and principles set forth below;
- Being in conformity with the law and good faith;
- Being accurate and if necessary, up to date;
- Being processed for specified, explicit, and legitimate purposes;
- Being relevant, limited and proportionate to the purposes for which data are processed;
- Being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.
In accordance with Article 5 of the Law, Personal data shall not be processed without obtaining the explicit consent of the data subject.
However, Personal data may be processed without obtaining the explicit consent of the data subject if one of the below conditions exists:
- It is expressly permitted by any law;
- It is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
- It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;
- It is necessary for compliance with a legal obligation which the controller is subject to;
- The relevant information is revealed to the public by the data subject herself/himself;
- It is necessary for the institution, usage, or protection of a right;
- It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
Under 6th Article of the Law, conditions for processing of special categories of personal data are regulated. Accordingly, Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data.
It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject.
Personal data other than personal data relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject if processing is permitted by any law. Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.
It is additionally required to take the adequate measures designated by the Board when special categories of personal data are processed.
Pursuant to the Law, personal data shall not be transferred without obtaining the explicit consent of the data subject. There are certain exceptions of this rule as also valid and indicated for the processing personal date without the consent of the data subject.
Personal data also cannot be transferred abroad without obtaining the explicit consent of the data subject. Subject to the exceptions valid for the personal data transfer without the consent, personal data may also be transferred abroad without obtaining the explicit consent of the data subject if one of the conditions set forth below;
- If the foreign country to whom personal data will be transferred has an adequate level of protection,
- In case there is not an adequate level of protection, if the data controllers in Turkey and abroad commit, in writing, to provide an adequate level of protection and the permission of the Board exists.
The countries where an adequate level of protection exist shall be declared by the Board. The Board shall decide whether there is adequate level of protection in a foreign country and whether approval will be granted in terms of indent (b) of the second paragraph by evaluating
- The international agreements to which Turkey is a party,
- Reciprocality regarding transfer of personal data between the country requesting personal data and Turkey,
- With regard to each present transfer of personal data, nature of personal data and purpose of processing and retention,
- Relevant legislation and practice of the country to whom personal data will be transferred,
- Measures committed by the data controller in the country to whom personal data will be transferred
- and if it requires, by obtaining the opinion of relevant public institutions and organizations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.