Data controllers should become compliant with Turkish Data Protection Law ("DPL") as soon as possible in order to avoid possible heavy sanctions.

The main obligations that fall on a data controller according to the DPL are as follows:

  1. Preparing Data Inventory

The data controller must prepare a data inventory.

Such inventory should include the details of data processing, including but not limited to purpose of data processing, description of a group of data subjects and data categories related to this group, recipient or recipient groups that any personal data will be transferred to, any personal data that is envisaged to be transferred overseas, precautions that will be taken to safeguard personal data and data retention periods.

  1. Obligation to obtain consent of the data subject (where applicable)

The general rule for processing of personal data is that data can only be processed with the explicit consent of the data subject. Explicit consent has been defined as consent that relates to a specified issue, declared by free will and based on information.

However, certain exceptions have been introduced to this rule under the DPL, and data can be processed without explicit consent from the data subject if one of these exceptions applies.

  1. Obligation to inform the data subject

Data controllers are obliged to inform the data subject prior processing of their personal data. Within the framework of this obligation, the data controller must inform the data subject with regards to:

  • Identity of the data controller and (if any) its representative.
  • Purpose of processing the data.
  • Legal grounds for collecting and processing the personal data.
  • Method for collecting the personal data.
  • Rights of the data subject stipulated under Article 11 of the DPL.
  1. Obligation to delete, destroy or anonymise the data

If the reason(s) for processing the data no longer exist(s), related personal data must be deleted, destroyed or anonymised automatically by the data controller or upon request by a related person. Therefore, data controllers must use infrastructure where the reasons for processing data can be monitored and assessed regularly.

Also pursuant to the Regulation on the Deletion, Destruction and Anonymization of Personal Data, certain data controllers have to prepare a personal data retention and destruction policy.

  1. Data safety obligations

Data controllers are obliged to adopt all kinds of technical and administrative measures necessary to prevent the illegal processing of data, prevent unauthorised access to data and to provide safekeeping of personal data.

Details of the suggested technical and administrative measures are determined in the decision of Data Protection Board.

  1. Data Controller Registry

Data Controller Registry (VERBİS) is a registration system where data controllers shall be registered and record the data processing activities they are engaged in.

Turkish and foreign data controllers (that process personal data of subjects residing in Turkey) will need to register on VERBİS (if not exempted via Data Protection Board resolutions).

Registration can be made online through the website of VERBİS. Data controllers will need to provide the following information during registration:

  • Identifying information (including the address of the data controller or its representative).
  • Purpose of the data processing.
  • Data subject groups and data categories (data processing inventory).
  • Recipient or recipient groups to which the data may be transferred.
  • Any personal data which may be transferred abroad.
  • Data security measures taken.
  • Data retention period.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.