The Law No. 6698 on the Protection of Personal Data (Turkish Data Protection Law – TDPL), introduced to legal landscape on April 2016, was the first legislative piece covering the data protection wholly in Turkey. However, at the time, the EU Directive 95/46/EC was in force, and the TDPL was based on this aged legal text, with a little consideration of EU's upcoming General Data Protection Regulation (GDPR). The gap between the TDPL and the GDPR created this uneven playing field, where the conditions for processing personal data are not corresponding evenly one another, and the procedures are varying significantly.
However, the GDPR naturally made its mark on the TDPL throughout the practice in many forms, either by secondary legislation or by authority decisions. Turkish Data Protection Authority (TDPA), the regulatory body responsible of enforcement of the TDPL, was also keeping its eye on GDPR while reading between the lines of the TDPL. This tendency is now expected to thrive even more following the publication of 11th Development Plan of Turkey.
The 11th Development Plan of Turkey, which is prepared by the Directorate of Strategy and Budget (Directorate) and submitted to the Parliament, explicitly states the TDPL will be revised to align with GDPR. Such plan to level the playing fields of EU and Turkey in data protection practice is greeted.
Over the course of harmonization of TDPL with GDPR, one can expect amendments to the conditions for processing sensitive personal data, which are not fully compliant with each other as of today. The TDPA is using all in its arsenal to fine the data controllers that are in violation of the TDPL, however, the limits of monetary fines are lower compared to GDPR. Hence, it is expected to see the GDPR's penalty regime adopted with the revisions on the TDPL, enabling TDPA to impose fines on higher limits or on percentage based on global turnover.
Yet, the enforcement of the same rules may still vary, and it is unknown if the EU's implementation of GDPR will be considered as a precedent in Turkish data protection practice.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.