The Data Protection Law applies to data controllers who process and transfer personal data. In the situation where data controllers utilise the services of third-party data processors for these processes, the law holds them jointly liable for taking all of the technical and administrative measures required to ensure the safeguarding of personal data and to prevent any unlawful access or processing.
The Data Protection Law does not envisage the scope of its application in terms of territory. However, the DPA has the GDPR approach, and in this regard, it takes the view that the Data Protection Law is applicable to data controllers in Turkey, as well as data controllers not residing in Turkey, but who target data subjects in Turkey (in other words those monitoring and providing services and/ or goods in or to Turkey) irrespective of citizenship. The Data Protection Law does not aim to apply to those who are resident abroad, not targeting data subjects in Turkey but, randomly, may be in a position to provide goods/ services to persons in Turkey (passively).
The Data Protection Law contains a provision that identifies areas exempted from its application, as follows:
- Use of personal data by real persons within the scope of activities relating to either themselves or their family members living in the same household, on the condition that the data is not provided to third parties and data security requirements are followed;
- Processing of personal data for official statistics or, on the condition that the data is made anonymous, used for purposes such as research, planning or statistics;
- On the condition that such use is not contrary to national defence and security, public safety and order, economic security, the right to privacy and personal rights and, on the condition that it does not constitute a crime, processing for the purposes of art, history, literature or scientific research or processing within the scope of the freedom of speech;
- Processing within the scope of the preventive, protective, and intelligence activities of the public bodies and institutions that have been authorised by law to safeguard the national defence, security, public safety and order or economic security; or
- Processing by judicial authorities or penal institutions in relation to investigations, prosecutions, trials or enforcement proceedings.
We provide legal assistance to global companies having activities in Turkey, whether they have establishments in Turkey or not, we evaluate their activities, and advise on the procedures they need to follow as per the Data Protection Law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
