To avoid potentially heavy sanctions, data controllers should strive to become compliant with the Turkish Data Protection Law (DPL) as early as possible.

  • The DPL imposes several obligations on data controllers, including the preparation of a data inventory. This inventory should detail the purpose of data processing, the data subject group, data categories, the recipients or recipient groups that the personal data will be transferred to, any personal data that is likely to be transferred abroad, and the measures that will be implemented to safeguard the personal data and determine data retention periods.
  • The general rule for processing personal data is that it can only be done with the explicit consent of the data subject. However, certain exceptions have been introduced to this rule under the DPL.
  • Data controllers must also inform data subjects prior to processing their personal data, detailing the identity of the data controller and its representative (if applicable), the purpose of processing the data, the legal grounds for collecting and processing personal data, the method for collecting personal data, and the data subject's rights specified under Article 11 of the DPL.
  • Data controllers must delete, destroy or anonymize personal data if the reasons for processing the data no longer exist, and this must be done automatically or upon the request of the concerned individual. Therefore, data controllers must regularly monitor and assess the reasons for processing data.
  • Furthermore, data controllers are obliged to adopt technical and administrative measures to prevent unauthorized access to data and ensure safekeeping of personal data. Details of the suggested measures are specified in the decision of the Data Protection Board.
  • Data controllers must register with the Data Controller Registry (VERBIS), a registration system where data controllers record their data processing activities. Turkish and foreign data controllers processing personal data of subjects residing in Turkey must register with VERBIS unless exempted by Data Protection Board resolutions.

Registration can be completed online. During registration, data controllers must provide identifying information, the purpose of data processing, data subject groups and data categories, the recipients or recipient groups to which the data may be transferred, any personal data which may be transferred abroad, the data security measures taken, and data retention periods.
