Please be informed that currently there is no specific regulation regarding the protection of  personal data in Turkey and protection of personal data is regulated under various legislation.

However, the Draft Code on the Protection of Personal Data (the "Draft Code") is recently approved  by the Prime Minister of Turkey to be submitted to the Parliament on January 18, 2016.

As part of the European Union compliance procedure, the Draft Code is prepared by way of modelling  European Union's Directive numbered 95/46 ("Directive No. 95/46") and published in 1995.

Due to the fact that data protection is regulated under various laws and regulations, there is not  any specific definition for "Personal Data" under our current legislation.

However, a definition is provided in the Preamble of the Draft Code. Accordingly, a personal data  may be defined as any type of information related to a person to identify his/her identification.  In this regard, any information and documents which are related to religion, language, race,  origin, private life, health, habits, behaviour patterns, sexuality, family and private life,  honour and professional and family values of an individual can be referred to as personal data.

Due to the current absence of specific legislation governing data protection, the legal framework  applicable to data protection is determined by way of interpretation of the general principles  under Turkish Constitutional Law, Turkish Civil Code, Turkish Criminal Code, Turkish Labour Code,  Banking Law and other relevant legislation.

However, in this presentation we will be focusing on the content of the Draft Code and the  provisions that the Draft Code introduces.

In the Preamble of the Draft Code, a number of different reasons are stated for the need to enforce  a new law for the protection of personal data.

The Turkish Criminal Code is given as one of the main reasons to enact the Draft Code. In the  current Turkish Criminal Code, the unlawful storage, unlawful transmission, reception and  disclosure of personal data are considered as a crime and are subject to penalties.

However, due to the lack of any specific law regulating the process of personal data, there are  some grey areas in determining as to when such acts shall be considered as legal or illegal acts  and therefore shall be subject to punishments.

Furthermore, it is also stated that protection of personal data is regulated under Article 20 of  the Turkish Constitutional Law as well. However, it is stated under the same Article that the  principles and procedures relating to the protection of personal data shall be regulated by law.  Again, the need for a specific law is underlined in the Constitution.

Due to above reasons, it has become a legal necessity to harmonize all the laws dealing with  protection of personal data. Despite the fact that the studies of the Turkish Government date back  to 1980s, it was only recently that it was approved by the Prime Ministry.

Accordingly, the Draft Code has faced with several amendments since 2003 and is submitted to the  approval of the Council of Ministers on February 2013.

The Council of Ministers sent the Draft Code back for revision by anticipating certain amendments  and it is expected that the Draft Code shall be enforced in the near future.

Upon enactment of the Draft Code, the following concepts will be introduced to Turkish law:  definition of personal data including anonymous and sensitive personal data, data processor and  data controller, transfer to third persons and restrictions on cross-border transfers.

The Draft Code is drafted with the purpose to regulate the processing of personal data and to  protect fundamental rights and freedoms especially to protect the privacy of personal life as  regulated under the Turkish Constitution.

The provisions of the Draft Code apply to natural persons whose personal data are processed as well as to natural or legal persons who process such data fully or  partially through automatic or non- automatic means. The Draft Code does not make any difference  between private and public sectors and the procedures and rules apply equally to each sector.

As a general rule, personal data may only be processed with the explicit consent of the relevant  person. However, specific conditions wherein no consent is required are indicated under the Draft  Code.


  1. requirements under the laws,
  2. vital necessities for the protection of the life and physical integrity of a person or a third  person who is incapable of explaining his/her consent,
  3. the requirement to process the personal data of the parties of a contract provided that it is  directly related to execution and performance of a contract,
  4. existence of necessities for the data controller to fulfil its legal responsibilities,
  5. information that is made public by the relevant person,
  6. the necessity to process data for establishment, use and protection of a right,
  7. provided that the fundamental rights and freedoms of the  relevant person is protected, the  necessity to process data for the protection of the legal rights of the data controller are stated  under the Draft Code as exemptions to obtain consent

Sensitive data is also defined under the Draft Code. As per such definition, information relating to race, ethnic origins, political views, philosophical beliefs,  religion, sect or other beliefs, appearance, membership to certain associations, foundations or  trade-unions, health, sexual life, biometric data or information related to sentenced punishments  or safety precautions taken are considered as sensitive data.

The  processing  of  special  categories  of  data  (sensitive  data) is prohibited.

The processing of sensitive data without taking sufficient precautions is prohibited. The Draft  Code also states that such sensitive data cannot be processed without the explicit consent of the  relevant person.

However, conclusive conditions are stated under the Draft Code which enables the process of the  sensitive data without the obtainment of the consent of the relevant person.

Circumstances stated explicitly under the law, information that is made known to the public by the  relevant person can be stated as examples for conclusive conditions.

Cross-border transfer of personal data is regulated under Article 9 of the Draft Code. Accordingly,  personal data can only be transferred to third countries with the explicit consent of the relevant  person. There are, of course some exceptions to this rule as well. The Draft Code states that there  will not be any need to obtain prior consent, in the existence of adequate level of protection in  the foreign country that the data will be transferred to and that one of the conditions stated  under Articles 5 and 6 are met.

The Draft Code further provides that in the absence of adequate level of protection in the relevant  foreign country, an exemption to the rule of obtaining the consent of the relevant person would  still be applicable provided that the data controllers in Turkey as well as in the foreign county  undertakes to provide sufficient protection and a consent from the Personal Data Protection Board  is obtained in this respect.

The Draft Code also introduces complaint mechanisms for the violation of the rules set forth and  imposes criminal or administrative sanctions for any crimes committed in relation to personal data.

Please be informed that the Draft Code is yet to be enforced. However, due to the increasing  necessity to exchange information in relation to matters such as global security and immigration,  we believe it will soon be approved by the Turkish Parliament.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.