Please be informed that currently there is no specific regulation regarding the protection of personal data in Turkey and protection of personal data is regulated under various legislation.
However, the Draft Code on the Protection of Personal Data (the "Draft Code") was recently approved by the Prime Minister of Turkey to be submitted to the Parliament on January 18, 2016.
As part of the European Union compliance procedure, the Draft Code was prepared on the model of the European Union's Directive numbered 95/46 ("Directive No. 95/46"), published in 1995.
Due to the fact that data protection is regulated under various laws and regulations, there is not any specific definition for "Personal Data" under our current legislation.
However, a definition is provided in the Preamble of the Draft Code. Accordingly, personal data may be defined as any type of information relating to a person that identifies him/her. In this regard, any information and documents which are related to religion, language, race, origin, private life, health, habits, behaviour patterns, sexuality, family and private life, honour and professional and family values of an individual can be referred to as personal data.
Due to the current absence of specific legislation governing data protection, the legal framework applicable to data protection is determined by way of interpretation of the general principles under Turkish Constitutional Law, Turkish Civil Code, Turkish Criminal Code, Turkish Labour Code, Banking Law and other relevant legislation.
However, in this presentation we will be focusing on the content of the Draft Code and the provisions that the Draft Code introduces.
In the Preamble of the Draft Code, a number of different reasons are stated for the need to enforce a new law for the protection of personal data.
The Turkish Criminal Code is given as one of the main reasons to enact the Draft Code. In the current Turkish Criminal Code, the unlawful storage, unlawful transmission, reception and disclosure of personal data are considered crimes and are subject to penalties.
However, due to the lack of any specific law regulating the processing of personal data, there are some grey areas in determining when such acts are to be considered legal or illegal and therefore subject to punishment.
Furthermore, it is also stated that protection of personal data is regulated under Article 20 of the Turkish Constitutional Law as well. However, it is stated under the same Article that the principles and procedures relating to the protection of personal data shall be regulated by law. Again, the need for a specific law is underlined in the Constitution.
Due to the above reasons, it has become a legal necessity to harmonize all the laws dealing with protection of personal data. Despite the fact that the studies of the Turkish Government date back to the 1980s, it was only recently that the Draft Code was approved by the Prime Ministry.
Accordingly, the Draft Code has undergone several amendments since 2003 and was submitted for the approval of the Council of Ministers in February 2013.
The Council of Ministers sent the Draft Code back for revision, anticipating certain amendments, and it is expected that the Draft Code will enter into force in the near future.
Upon enactment of the Draft Code, the following concepts will be introduced to Turkish law: definition of personal data including anonymous and sensitive personal data, data processor and data controller, transfer to third persons and restrictions on cross-border transfers.
The Draft Code is drafted with the purpose of regulating the processing of personal data and protecting fundamental rights and freedoms, especially the privacy of personal life as regulated under the Turkish Constitution.
The provisions of the Draft Code apply to natural persons whose personal data are processed as well as to natural or legal persons who process such data fully or partially through automatic or non-automatic means. The Draft Code does not distinguish between the private and public sectors, and the procedures and rules apply equally to each sector.
As a general rule, personal data may only be processed with the explicit consent of the relevant person. However, the Draft Code indicates specific conditions under which no consent is required. The following are stated under the Draft Code as exemptions from the requirement to obtain consent:
- requirements under the laws,
- vital necessities for the protection of the life and physical integrity of a person or a third person who is incapable of expressing his/her consent,
- the requirement to process the personal data of the parties of a contract, provided that it is directly related to the execution and performance of the contract,
- existence of necessities for the data controller to fulfil its legal responsibilities,
- information that is made public by the relevant person,
- the necessity to process data for the establishment, use and protection of a right,
- the necessity to process data for the protection of the legal rights of the data controller, provided that the fundamental rights and freedoms of the relevant person are protected.
Sensitive data is also defined under the Draft Code. As per such definition, information relating to race, ethnic origins, political views, philosophical beliefs, religion, sect or other beliefs, appearance, membership of certain associations, foundations or trade unions, health, sexual life, biometric data or information related to sentenced punishments or safety precautions taken are considered as sensitive data.
The processing of special categories of data (sensitive data) is prohibited.
The processing of sensitive data without taking sufficient precautions is prohibited. The Draft Code also states that such sensitive data cannot be processed without the explicit consent of the relevant person.
However, conclusive conditions are stated under the Draft Code which enable the processing of sensitive data without obtaining the consent of the relevant person.
Circumstances stated explicitly under the law and information that is made known to the public by the relevant person can be given as examples of such conclusive conditions.
Cross-border transfer of personal data is regulated under Article 9 of the Draft Code. Accordingly, personal data can only be transferred to third countries with the explicit consent of the relevant person. There are, of course, some exceptions to this rule as well. The Draft Code states that there will not be any need to obtain prior consent where an adequate level of protection exists in the foreign country to which the data will be transferred and one of the conditions stated under Articles 5 and 6 is met.
The Draft Code further provides that in the absence of an adequate level of protection in the relevant foreign country, an exemption to the rule of obtaining the consent of the relevant person would still be applicable, provided that the data controllers in Turkey as well as in the foreign country undertake to provide sufficient protection and consent from the Personal Data Protection Board is obtained in this respect.
The Draft Code also introduces complaint mechanisms for the violation of the rules set forth and imposes criminal or administrative sanctions for any crimes committed in relation to personal data.
Please be informed that the Draft Code is yet to be enforced. However, due to the increasing necessity to exchange information in relation to matters such as global security and immigration, we believe it will soon be approved by the Turkish Parliament.