In light of recent lawsuits regarding the violation of individual rights by not removing internet content and failing to implement court rulings in that respect, it is timely to examine the state of the law regarding the protection of personal data. In Turkey, data protection is not regulated under a single coherent code, but rather is governed by provisions scattered among many different laws and regulations in an ad hoc manner. Similarly, the term "personal data" is not defined under Turkish laws, however based on the precedents of the International Court of Human Rights it is understood to cover all information regarding an identifiable person, such as age, gender, place of birth, medical records, criminal records, education data and other private information.

The Turkish Parliament is working on a draft Law on the Protection of Personal Data (the "Draft Law"). Unfortunately, the Draft Law, although first proposed in 2008, still has not been enacted. Therefore, in the absence of a specific data protection law, the general provisions of laws apply with respect to the protection of personal data as summarized below:

  • The Constitution of the Republic of Turkey: Article 20 of the Constitution regarding the confidentiality of private life provides that everyone is entitled to the protection of their personal data. Such right also includes the right to be informed about their personal data, and to access the data and request correction or destruction of such data. The article states that personal data may only be processed with the explicit consent of the relevant person or as envisaged by law. It is further stipulated that the principles and procedures regarding the use of personal data are to be regulated by legislation to that effect. As mentioned above, such a law has yet to be enacted in Turkey.
  • Turkish Civil Code (Law No: 4721): Articles 23 and 24 of the Turkish Civil Code which provide for the "Protection of Personality" implicitly covers the protection of personal data in a very general manner. Article 23 states that no person may waive his/her freedoms or have such freedoms limited in a manner contrary to law or morality. Article 24 further states that a person whose "personality right" has been violated may request protection from such violation from the court. Each violation of an individual's personality right is deemed to be illegal unless the consent of the subject person is obtained or there is a higher degree of private or public benefit, or occurs via a statutory authority.
  • Turkish Criminal Code (Law No: 5237): Articles 134-140 of the Turkish Criminal Code regulate the protection of privacy and make it an offense (punishable by imprisonment) to violate the confidentiality of private life. Article 135 specifically regulates the recording of personal data and states that persons who record personal data in a manner contrary to law shall be sentenced to imprisonment for between one-to-three years. Furthermore, providing, disseminating, or obtaining personal data to or from another person in an illegal manner is also punishable by imprisonment for between two-to-four years. According to Article 138, in the event those who are obliged to destroy stored data upon lapse of the time periods stipulated by law fail to destroy such data, they shall be subject to imprisonment of between one-to-two years. Article 139 also stipulates that except for the recording of personal data, providing or obtaining data in a manner contrary to law and/or failure to destroy data shall be subject to the filing of a complaint. Where these offences are committed by legal persons, measures reserved for legal persons shall be applicable. Based upon the foregoing, those who process personal data without explicit consent may be subject to criminal penalties under the Turkish Criminal Code.
  • Specific Regulations: In addition to the above, with respect to certain regulated sectors that are subject to higher levels of legal scrutiny and monitoring (such as banking, insurance, health, and telecommunications), data protection is further regulated under specific provisions of their relevant laws and regulations.

The Draft Law mainly aims to protect the privacy, rights, and freedoms of persons in connection with the processing of their personal data. The Draft Law is exists in parallel with the provisions of the Data Protection Directive (EU Directive 95/46/EC). According to the Draft Law, personal data shall only be processed with the consent of the relevant person and in accordance with certain legal principles. Moreover, transmission of personal data shall be contingent upon certain conditions. The Draft Law envisions the establishment of a "Personal Data Protection Committee" (the "Committee") with a view to implement the Draft Law. The duties of the Committee include, among other things: rendering decisions regarding the applications of those whose rights have been violated; taking temporary precautions when there is a possibility of a loss which cannot be remedied; preparing regulatory procedures regarding the processing of personal data; ensuring that records are kept; and cooperating with the domestic and overseas data protection authorities. To ensure implementation of the Draft Law, the Committee sets up a data recording registry ("Registry"). All legal and real persons who process personal data for and on behalf of a data-file owner are required to be registered at the Registry prior to forming a data-file. The Registry shall be open to public. Any complaints regarding the implementation of any provision of the Draft Law shall be filed at the Committee, and in the event that the Committee determines that the provisions of this Draft Law have not been fulfilled, it may require the relevant data-file owner to process such personal data in accordance with the Draft Law. Moreover, if there is a possibility of an irreparable loss or damage to one's reputation or if there is a clear violation of law, the Committee may also decide to suspend the processing or overseas transmission of data of the relevant person. (The obvious problem is that with current technology, data transmission is virtually instantaneous, and unfortunately, the "horse would already be out of the barn" before the Committee could act.) Upon decision of the Committee regarding such complaint, the complainant may further file a lawsuit at the administrative court. In this respect, the Draft Law indicates that the compensation rights of those complainants whose personal rights have been violated shall be reserved.

In light of the foregoing, the enactment of the Draft Law depends on the establishment of the relevant authorities and institutions that shall be responsible for the proper implementation of the Draft Law. In fact, the delay in the enactment of the Draft Law is said to be the result the failure to form such regulatory bodies which are pre-requisite for the proper functioning of the data protection regime. It is not clear when the Draft Law will be finally legislated and the new data protection regime will be implemented. However even in the absence of a comprehensive legal framework on data protection, it is advisable for those who collect, use and process personal data to ensure its protection and confidentiality in order to avoid any liability under the general provisions of existing laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.