1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

  • The Turkish Constitution of 1982;
  • The Law on the Protection of Personal Data (6698);
  • The Criminal Code (5237);
  • The Civil Code (4721);
  • The Labour Law (4857);
  • The Law on the Right to Access Information;
  • The Regulation on the Deletion, Destruction and Anonymisation of Personal Data;
  • The Regulation on the Data Controllers' Registry;
  • The Regulation on the Operating Principles and Procedures of the Personal Data Protection Board;
  • The Communiqué on the Procedures and Principles of the Obligation to Inform Data Subjects; and
  • The Communiqué on the Procedures and Principles of Applications to Data Controllers.

There are also sectoral laws for banking, electronic communications, e-commerce, insurance and so on.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Special regimes and sectoral laws apply in the following sectors.

Banking: The personal data of all customers is protected as ‘customer secrets’. Banks are also required to retain personal data within Turkey.

The following laws apply in this sector:

  • the Banking Law (5411);
  • the Bank and Credit Cards Law (5464);
  • the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (6493); and
  • the Regulation on Information Systems of Banks and Electronic Banking Services, as amended on 20 June 2020.

Telecommunications: The personal data of customers is subject to protection. The content of communications and traffic data are subject to specific protection and cannot be disclosed without a court or administrative decision, unless the parties to the communication provide their consent. Traffic and location data can be transferred abroad from Turkey only with the explicit consent of the data subject.

The Electronic Communications Law (5809) applies in this sector.

E-commerce: Marketing messages are subject to an opt-in regime.

The following laws apply in this sector:

  • the Law on the Regulation of Electronic Commerce (6563); and
  • the Regulation on Commercial Communication and Commercial Electronic Messages of 15 July 2015.

Insurance and health: The following laws apply in these sectors:

  • the Insurance Law (5684); and
  • the Regulation on Personal Health Data of 21 June 2019.

Special categories of personal data: The following types of personal data are defined as ‘special categories of personal data’ and are subject to additional protection:

  • race and ethnic origin;
  • political opinions, philosophical beliefs, religion, sect or other beliefs;
  • appearance and dress;
  • membership of associations, foundations or trade unions;
  • health;
  • sexual life;
  • criminal convictions and security measures; and
  • biometric and genetic data.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

  • The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) was signed by Turkey on 28 January 1981 and was published in the Official Gazette on 17 March 2016.
  • The Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (ETS No. 181), was published in the Official Gazette on 5 May 2016.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The Turkish Data Protection Authority (DPA) is responsible for enforcing the personal data protection legislation.

The Data Protection Board is the decision-making organ of the DPA. For the purposes of this Q&A, we use the term ‘DPA’ when referring to both the authority and the board.

The DPA can:

  • draft secondary legislation regarding data protection;
  • investigate and act on data subjects' complaints;
  • determine sufficient measures for the processing of sensitive personal data;
  • apply administrative fines and other sanctions, such as restrictions on processing, or refer violations to criminal proceedings;
  • maintain a public register of controllers involved in processing; and
  • cooperate with international organisations on data protection matters.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

The Law on the Protection of Personal Data came into force on 7 April 2016. It is the first comprehensive statute regarding data protection and data privacy in Turkey.

As the law and its secondary legislation cannot cover every case, the DPA's decisions further shape data protection and data privacy practice in Turkey. In its decisions the DPA also refers to EU legislation, implementation practice and general principles, and it has stated that its aim is to follow best practices around the world.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

The Law on the Protection of Personal Data applies to natural persons whose personal data is processed (data subjects) and to natural or legal persons that process such data, wholly or partially, by automated means or by non-automated means, as a part of a data filing system (data controllers).

Data processors are also briefly mentioned in the law.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

  • Processing that a natural person carries out for purely personal or household activities.
  • Processing for official statistical purposes or, if the data is anonymised, for research, planning or statistical purposes.
  • Processing for artistic, literary, historic or scientific purposes, within the scope of freedom of expression, if the processing does not constitute a crime and does not violate:
    • privacy and personal rights;
    • national defence or security;
    • public security or order; or
    • economic security.
  • Processing within the scope of preventive, protective and intelligence-related activities that assigned and authorised public institutions and organisations carry out for purposes relating to:
    • national defence or security;
    • public security or order; or
    • economic security.
  • Processing for investigations, prosecutions, criminal proceedings or execution proceedings by courts and execution bodies.

2.3 Does the data privacy regime have extra-territorial application?

The Law on the Protection of Personal Data contains no provisions on territorial scope, but it is accepted that the law has extra-territorial application. Additionally, the Regulation on the Data Controllers' Registry of 30 December 2017 defines a ‘foreign controller' as a data controller that is not established in Turkey.

Therefore, the law has extra-territorial application for data controllers that collect data in Turkey or process data that has been collected in Turkey.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

Any operation which is performed on personal data, wholly or partially by automated means or non-automated means, which forms part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorisation or restriction.

(b) Data processor

A natural or legal person that processes personal data on behalf of the data controller and with its authorisation.

(c) Data controller

A natural or legal person that determines the purposes and means of the data processing and is responsible for the establishment and management of the data filing system.

(d) Data subject

A natural person whose personal data is processed.

(e) Personal data

Any information relating to an identified or identifiable natural person.

(f) Sensitive personal data

Known as ‘special categories of personal data’ in Turkey: that is, personal data relating to an individual's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions or security measures; and biometric and genetic data.

(g) Consent

Consent in Turkey is ‘explicit’ when it relates to a specific subject, is based on information (informed) and is freely given.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

  • Registry of Data Controllers Information System (VERBIS): The information system through which data controllers submit their applications and conduct other relevant actions in relation to the registry.
  • Contact person: A natural person (Turkish citizen) who is designated at the time of registration with VERBIS by the data controller for the purpose of communicating with the Data Protection Authority.
  • Personal data processing inventory: An inventory created and maintained by the data controller on the personal data processing activities that it conducts, including information on:
    • the purposes of the data processing;
    • the data categories;
    • the recipient groups;
    • the groups of data subjects;
    • the storage period;
    • any transfers of personal data to foreign countries; and
    • the precautions taken in respect of data security.
  • Data controller representative: A legal entity which is based in Turkey or a natural person who is a Turkish citizen that is authorised to represent the foreign data controller in Turkey.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

Data controllers (both Turkish and foreign) must register with the Registry of Data Controllers Information System (VERBIS) by 30 September 2020. An administrative fine of between TRY 36,000 and TRY 1.8 million (approximately €4,400 to €220,122) will be imposed on anyone that fails to register with or notify VERBIS where required to do so.

Further, an additional administrative fine of up to TRY 1.8 million may also be applied where the Data Protection Authority (DPA) decides to restrict the data processing activities of the data controller in Turkey.

4.2 What is the process for registration?

Natural or legal persons who process personal data must register with VERBIS before commencing data processing activities. The deadline for registration (for those that already are processing personal data in Turkey) is 30 September 2020.

The process is different for foreign controllers and Turkish controllers.

Foreign controllers: Generally, before processing personal data, foreign private sector controllers must:

  • appoint a Turkish natural or legal person as data controller representative. The appointment decision must be signed by an authorised individual of the controller, notarised and apostilled, and sent to the local representative;
  • appoint an individual to act as a contact person with the DPA;
  • prepare a data processing inventory; and
  • register with VERBIS.

Only local representatives can register on behalf of foreign controllers. The registration is completed online by the local representative and the following information must be provided:

  • identification information, including the name and address of the controller and its representative;
  • the purpose of the personal data processing;
  • a data processing inventory, including the applicable data subject groups and personal data categories;
  • any third parties or groups of recipients to which the personal data may be transferred, including details of any cross-border data transfers;
  • a description of the safety and security measures taken; and
  • the maximum term for processing personal data, which must correspond to the purpose for which the data is being processed.

Turkish controllers: Generally, before processing personal data, Turkish controllers must:

  • appoint an individual to act as a ‘contact person’ with the DPA;
  • prepare a data processing inventory; and
  • register with VERBIS.

The following Turkish controllers are exempt from registration:

  • controllers that employ fewer than 50 employees and have an annual balance sheet of less than TRY 25 million, unless their main business relies on processing sensitive personal data (eg, doctors, hospitals);
  • public notaries;
  • political parties;
  • lawyers;
  • accountants;
  • customs advisers;
  • mediators; and
  • non-profit organisations such as associations, foundations and unions, if they process personal data that is:
    • appropriate for their purpose;
    • limited to their field of activity; and
    • only for their own employees, members and donors.

4.3 Is registered information publicly accessible?

VERBIS is maintained publicly. The following data can be reviewed by the public:

  • the full name/trade name, address and, where applicable, registered electronic mail (REM, known locally as KEP) address of the data controller, the data controller's representative, if any, and the contact person;
  • the designated purposes for which the personal data may be processed;
  • the groups of data subjects and the data categories of such persons;
  • the recipients and recipient groups to which the personal data may be transferred;
  • the personal data which may be transferred to foreign countries;
  • the date of registration with VERBIS and the date on which the validity of such registration expires;
  • the precautions taken in respect of personal data security; and
  • the maximum timeframe required to achieve the purpose for which the personal data is being processed.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

  • The data subject has explicitly consented.
  • The data processing is expressly provided for by law.
  • The data processing is required for the protection of the life or physical integrity of the data subject, or of any other person who is unable to give his or her consent due to physical disability, or whose consent is not deemed legally valid.
  • The data processing is necessary to execute a contract between the parties, provided that it is directly related to the establishment or performance of that contract.
  • The data processing is required to comply with a legal obligation to which the data controller is subject.
  • The personal data has been made public by the data subject himself or herself.
  • The data processing is required for the establishment, exercise or protection of any right.
  • The data processing is required for legitimate interests pursued by the data controller, provided that this does not violate the fundamental rights and freedoms of the data subject.

In principle, special categories of personal data may be processed only with the explicit consent of the data subject.

With the exception of data concerning health and sexual life, special categories of personal data may also be processed without seeking the explicit consent of the data subject in the cases provided for by law.

Data concerning health and sexual life may be processed without the explicit consent of the data subject only by persons who are subject to a secrecy obligation or competent public institutions and organisations, for the purposes of the protection of public health, the operation of preventive medicine, medical diagnosis, treatment and nursing services, or the planning, management or financing of healthcare services.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

  • The processing must be lawful and fair.
  • The data must be accurate and kept up to date where necessary.
  • The data must be processed for specified, explicit and legitimate purposes.
  • The processing must be relevant, limited and proportionate to the purposes for which the data is being processed.
  • The data must be stored for the period specified by relevant legislation or required by the purpose for which the personal data is being processed.

These principles are valid for all types of personal data and for all data controllers that are within the scope of the Law on the Protection of Personal Data.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

Data controllers have the following obligations under the Law on the Protection of Personal Data:

  • to process personal data in accordance with the principles of the law (see question 5.2);
  • to process personal data in accordance with a legal justification (see question 5.1);
  • to inform data subjects before the collection of personal data. The privacy notices prepared for this purpose must specify the following:
    • the identity of the data controller and its representative, if any;
    • the purpose for which the personal data is being processed;
    • to whom and for what purposes the processed personal data may be transferred;
    • the method and legal basis for the collection of personal data; and
    • the data subjects' rights;
  • to register with the Registry of Data Controllers Information System (see question 4);
  • to prepare a data processing inventory that contains the following information, based on processing activity:
    • the purpose of the data processing;
    • the legal basis for the data processing;
    • the categories of data subjects;
    • the categories of data;
    • the groups of recipients;
    • any data transfers abroad;
    • the period of retention;
    • technical precautions; and
    • administrative precautions;
  • to inform on international transfers (please see question 6.2);
  • to respond to the requests of data subjects (please see question 7);
  • to secure personal data (please see question 9);
  • to notify data breaches (please see question 9); and
  • to prepare a data retention and destruction policy.

Data controllers must prepare a policy that stipulates the retention term for personal data. The policy must also include the types and methods used for the deletion, anonymisation and destruction of personal data. This policy must also stipulate a periodic destruction term (which cannot be longer than six months). Personal data must be deleted, anonymised or destroyed pursuant to the policy.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

Personal data can be transferred to third parties within Turkey on any of the legal bases in the Law on the Protection of Personal Data, as stated in question 5.1.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

Turkey has a strict regime which applies to the transfer of personal data abroad. The use of data processors abroad or of systems that are located abroad is also regarded as the transfer of personal data abroad by the Data Protection Authority (DPA).

Personal data can be transferred abroad based on any of the following grounds:

  • the explicit consent of the data subject;
  • any of the statutory justifications in the Law on the Protection of Personal Data, provided that the recipient is located in a country which is included on the safe countries list to be published by the DPA;
  • any of the statutory justifications set out in the law, provided that the transferring data controller in Turkey and the recipient abroad sign a written undertaking to ensure adequate protection of the personal data and the DPA approves the transfer; and
  • binding corporate rules (BCRs) (for transfers among group companies).

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

In practice, obtaining the explicit consent of the data subject is currently the only viable option for transferring personal data abroad, as the DPA has not yet published a safe countries list or announced the approval of any BCRs or transfer undertakings.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Every data subject has the following rights:

  • to learn whether his or her personal data is being processed;
  • to demand details of the processing of his or her personal data;
  • to learn the purpose of the data processing and whether his or her personal data is being used in accordance with this purpose;
  • to learn of any third parties to which his or her personal data has been transferred, whether in Turkey or abroad;
  • to request the rectification of incomplete or inaccurate data;
  • to request the erasure or destruction of his or her personal data under the conditions specified in the Law on the Protection of Personal Data;
  • to request notification of deletion or correction to third parties to which his or her personal data has been transferred;
  • to object to a result relating to himself or herself arising through the analysis of his or her data processed solely through automated systems; and
  • to claim compensation for damages arising from the unlawful processing of his or her personal data.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

The data subject must send his or her request regarding his or her rights to the data controller:

  • in writing;
  • by registered electronic mail (REM/KEP);
  • by secure electronic signature or mobile signature;
  • from an email address that the data subject has previously notified to the data controller and that is recorded in the data controller's system; or
  • through software or an application designed to receive data subjects' requests.

The request must contain the following:

  • the data subject's name, surname and signature, if the request is made in writing;
  • for Turkish citizens, the data subject's identity number; for foreigners, his or her nationality, passport number or identity number, if available;
  • the data subject's residential or business address for notification;
  • the data subject's email address, telephone and fax number for notification, if available; and
  • the request itself.

All documents and information regarding the request must be attached accordingly. In the case of written requests, the request date is the date on which the document is notified to the data controller or its representative.

For other electronic methods, the notification date is the date on which the request is delivered to the data controller.

Data controllers must respond to and comply with such requests free of charge within 30 days of receipt of a valid request. If there are justified grounds to reject the request (eg, a destruction request relating to data that must still be retained under a statutory retention period), the data controller must communicate its reasoned rejection to the data subject within the same 30-day period.

7.3 What remedies are available to data subjects in case of breach of their rights?

If the request is rejected, or if the data controller provides an insufficient response or does not respond in due time, the data subject may lodge a complaint with the Data Protection Authority within 30 days of the date on which he or she learns of the data controller's reply, and in any event within 60 days of the date of the request.

The data subject may also claim compensation from the data controller if he or she suffered any damage due to the unlawful processing of his or her personal data.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

There is no requirement to appoint a data protection officer under Turkish law. That said, all foreign controllers must appoint a data controller representative (please see questions 3.2 and 4.2).

8.2 What qualifications or other criteria must the data protection officer meet?

N/A.

8.3 What are the key responsibilities of the data protection officer?

N/A.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

N/A.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

Data controllers must prepare and retain the following:

  • a data processing inventory (please see questions 3.2 and 5.3);
  • a privacy notice for the different categories of data subject (please see question 5.3); and
  • a data retention and destruction policy (please see question 5.3).

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

  • employee training on the data protection obligations described above; and
  • organisational measures (eg, internal policies and procedures, confidentiality undertakings and access controls).

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

The Law on the Protection of Personal Data does not contain detailed provisions on the technical and organisational measures that must be taken by data controllers. The law stipulates that data controllers must take all necessary technical and organisational measures to provide an appropriate level of security in order to:

  • prevent the unlawful processing of personal data;
  • prevent unlawful access to personal data; and
  • ensure the protection of personal data.

If a data processor is used, the data controller is jointly liable with the data processor for taking these measures. Written agreements between data controllers and data processors are not mandatory; however, the Data Protection Authority (DPA) recommends that written agreements be concluded.

Further, the Law on the Protection of Personal Data requires all data controllers to undertake the necessary compliance measures to ensure the correct implementation of the law and secondary legislation.

Separate organisational and technical measures also apply to sensitive personal data.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Under the Law on the Protection of Personal Data, a data breach occurs if an unauthorised third party obtains personal data unlawfully.

In case of a data breach, the data controller must notify the DPA by using the data breach notification form on its website. The notification to the DPA must be made within 72 hours of becoming aware of the breach.

It is possible to notify the breach in stages if not all information required to complete the form is available within 72 hours.

The following information should be included in the notification:

  • the data controller's identification information (eg, name and address), and the details of the person preparing the notification on behalf of the data controller;
  • information regarding the data breach (eg, start and end date and time of the breach) and, if the breach was notified to the data controller by the data processor, information such as the name and address of the data processor and the date and time at which the data controller was informed of the detection and notification;
  • information on the source of the data breach and how it happened;
  • the security criteria affected by the data breach (confidentiality, integrity and/or availability);
  • details of how the data breach was detected;
  • the categories of personal data affected by the data breach;
  • the numbers of persons and records affected by the data breach;
  • the groups of data subjects affected by the data breach and the effect on them;
  • information relating to late notification and whether the breach has been notified to the data subjects;
  • information relating to potential consequences of the breach; and
  • information relating to security measures.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

All data breaches must be notified to the data subjects. If the data controller has the contact information of affected data subjects, notification must be sent to their electronic or physical address.

If the data controller does not have the data subjects' contact information, a data breach notification may also be announced on its website.

There is no clear deadline to inform data subjects, but the Law on the Protection of Personal Data requires that they be notified as soon as possible.

The data subjects must be notified of the breach in clear and plain language and be provided with at least the following information:

  • the date and time of the data breach;
  • the categories of personal data affected by the breach (distinguishing between personal data and special categories of personal data);
  • the possible consequences of the breach;
  • the measures that they should take to mitigate the negative effects of the breach; and
  • the ways in which they can contact the data controller with regard to the data breach, such as the name and contact details of contact persons, a link to the data controller's website, a call centre number and so on.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

Where the DPA cannot be notified within 72 hours, the reasons for the delay should be specified in the notification, which should be made to the DPA without undue delay.

If the personal data held by the data processor is obtained by others through unlawful methods, the data processor must notify the data controller without delay.

If a data breach occurs in the case of a data controller established abroad and affects data subjects who reside in Turkey and who benefit from products or services provided in Turkey, the data controller must notify the DPA according to the same principles.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

There are no detailed rules on the processing of personal data in the employment context. The general data processing principles apply and personal data must be processed based on the legal justifications in the Law on the Protection of Personal Data.

Explicit consent is a last resort in an employment relationship, as the employee and employer are not on equal footing in this employment relationship and the employee may not be acting of his or her own free will when providing consent, which may affect its validity.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

Cameras and other technological devices are used in practice. In this regard, employers must inform employees about the use of these devices and methods. This information should include the purpose, duration and type of surveillance being conducted, and the period for which data will be retained. If cameras are used, information relating to the number and locations of cameras should also be provided.

Employers should have a legitimate interest in conducting the surveillance and the surveillance should be limited to business hours. Further, the surveillance must be proportionate to the employer's intended purpose. Continuous surveillance will not be accepted as proportionate.

Locker rooms, showers and other locations where employees have a valid expectation of privacy may not be placed under surveillance.

A biometric data system for employees to gain access to work premises is not recommended; alternative methods are preferred in this regard. Additionally, employers, as data controllers, must take all necessary technical and organisational measures to provide data security for their employees.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

When obtaining explicit consent, it should be borne in mind that this may be considered questionable, due to doubts over whether the employee is acting of his or her own free will.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

There are no specific regulations on the use of cookies. However, the Law on the Protection of Personal Data applies to data controllers that process personal data using cookies. Data controllers that use cookies are recommended to post their cookie policy on their website, which should specify the types of cookies used and the purposes for which they are used.

Explicit consent may be required for statistics and marketing cookies. In this regard, the requirements on explicit consent stipulated in the Law on the Protection of Personal Data apply when obtaining explicit consent. The data subject should also be informed of how to control and delete cookies, and how they will be used by third parties.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

The Guidelines on Personal Data Security published by the Data Protection Authority (DPA) set out examples and advice on how to ensure the security of personal data stored in the cloud. These are not compulsory, but in the case of a data breach the DPA will examine which measures have been taken and whether they are sufficient to ensure personal data security. If the cloud server is located abroad, this is regarded as a transfer of personal data abroad and the requirements relating to such transfers apply accordingly.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

The Law on the Protection of Personal Data does not specifically mention commercial or direct marketing communications. However, the DPA states that the law and its obligations for data controllers also apply to electronic commercial messages.

Electronic marketing messages may be sent only to data subjects that have provided opt-in consent. There are certain exemptions from this rule, although these are beyond the scope of this Q&A.

Further, in each marketing message the data controller must give recipients a way to freely and easily opt out of future messages.

Lastly, data controllers that send electronic marketing messages must register in the Commercial Electronic Message Management System.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

The Data Protection Authority (DPA) will examine matters that fall within its competence either upon complaint or ex officio where it learns of an alleged infringement. If the DPA determines that a data breach within the scope of the Law on the Protection of Personal Data has occurred, it has the power to impose an administrative fine on a data controller which has not fulfilled its obligations under the law.

If the DPA imposes an administrative fine, the data controller may challenge this decision before the magistrates' court. If the DPA imposes an administrative measure other than a fine, the DPA's decision may be challenged by the data controller before the administrative court.

Criminal cases concerning personal data under the Turkish Criminal Code are heard by the criminal courts. 'Unlawfully recording personal data' and 'unlawful delivery or acquisition of data' are recognised as crimes under Articles 135 and 136 of the Turkish Criminal Code.

12.2 What issues do such disputes typically involve? How are they typically resolved?

If a data controller fails to fulfil its obligations under the Law on the Protection of Personal Data, an administrative fine will be imposed and/or the data controller will be subject to administrative measures pursuant to the law. These obligations are as follows:

  • the obligation to prepare privacy notices;
  • the obligation to take all necessary technical and administrative measures in order to ensure the appropriate level of security;
  • the obligation to notify data breaches;
  • the obligation to respond to a request of a data subject within 30 days and to comply with decisions of the Turkish Data Protection Authority (DPA); and
  • the obligation to prepare a data processing inventory and a data retention and destruction policy.

12.3 Have there been any recent cases of note?

  • On 27 February 2020 the DPA imposed an administrative fine of TRY 1.2 million (approximately €146,100) on Amazon for:
    • failure to obtain explicit consent in compliance with the legislation;
    • non-compliance with the general principles of the Law on the Protection of Personal Data;
    • failure to transfer personal data lawfully; and
    • failure to provide information.
  • On 18 September 2019 the DPA imposed an administrative fine of TRY 1.6 million (approximately €194,800) on Facebook, Inc for:
    • failure to take the necessary technical and organisational measures to ensure data security; and
    • failure to notify a breach to the DPA without undue delay.
  • On 11 March 2019 the DPA imposed an administrative fine of TRY 1.65 million (approximately €200,843) on Facebook, Inc, for:
    • failure to take the necessary technical and organisational measures to ensure data security; and
    • failure to notify a breach to the DPA without undue delay.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The deadline to register with the Registry of Data Controllers Information System is 30 September 2020. After this date, data controllers that did not register will be subject to high administrative fines imposed by the Data Protection Authority (DPA).

No legislative reforms are anticipated at this stage; however, we expect the DPA to continue to shape the practice with important decisions.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

The Turkish regime is different from the EU General Data Protection Regulation (GDPR). Further, compliance with the GDPR does not mean that a data controller is also compliant with the Turkish regime. Data controllers and data protection officers must understand that compliance measures specific to Turkey are required; and that it is risky to move forward with translated or semi-localised policies and rules that were essentially prepared for the GDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.