The main piece of legislation covering data protection in Turkey is the Law on the Protection of Personal Data No. 6698 dated April 7, 2016 (LPPD). The LPPD is primarily based on EU Directive 95/46/EC.
Pursuant to the LPPD and the Regulation on the Registry of Data Controllers, data controllers are required to enroll in the Registry of Data Controllers before proceeding with data processing.
The Regulation on the Registry of Data Controllers was published in the Official Gazette dated December 30, 2017, and entered into force on January 1, 2018. It regulates the establishment of a publicly accessible registry, which is to be held by the Personal Data Protection Authority, and the procedures and principles concerning enrollment in the registry.
Data controllers who are non-residents in Turkey shall enroll in the registry through a representative they assign in Turkey. Legal persons in Turkey or Turkish citizens may be assigned as representatives for this purpose.
There is not yet a requirement in Turkey to appoint a data protection officer in the sense of GDPR. However, there is a requirement to appoint a local Representative for foreign controllers.
Pursuant to the LPPD, it is mandatory to comply with certain principles while collecting and processing personal data. In light of such principles, collected personal data must be all of the following:
- Processed fairly and lawfully;
- Accurate and up-to-date;
- Processed for specific, explicit, and legitimate purposes;
- Relevant, adequate, and not excessive;
- Kept for a term necessary for purposes or for a term prescribed in relevant laws for which the data have been processed.
In the LLPD, personal data is defined as “Any information relating to an identified or identifiable natural person.”
Further, in principle, personal data cannot be processed without being collected and processed with the explicit consent of the data subject. However, the LPPD stipulates certain exceptions where consent is not required. These are:
Processing is expressly permitted by law;
Processing is necessary for the protection of the life or physical integrity of the data subject or a third party where the data subject is not physically or legally capable of giving consent;
Processing personal data of the contractual parties is necessary for the conclusion or the performance of a contract;
Processing is mandatory for the data controller to perform his / her legal obligation(s);
Personal data has been made public by the data subject;
Processing is necessary in order to assign, use or protect a right;
Processing is necessary for the data processor’s legitimate interests, and this does not damage the data subject’s rights.
Sensitive personal data (Special Categories of Personal Data under the LPPD) is defined as “personal data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, information related to health, sex life, previous criminal convictions and security measures, and biometric and genetic data.”
Processing of sensitive personal data without the explicit consent of the data subject is generally forbidden, although sensitive data other than health and sexual life data can be processed without explicit consent of the data subject if a law/legislation permits such processing. Under the LPPD, data controllers need to take adequate measures required for the processing of sensitive personal data and comply with the decisions and guides of the Personal Data Protection Board designating such adequate measures. See also Personal Data Protection Board Decision dated January 31, 2018, numbered 2018/10 on Adequate Measures to be taken by Data Controllers in Processing the Special Categories of Personal Data.
The LPPD distinguishes between the transfer of personal data to third parties in Turkey and the transfer of personal data to third countries.
There is no explicit definition of a data breach under Turkish Law. However, a breach can be defined as the illegal acquisition of personal data by others / third parties.
The LPPD does not contain any thresholds for a notifiable breach. Therefore, all breaches (“illegal acquisition of personal data by others / third parties”) are notifiable to the Authority (within 72 hours) and too concerned data subjects (as soon as possible) without any criteria/threshold.
Pursuant to Decision 2019/10, data controllers are required to notify the Data Protection Authority within 72 hours of becoming aware of a breach.
In cases where the notification cannot be sent within 72 hours, the causes for the delay must be sent as well.
The Law on Regulation of Electronic Trade was published in the Official Gazette on November 5, 2014 (Electronic Trade Law). The Electronic Trade Law came into force on May 1, 2015. Secondary legislation (The Regulation on Electronic Trade) was published in the Official Gazette on August 26, 2015, and came into force on the same date.
Pursuant to the Electronic Trade Law, commercial electronic communications (electronic marketing) can only be sent by if prior consent (opt-in) has been obtained from recipients.
Consumers have the right to refuse a commercial electronic communication, and the service provider is obliged to allow the free transmission of the refusal. Commercial electronic communications to the recipient must cease within three business days of the receipt of refusal. For 2023, non-compliance with opt-in requirements is subject to administrative fines up to TRY 31.518 (approx. €1.588).
There is no legislation in Turkey that specifically regulates privacy in respect of cookies and location data. However, Law No. 5651 on Regulating Broadcasting in the Internet and Fighting against Crimes Committed through Internet Broadcasting enables Internet users to initiate prosecution in case of infringements of their personal rights. Further, various amendments were made to Law No. 5651 on July 31, 2020. One of these amendments was adding the term “social network provider,” and the obligations of the social network providers have been regulated within this scope.
Location data not qualifying as traffic data may be processed if required to provide value-added electronic communication services on the condition that it is anonymized or the relevant subscribers/users give their consent after being informed of the location data to be processed and of the purpose and duration of the processing.
Under the DPL, for the year 2023, the Board may apply administrative fines up to TRY 5.972.040 per breach in line with the following limitations. Based on the re-evaluation percentage published on the Official Gazette on 24.11.2022.
- Non-compliance with the information notice requirements: a fine between TRY 29.857 to TRY 597.198 (approx. € 1.505 to 30.103);
- Non-compliance with the data security obligations, a fine between TRY 89.579 to TRY 5.972.040 (approx. € 4.515 to € 300.666);
- Non-compliance with Data Protection Authority orders/decisions: a fine between TRY 149.300 to TRY 5.972.040 (approx.€ 7.525 to 300.666); and
- Non-compliance with the Data Controllers’ Registry requirements: a fine between TRY 149.300 to TRY 5.972.040 (approx. € 7525 to 300.666).
Administrative fines of up to three percent of the net sales of the Operator in the previous calendar year shall be imposed if it fails to fulfill its obligation to process traffic data and location data.
The national data protection authority is the Kiisel Verileri Koruma Kurumu (Personal Data Protection Authority)
Kiisel Verileri Koruma Kurumu
Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4