Until recently, Turkey remained the only Council of Europe member state that had not ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 108), since it had never addressed the protection of personal data in a framework law. For that reason, data protection law in Turkey consisted of scattered provisions in various codes and regulations and the courts' interpretation of them.
After more than ten years of drafting, the Turkish Parliament has finally passed the long-awaited Law on the Protection of Personal Data, following its ratification of the Convention last month. Once the law is published in the Official Gazette, probably within the next few days, Turkish data protection law will at last take the holistic approach that has been needed for decades.
The law follows the lead of the European Union and the Council of Europe, and of Directive 95/46/EC and the Convention in particular, and sets up a similar mechanism built around data subjects, data controllers, data processors and a national data protection authority. Notably, the General Data Protection Regulation is not reflected in the law, so it is reasonable to expect further amendments in that direction in the coming years.
This article focuses on the implications of the law for the private sector, summarizing and reviewing the provisions relevant to it.
Scope of the Law
The law applies to natural persons whose personal data is processed and to the natural or legal persons who process such data. Both private-sector entities and public institutions fall within its scope, and "processing" is defined broadly to cover virtually any methodical operation on personal data, whether automated or not.
Certain cases are excluded from the scope of the law. These include, among others, the processing of personal data for the purposes of:
- research, planning, statistics or similar purposes, provided the data is anonymized; and
- art, history, literature or science, or within the scope of freedom of expression, provided that personal rights and public interests are not violated.
Definitions and General Principles
- Personal data is any information relating to an identified or identifiable natural person.
- Sensitive personal data is information relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of an association, foundation or trade union, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
- Data controller is a natural or legal person who determines the purposes and means of the processing of personal data and who is responsible for establishing and managing the recording system in which personal data is structured according to certain criteria.
- Data processor is a natural or legal person who processes personal data on behalf of the data controller, under the authority granted by the controller.
- Data Protection Authority (DPA): the law establishes a national data protection authority whose decision-making body will be the Personal Data Protection Board.
- Explicit consent is consent that is freely given, specific and informed.
- The general principles stated in the law parallel those embodied in European Union and Council of Europe legislation: lawful processing, collection limitation, data quality, purpose specification and use limitation.
Processing of Personal Data
The law stipulates that personal data may only be processed on one of the grounds for lawfulness it provides. These are similar to those of the Directive and are formulated in the law as follows:
- If the data subject has given their explicit consent;
- If it is expressly permitted by any law;
- If it is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
- If it is necessary for and directly related to the execution or performance of a contract to which the data subject is party;
- If it is necessary for compliance with a legal obligation to which the controller is subject;
- If the relevant information has been made public by the data subject;
- If it is necessary for the establishment, exercise or protection of a right;
- If it is necessary for legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
Sensitive personal data is subject to a stricter set of rules. The grounds for lawfulness are narrower, and the controller must not only satisfy one of them but also take the adequate measures designated by the DPA. The primary ground is the explicit consent of the data subject. The other grounds, on which consent is not required, apply only to certain categories of sensitive data:
- Sensitive data other than data concerning health and sexual life may be processed if this is expressly permitted by law;
- Data concerning health or sexual life may only be processed for the purposes of protecting public health or planning and providing health care services, and only by authorized bodies or persons bound by an obligation of confidentiality.
Transfer of Personal Data
The law regulates the transfer of personal data consistently with its rules on processing. Accordingly, both non-sensitive and sensitive personal data may be transferred abroad or to third parties in Turkey whenever one of the respective grounds for lawfulness applies. Additional safeguards apply, however, where data is transferred without the explicit consent of the data subject. These depend on (1) the sensitivity of the data and (2) the destination of the transfer.
If sensitive data is transferred to third parties in Turkey without the consent of the data subject, the recipient must take the adequate measures designated by the DPA.
A second additional safeguard concerns the transfer of both non-sensitive and sensitive personal data abroad without the consent of the data subject. In that case it is additionally required that
- the destination country must have an adequate level of protection, which is to be determined by the DPA; or
- both sides of the transfer must commit, in writing, to provide an adequate level of protection and the approval of the DPA must be obtained.
Finally, a controversial provision on transfers abroad was added to the law during the parliamentary debate. Accordingly, "save for the provisions of international agreements", in cases where "the interests of Turkey or the data subject would be seriously harmed", personal data may only be transferred abroad with the approval of the DPA. The preamble to this provision offers little explanation, and at this point it is unclear how it will be enforced.
Obligations of Data Controllers, and Fines for Noncompliance
The law imposes significant obligations on data controllers, including, in summary, the following:
- To inform data subjects of the data controller's identity, the purpose, method and legal ground of the processing, any transfer of the data to third parties, and the rights of the data subject (which may in practice mean mandatory privacy policies for internet services); non-compliance results in an administrative fine of approximately €1,500 to €30,000;
- To ensure the security of the collected data and to notify the DPA and the data subject of data breaches; non-compliance results in an administrative fine of approximately €5,000 to €310,000;
- To register with the publicly available Registry of Data Controllers; non-compliance results in an administrative fine of approximately €6,000 to €310,000;
- To delete or anonymize outdated data; non-compliance is punishable by imprisonment under Article 138 of the Turkish Criminal Code;
- To respect the rights of the data subject and to reply to applications from data subjects within 30 days; and
- To comply with the decisions of the DPA; non-compliance results in an administrative fine of approximately €8,000 to €310,000.
Transitional Provisions
The law provides for a gradual entry into force and sets transitional obligations, some of which are summarized below.
The articles on the transfer of data, the rights of the data subject, the registry, administrative fines and criminal penalties will enter into force in six months. Data controllers must register with the registry in accordance with the timeline to be announced by the DPA, and must bring personal data processed before the law entered into force into compliance within two years.
Conclusion
Although Turkey was one of the seven countries that signed the Convention on the very day it opened for signature, it had failed for thirty-five years to pass the framework law on data protection that the Convention requires. Now that it has ratified the Convention and adopted the law, and with the Additional Protocol to the Convention (No. 181) on Parliament's agenda, that long wait has finally ended.
The future of Turkish data protection law will, one hopes, be a progressive and dynamic one.