Turkish Law on Personal Data Protection

This English translation of the Turkish Law on Personal Data Protection, originally found on the Turkish Personal Data Protection Authority (KVKK) website, available here.

FIRST CHAPTER

Purpose, Scope and Definitions

Purpose

ARTICLE 1 – (1) The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.

Scope

ARTICLE 2 – (2) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partially by automated means or by non-automated means which provided that form part of a data filing system.

Definitions

ARTICLE 3 – (1) For the purposes of this Law:

  1. “Explicit consent” means freely given, specific and informed consent,
  2. “Anonymization” means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,
  3. “President” means President of the Personal Data Protection Authority,

(ç) “Data subject” (natural person concerned) means the natural person, whose personal data are processed,

  1. “Personal data” means any information relating to an identified or identifiable natural person,
  2. “Processing of personal data” means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided  that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,
  3. “Board” means the Personal Data Protection Board,
  4. “Authority” means the Personal Data Protection Authority,

(ğ) “Data Processor” means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,

  1. “Data filing system” means the system where personal data are processed by being structured according to specific criteria,

(ı) “Data Controller” means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

CHAPTER TWO

Processing of Personal Data

General Principles

ARTICLE 4 – (1) Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.

(2) The following principles shall be complied within the processing of personal data:

a) Lawfulness and fairness

b) Being accurate and kept up to date where necessary.

c) Being processed for specified, explicit and legitimate purposes.

ç) Being relevant, limited and proportionate to the purposes for which they are processed.

d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

Conditions for processing personal data

ARTICLE 5 – (1) Personal data shall not be processed without explicit consent of the data subject.

(2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

a) It is expressly provided for by the laws.

b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.

c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.

ç) It is necessary for compliance with a legal obligation to which the data controller is subject.

d) Personal data have been made public by the data subject himself/herself.

e) Data processing is necessary for the establishment, exercise or protection of any right.

f) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Conditions for processing of Special categories of personal data

Article 6 - (1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data

(2) It is prohibited to process special categories of personal data without explicit consent of the data subject.

(3) Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

(4) Adequate measures determined by the Board shall be also taken while processing the special categories of personal data

Erasure, destruction or anonymization of personal data

ARTICLE 7 – Despite being processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destructed or anonymized by the data controller, ex officio or on the request of the data subject, in the event that the reasons for the processing no longer exist.

(2) The Provisions of other laws relating to the erasure, destruction or anonymization of personal data are reserved.

(3) Procedures and principles for the erasure, destruction or anonymization of personal data shall be laid down through by-law.

Transfer of personal data

ARTICLE 8 - (1) Personal data shall not be transferred without explicit consent of the data subject.

(2) Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in:

a) the second paragraph of Article 5,

b) the third paragraph of Article 6, provided that sufficient measures are taken.

(3) The Provisions of other laws relating to transfer of personal data are reserved.

Transfer of personal data abroad

ARTICLE 9 – (1) Personal data shall not be transferred abroad without explicit consent of the data subject.

(2) Personal data may be transferred abroad without explicit consent of data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;

(a) Adequate protection is provided.

(b) Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Turkey and in the relevant foreign country and authorisation of the Board.

(3) The Board determines and announces the countries with adequate protection.

(4) The Board shall decide whether there is adequate protection in the foreign country and whether such transfer is permitted under the sub-paragraph (b) of second paragraph, by evaluating the followings and by receiving the opinions of relevant institutions and organizations, where necessary:

a) the international conventions to which Turkey is a party,

b) the state of reciprocity relating to  data transfer between the requesting country and Turkey,

c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,

ç) the relevant legislation and its implementation in the country to which the personal data are to be transferred,

d) the measures committed by the data controller in the country to which the personal data are to be transferred,

5)  Without prejudice to the provisions of international agreements, in cases where interest of Turkey or the data subject will seriously get harmed, personal data, may only be transferred abroad upon the authorisation to be given by the Board after receiving the opinions of relevant public institutions and organizations.

6) The Provisions of other laws relating to the transfer of personal data abroad are reserved.

CHAPTER THREE

Rights and Obligations

Obligation of Data Controller to Inform

ARTICLE 10 – (1) At the time when personal data are obtained, the data controller or the person authorised by it is obliged to inform the data subjects about the following:

a) the identity of the data controller and of its representative, if any,

b) the purpose of processing of personal data;

c) to whom and for which purposes the processed personal data may be transferred,

ç) the method and legal basis of collection of personal data,

d) other rights referred to in Article 11.

Rights of The Data Subject

ARTICLE 11 – (1) Each person has the right to request to the data controller about him/her;

a) to learn whether his/her personal data are processed or not,

b) to demand for information as to if his/her personal data have been processed,

c) to learn the purpose of the processing of his/her personal data and whether these personal

data are used in compliance with the purpose,

ç) to know the third parties to whom his personal data are transferred in country or abroad,

d) to request the rectification of the incomplete or inaccurate data, if any,

e) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,

f) to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,

g) to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,

ğ) to claim compensation for the damage arising from the unlawful processing of his/her personal data.

Obligations concerning data security

ARTICLE 12- (1) The data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:

a) preventing unlawful processing of personal data,

b) preventing unlawful access to personal data,

c) ensuring protection of personal data.

(2) In case the processing of personal data is carried out by another natural or legal person on behalf of the data controller, the data controller shall jointly be responsible with these persons for taking the measures laid down in the first paragraph.

(3) The data controller is obliged to carry out the necessary audits, or have them made, in its own institution or organization, in order to ensure the implementation of the provisions of this Law.

(4) The data controllers and data processors shall not disclose the personal data that they have learned to anyone contrary to the provisions of this Law, neither shall they use such data for purposes other than that for which the personal data have been processed. This obligation shall continue even after the end of their term of office.

(5) In case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through in any other way it deems appropriate.

CHAPTER FOUR

Request, Complaint and Data Controllers’ Registry

Request to the Data Controller

ARTICLE 13- (1) The data subject shall make the requests relating to the implementation of this Law to the data controller in writing or by other means to be determined by the Board.

(2) The data controller shall conclude demands in the request within the shortest time by taking into account the nature of the demand and at the latest within thirty days and free of charge. However if the action requires an extra cost, fees may be charged in the tariff determined by the Board.

(3) The data controller shall act on the request or refuse it together with justified grounds and communicate its response to the data subject in writing or by electronic means. In case the demand in the request is accepted, it shall be fulfilled by the data controller. If the request is made due to fault of the data controller, the fee is refunded to data subject.

Complaint to the Board

ARTICLE 14 - (1) If the request is refused, the response is found insufficient or the request is not responded within the specified time period, the data subject may lodge a complaint with the Board within thirty days as of he or she learns about the response of the data controller, or within sixty days as of the request date, in any case.

(2) A complaint shall not be lodged before exhausting the remedy of the request to the data controller pursuant to Article 13.

(3) The right to compensation, under the general provisions, of those whose personal rights are violated, is reserved.

Procedures and principles of the examination ex officio (on its own initiative) or upon complaint

ARTICLE 15 - (1) The Board shall carry out the necessary examination on the matters falling within its task upon complaint or ex officio where it has learnt about the alleged infringement.

(2) The notices and complaints not meeting conditions pursuant to Article 6 of the Law No. 3071 of 1/11/1984 on the Use of Right to Petition shall not be examined.

(3) Except for the information and documents having the status of state secret, the data controller shall send the information and documents demanded by the Board related to  the subject of examination within fifteen days, and shall enable, where necessary, on-the-spot examination.

(4) Upon complaint, the Board examines the demand and gives an answer to the data subjects. In case it is not responded in sixty days from the date of complaint the demand shall be deemed refused.

(5) As a result of the examination made upon complaint or ex officio, in cases where it is understood that an infringement exists, the Board shall decide that the identified infringements shall be remedied by the relevant data controller and notify this decision to the  relevant parties. This decision shall be implemented without delay and within thirty days at the latest after the notification,

(6) As a result of the examination made upon complaint or ex officio, in cases where it is determined that the infringement is widespread, the Board shall take a resolution on this matter and publishes this resolution. Prior to taking the resolution, the Board may also receive the opinions of the relevant institutions and organisations, if needed.

(7) The Board may decide to stop the processing of personal data or transfer of personal data abroad in the case damages which are difficult or impossible to compensate for, and in the event of explicit infringement of the law.

Data Controllers’ Registry

ARTICLE 16 - (1) Under the supervision of the Board, the Data Controllers’ Registry shall be kept by the Presidency and be made publicly available.

(2) Natural or legal persons who process personal data shall register with the Data Controllers’ Registry prior to the start of data processing. However, by taking into account the objective criteria set by the Board such as the nature and quantity of the data processed, that data processing is laid down in a law, or transferring the data to third parties, the Board may provide derogation from the obligation of registration with the Data Controllers’ Registry.

(3) Application for registration with the Data Controllers’ Registry shall be made with a notification including:

a) The identity and address of the data controller and of its representative, if any,

b) The purpose for which the personal data will be processed,

c) The explanations relating to group(s) of persons subject to the data and the data categories of these persons,

ç) The recipients or groups of recipients to whom the personal data may be transferred,

d) The personal data which are envisaged to be transferred abroad,

e) The measures taken concerning the security of personal data.

f) The maximum storage period necessary for the purpose for which personal data are processed.

(4) Any changes in the information given pursuant to the third paragraph shall be immediately notified to the Presidency

(5) Other procedures and principles relating to the Data Controllers’ Registry shall be laid down through a by-law.

CHAPTER FIVE         

Crimes and Misdemeanours

Crimes

ARTICLE 17 - (1) Articles 135 to 140 of Turkish Penal Code No. 5237 of 26/9/2004 shall be applied to the crimes concerning personal data.

(2) Those who do not erase or anonymize personal data as contrary to the provision of Article 7 of this Law shall be punished in accordance with Article 138 of the Law No. 5237.

Misdemeanours

ARTICLE 18 - (1) For the purposes of this Law;

a) For those who do not fulfil the obligation to inform provided for in Article 10 shall be imposed to pay an administrative fine of 5.000 to 100.000 TL,

b) For those who do not fulfil the obligations related to data security provided for in Article 12 shall be imposed to pay an administrative fine of 15.000 to 1.000.000 TL,

c) For those who do not fulfil the decisions issued by the Board pursuant to Article 15 shall be imposed to pay an administrative fine of 25.000 to 1.000.000 TL,

ç) For those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification provided for in Article 16 shall be imposed to pay an administrative fine of 20.000 to 1.000.000 TL.

(2) The administrative fines provided for in this article shall be applied to the natural persons and the private law legal persons who are the data controllers.

(3) In the event that the actions listed in the first paragraph be committed within the public institutions and organizations as well as the public professional organizations, the disciplinary provisions shall be applied to the civil servants and other public officers employed in the relevant public institutions and organisations and those employed in the public professional organizations upon the notice of the Board and the result is reported to the Board.

CHAPTER SIX

The Personal Data Protection Authority and its Organization

The Personal Data Protection Authority

ARTICLE 19 - (1) Personal Data Protection Authority, which is a public legal entity and has administrative and financial autonomy, has been established to carry out duties conferred on it under this Law.

(2) The Authority is affiliated to the Minister assigned by the President of the Republic.

(3) The Headquarters of the Authority is in Ankara

(4) The Authority is composed of the Board and the Presidency. Decision making body of the Authority is the Board.

Duties of the Authority

ARTICLE 20 - (1) The duties of the Authority are as follows;

(a) to follow the latest developments in the legislation and practices, make evaluations and recommendations, conduct researches and investigations or have them conducted, within its field of duty.

(b) to cooperate with public institutions and organisations, non-governmental organizations, professional associations or universities within its field of duty, if needed.

(c) to follow and evaluate the latest international developments on personal data; and within its field of duty cooperate with international organisations and participate in the meetings

(ç) to transmit the annual activity report to the Presidency of the Republic of Turkey, the Committee on Human Rights Inquiry of Grand National Assembly of Turkey.

(d) to carry out other duties provided by laws.

Personal Data Protection Board

ARTICLE 21 - (1) The Board shall perform and exercise the duties and powers conferred on it under this law and other legislation, independently and under its own responsibility. No body, authority, office or person shall give orders and instructions, recommendations or suggestions to the Board on matters falling within the scope of its duties and powers.

(2) The Board consists of nine members. Five members of the Board shall be elected by the Grand National Assembly of Turkey; four members shall be elected by the President of the Republic of Turkey.

(3) The following conditions shall be met to be a member of the Board:

a) to have knowledge and experience on the issues in the field of duty of the Authority.

b) to have the necessary qualifications specified in points (1), (4), (5), (6) and (7) of sub-paragraph (A) of first paragraph of Article 48 of the Civil Servants Law No. 657 of 14/7/1965.

c) Not being a member of any political party.

ç) Having a bachelor degree of at least four years.

d) (Repealed: 2/7/2018 – Decree Law – Article 703/163)

(4) (Obsolete: 2/7/2018 – Decree Law – Article 703/163)

(5) The Grand National Assembly of Turkey shall elect the Board members on the basis of the following procedure:

a) Persons twice as many as the number of members to be determined in proportion to the number of deputies of political party groups shall be nominated for election and the members of the Board shall be elected by the Plenary of the Grand National Assembly of Turkey from among these candidates on the basis of the number of deputies allocated to each political party. However, no negotiation shall be held and no decision shall be taken at political party groups regarding whom to vote for in the elections to be held in the Grand National Assembly of Turkey.

b) The election of the members of the Board shall be made within ten days after the nomination and announcement of the candidates. The unified ballot lists for candidates nominated by political party groups shall be issued in separate list. Votes shall be cast by marking the specific place across the names of the candidates. Votes given more than the number of members to be elected to the Board from the quota of political party groups determined in accordance with the second paragraph shall be deemed invalid.

c) Provided that the quorum of decision is ensured, candidates who have the most of the votes for the number of vacancies shall be deemed to have been elected.

ç) The election for the renewal of the members shall be held two months before the expiration of their term of office; should there be a vacancy in the membership positions for any reason, there shall be an election within one month as of the date of vacancy; or if the date of vacancy coincides with the recess of the Grand National Assembly of Turkey, the election shall take place within one month from the end of the recess, by employing the same procedure. During these elections, the allocation of the vacant membership positions to the political party groups shall be made by considering the number of the elected members from the political party groups’ quotas in the first election and the current proportions of the political party groups.

(6) Forty-five days before the expiration of the term of office or in case of expiration of term of office by any reason of the members elected by the President of the Republic of Turkey (…) (1), the Authority shall notify the Presidency of the Republic of Turkey of the situation in fifteen days (…). A new election shall take place one month before the expiration of term of office of the members. Should there be a vacancy in these memberships before the expiration of term of office, there shall be an election within fifteen days as of the date of notification.(1)

(7) The Board shall elect the Head and the Second Head of the Board among its members. The Head of the Board is also the President of the Authority.

(8) Term of office of the Board members is four years. Members may be re-elected after expiration of their term of office. The person who is elected for the position of the member whose post ends before the expiration of his or her term of office for any reason, shall serve the remaining period.

(9) Members of the Board shall take the following oath before the First Presidency Board of the Court of Cassation: "I do solemnly swear on my honour and on my dignity that I will carry out my duties with absolute impartiality, correctness, fairness and with sense of justice in line with the Constitution and the relevant legislation." Application to Court of Cassation for oath taking is deemed to be one of the pressing matters.

(10) Unless provided for by a specific law, the members shall not assume any public or private tasks other than those related with carrying out their official duties in the Board; shall not act as executives in associations, foundations, cooperatives and in similar bodies; shall not engage in commercial activities, shall not engage in self-employment, shall not act as arbitrators and expert witnesses. However, Board members may prepare scientific publications, give lectures and attend conferences provided that these will not hinder their primary duties, and may receive copyrights and fees associated with those.

(11) Investigations into the claims about the crimes allegedly committed by the members in connection with their duties shall be conducted as per the Law No. 4483 of 2/12/1999 on Adjudication of Public Servants and Other Public Employees, and permission for investigation shall be granted by the President of Turkey.(1)

(12) Provisions of the Law No. 657 shall be applied to disciplinary investigations and prosecutions about the members of the Board.

(13) Members shall not be removed from their office by any reason before the expiration of their term of office. However, members of the Board may be removed from office by the Board decision if:

a) it is found out subsequently that they do not meet the conditions required for their election,

b) the conviction for the crimes, which is rendered for crimes committed by them in connection with their duties, is finalised.

c) it is ascertained with a medical board report that they will not be able to fulfil their duties,

ç) it is ascertained that they have been absent from work for fifteen consecutive days or for a total of thirty days within a year, without legitimate permission and excuse.

d) it is ascertained that they fail to attend three Board meetings in one month and ten Board meetings in one year without any permission and excuse.

(14) Those who are appointed as the members of the Board shall be removed from their previous posts during their term of office in the Board. On the condition that they do not fail to meet the requirements of being employed as a civil servant, those who are assigned as Board members whilst on duty shall be appointed to posts that are appropriate for their vested positions and titles in one month, in case their term of office ends or they express their will to resign and lodge an application in this regard to their former institution within thirty days. Until the assignment, Authority shall continue to make any payment they are vested with. Until they take another post or take up another employment, Authority shall continue to make the payment of those who are appointed as Board members despite not being public servants and whose term of office terminated as stated hereinabove; and the payments to be made under this scope shall not exceed three months. With regard to personal and other rights, terms spent in the Authority shall be deemed to have spent in the previous institutions or organisations.

Duties and powers of the Board

ARTICLE 22 - (1) Duties and powers of the Board are as follows:

a) to ensure that the personal data are processed in compliance with fundamental rights and freedoms.

b) to conclude the complaints of those who claim that their rights with regard to personal data protection have been violated.

c) to examine whether the personal data are processed in compliance with the laws, upon complaint, or ex officio where it learns about the alleged violation, and to take temporary measures, if necessary.

ç) to determine the adequate measures which are necessary for the processing of special categories of personal data.

d) to ensure that Data Controllers’ Registry is maintained.

e) to carry out regulatory acts on the matters concerning the Board’s field of duty and operation of the Authority.

f) to carry out regulatory act to determine obligations related to data security

g) to carry out regulatory acts on the matters concerning duties, powers and responsibilities of the data controller and of its representative.

ğ) to decide on the imposition of administrative sanctions provided for in this Law.

h) to deliver its opinion about draft legislation prepared by other institutions or organizations that contain provisions on personal data.

ı) to conclude the Strategic Plan of the Authority; to determine the purpose, objectives, service quality standards and performance criteria of the Authority.

i) to discuss and decide on Strategic Plan and the budget proposal of the Authority which are prepared in compliance with its purposes and objectives.

j) to approve and publish the draft reports on the performance, financial situation, annual activities and other matters related with the Authority.

k) to discuss and decide on the recommendations as regards the purchase, sale and lease of immovable properties.

l) to carry out other tasks provided for by laws.

Working Principles of the Board

ARTICLE 23 - (1) President shall determine the dates and agenda of the meetings. The President may summon the Board for an extraordinary meeting, if necessary.

 (2) The Board shall convene at least with six members, including the President, and shall take decisions by simple majority of its total members. Members of the Board shall not cast abstaining vote.

(3) Members shall not attend and cast vote in meetings, which concern issues regarding themselves, their relatives by blood up to third degree and relatives by affinity of marriage up to second degree, their adopted children and their spouses even if the marriage has ended.

(4) Members of the Board shall not disclose the secrets they have learned concerning the relevant persons and third parties during their work to anyone other than legally authorized bodies, neither shall they use such secrets for their benefits. This obligation shall continue even after the end of their term of office.

(5) The issues debated in the Board shall be recorded in the minutes. The decisions and the grounds for the counter vote, if any, shall be written within 15 days at the latest. The Board shall release the decisions to the public, it deems necessary.

(6) Unless otherwise agreed, debates at the Board meetings are confidential.

(7) The Working procedures and principles of the Board and the writing procedure of the decisions and other issues shall be regulated through a by-law.

The President

ARTICLE 24 - (1) The President, who is the highest-level official of the Authority, as the Head of both the Authority and the Board, organises and conducts the services of the Authority in accordance with the legislation, Authority’s purpose and policies, Strategic Plan, performance criteria and service quality standards, and , ensures coordination between service units.

(2) The President is responsible for the general management and representation of the Authority. This responsibility entails the duties and powers concerning regulation, execution, inspection, evaluation of Authority’s work and, its announcement to the public, when necessary.

(3) The duties of the President are as follows;

a) to chair the Board's meetings.

b) to ensure the notification of Board decisions and public announcement of these when deemed necessary by the Board, and to monitor their implementation.

c) to appoint Vice President, Heads of Departments and Authority’s personnel.

ç) to finalize the recommendations communicated by service units and submit them to the Board.

d) to ensure the implementation of the Strategic Plan and to establish the human resources and working policies in line with service quality standards.

e) to prepare the annual budget and financial tables of the Authority in line with the determined strategies, annual purposes and objectives.

f) to ensure coordination between the Board and service units to have them work incoherent, efficient, disciplined and well-ordered manner.

g) to maintain the relations of the Authority with other institutions.

ğ) to determine the scope of the duties and powers of the personnel authorized to sign on behalf of the President.

h) to carry out other duties related to the management and operation of the Authority.

(4) The Second President is entitled to act on behalf of the President in his/her absence.

Composition and Duties of the Presidency

ARTICLE 25 - (1) The Presidency is composed of Vice President and service units. The Presidency shall fulfil the duties listed in paragraph four through the service units which are organized as departments. The number of departments shall not be more than seven.

(2) One Vice President shall be appointed by the President in order to assist him/her in his/her administrative duties.

(3) The Vice President and Heads of Departments shall be appointed by the President among those who have a bachelor degree of at least 4 year program and served in the public institutions for at least ten years.

(4) The duties of the Presidency are as follows,

a) to maintain the Data Controllers’ Registry.

b) to carry out clerical services for the Authority and the Board.

c) to represent the Authority through attorneys-at-law at the proceedings and enforcement proceedings to which the Authority is a party; to follow up such proceedings or have them followed up and carry out the legal services.

ç) to carry out personnel-related services of the Board members and Authority’s personnel.

d) to perform the duties referred to in laws with regard to financial services and strategy development units.

e) to ensure that the information systems are established and used in order to carry operations of the Authority.

f) to draft reports on the annual activities of the Authority or on other issues which are deemed needed, and submit them to the Board.

g) to draft the Strategic Plan of the Authority.

ğ) to determine the personnel policy of the Authority, prepare and implement the education and career-based plans for the personnel.

h) to carry out the appointment, transfer, discipline, performance, promotion, retirement and other similar procedures regarding the personnel.

ı) to determine the ethical principles for the personnel and provide necessary training.

i)to carry out the services with regard to purchasing, leasing, maintenance, repair, construction, archive, health and social issues and similar ones within the framework of the Public Financial Management and Control Law No. 5018 of 10/12/2003.

j) to keep record of the movable and immovable properties of the Authority

k) to fulfil other duties conferred by the Board or the President.

(5) Service units and their working procedures and principles shall be laid down through a by-law which is brought into force by President of the Republic of Turkey in compliance with the field of activity, duties and powers stated in the Law upon Authority’s proposal.

The Personal Data Protection Experts and the Assistant Experts

ARTICLE 26 - (1) The Personal Data Protection Experts and the Assistant Experts may be recruited by the Authority. The experts and assistant experts who are appointed as Personal Data Protection Expert within the framework of additional Article 41 of the Law No. 657 shall receive one extra grade for once only.

Provisions on the Personnel and Personnel Rights

ARTICLE 27- (1) Personnel of the Authority shall be subject to the Law No. 657, excluding the matters regulated through this Law.

(2) Head and members of the Board and personnel of the Authority shall receive remunerations determined to be paid to the precedent personnel, within the scope of financial and social rights, as per Additional Article 11 of the Decree Law No. 375 of 27/6/1989, within the framework of the same procedures and principles applicable. Among the remunerations paid to the precedent personnel, those which are exempt from taxes and other legal deductions shall also be exempt from taxes and deductions as per the Law.

(3) Head and members of the Board and personnel of the Authority are subject to the sub-paragraph (c) of the first paragraph of Article 4 of the Social Insurance and General Health Insurance Law No. 5510 of 31/5/2006. Head and members of the Board and personnel of the Authority shall be considered equal with the precedent personnel in terms of retirement rights. Among the personnel who were appointed as Head and members of the Board when insured under sub-paragraph (c) of the first paragraph of Article 4 of the Law No. 5510, terms of office in these duties shall be considered while ascertaining acquired rights, pensions, grades and steps of those whose term of office ends or who express their will to resign. The relevant term of office of those who fall within the scope of Provisional Article 4 of the Law No. 5510 while on duty, shall be deemed as the period for which position and representation compensation should be paid. Removal from previous institutions and organisations of those who were appointed as Head and members of the Board when insured under sub-paragraph (a) of the first paragraph of Article 4 of the Law No. 5510, shall not entail receiving a severance pay or termination pay. In such a case, term of office qualified for a severance pay or redundancy payment, shall be added to the service periods spent as Head and member of the Board, and accepted as the period for which a retirement bonus.

(4) Civil servants working in public administrations attached to the centralized government, social security institutions, local administrations, administrations attached to local administrations, local administrative unions, revolving fund enterprises, funds established with laws, public entities, organizations more than 50% of whose capital belongs to public, public economic enterprises, state-owned economic enterprises, and associations and establishments attached to these, as well as other public officials may be seconded to the Authority upon the consent of their own institution, judges and public prosecutors may be seconded upon their consent provided that their salaries, allowances, any increases thereof, compensations and other social and financial rights and aids are paid by their own institution. Requests of the Authority in this regard shall be concluded with priority by the related institutions and organizations. Personnel assigned accordingly shall be deemed on paid leave. During this leave, rights of the personnel and their connection with civil service shall be maintained, this period of leave shall be taken into account in promotions and retirement, and they shall be promoted in due time without any need to further action. Periods spent in the Authority by those assigned under this Article shall be deemed to have been spent in their own institutions. Number of the personnel assigned accordingly shall not exceed ten per cent of the total number of posts for Personal Data Protection Experts and Personal Data Protection Assistant Experts, and the term of assignment shall not exceed two years. However, when deemed necessary, this term may be extended in one-year periods.

(5) Titles and numbers of posts regarding the personnel to be employed in the Authority are presented in the annexed Table (I). Changes in titles and grade; addition of new titles and annulment of vacant posts shall be made upon the decision of the Board, provided that it shall not exceed the total number of posts, and shall be limited with the titles in the annexed tables of the Decree Law No. 190 on the General Posts and Procedures, dated 13/12/1983.

CHAPTER SEVEN

Miscellaneous

Exemptions

ARTICLE 28 (1) The provisions of this Law shall not be applied in the following cases where:

a) personal data are processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with.

b) personal data are processed for official statistics and provided that they are being anonymized for the  purposes for such as research, planning and statistics.

(c) personal data are processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or the process doesn’t constitute a crime.

(ç) personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned by law to maintain national defence, national security, public security, public order or economic security.

(d) personal data are processed by judicial authorities or execution authorities with regard to investigation, prosecution, judicial or execution proceedings.

(2) Provided that it is in compliance with and proportionate to the purpose and fundamental principles of this Law, Article 10 regarding the data controller's obligation to inform, Article 11 regarding the rights of the data subject, excluding the right to claim compensation, and Article 16 regarding the obligation to register with the Data Controllers’ Registry shall not be applied in the following cases where personal data processing:

a) is necessary for the prevention of committing a crime or for crime investigation.

b) is carried out on the data which are made public by the data subject himself/herself.

c) is necessary for performance of supervision or regulatory duties and disciplinary investigation and prosecution to be carried out by the assigned and authorised public institutions and organizations and by public professional organizations, in accordance with the power conferred on them by the law,

ç) is necessary for protection economic and financial interests of State related to budget, tax and financial matters.

The Budget and the Revenues of the Authority

ARTICLE 29 - (1) The budget of the Authority shall be prepared and adopted in accordance with procedures and principles provided for in the Law No. 5018.

(2) The revenues of the Authority are as follows;

a) Treasury grants from the general budget.

b) The revenues from the movable and immovable properties of the Authority.

c) Donations and grants received.

ç) The revenues from the utilization of the revenues.

d) Other revenues.

Amended and Added Provisions

ARTICLE 30 - (It is related to the Law No. 5018 and dated 10/12/2003 and inserted therein)

(2) – (5) - (It is related to the Law No. 5237 and dated 26/9/2004 and inserted therein)

(6) (It is related to the Law No. 3359 and dated 7/5/1987 and inserted therein)

(7) (It is related to the– Organization and Responsibilities of Ministry of Health and its Associated Institutions – Decree Law No 663 and dated 11/10/2011 and inserted herein)

By-law

ARTICLE 31 - (1) By-laws related to the implementation of this Law shall be brought into force by the Authority.

Transitional Provisions

PROVISIONAL ARTICLE 1- (1) The members of the Board shall be elected and the organizational structure of the Presidency shall be established within six months following the date of publication of this Law, as per the procedure stipulated in Article 21.

(2) Data controllers are obliged to register with the Data Controllers’ Registry within the time specified and announced by the Board.

(3) The personal data that were processed before the publication date of this Law shall be rendered compatible with the provisions of this Law within two years as of its date of publication. The personal data which are found to be not complying with the provisions of this Law shall be immediately erased, destructed or anonymized. However, consents duly taken before the publication date of this Law shall be deemed compatible with the provisions of this Law, unless no declaration of intent is made to the contrary within one year.

(4) The by-laws provided for by this Law shall be brought into force within one year as of the date of publication of this Law.

(5) A high-level executive, to ensure coordination with regard to the implementation of the Law in public institutions and organisations, shall be appointed and notified to the Presidency within one year as of the date of publication of this Law.

(6) The term of office for the first elected President, the Second President, and two members who are determined by ballot, shall be six years; this period shall be four years for the remaining five members.

(7) Until the budget of the Authority is allocated;

a) The expenditures of the Authority shall be reimbursed by the budget of the office of the Prime Minister.

b) All necessary support services such as the premises, equipment, furnishing and the hardware shall be provided by the office of the Prime Minister in order for the Authority to fulfil its duties.

(8) The clerical services of the Authority shall be carried out by the office of the Prime Minister until the service units of the Authority has become fully functional.

PROVISIONAL ARTICLE 2 – (Added:28/11/2017 – Article 7061/120)

(1) Those who are graduated from 4-year degree program from faculties of political sciences, economics and administrative sciences, faculty of law and business administration or the departments of electronics or electrical and electronic engineering, electronic and communication engineering, computer engineering, information systems engineering of faculty of engineering in Turkey or abroad whose accreditation have been recognized by Council of Higher Education; and who have served for more than two years excluding annual leaves at positions indicated in sub-paragraph (11) of paragraph (A) of  “Common Terms” Article 36 of the Law No 657 which requires occupational qualification test and on-the-job training and lecturers, having taken minimum 70 points at Foreign Language Placement Test and who are younger than 40 year old may be assigned as Personal Data Protection Expert. Number of personnel to be assigned in regard may not exceed fifteen.

Entry into force

ARTICLE 32 - (1) For the purposes of this Law;

a) Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 shall enter into force after six months as of the date of its publication.

b) Other Articles shall enter into force on the date of its publication.

Enforcement

ARTICLE 33 – (1) The provisions of this law shall be enforced by the Council of Ministers.

TABLE NO (1)

PERSONAL DATA PROTECTION AUTHORİTY

LIST OF STAFF POSITIONS

Class Title Grade Total
GAS Deputy President 1 1
GAS Head of Department 1 7
GAS Legal Counsel 1 1
GAS Legal Counsel 3 3
JS Lawyer 6 4
GAS Personal Data Protection Expert 5 10
GAS Personal Data Protection Expert 7 20
GAS Personal Data Protection Expert 9 60
GAS Financial Services Expert 6 2
GAS Financial Services Expert 9 2
GAS Civil Servant 5 5
GAS Civil Servant 7 5
GAS Civil Servant 9 5
GAS Civil Servant 11 5
GAS Civil Servant 13 5
GAS Computer Operator 7 5
GAS Data Protection and Control Operator 6 5
GAS Data Protection and Control Operator 7 5
GAS Data Protection and Control Operator 8 5
GAS Data Protection and Control Operator 9 5
GAS Data Protection and Control Operator 10 5
GAS Secretary 5 3
GAS Secretary 8 7
GAS Switchboard Operator 9 1
GAS Driver 11 4
TS Technician 6 3
AS Assistant Technician 9 2
AS Servant 11 10
  TOTAL   195