Turkish data protection regime is executed by the Personal Data Protection Authority (“Authority”) in Ankara, Turkey. Authority, which is a public legal entity and has administrative and financial autonomy, has been established to carry out duties conferred on it under the Law. The Authority is affiliated to the Minister assigned by the President of the Republic.

3. Who is the Data Controller?

Data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

4. Who is the Data Subject?

Data of the natural persons are protected under the Law. Therefore, the term “data subject” is used in the Law to refer to natural person whose personal data are being processed.

5. What is the Personal Data?

Personal data means any information relating to an identified or identifiable natural person pursuant to Article 3 under the Law.

6. What is the Special Categories of Personal Data?

Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

7. What are the Obligations of the Data Controller?

I. Obligation to Inform

Pursuant to Article 10 of the Law, at the time when personal data are obtained, the data controller or the person authorised by it is obliged to inform the data subjects about the following:

• the identity of the data controller and of its representative, if any,
• the purpose of processing of personal data,
• to whom and for which purposes the processed personal data may be transferred,
• the method and legal basis of collection of personal data,
• other rights referred to in Article 11.

The following procedures and principles must be followed at the time of the fulfilment of the obligation to inform by Data controller or the person authorized by it by using physical or electronic media such as oral or written statement, voice recording, call centre:

• The obligation to inform shall be fulfilled in any cases where the data processing adheres to the explicit consent of the data subject or processing is carried out under another condition.
• In case the purpose of personal data processing changes, the obligation to inform shall be fulfilled for new purpose prior to start of data processing.
• Fulfilment of the obligation to inform does not depend on the request of data subject.

II. Obligations Concerning Data Security

Personal Data Security Guide has been prepared by the Authority in order to provide clarity in practice and to create good practice examples for the technical and organisational measures that the data controller responsible for during the processing of personal data.

Pursuant to Article 12 of the Law the Data Controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:
a) preventing unlawful processing of personal data,
b) preventing unlawful access to personal data,
c) ensuring protection of personal data

III. Obligation to Register with the Data Controller’s Registry

Pursuant to Article 16 of the Law natural or legal persons who process personal data shall register with the Data Controllers’ Registry prior to the start of data processing. The procedures and principles related to the Data Controllers’ Registry were determined through By-Law.

• Data Controllers’ Registry Information System (VERBIS) : information system that is accessible on the Internet and established and managed by the Presidency under supervision of the Authority, that data controllers will use for the registration with the Registry and the other operations related to the Registry.

• The aim of the system is to announce who the data controllers are and to ensure exercise the right of personal data protection more effectively.

IV. Obligation to Respond to the Request of Data Subject

Pursuant to Article 13 of the Law, the Data Subject shall make the requests relating to the implementation of this Law to the data controller in writing or by other means to be determined by the Authority. The data controller shall conclude demands in the request within the shortest time by taking into account the nature of the demand and at the latest within thirty days and free of charge. However if the action requires an extra cost, fees in the tariff may be charged determined by the Authority.

V. Obligation to Fulfil the Authority Decisions

Pursuant to Article 15 of the Law As a result of the examination made upon complaint, or ex-officio, in cases where it is understood that an infringement exists, the Authority shall decide that the identified infringements shall be remedied by the relevant data controller and notify this decision to the relevant parties. This decision shall be implemented without delay and within thirty days at the latest after the notification.

Processing of Personal Data

8. What are the General Principles in Processing of Personal Data?

Pursuant to Article 4, Personal data shall only be processed in compliance with procedures and principles laid down in the Law or other laws.

The following principles shall be complied with while processing of personal data:

• Lawfulness and fairness
• Being accurate and kept up to date where necessary.
• Being processed for specified, explicit and legitimate purposes.
• Being relevant, limited and proportionate to the purposes for which they are processed.
• Being stored for the period laid down by relevant legislation or required for the purpose for which the personal data are processed.
• The principles regarding the processing of personal data should be at the core of all personal data processing activities and all personal data processing activities must be carried out in accordance with these principles.
• What are the Conditions for Processing Personal Data?

Lawfulness and fairness
Being accurate and kept up to date where necessary.
Being processed for specified, explicit and legitimate purposes.
Being relevant, limited and proportionate to the purposes for which they are processed.
Being stored for the period laid down by relevant legislation or required for the purpose for which the personal data are processed.
The principles regarding the processing of personal data should be at the core of all personal data processing activities and all personal data processing activities must be carried out in accordance with these principles.
9. What are the Conditions for Processing Personal Data?

Personal data may be processed only in cases where one of the following conditions is met:

• The data subject has given his/her explicit consent. 
• It is expressly provided for by the laws.
• It is necessary for the protection of life or physical integrity of the person himself/ herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
• Processing of personal data of the parties of a contract is necessary provided that it is directly related to the establishment or performance of the contract.
• It is necessary for compliance with a legal obligation to which the data controller is subject.
• Personal data being made public by the data subject himself/herself.
• Data processing is necessary for the establishment, exercise or protection of any right.
• Processing of data is necessary for the legitimate interests pursued by the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Conditions regarding processing of personal data are limited under the Law and cannot be extended.

10. What are the Conditions for Processing of Special Categories of Personal Data?

Special categories of personal data may be processed only in cases where one of the following conditions is met:

• The explicit consent of the data subject.
• Personal data, except for data concerning health and sexual life, may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed without seeking explicit consent of the data subject by the persons subject to an obligation of secrecy or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing

Adequate measures determined by the Authority shall be also taken while processing the special categories of personal data.

Erasure, Destruction or Anonymisation of Personal Data

11. What are the General Principles in Erasure, Destruction or Anonymisation of Personal Data?

Pursuant to Article 7 of the Law despite being processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destructed or anonymized by the data controller, ex officio or on the request of the data subject, in the event that all of the conditions for processing laid down in pursuant to Article 5 and Article 6 of the Law no longer exist.

The Authority issued By-Law on Erasure, Destruction Or Anonymization of Personal Data to determine principles and procedures regarding erasure, destruction and anonymization of personal data processed wholly or partially by automated means or non-automated means which provided that form part of a data filing system.

12. Transfer of Personal Data

1. In Turkey

Under Article 8 of the Law, transferring personal data in Turkey may take place in case one of the following conditions is met:

a) the second paragraph of Article 5 of the Law,

b) the third paragraph of Article 6 of the Law provided that sufficient measures are taken.

• Explicit consent of the data subject.
• Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in:
• The Provisions of other laws relating to transfer of personal data are reserved. 

Processing of personal data lawfully in Turkey does not mean that the data can be directly transferred to the third parties. Conditions set out Article 5 and 6 of the Law are also stipulated for transferring of personal data.

2. Abroad

Under Article 9 of the Law, a cross-border transfer may take place in case one of the following conditions is met:

• Explicit consent of the data subject.
• Personal data may be transferred abroad without explicit consent of data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;
  (a) Adequate protection is provided.
  (b) Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Turkey and in the relevant foreign country and authorisation of the Authority.
• The Authority determines and announces the countries with adequate protection.
• The Authority shall decide whether there is adequate protection in the foreign country and whether such transfer is permitted under the sub-paragraph (b) of second paragraph, by evaluating the followings and by receiving the opinions of relevant institutions and organizations, where necessary:

a) the international conventions to which Turkey is a party,

b) the state of reciprocity relating to data transfer between the requesting country and Turkey,

c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,

d) the relevant legislation and its implementation in the country to which the personal data are to be transferred,

e) the measures committed by the data controller in the country to which the personal data are to be transferred,

• Without prejudice to the provisions of international agreements, in cases where interest of Turkey or the data subject will seriously get harmed, personal data may only be transferred abroad upon the authorisation to be given by the Authority after receiving the opinions of relevant public institutions and organizations.
• The Provisions of other laws relating to the transfer of personal data abroad are reserved.

It is necessary to comply with the Article 9 of the Law for all kinds of data transfer between data controllers or between data controller and data processor.

13. What are the Rights of Data Subject?

1. Right to Make a Request

• Data subjects shall make a request to data controllers within the scope of their rights specified in Article 11 of the Law, in writing or by registered electronic mail (KEP) address, secured electronic signature, mobile signature or by the e-mail address which has been previously entered into the data controllers’ system or through a software or application designed for purposes of this request.
• The data controller is obliged to take necessary organizational and technical measures to conclude the requests to be made by data subject within the scope of the Communiqué, effectively and complying with norms of lawfulness and fairness.
• Data controller shall act on the requests or refuses them together with justified grounds.
• Data controller shall communicate its response to the data subject in writing or by electronic means
• Data controllers shall conclude the demands in the request within the shortest time by taking into account the nature of the demand and at the latest within thirty days and free of charge. However, if process requires additional costs, fees may be charged in the tariff specified in Article 7 of the Communiqué. If the request is caused due to the fault of the data controller, the fee is refunded to data subject.

2. Right to Lodge a Complaint

• If the request pursuant to Article 13 of the Law is refused, the response of the data controller is found insufficient or the request is not answered by the controller within 30 days, the data subject may lodge a complaint with the Authority within thirty days as of he/she learns about the response of the data controller, or within sixty days as of the request date, in any case.
• A complaint cannot be lodged before exhausting the remedy of the request to the data controller pursuant to Article 13.
• Complaints not meeting conditions laid down in Article 6 of the Law No. 3071 of 1/11/1984 on the Use of Right to Petition shall not be examined.
• As the request is mandatory and the complaint is optional, a data subject whose request has been refused implicitly or explicitly may both lodge a complaint with the Authority and resort directly to the judicial or administrative jurisdiction.
• The right to compensation of those whose personal rights are violated, pursuant to the general provisions, is reserved.
• Article 15 of the Law determines the procedures and principles of the examination to be made by the Authority.
• Upon complaint, the Authority examines the demand and gives an answer to the data subjects. In case the request isn’t responded in sixty days from the date of complaint the demand shall be deemed refused.
• As a result of the examination made upon complaint, in cases where it is understood that an infringement exists, the Authority shall decide that the identified infringements shall be remedied by the relevant data controller and notify this decision to the relevant parties. This decision shall be implemented without delay and at the latest within thirty days after the notification.
• Data subject has the right to file a lawsuit at the administrative courts against decisions concerning him/her made by the Authority.

This information is intended to provide a general guide to the subject matter. For expert advice about your specific circumstances, please contact us.

Faruk AKTAY

Tutku Ecem REHBER