This country-specific Q&A provides an overview to Data Protection & Cyber Security laws and regulations that may occur in Turkey.
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the laws enforced)?
The main legislative instrument governing data privacy practices in Turkey is the Law on Protection of Personal Data numbered 6698 (“Law No. 6698”), which was published in the Official Gazette on 7 April 2016 and is in effect as of this date. The principles and procedures specified thereunder, as well as the related secondary regulation which shall be elaborated in detail below, shall be applicable for all natural persons whose personal data are processed; as well as all natural and legal persons processing personal data, construed as data controllers or processors, irrespective of the sector within which they operate.
Within the purview of the Law No. 6698, the processing of personal data is construed as any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means. It could thus be concluded that all activities performed upon personal data, including the mere act of displaying, shall be deemed as processing personal data within the scope of the Law No. 6698.
Alongside with the specifying principles and procedures applicable to the processing of personal data, a local data protection authority is established under the Law No. 6698. The Personal Data Protection Board (hereinafter referred to as the “Board”) is active as of the date and has regularly been publishing secondary regulations, as well as principle decisions and guidance documents concerning the application of the Law No. 6698. The Board has also been performing activities in order to forge public opinion at a national level and to raise awareness of personal data protection.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Pursuant to Article 16 of the Law No. 6698, data controllers are under the obligation to register with the Registry of Data Controllers (“Registry”), operated by the Board. Principles and procedures relating to the fulfilment of such obligation are further provided for under the Regulation on the Registry of Data Controllers (“Regulation on the Registry”).
Further to the authority vested in the Board, the scope of the obligation to register with the Registry and the related calendar has been determined under certain board decisions. As per the said decisions, the Board decided that the below-listed data controllers shall not be required to be registered with the Registry:
Persons who process personal data as part of any data recording system, solely through non-automatic means,
Associations, foundations and unions that process personal data for their employees, members and donors, only in accordance with the relevant legislation, purposes and limited to their areas of activity,
Independent Accountants and Financial Advisors and Certified Public Accountants,
Customs brokers and authorized customs brokers,
Legal entities, whose (i) annual headcount is less than 50, (ii) annual sum of financial balance sheet is less than TRY 25.000.000, and (iii) the main field of activity is not processing special categories of personal data.
It should also be emphasized that there is no provision thereunder requiring the payment of a registration fee.
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
Within the purposes of the Law No. 6698, personal data is construed as all information relating to an identified or identifiable natural person; whereas the types of special categories of personal data are exclusively enumerated. Pursuant to Article 6 of the Law No. 6698, special categories of personal data include data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade-unions, data relating to health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. Notably, data relating to “appearance and dressing” is not provided under the exhaustive list of special categories of personal data under the GDPR but is considered as such under the Law No. 6698.
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there are rules relating to the form, content and administration of such consent?
Processing of special categories of data (including data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade-unions, criminal conviction and security measures, as well as biometric and genetic data) can only be processed without the explicit consent of the data subject if such a processing is provided by laws. Data relating to health of sexual life of data subjects can only be processed without the explicit consent of the data subject if it is processed by any person or authorized public institutions and organizations that have confidentiality obligation and for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
Explicit consent is construed as “freely given, specific and informed consent” under the Law No.6698. To illustrate, explicit consent must not be obtained as a condition for the provision of a service, must be limited to the relevant act of processing and have been given unambiguously by the data subject acting in a way which leaves no doubt that the data subject agrees to the processing of his or her data.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
Conditions for processing “special categories of personal data” are provided under Article 6 of the Law No. 6698 and a stricter protection regime is prescribed for the processing of such personal data:
It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject; however, special categories of personal data other than those relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject, provided that the relevant processing activity is envisaged under the laws.
Personal data relating to health and sexual life shall only be processed without obtaining the explicit consent of the data subject for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and care services, planning, management and financing of healthcare services by persons under the obligation of secrecy or authorized institutions and organizations.
It should be noted that, as opposed to its EU counterpart, the Law No. 6698 does not provide a derogation from the general rule prohibiting the processing of health data without obtaining the explicit consent of the data subject, in favor of employment practices.
How do the laws in your jurisdiction address children’s PII?
There are no provisions within the local data protection legislation specifically addressing the processing of personal data relating to children.
Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Data controllers which are subject to the obligation to register with the Registry are also mandated to prepare a personal data processing inventory.
Within the purposes of the Regulation on the Registry (elaborated in detail above under Question 2), data controllers are obliged to prepare a personal data processing inventory incorporating information on the purposes and legal reasons for processing personal data, data categories, subject groups of the data, the maximum retention period of the data and measures taken regarding the data security. Information to be provided during the registry procedure shall be determined in accordance with the inventory.
The application to the Registry must contain information on the following matters:
Information provided within the application form to be specified by the Board concerning the identification and address information of the data controller, the data controller representative if any, and the contact person,
Purposes for processing personal data,
Explanations concerning the subject group or groups of the data and the data categories relating to such persons,
Recipient group or groups to which personal data may be transferred,
Personal data to be transferred abroad,
Measures taken regarding data security as specified by the Law and the criteria determined by the Board,
Maximum retention periods of personal data as envisaged under the legislation or as required by the purpose of processing.
Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
There are no specific provisions under the local legislation directly requiring consultations with the regulatory authority. However, considering that data privacy regulations are rather new and the industry practices are ever-evolving, it is recommended to establish balanced dialogues with the regulatory authority.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
There are no provisions under the local legislation directly envisaging the conduct of privacy risk assessments. However, in similar fashion, the Board refers to the conduct of a balancing test with respect to the application of the legitimate interest condition, within published guidelines.
In this respect, the Board has recently published a summary decision prescribing the following conditions for considering the legitimate interest condition as a lawful ground for processing personal data:
The fundamental rights and freedoms of the data subject and the benefit of processing personal data must be at a competing level.
Processing personal data processing must be necessary in order to reach such benefit.
The legitimate interest must be existing, specific and clear.
If the legitimate interest of the data controller concerned follows the fundamental rights and freedoms of the data subject, a benefit must be provided, and it must be impossible to obtain this benefit in any other way and method without the processing of personal data.
When determining the legitimate interest, the benefit must be based on criteria that are transparent and accountable, such as the fact that this benefit affects a large number of people, is not intended solely for profit or economic benefit, or facilitates business processes or a process (for instance, not in a unit or a small number of staff, but in a corporate manner).
In this regard, the person concerned should be kept away from any foreseeable, obvious and imminent risk in order to prevent violation of the fundamental rights and freedoms, in particular the protection of personal data,
Taking all technical and administrative measures limited to the purpose in order to ensure the proper functioning of the law in a data recording system and to prevent damages and violations,
Ensuring compliance with the general principles relating to the processing of personal data,
In the above-specified context, the balance between the fundamental rights and freedoms of the individual and the legitimate interests of the data controller are deemed to be in balance.
Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
There is no requirement to appoint a data protection officer under the Law No. 6698. However, two categories of responsible individuals are introduced thereunder: “representative of the data controller” and “contact person”.
Foreign entities, which are considered as data controllers are under the obligation to register to the Registry by way of their representative, either a natural person who is a Turkish citizen or a legal person established in Turkey; whereas the obligation to appoint a contact person shall be complied with by foreign entities by way of their representative and also by national entities, with regards to conveying communication between data controllers and the Board.
Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Pursuant to Article 10 of the Law No. 6698, data controllers are under the obligation to inform the related subjects on the following:
the name of the data controller and/or the representative of the data controller (if any),
to whom and for which purposes personal data shall be transferred;
the method and legal reason for collecting personal data,
rights of the data subjects as envisaged under Article 11 of the Law No. 6698.
The Board further published the Communiqué on Principles and Procedures to Be Followed When Fulfilling the Obligation to Inform (“Communiqué on the Obligation to Inform”) in order to clarify principles to be followed by data controllers while informing data subjects and obtaining explicit consent, where deemed necessary. Additionally, the Board has published a guideline document concerning the fulfilment of the obligation to inform, in order to illustrate best practices.
Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
The obligations set forth under the local data protection legislation are generally required to be complied with by the data controllers. However, with respect to ensuring compliance with the obligations concerning personal data security, data controllers and third-party service providers acting as data processors are jointly and severally liable.
Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
There are no specific minimum contract terms to be incorporated into service procurement agreements to be concluded with service providers and no specific regulatory restrictions are applicable to the appointment of service providers. As service providers processing personal data on behalf of the data controller are positioned as data processors, such parties are under data security and non-disclosure obligations, and the data controller is obligated to audit the service provider in this respect, pursuant to Article 12 of the Law No. 6698.
Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization form a regulator?)
Article 9 of the Law No. 6698 prescribes principles and procedures in relation with cross-border personal data transfers.
In this regard, Article 9(1) of the Law No. 6698, introduces a general rule which restricts the cross-border transfer of personal data without obtaining the explicit consent of the data subject. Article 9(2), on the other hand, further provides for a derogation from the said general rule in the following circumstances:
In the event that (i) the conditions specified under Article 5 and Article 6 of the Law No. 6698 are deemed applicable, and (ii) the recipient country ensures an adequate level of personal data protection, the related transfer operation is permitted to be performed.
In the absence of an adequate level of personal data protection within the recipient country, the related transfer operation shall be permitted provided that; (i) the data controllers in Turkey and in the recipient country undertakes to ensure an adequate level of protection in writing, and (ii) the approval of the Board is obtained.
As of April 2019, the Board has not yet published the list of “secure countries” and currently all third countries are considered as unable to provide an adequate level of personal data protection. Thus, only the explicit consent of the data subject and the written undertaking and Board approval procedure options are left for lawfully transferring personal data from Turkey to abroad.
What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
Law No. 6698 obliges data controllers to take all necessary measures to ensure security of the personal data that they process. However, it does not explicitly or directly require any particular data security measures to be taken by data controllers. The data security measures to be taken by the controllers are left to their own discretion. Data controllers are expected to decide which security measures must be taken in order to ensure adequate security to the personal data they are processing based on the sensitivity, scope of and the possible risks posed to their data processing operations. So, the “risk-based approach” is recognized by the data protection legislation. The Board have published a guidance document for data controllers that illustrates data security measures that are recommended to be taken by them. However, this document is recommendatory by its nature.
While the à la carte data security measure is the rule, there are two main exemptions to this:
First, there are certain sector specific legislation which includes mandatory information security measures to be taken by the players from critical sectors such as finance, energy, telecommunication etc. These measures are generally included in the secondary legislations prepared by the relevant sectoral regulatory bodies.
Secondly, there are certain data security measures to be implemented where the data controller processes special categories of personal data (e.g. health, religion, criminal conviction). Such mandatory measures have been listed under a Board decision published on the official gazette. The mandatory measures expected to be taken includes measures such as:
Storing sensitive data by using cryptographic methods
Securely logging records of all activities performed on the data,
Providing at least two-stage authentication system if the sensitive data can be accessed remotely,
If the data is being transferred between servers in different physical locations, to transfer the data by establishing an encrypted connection.
Does your jurisdiction impose requirements of data protection by design or default?
Data protection legislation in Turkey does not impose any requirements related to data protection by design or default specifically.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Law No. 6698 does not provide an explicit definition of ‘security breach’. Considering the general obligation of data controllers to ensure data security, any event that adversely affect the safekeeping of personal data can be considered as a ‘security breach’ and as a failure to comply with the data security obligations if the necessary measures were not taken to prevent such outcome.
But the Article 12 imposes an obligation to make a notification to the relevant data subject and the Board in the event that the personal data processed be acquired by 3rd parties through unlawful means. As the Law No. 6698 and secondary regulations do not provide any exceptions, thresholds or limitation to this obligation to report a breach, compliance to the provisions of the Law No. 6698 would require the notification of such a breach even if it involves the personal data of a single data subject. Article 12 requires that all data controllers are under the obligation to notify all data breach incidents to the relevant data subjects within the shortest time and to the Turkish Data Protection Authority in 72 hours. As opposed to the GDPR, the Law No. 6698 does not make any distinctions between high-risk and low-risk breaches and the number of individuals affected by the data breach.
How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
In contrast with the GDPR, Article 17 of the Law No. 6698 envisages the application of the provisions of the Turkish Penal Code with regards to offences concerning personal data. In this respect, a criminal sanction of up to a maximum six years of imprisonment shall be imposed upon persons who (i) unlawfully record personal data, (ii) unlawfully transfer, disclose or acquire personal data and (iii) do not destroy personal data from his/her systems, in despite of expiration of periods prescribed by laws.
Article 18, on the other hand, lists several misdemeanours and the range of the administrative fines to be imposed upon.
Breach of Obligation to Inform
From TRY 5.000 up to TRY 100.000
Breach of Data Security Obligations
From TRY 15.000 up to TRY 1.000.000
Failure to Comply with Decisions Given by the Board Under Article 15 of the Law
From TRY 25.000 up to TRY 1.000.000
Failure to Register with or Notify the Registry of Data Controllers
From TRY 20.000 up to TRY 1.000.000
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
Article 28 of the Law No. 6698 regulates exceptions to the obligations set forth in the Law No. 6698. Within this scope, circumstances where the Law No. 6698 does not apply are enumerated in Paragraph 1 of the aforementioned article. Those are:
Processing of personal data;
by natural persons in the course of a solely personal or household activity, provided that obligations relating to data security are complied with and data are not transferred to third parties.
for the purposes of official statistics and through anonymization for research, planning, statistics and similar purposes.
for the purposes of art, history, and literature or science, or within the scope of the freedom of expression, provided that national defence, national security, public safety, public order, economic safety, privacy of personal life or personal rights are not violated.
within the scope of preventive, protective and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defence, national security, public safety, public order or economic safety.
by judicial authorities and execution agencies with regard to investigation, prosecution, adjudication or execution procedures.
Additionally; Paragraph 2 of Article 28 sets forth the circumstances where Article 10 (regarding the obligation to inform data subjects), Article 11 (envisaging the rights of the data subjects – except the right to demand compensation for the damages) and Article 16 (regulating the obligation to register with the Registry of Data Controllers) do not apply – as long as they are relevant and proportionate to the purpose and general principles of the Law No. 6698. Those are:
Processing of personal data;
is necessary for prevention or investigation of a crime.
made public by the data subject herself/himself.
is necessary, deriving from the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status.
is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
Please describe any laws addressing email communication or direct marketing?
Electronic marketing communications are regulated under the Regulation on Commercial Communications and Electronic Commercial Communications, which is a separate regulation from the Law no. 6698. Direct marketing activities that are communicated to the receiver’s communication address (e.g. commercial emails or newsletters, text messages and outbound calls) fall within the scope of the regulation and they are bound to certain prior consent.
On the other hand, marketing communications that are not send to a telecommunication address, such as browser notifications or website pop-ups, are not regulated by the relevant regulation.