This country-specific Q&A provides an overview of Data Protection & Cyber Security laws and regulations applicable in Turkey.
Please provide an overview of the legal and regulatory framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws)?
Protection of personal data is mainly regulated by Article 20/3 of the Turkish Constitution and the Personal Data Protection Law (the “DPL”), which came into force on April 7, 2016. The Turkish Constitution provides that every individual has the right to request the protection of his/her personal data. The DPL sets out the general principles of data processing and imposes a number of obligations on data controllers and data processors in respect of their processing activities. The secondary legislation under the DPL includes the following:
Regulation on the Data Controllers’ Registry (“VERBIS”)
Regulation on Erasure, Destruction and Anonymisation of Personal Data
Communiqué on Rules and Procedures for Application to Data Controller
Communiqué on Rules for Fulfilling the Obligation to Inform Data Subjects
The DPL applies to natural persons whose personal data are processed and to natural or legal persons who process such data wholly or partly by automatic means, or by non-automatic means provided that the processing forms part of a data filing system. The DPL applies to all data processing activities regardless of the sector in which the data controller operates. In addition, there are several sector-specific regulations, for example in banking, capital markets, telecommunications, health and payment services.
The DPL contains no specific provision on its territorial scope. The Turkish Personal Data Protection Authority and Board (collectively the “DPA”) has stated in several decisions that it follows the GDPR’s approach to territorial scope. Accordingly, in broad terms, the DPA applies the DPL to data processing activities that concern individuals in Turkey and/or have consequences for individuals in Turkey.
The DPA is the regulatory authority that enforces the DPL.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
The DPL requires natural persons and legal entities that process personal data to register with VERBIS before carrying out processing activities. Registration is completed through an online system and is free of charge. The deadline for VERBIS registration is December 31, 2021.
During registration, data controllers must provide the following information to the DPA, selected from drop-down lists:
Data subject categories
Personal data categories
Information on the cross-border transfer
Administrative and technical measures taken for data protection
The registration obligation applies to each of the following classes of data controller:
Data controllers resident abroad that carry out personal data processing activities having consequences for individuals in Turkey;
Data controllers that employ 50 or more personnel or whose annual balance sheet total exceeds TRY 25,000,000; and
Data controllers whose main business consists of processing special categories of personal data.
Under DPA decisions, the following data controllers are exempt from the registration obligation:
Persons who process personal data solely by non-automatic means as part of a data filing system;
Associations, foundations and unions established in Turkey that process personal data only within their areas of activity;
Independent Accountants and Financial Advisors, and Certified Public Accountants;
Customs brokers and authorized customs brokers.
The exemptions listed above do not apply to data controllers resident abroad.
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
Under the DPL, personal data means any information relating to an identified or identifiable natural person. Personally identifiable information (PII) is not a term used in the DPL.
Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of an association, foundation or trade union, health, sexual life, criminal convictions and security measures, and biometric and genetic data are special categories of personal data.
Other key definitions include:
Data Processing: Any operation performed on personal data wholly or partially by automated means, or by non-automated means as part of a data filing system, such as collection, recording, storage, retention, alteration, re-organisation, disclosure, transfer, retrieval, making available, classification or preventing its use.
Data Controller: The natural or legal person who determines the purposes and means of data processing and is responsible for establishing and managing the data filing system.
Data Processor: The natural or legal person who processes personal data on behalf of the data controller on the basis of the authority granted by it.
What are the principles related to the general processing of personal data or PII?
Personal data processing activities must be conducted in compliance with the following principles that are outlined as “fair processing principles”:
Conformity with the law and good faith;
Being accurate and if necessary, up to date;
Being processed for specified, explicit, and legitimate purposes;
Being relevant, limited and proportionate to the purposes, for which data are processed;
Being stored only for the time designated by relevant legislation or necessitated by the purpose, for which data are collected.
In addition, Articles 5 and 6 of the DPL regulate the legal bases for processing personal data, and data controllers must rely on one of them for each processing activity. As a general rule under Article 5/1, personal data may not be processed without the data subject’s explicit consent. However, explicit consent is not required where one of the following legal bases applies:
Processing is expressly provided for by law;
Processing is necessary to protect the life or physical integrity of the data subject or of another person, where the data subject is unable to give consent due to physical incapacity or where his/her consent is not legally valid;
Processing is directly related to and necessary for the conclusion or performance of a contract to which the data subject is a party;
Processing is necessary for the data controller to fulfil its legal obligations;
The data have been made manifestly public by the data subject;
Processing is necessary for the establishment, exercise or protection of a right; and
Processing is necessary for the legitimate interests of the data controller, provided that this does not harm the fundamental rights and freedoms of the data subject.
Please see Question 6 for conditions of processing special categories of personal data.
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII and, if so, are there are rules relating to the form, content and administration of such consent?
Where none of the legal bases listed under Question 4 applies, explicit consent is required for the processing activity.
Explicit consent must be freely given (i.e. the data subject must have a genuine choice), expressed by a clear affirmative act, relate to a specific subject matter and be obtained after the data subject has been informed.
Where processing is based on explicit consent, the burden of proving that the data subject granted it lies with the data controller. Data subjects may withdraw their consent at any time.
Although there are no direct rules on the content of the consent form, the DPA has set out principles on this matter in its guidelines. Accordingly, the consent form must state the purpose of the processing and the personal data processed, and it is recommended to inform the data subject of the right to withdraw consent at any time. The form must be written in plain and simple language, and its font size must not be too small.
Consent will also be deemed invalid if the data controller requires it as a precondition for providing its services (i.e. bundled consent).
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?
Article 6 of the DPL sets out special conditions for processing special categories of personal data. Such data, other than data relating to health and sexual life, may only be processed where the processing is expressly provided for by law or where the data subject’s explicit consent has been obtained.
The conditions for processing data relating to health and sexual life are stricter. Under the DPL, such data may only be processed with the data subject’s explicit consent, unless both of the following requirements are met:
the data are processed by persons under an obligation of confidentiality or by authorised institutions and organisations; and
the data are processed for the purposes of (i) protecting public health, (ii) preventive medicine, (iii) medical diagnosis, (iv) treatment and care services, (v) planning and management of health services, or (vi) financing of health services.
Data controllers must also take the administrative and technical measures set out in the DPA’s decision dated January 31, 2018 and numbered 2018/10 to ensure the security of such data.
How do the laws in your jurisdiction address children’s personal data or PII?
The DPL contains no special provisions on processing children’s data. Accordingly, the validity of a child’s consent and the proper recipient of the information notice are assessed under the Turkish Civil Code, under which any person under the age of 18 is a minor. To process a minor’s data, the consent of a parent or guardian is required, and the information notice should be presented to the parent or guardian as well as to the child.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
Article 28 of the DPL sets out full and partial exemptions for the activities listed below:
Full exemptions from the DPL – The following activities are fully exempt from the DPL:
processing of personal data by natural persons for purely personal or household activities;
processing of personal data for official statistics and, after anonymisation, for purposes such as research, planning and statistics;
processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that national defence, national security, public security, public order, economic security, the right to privacy or personal rights are not violated and the processing does not constitute a crime;
processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organisations duly authorised and assigned by law to maintain national defence, national security, public security, public order or economic security;
processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, judicial or enforcement proceedings.
Partial exemptions – The following activities are exempt from the obligation to inform data subjects, to respond to data subjects’ requests (other than claims for compensation) and to register with VERBIS:
processing necessary for the prevention or investigation of a crime;
processing of data made public by the data subject himself/herself;
processing necessary for supervisory or regulatory duties and for disciplinary investigations and prosecutions carried out, in accordance with the law, by duly assigned and authorised public institutions and organisations and by public professional organisations;
processing necessary to protect the economic and financial interests of the State in relation to budgetary, tax and financial matters.
Does your jurisdiction impose requirements of 'data protection by design' or 'data protection by default' or similar? If so, please describe the requirement and how businesses typically meet the requirement.
The DPL does not impose “data protection by design” or “data protection by default” requirements as such. However, every data processing activity must comply with the DPL, so data controllers must assess the compliance of any planned processing activity before carrying it out.
Are owners or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Yes. Data controllers that are required to register with VERBIS must prepare a personal data processing inventory and keep it up to date. The inventory must set out the controller’s processing activities, mapped to its business processes, together with the purposes and legal grounds for processing, the categories of personal data, the groups of recipients, the retention periods, the personal data transferred abroad and the technical and administrative measures in place to protect the personal data. In practice, companies keep the inventory in spreadsheets or use data management software developed for this purpose.
In addition, data controllers required to register with VERBIS must prepare a personal data retention and destruction policy. Under the DPA decision dated January 24, 2019, data controllers must also implement a data breach response plan covering matters such as the internal reporting line, the persons responsible for notification and the assessment of the possible consequences of a breach.
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
The DPL does not require data controllers or data processors to consult the DPA before carrying out processing activities. However, since the DPL is relatively new and practice under it is still evolving, it is advisable to maintain a constructive relationship with the DPA.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
The DPL does not expressly recognise the concept of a “Data Protection Impact Assessment”. However, data controllers must process personal data in line with the general processing principles, so although DPIAs are not directly regulated, data controllers should carry out risk assessments before starting any processing activity.
Additionally, the DPA has introduced in its decisions a “legitimate interest balancing test”, which must be carried out whenever data are processed and/or transferred on the basis of the data controller’s legitimate interest. In that case the data controller must demonstrate that it has an existing, specific and clear legitimate interest and that this interest does not override the rights and freedoms of the data subjects.
Do the laws in your jurisdiction require appointment of a data protection officer (or other person to be in charge of privacy or data protection at the organization) and what are their legal responsibilities?
No. However, it is advisable to establish a privacy committee or appoint a person responsible for implementing internal privacy policies and procedures to ensure compliance with the DPL.
Do the laws in your jurisdiction require businesses to provide notice to individuals of their processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Data controllers must provide data subjects with the following information, in clear and plain language, at the time their personal data are collected:
The identity of the data controller and of its representative, if any,
The purposes for which the personal data are processed,
The recipients to whom the personal data may be transferred and the purposes of the transfer,
The method and legal grounds for collecting the personal data,
Data subjects’ rights under Article 11 of the DPL.
Where personal data are not collected directly from the data subject, the obligation to inform must be fulfilled:
within a reasonable period after the personal data are obtained,
where the personal data will be used to communicate with the data subject, at the time of the first contact,
where the personal data will be transferred, at the time of the first transfer.
The information obligation must be complied with in all cases, whether data processing is based on explicit consent or another legal ground.
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data and, if so, what are they? (E.g. are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
The obligations under the DPL and its secondary legislation are imposed on data controllers, so liability lies principally with the data controller. However, data controllers and data processors are jointly responsible for taking the technical and administrative measures necessary to ensure an appropriate level of security, to prevent unlawful access to personal data and to ensure its protection.
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII or are there any other restrictions relating to the appointment of processors (e.g. due diligence or privacy and security assessments)?
The DPL neither requires minimum contract terms in agreements with data processors nor restricts the appointment of data processors. As indicated in Question 15 above, data controllers and data processors are jointly responsible for data security, and data controllers are required to audit their data processors to ensure compliance with the DPL.
Although the DPL does not set out minimum contract terms, the DPA recommends in its Data Security Guideline that the data controller and the data processor put a written agreement in place to ensure data security. The agreement should stipulate that the data processor will (i) process the personal data only on the data controller’s instructions and for the purposes specified in the agreement, in accordance with the DPL, (ii) be bound by a duty of confidentiality of indefinite duration, (iii) comply with the data controller’s data retention policy and (iv) notify the data controller of any data breach. The DPA also recommends that the categories and types of personal data transferred to the data processor be specifically identified, to the extent the nature of the agreement permits.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies. How are these terms defined and what restrictions are imposed, if any?
The DPL contains no specific provisions on monitoring or profiling through tracking technologies.
Unlike the GDPR, the DPL’s definition of “personal data” does not expressly mention “online identifiers”, so whether online identifiers such as cookies constitute personal data was debated under Turkish law. In a recent decision the DPA, following the GDPR’s approach, treated cookies as personal data, and the VERBIS registration guideline lists cookies among the personal data categories. In current practice, therefore, cookies are treated as personal data, and companies tend to follow GDPR practice when deploying cookie banners and cookie management tools.
Please describe any laws in your jurisdiction addressing email communication or direct marketing. How are these terms defined and what restrictions are imposed, if any?
Law No. 6563 on the Regulation of Electronic Commerce and its secondary regulations (the “E-Commerce Law”) govern commercial marketing communications. Commercial electronic messages are defined as messages containing data, audio or visual content that are transmitted electronically for commercial purposes through media such as telephone, call centres, fax, automated calling machines, smart voice recording systems, e-mail and SMS. Direct marketing activities therefore fall within the scope of the E-Commerce Law. As a general rule, commercial electronic messages may only be sent with the recipient’s prior consent, subject to the exceptions set out in the E-Commerce Law. Since direct marketing involves the processing of personal data, it must also rest on an applicable legal basis under the DPL.
Under the E-Commerce Law, a central database called the Commercial Electronic Message Management System (“IYS”) has been established. The system stores recipients’ consent (opt-in) records, which both the authorities and the recipients themselves can review and monitor through the system. Companies in all sectors that wish to send B2B or B2C commercial electronic messages must register with IYS and upload their consent records (for B2C communications only) to IYS.
Please describe any laws in your jurisdiction addressing biometrics, such as facial recognition. How are these terms defined and what restrictions are imposed, if any?
Biometric data are a special category of personal data under the DPL, but the DPL does not define the term. In several decisions the DPA has adopted the GDPR definition: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or dactyloscopic (fingerprint) data.
Please see Question 6 for the conditions of processing biometric data.
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does cross-border transfer of personal data or PII require notification to or authorization form a regulator?)
Personal data processed in Turkey may only be transferred to another country if:
the explicit consent of the data subject is obtained; or
the data are processed on the basis of one of the legal bases in Articles 5 and 6 of the DPL and either (i) the destination country is on the DPA’s list of countries providing an adequate level of protection, or (ii) the transferor and the transferee have signed a written undertaking ensuring adequate protection and the DPA has approved it.
For intra-group transfers, the binding corporate rules mechanism may be used instead of the undertaking mechanism described above.
Since the enactment of the DPL, the DPA has approved the cross-border transfer undertakings of Teb Arval and Amazon Turkey.
As of March 2021, the DPA has not yet published the list of countries with an adequate level of protection; in practice, therefore, no country is currently treated as providing adequate protection.
In March 2021 the President announced the “Human Rights Action Plan”, one of whose overarching aims is to harmonise the DPL with EU standards in order to protect private life in the processing of personal data. The new economic plan also announced that the DPL’s provisions on cross-border data transfers will be amended in line with the GDPR, with a projected timeline of March 2022. Further amendments to the rules governing cross-border data transfers are therefore expected.
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
Data controllers must take all technical and organizational measures necessary to ensure an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data and ensure the protection of personal data.
There is no exhaustive list of the measures to be taken; data controllers are expected to decide which security measures to adopt in light of the nature of the personal data and the risks posed by the processing activity concerned. In its Data Security Guideline, the DPA recommends administrative and technical measures including:
Regular awareness trainings
Preparation of the relevant policies for personal data processing (e.g. data retention policy, data security policy etc.)
Carrying out risk analysis to define risks and solutions related to the data processing activities
Carrying out internal periodical and/or random audits
Preparation of an access authorization matrix and enforcement of access controls
Ensuring network security and application security
Conducting penetration tests
Deletion, destruction and anonymization of personal data
In addition, for the processing of special categories of personal data the DPL requires the “sufficient measures” determined by the DPA to be adopted. Please refer to Question 6 for the relevant DPA decision.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
The DPL does not define “security breach”. Given the information that must be provided to the DPA in the event of a data breach, a security breach is assessed by reference to the three classic information security properties: (i) confidentiality, (ii) integrity and (iii) availability.
The DPL provides that where processed personal data are obtained by third parties through unlawful means, the data controller must notify the DPA and the affected data subjects.
Does your jurisdiction impose specific security requirements on certain sectors or industries (e.g. telecoms, infrastructure)?
There is no generally applicable cybersecurity legislation; instead there are sector-specific cybersecurity requirements (for example in the banking and finance, health and energy sectors). In addition, the Presidential Circular on Information and Communication Security Measures numbered 2019/12 (the “Circular”) sets out measures for the security of critical data, including data localization requirements and restrictions on the use of cloud services. Although the Circular is mainly aimed at public institutions and organizations, it also applies to private organizations that provide public services in critical infrastructure sectors (i.e. health, electronic communications, energy, water management, banking and finance, and transportation).
In July 2020, the Digital Transformation Office of the Turkish Presidency issued an Information and Communication Security Guide (the “Guide”) in line with the Circular. The Guide details the information security measures applicable to the public institutions and private organizations that fall within the scope of the Circular.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
Where a security breach affects personal data, the data controller must notify the DPA within 72 hours of becoming aware of the breach. Data subjects must also be notified by appropriate means as soon as reasonably possible after the affected persons have been identified. Unlike the GDPR, the DPL does not adopt a risk-based approach to breach notification, so every personal data breach must be notified.
The notification submitted to the DPA should include, among other things:
A description of the nature of the breach and, where possible, the categories and approximate number of personal data records and data subjects concerned;
The contact details of the data controller;
A description of the likely consequences of the breach; and
The remedial measures taken and/or proposed to be taken by the data controller.
The following information should be included in the notification made to the data subjects:
date of the breach;
information on the categories of personal data affected by the breach;
likely consequences of the breach;
measures taken and/or proposed to be taken to reduce or eliminate possible adverse effects; and
the names and contact details of the persons who can provide information about the breach or the full contact details of the data controller.
Sector-specific legislation, for example in telecommunications and finance, also requires security breaches to be notified to the relevant sectoral regulators.
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cyber-crime, such as the payment of ransoms in ransomware attacks?
Ransomware attacks are not subject to specific regulation under Turkish law. The National Cyber Incident Response Center (“USOM”) has published a notice on its website about the rising number of ransomware attacks, setting out precautionary measures against ransomware and asking affected organizations to notify USOM within 72 hours, with evidence of the attack. Specific ransomware attacks are also publicly announced on the websites of the Information and Communication Technologies Authority (“ICTA”) and USOM; these announcements include details of the attack, its impact and possible preventive measures.
The Turkish Criminal Code also defines the following as crimes relating to information systems: unlawfully accessing or remaining in an information system; hindering or disrupting the operation of an information system and altering or destroying data; misuse of bank or credit cards; using devices, software, passwords or other security codes to commit such crimes; and producing, importing, delivering, transporting, storing, accepting, selling, supplying, purchasing or possessing such items. Penalties for these crimes range from six months to seven years of imprisonment.
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
There is no general cybersecurity legislation. Law No. 5809 on Electronic Communications (“Law No. 5809”) assigns cybersecurity duties in the electronic communications sector to the Ministry of Transport and Infrastructure (the “Ministry”) and to the ICTA. Law No. 5809 also allocates certain cybersecurity responsibilities to the Cyber Security Board, which was established by the Cabinet Decree on the Execution, Management and Coordination of National Cyber Security Works. The Ministry’s responsibilities include determining cybersecurity policies, strategies and objectives and setting the principles and procedures for providing cybersecurity to public institutions and organizations, natural persons and legal entities. The ICTA, among its other responsibilities, performs the duties assigned to it by Law No. 5809, the Ministry and the Cyber Security Board, and may impose administrative fines on electronic communications service providers for matters relating to the application of Law No. 5809 and for cybersecurity violations.
For national-level incident response, the ICTA established USOM under the National Cyber Security Strategy and Action Plan 2013-2014, which was later updated by the National Cyber Security Strategy and Action Plan 2016-2019. Cyber Incident Response Teams operating within USOM are responsible for taking the necessary measures against cyber-attacks, providing precautionary and intervention mechanisms for such incidents, and ensuring information security in public institutions and in private entities operating in critical sectors, namely health, electronic communications, energy, banking and finance, transportation and critical public services.
Do the laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
As per the DPL, each data subject has the right to apply to the data controller and, concerning himself/herself:
to learn whether his/her personal data is processed;
to request information if his/her personal data is processed;
to learn for which purposes his/her data is processed and whether it is used in accordance with those purposes;
to know the third parties to which his/her personal data is transferred domestically or abroad;
to request rectification if the personal data is incompletely or inaccurately processed;
to request the deletion or destruction of his/her personal data;
to request that rectification, deletion and destruction requests be transmitted to the third parties to whom his/her personal data has been transferred;
to object to a result that is unfavorable to the data subject and arises from the analysis of the processed data exclusively through automated systems;
to request compensation for damages arising from the unlawful processing of his/her personal data.
Although the data subject’s right to access is not expressly regulated under the DPL, the DPA recognizes this right within the scope of the data subject’s right to obtain information. Data subjects may exercise the above-stated rights in line with the Communiqué on Rules and Procedures for Application to Data Controller.
Please refer to Question 8 above for the exceptions.
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
Data subjects must first apply to the data controller in writing. If the application is rejected, answered insufficiently, or not answered by the data controller within 30 days, data subjects are entitled to file a complaint before the DPA. Additionally, the DPL reserves data subjects’ rights to seek damages in cases of violations of personal rights; therefore, data subjects can claim damages before the courts in this respect.
The Turkish Criminal Code defines several unlawful data processing activities as crimes. Therefore, data subjects can also file a complaint before the public prosecutor’s office if such activities constitute a crime as well.
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
Please see our explanations in Question 28.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws? Is actual damage required or is injury of feelings sufficient?
Data subjects are entitled to request compensation for damages arising from the unlawful processing of their personal data. The damage may be material or non-material.
How are the laws governing privacy and data protection enforced?
The DPA has a range of powers it can exercise, including investigating whether personal data is processed in line with the DPL, either upon complaint or ex officio if it learns of an alleged violation, and taking temporary measures (e.g. restricting or stopping the processing of personal data). The DPA can also impose administrative fines on data controllers for breaches of the obligations set out under the DPL.
What is the range of fines and penalties for violation of these laws?
Administrative Fines Under the DPL
Violation of the obligation to inform: TRY 9,832 to TRY 196,684
Violation of the obligation to register with VERBIS: TRY 39,334 to TRY 1,966,860
Non-compliance with data security obligations: TRY 29,500 to TRY 1,966,860
Non-compliance with the DPA’s decisions: TRY 49,167 to TRY 1,966,860
The amounts of the administrative fines listed above apply for 2021 and are subject to annual revaluation.
Criminal Penalties Under the Turkish Criminal Code
Recording personal data unlawfully: imprisonment between 1 and 3 years* (*up to 4.5 years in case of unlawful recording of special categories of personal data)
Delivering, acquiring or publishing personal data unlawfully: imprisonment between 2 and 4 years
Failing to destroy data that should be destroyed: imprisonment between 1 and 3 years
Can personal data or PII owners/controllers appeal to the courts against orders of the regulators?
Yes, data controllers can appeal the DPA’s decisions before the competent courts if they consider that a decision issued by the DPA is unlawful.