This country-specific Q&A provides an overview of Data Protection & Cyber Security laws and regulations applicable in Turkey.
Please provide an overview of the legal and regulatory framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws)?
The main legislative instrument governing data privacy practices in Turkey is the Law on the Protection of Personal Data numbered 6698 (“Law No. 6698”), which was published in the Official Gazette on 7 April 2016 and has been in effect since that date. The Law No. 6698 was modelled upon the Data Protection Directive (Directive 95/46/EC, now replaced by the GDPR). The principles and procedures specified thereunder, as well as the related secondary regulation elaborated in detail below, apply to all natural persons whose personal data are processed, and to all natural and legal persons processing personal data, construed as data controllers or processors, irrespective of the sector within which they operate.
Within the purview of the Law No. 6698, the processing of personal data is construed as any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means. It could thus be concluded that all activities performed upon personal data, including the mere act of displaying, shall be deemed as processing personal data within the scope of the Law No. 6698.
Alongside specifying the principles and procedures applicable to the processing of personal data, the Law No. 6698 establishes a local data protection authority. The Personal Data Protection Board (hereinafter referred to as the “Board”) is active as of the date of this writing and has regularly been publishing secondary regulations, as well as principle decisions and guidance documents concerning the application of the Law No. 6698. The Board has also been carrying out activities to shape public opinion at a national level and to raise awareness of personal data protection.
In addition to the general privacy legislation, there are certain sector-specific rules in the banking and telecommunications sectors imposing specific protection requirements on financial institutions and telecom operators. Most prominently, these sector-specific rules include strict data localization requirements that restrict the cross-border transfer of certain data held by such companies.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Pursuant to Article 16 of the Law No. 6698, data controllers are under the obligation to register with the Registry of Data Controllers (“Registry”), operated by the Board. Principles and procedures relating to the fulfilment of this obligation are further provided for under the Regulation on the Registry of Data Controllers (“Regulation on the Registry”). The registration obligation applies both to data controllers residing in Turkey and to non-resident data controllers processing personal data as a result of their commercial activities targeting the market / users in Turkey. This data controller position consequently requires foreign-established entities to ensure compliance with local requirements, one of which is the obligation to register.
Further to the authority vested in the Board, the scope of the obligation to register with the Registry and the related calendar has been determined under certain board decisions. As per the said decisions, the Board decided that the below-listed data controllers shall not be required to be registered with the Registry:
Persons who process personal data as part of any data recording system, solely through non-automatic means,
Associations, foundations, and unions established in Turkey that process personal data limited to their areas of activity,
Independent Accountants and Financial Advisors and Certified Public Accountants,
Customs brokers and authorized customs brokers,
Legal entities, whose (i) annual headcount is less than 50, (ii) annual sum of financial balance sheet is less than TRY 25.000.000, and (iii) the main field of activity is not processing special categories of personal data.
It is important to note that the aforementioned exemptions are unlikely to be interpreted in favour of non-resident data controllers. Despite the neutral language of the exemption decision, which envisages applicability for all natural and legal person data controllers, the Board has concluded that such exemptions shall not be applicable to foreign data controllers. It should also be emphasized that there is no provision thereunder requiring the payment of a registration fee.
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
Within the purposes of the Law No. 6698, personal data is construed as all information relating to an identified or identifiable natural person, whereas the types of special categories of personal data are exhaustively enumerated. Pursuant to Article 6 of the Law No. 6698, special categories of personal data include data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, data relating to health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. Notably, data relating to “appearance and dressing” is not provided under the exhaustive list of special categories of personal data under the GDPR but is considered as such under the Law No. 6698.
What are the principles related to the general processing of personal data or PII?
As a general principle under the Law No. 6698, the processing of personal data without obtaining the explicit consent of the data subject is prohibited. However, there are certain derogations from such general rule provided thereunder, which are set forth as conditions for processing personal data without obtaining the explicit consent of the data subject.
These conditions shall be deemed applicable where the data processing:
a. is expressly envisaged under the laws;
b. is necessary in order to protect the life or physical integrity of the data subject or another person in cases where the data subject is physically or legally incapable of giving consent;
c. is necessary for the conclusion or performance of a contract, provided that the processing is directly related to the parties of the contract;
d. is necessary for compliance with a legal obligation to which the data controller is subject;
e. shall be conducted on information that has already been disclosed to the public by the data subject;
f. is necessary for the establishment, exercise, or protection of a right;
g. is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not overridden.
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII and, if so, are there are rules relating to the form, content and administration of such consent?
Explicit consent is construed as “freely given, specific and informed consent” under the Law No. 6698. To illustrate, explicit consent must not be obtained as a condition for the provision of a service, must be limited to the relevant act of processing, and must have been given unambiguously by the data subject acting in a way which leaves no doubt that the data subject agrees to the processing of his or her data.
Special categories of data (including data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, criminal conviction and security measures, as well as biometric and genetic data) can only be processed without the explicit consent of the data subject if such processing is provided for by law. Data relating to the health or sexual life of data subjects can only be processed without the explicit consent of the data subject if it is processed by persons or authorized public institutions and organizations that are under a confidentiality obligation, and for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services, as well as their financing.
In addition to above, there are two main data processing activities that are considered as necessitating consent of the data subject: (i) direct marketing and (ii) cross-border transfer of personal data.
(i) Direct marketing activities (e.g. electronic communications carried out with commercial intentions) are considered as necessitating the consent of the data subject. The case-law of the Board is rather consistent in this regard. Also, unlike the clear language used in Recital 47 of the GDPR, there is no indication under Turkish privacy laws which can be interpreted as envisaging ‘legitimate interest’ as a valid legal basis for carrying out direct marketing activities.
(ii) Cross-border data transfers from Turkey are currently a very controversial and problematic topic. As will be discussed in more detail in the following questions, although it is impractical and unreliable in many cases, obtaining explicit consent is the most straightforward option for transferring personal data outside of Turkey under the Law No. 6698.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?
Conditions for processing “special categories of personal data” are provided under Article 6 of the Law No. 6698 and a stricter protection regime is prescribed for the processing of such personal data:
It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject; however, special categories of personal data other than those relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject, provided that the relevant processing activity is envisaged under the laws.
Personal data relating to health and sexual life shall only be processed without obtaining the explicit consent of the data subject for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and care services, planning, management and financing of healthcare services by persons under the obligation of secrecy or authorized institutions and organizations.
It should be noted that, as opposed to its EU counterpart, the Law No. 6698 does not provide a derogation from the general rule prohibiting the processing of health data without obtaining the explicit consent of the data subject, in favor of employment practices.
Also, the Law No. 6698 requires certain mandatory data protection measures to be taken when processing sensitive data. These mandatory measures are listed by the Board in its Decision No. 2018/10.
How do the laws in your jurisdiction address children’s personal data or PII?
There are no provisions within the local data protection legislation specifically addressing the processing of personal data relating to children.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
Does your jurisdiction impose requirements of 'data protection by design' or 'data protection by default' or similar? If so, please describe the requirement and how businesses typically meet the requirement.
The Law No. 6698 does not specifically mention the ‘data protection by design’ or ‘data protection by default’ principles. Nevertheless, some of the (non-binding) guidelines published by the Board include sections that can be interpreted as indicating that the Board expects data controllers to take the data protection aspects of their activities into consideration from the outset. In a number of its decisions, the Board has declared that it will consider EU practice in its interpretation of the Law No. 6698. Therefore, despite the lack of specific requirements, it is advisable for businesses to adopt the ‘data protection by design and by default’ principle in their processes.
Are owners or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Data controllers which are subject to the obligation to register with the Registry are also mandated to prepare a personal data processing inventory.
Within the purposes of the Regulation on the Registry (elaborated in detail above under Question 2), data controllers are obliged to prepare a personal data processing inventory incorporating information on the purposes and legal reasons for processing personal data, data categories, subject groups of the data, the maximum retention period of the data and measures taken regarding the data security. Information to be provided during the registry procedure shall be determined in accordance with the inventory.
The application to the Registry must contain information on the following matters:
Information provided within the application form to be specified by the Board concerning the identification and address information of the data controller, the data controller representative if any, and the contact person,
Purposes for processing personal data,
Explanations concerning the subject group or groups of the data and the data categories relating to such persons,
Recipient group or groups to which personal data may be transferred,
Personal data to be transferred abroad,
Measures taken regarding data security as specified by the Law and the criteria determined by the Board,
Maximum retention periods of personal data as envisaged under the legislation or as required by the purpose of processing.
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
There are no specific provisions under the local legislation directly requiring consultations with the regulatory authority. However, considering that data privacy regulations are rather new, and the industry practices are ever-evolving, it is recommended to establish balanced dialogues with the regulatory authority.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
There are no provisions under the local legislation directly envisaging the conduct of privacy risk assessments. However, in a similar fashion, the Board refers in its published guidelines to the conduct of a balancing test with respect to the application of the legitimate interest condition.
In this respect, the Board has recently published a summary decision prescribing the following conditions for considering the legitimate interest condition as a lawful ground for processing personal data:
The fundamental rights and freedoms of the data subject and the benefit of processing personal data must be at a competing level.
Processing personal data must be necessary in order to reach such benefit.
The legitimate interest must be existing, specific and clear.
If the legitimate interest of the data controller concerned follows the fundamental rights and freedoms of the data subject, a benefit must be provided, and it must be impossible to obtain this benefit in any other way and method without the processing of personal data.
When determining the legitimate interest, the benefit must be based on criteria that are transparent and accountable, such as the fact that this benefit affects a large number of people, is not intended solely for profit or economic benefit, or facilitates business processes or a process (for instance, not in a unit or a small number of staff, but in a corporate manner).
In this regard, the person concerned should be kept away from any foreseeable, obvious and imminent risk in order to prevent violation of the fundamental rights and freedoms, in particular the protection of personal data,
Taking all technical and administrative measures limited to the purpose in order to ensure the proper functioning of the law in a data recording system and to prevent damages and violations,
Ensuring compliance with the general principles relating to the processing of personal data,
In the above-specified context, the fundamental rights and freedoms of the individual and the legitimate interests of the data controller are deemed to be in balance.
Do the laws in your jurisdiction require appointment of a data protection officer (or other person to be in charge of privacy or data protection at the organization) and what are their legal responsibilities?
There is no requirement to appoint a data protection officer under the Law No. 6698. However, two categories of responsible individuals are introduced thereunder: the “representative of the data controller” and the “contact person”.
Foreign entities which are considered as data controllers are under the obligation to register with the Registry by way of their ‘data controller representative’, who can be either a natural person who is a Turkish citizen or a legal person established in Turkey. The obligation to appoint a contact person, with regard to conveying communication between data controllers and the Board, shall be complied with by foreign entities by way of their representative, and also by national entities. The appointed data controller representative must have the power to represent the foreign data controller before the Board and to receive and facilitate communication from the Board and from any data subject in Turkey who files an application with regard to their rights guaranteed under the Law No. 6698.
Do the laws in your jurisdiction require businesses to provide notice to individuals of their processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Pursuant to Article 10 of the Law No. 6698, data controllers are under the obligation to inform the relevant data subjects of the following at the time of data collection:
the name of the data controller and/or the representative of the data controller (if any),
to whom and for which purposes personal data shall be transferred,
the method and legal reason for collecting personal data,
the rights of the data subjects as envisaged under Article 11 of the Law No. 6698.
The Board further published the Communiqué on Principles and Procedures to Be Followed When Fulfilling the Obligation to Inform (“Communiqué on the Obligation to Inform”) in order to clarify principles to be followed by data controllers while informing data subjects and obtaining explicit consent, where deemed necessary. Additionally, the Board has published a guideline document concerning the fulfillment of the obligation to inform, in order to illustrate best practices.
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data and, if so, what are they? (E.g. are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
The obligations set forth under the local data protection legislation are generally required to be complied with by the data controllers. However, with respect to ensuring compliance with the obligations concerning personal data security, data controllers and third-party service providers acting as data processors are jointly and severally liable.
While obliging data controllers and data processors to take all necessary measures to ensure the security of personal data, the Law No. 6698 does not explicitly or directly refer to any particular data security measure. That said, referring to the guidance document published by the Board, Personal Data Security – Technical and Organizational Measures (“Data Security Guideline”), data controllers are expected to determine appropriate security measures in order to ensure an adequate level of security for the processed personal data, based on the sensitivity, scope and potential risks associated with the processing operations. Accordingly, with regard to the management of data processor relationships, the Data Security Guideline instructs data controllers to conclude a written agreement with the data processors, whereby processors undertake to ensure an appropriate level of data security.
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII or are there any other restrictions relating to the appointment of processors (e.g. due diligence or privacy and security assessments)?
There are no specific minimum contract terms to be incorporated into service procurement agreements to be concluded with service providers and no specific regulatory restrictions are applicable to the appointment of service providers. As service providers processing personal data on behalf of the data controller are positioned as data processors, such parties are under data security and non-disclosure obligations, and the data controller is obligated to audit the service provider in this respect, pursuant to Article 12 of the Law No. 6698.
In addition to conducting the necessary audits, the Data Security Guideline also places particular emphasis on concluding an agreement in writing, incorporating terms which require the data processor to (i) comply with the data controller’s instructions, the Retention and Erasure Policy of the data controller, as well as the data protection legislation, (ii) be bound by a confidentiality obligation for an indefinite term, and (iii) notify any personal data breach to the data controller. Moreover, if applicable depending on the nature of the agreement, the Data Security Guideline instructs the data controller to separately specify the respective categories and types of personal data transferred to the processor.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies. How are these terms defined and what restrictions are imposed, if any?
Please describe any laws in your jurisdiction addressing email communication or direct marketing. How are these terms defined and what restrictions are imposed, if any?
Electronic marketing communications are directly regulated under the Regulation on Commercial Communications and Electronic Commercial Communications, which is a separate regulation from the Law No. 6698. Direct marketing activities that are communicated to the receiver’s communication address (e.g. commercial emails or newsletters, text messages and outbound calls) fall within the scope of the regulation and are subject to prior consent. In addition to the aforementioned legislation, the Board has declared itself authorized to supervise direct marketing operations, as such activities involve the processing of personal data and the related operations are therefore required to comply with the provisions of the Law No. 6698. In summary, direct marketing operations are regulated under two separate regulations, both of which require the prior consent of the receiving data subject.
On the other hand, marketing communications that are not sent to a telecommunication address, such as browser notifications or website pop-ups, are not regulated by the relevant regulation.
Please describe any laws in your jurisdiction addressing biometrics, such as facial recognition. How are these terms defined and what restrictions are imposed, if any?
There is no specific provision under the local legislation which introduces specific requirements applicable to the processing of biometric data. Biometric data such as face scans, fingerprints etc. are listed within the scope of ‘special categories of personal data’ pursuant to Article 6(1) of the Law and can only be processed with the explicit consent of the data subjects; unless a specific legal requirement for such processing is envisaged under the laws (which are quite limited in number).
Accordingly, the additional measures determined by the Board in its Decision No. 2018/10 concerning the processing and transfer of special categories of personal data, as well as ensuring the security of the electronic and physical media within which such data is stored, shall be applicable to biometric data.
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
Article 9 of the Law No. 6698 prescribes principles and procedures in relation with cross-border personal data transfers.
In this regard, Article 9(1) of the Law No. 6698 introduces a general rule which restricts the cross-border transfer of personal data without obtaining the explicit consent of the data subject. Article 9(2), on the other hand, further provides for a derogation from the said general rule in the following circumstances:
In the event that (i) the conditions specified under Article 5 and Article 6 of the Law No. 6698 are deemed applicable, and (ii) the recipient country ensures an adequate level of personal data protection, the related transfer operation is permitted to be performed.
In the absence of an adequate level of personal data protection within the recipient country, the related transfer operation shall be permitted provided that (i) the data controllers in Turkey and in the recipient country undertake in writing to ensure an adequate level of protection, and (ii) the approval of the Board is obtained.
As of May 2020, the Board has not yet published the list of “secure countries”, and currently all third countries are considered as unable to provide an adequate level of personal data protection. Thus, only the explicit consent of the data subject and the written undertaking and Board approval procedure remain as options for lawfully transferring personal data from Turkey abroad.
The written undertaking and Board approval procedure can be followed by data controllers by implementing the template undertaking agreements or, especially if the data transfer involves group companies, the mandatory binding corporate rules (“BCR”) published by the Board on its website. Both the undertaking agreements and the BCR published by the Board are modelled after their EU counterparts, the Standard Contractual Clauses and Binding Corporate Rules of the EU Commission respectively; however, they differ in that they include certain strict provisions which sometimes extend the supervisory powers of the Board to the transferred data.
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
Law No. 6698 obliges data controllers to take all necessary measures to ensure the security of the personal data that they process. However, it does not explicitly or directly require any particular data security measures to be taken by data controllers. The data security measures to be taken by controllers are left to their own discretion. Data controllers are expected to decide which security measures must be taken in order to ensure adequate security for the personal data they are processing, based on the sensitivity and scope of, and the possible risks posed to, their data processing operations. Thus, the “risk-based approach” is recognized by the data protection legislation. The Board has published a guidance document for data controllers that illustrates the data security measures recommended to be taken by them. However, this document is recommendatory by its nature.
While the à la carte approach to data security measures is the rule, there are two main exceptions to this:
First, there is certain sector-specific legislation which includes mandatory information security measures to be taken by players from critical sectors such as finance, energy, telecommunications etc. These measures are generally included in the secondary legislation prepared by the relevant sectoral regulatory bodies.
Secondly, there are certain data security measures to be implemented where the data controller processes special categories of personal data (e.g. health, religion, criminal conviction). Such mandatory measures have been listed under a Board decision published in the Official Gazette. The mandatory measures expected to be taken include measures such as:
Storing sensitive data by using cryptographic methods,
Securely logging records of all activities performed on the data,
Providing at least a two-stage authentication system if the sensitive data can be accessed remotely,
Transferring the data by establishing an encrypted connection if the data is being transferred between servers in different physical locations.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Law No. 6698 does not provide an explicit definition of ‘security breach’. Considering the general obligation of data controllers to ensure data security, any event that adversely affects the safekeeping of personal data can be considered a ‘security breach’, and a failure to comply with the data security obligations if the necessary measures were not taken to prevent such an outcome.
That said, Article 12 imposes an obligation to notify the affected data subjects and the Board in the event that processed personal data is unlawfully obtained by third parties. As the Law No. 6698 and the secondary regulations do not provide any exceptions, thresholds or limitations to this obligation to notify a breach incident, compliance with the provisions of the Law No. 6698 would require notification of such a breach even if the incident involves the personal data of a single data subject. Since Article 12 does not envisage a specific timeframe for data breach notifications, the Board specified the time limit for submitting data breach notifications as 72 hours within the scope of its Decision No. 2019/10.
As opposed to the GDPR, the Law No. 6698 does not make any distinction between high-risk and low-risk breaches, or based on the number of individuals affected by the data breach, when enforcing the notification requirement; i.e. legally, all breaches are required to be notified.
Additionally, it is of capital importance to underline that the Board has issued a specific Decision (Decision No. 2019/271) specifying the minimum content of notifications to be made to data subjects in the event of a breach incident.
Accordingly, data subject notifications must include information on the following:
when the breach has occurred,
categories of data affected by the breach (in a manner differentiating between categories of personal data and special categories of personal data),
potential impacts of the breach,
measures taken or recommended to be taken, in order to eliminate the adverse effects of the breach,
contact details of persons to be communicated in order to obtain further information on the incident or other methods of communication, including the website and call center of the data controller.
Does your jurisdiction impose specific security requirements on certain sectors or industries (e.g. telecoms, infrastructure)?
Yes. Typically, the technical legislation applicable to regulated sectors (e.g. banking and finance, telecommunications, public sector, energy) sets forth mandatory information security requirements for the actors in the relevant sectors.
Legislative bodies and regulatory authorities are currently shaping the cybersecurity environment in Turkey, and dedicated legislation in this regard is still under development. Accordingly, cybersecurity-related rules are not consolidated under a single legislative instrument but are scattered across separate sector-specific regulations. Although a uniform regulatory framework is lacking for cybersecurity-related matters, entities operating in critical sectors such as electronic communications, energy, banking and finance, insurance etc. are generally subject to enhanced information security requirements.
As far as public institutions and organizations are concerned, the recently enacted Presidency Circular on Information and Communication Security Measures numbered 2019/12 establishes extensive cybersecurity-related obligations that are mainly applicable to public bodies. That said, certain measures are also applicable to private authorized entities (with a particular emphasis on the telecommunications sector).
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
With respect to breach incidents involving personal data, the Law No. 6698 and the secondary legislation do not provide any exceptions, thresholds or limitations for a breach to trigger the notification obligation. Consequently, the Law No. 6698 requires the notification of such a breach even if it involves the personal data of a single data subject.
With regard to cybersecurity-related incidents, pursuant to the Communiqué on Procedures and Principles of Establishment, Duty and Practices of the Cyber Incident Response Teams, Cyber Incident Response Teams (“CIRTs”) are construed as teams specialized in detecting the causes and effects of cybercrimes and in protecting information systems, and the data located therein, against cybersecurity attacks. Within the scope of the Communiqué, CIRTs are divided into corporate CIRTs and sectoral CIRTs; sectoral CIRTs perform their reporting and notification obligations in conjunction with the National Cyber Emergency Response Center, while corporate CIRTs are under the obligation to provide their 24/7 available communication addresses to the sectoral CIRTs and to the National Cyber Incident Intervention Center (“USOM”).
Pursuant to the Communiqué, in principle, corporate CIRTs carry out their activities with USOM through the sectoral CIRTs they work with. Accordingly, corporate CIRTs are under the obligation to notify cybersecurity incidents to the respective sectoral CIRTs and to USOM, while sectoral CIRTs are obliged to notify USOM, without undue delay, of cybersecurity incidents that occurred within the respective CIRTs.
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cyber-crime, such as the payment of ransoms in ransomware attacks?
With regard to guidance by the regulatory authorities, the Ministry of Transport and Infrastructure has published a number of guideline documents which are of capital importance in identifying and addressing cybersecurity-related issues in Turkey, such as the guidelines on the establishment and management of sectoral and institutional CIRTs, and the Guideline Document on Minimum Security Requirements for Critical Information System Infrastructures. A comprehensive list of these guideline documents is available in Turkish on the website of USOM.
From a data protection perspective, the Board has published the Data Security Guideline, in accordance with Article 12 of the Law No. 6698, which aims to determine and illustrate the primary technical and organizational measures to be implemented by data controllers, including specific measures to ensure cybersecurity.
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
The Board of Cyber Security has been established pursuant to Article 4 of the Cabinet Decree on Execution, Management and Coordination of National Cyber Security Works; its legal duties and responsibilities are envisaged under the second paragraph of Additional Article 1 of the Electronic Communications Law numbered 5809 (“Law No. 5809”).
Additionally, the Law No. 5809 assigns cybersecurity-related duties to both the Ministry of Transport and Infrastructure and the Information and Communication Technologies Authority (“ICTA”). The ICTA is authorized to impose administrative sanctions in the form of monetary fines for network and information security violations as well as cybersecurity-related violations.
Further to the National Cyber Security Strategy and Action Plan 2013-2014 (updated by the National Cyber Security Strategy and Action Plan 2016-2019), USOM has been established within the ICTA in order to facilitate communication and coordination between the related stakeholders, to carry out the alerting, announcing and notifying of cybersecurity incidents, and to coordinate precautionary work related to the prevention of cyber threats within critical sectors, at the national and international level.
Do the laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
As stipulated by Article 11 of the Law No. 6698, every data subject has the following rights in relation to their personal data, which they may exercise by applying to the data controller:
Learn whether their personal data have been processed,
Request information as to processing if their data have been processed,
Learn the purpose of processing of their personal data and whether data are used in accordance with their purpose,
Learn the third parties to whom their personal data have been transferred,
Request rectification in case personal data are processed incompletely or inaccurately,
Request deletion or destruction of their personal data within the framework of the conditions set forth under Article 7,
Request notification of the operations made as per indents (e) and (f) to third parties to whom personal data have been transferred,
Object to the occurrence of any result that is to their detriment by means of analysis of their personal data exclusively through automated systems,
Request compensation for the damages in case they incur damages due to unlawful processing of their personal data.
As per Article 13 of the Law No. 6698, data subjects shall convey their requests regarding the above-listed rights by the means specified under the Communiqué on the Principles and Procedures to be Followed Regarding Applications to Data Controllers (“Communiqué on Applications”). Data controllers are required to finalize the received applications within 30 days; if no response is made, or the data subject is not satisfied with the answer, the data subject can submit a formal complaint to the Board.
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
Certain individual rights are both exercisable through the judicial system and enforced by a regulator. For example, certain unlawful data processing activities (e.g. unlawful disclosure to third parties) are sanctionable under both criminal law and privacy law. To the extent such activities constitute a crime, the processes under general criminal law can be followed, and according to its previous case-law the Board generally refrains from involving itself in such judicial procedures.
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
The procedure for exercising the rights under Article 11 of the Law No. 6698 is as follows: the data subject must first apply to the data controller, and the 30-day period for the controller to respond must run out before the data subject is able to lodge a complaint with the Board, which must itself be filed within 30 days. However, for claims regarding the right to compensation arising from unlawful processing of personal data, data subjects have to apply to the civil courts.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws? Is actual damage required or is injury of feelings sufficient?
Yes. Data subjects can claim compensation for the damages they have suffered due to unlawful processing of their personal data. The claim for compensation is subject to the general provisions on tort law under civil law, and if the claimant successfully argues that they have suffered ‘moral damages’, it is possible to claim non-pecuniary damages.
How are the laws governing privacy and data protection enforced?
There are privacy-related rules under both the criminal law and the data protection laws of Turkey; the judiciary enforces the rules under the former and the Data Protection Authority of Turkey enforces the latter.
What is the range of fines and penalties for violation of these laws?
Article 18 of the Law No. 6698 lists the administrative fines to be imposed for various breaches of the law:
Breach of Obligation to Inform: from TRY 5.000 up to TRY 100.000
Breach of Data Security Obligations: from TRY 15.000 up to TRY 1.000.000
Failure to Comply with Decisions Given by the Board Under Article 15 of the Law: from TRY 25.000 up to TRY 1.000.000
Failure to Register with or Notify the Registry of Data Controllers: from TRY 20.000 up to TRY 1.000.000
The aforementioned fines are updated yearly and increased in accordance with the yearly revaluation rate. As of 1 January 2020, the maximum fine amount is TRY 1.700.000.
Certain unlawful data processing activities are considered crimes under the Turkish Penal Code. In this respect, a criminal sanction of up to a maximum of six years of imprisonment shall be imposed upon persons who (i) unlawfully record personal data, (ii) unlawfully transfer, disclose or acquire personal data, or (iii) fail to destroy personal data held in their systems despite the expiration of the periods prescribed by law.
Can personal data or PII owners/controller appeal to the courts against orders of the regulators?
Yes, the Board’s decisions can be appealed before the administrative courts of Turkey.