Personal Data Protection (GDPR) in Turkey
As Cosar & Akkaya Law Firm, we take an active part in many personal data protection compliance projects, at every stage and level, and have a proven track record in projects involving personal data protection in Turkey. We respond to our clients' needs at any scale, from answering a simple generic question to setting up a complete system for handling personal data in compliance with Turkish law.
Personal data protection in Turkey stems from European Union Directive 95/46/EC, with a number of additions and variations, and was adopted as part of the EU harmonization process. Its aim is to protect the fundamental rights and freedoms of individuals, in particular the right to privacy, with respect to the processing of personal data, and to set out the obligations, principles and procedures that bind the natural and legal persons who process personal data.
As a result, Turkey has a regulation similar to the European Union's General Data Protection Regulation ("GDPR"), although there are differences worth mentioning. In principle, it is not sufficient for a company doing business in Turkey to comply with the GDPR alone without also taking the Turkish rules on the protection of personal data into account. In other words, every company doing business in Turkey must comply with the Turkish personal data protection laws and regulations in order to avoid a compliance failure under Turkish law.
Personal Data Protection Law numbered 6698
The Personal Data Protection Law numbered 6698, the main piece of legislation on personal data protection in Turkey, was published in the Official Gazette dated 07.04.2016 and numbered 29677. The Personal Data Protection Law is accompanied by several pieces of secondary legislation, including but not limited to the following:
- Regulation on Erasure, Destruction or Anonymization of Personal Data
- Regulation on the Working Procedures and Principles of Personal Data Protection Board
- Regulation on Data Controllers Registry
- Regulation on the Organization of Personal Data Protection Authority
- Communiqué on Principles and Procedures for Fulfilment of the Obligation to Inform
- Communiqué on the Principles and Procedures of Application to the Data Controller
Furthermore, the decisions of the Personal Data Protection Board are considered part of the rules governing personal data protection in Turkey.
Personal Data Protection Authority:
The Personal Data Protection Authority was established under the Personal Data Protection Law as a public legal entity with administrative and financial autonomy, in order to regulate and supervise personal data protection in Turkey. The Authority consists of two bodies, the Board and the Presidency, of which the Board holds the decision-making power.
The duties and powers of the Personal Data Protection Board under Article 22 of the Personal Data Protection Law include, but are not limited to, the following:
- ensuring that the personal data are processed with respect to the fundamental rights and freedoms
- concluding the complaints of those who claim that their rights in relation to personal data protection have been violated.
- examining whether the personal data are processed in compliance with the laws, upon complaint, or ex officio where it learns about the alleged violation, and to take temporary measures, if necessary.
- ensuring that the Registry of Data Controllers is maintained.
- carrying out regulatory acts on the matters concerning duties, powers, and responsibilities of the data controller and of its representative.
- taking decision on the imposition of administrative sanctions provided under Personal Data Protection Law.
It should be underlined at this point that one of the most important powers of the Personal Data Protection Board is to impose administrative fines on data controllers who fail to comply with the regulations. According to Article 18/1 of the Personal Data Protection Law, companies that act contrary to the obligations arising from the Law and its secondary legislation are liable to administrative fines ranging from 5,000 TRY to 1,000,000 TRY (the amounts stated in the Law, which are revalued annually).
Who is the data controller and who is the data subject?
The data controller is defined under the Personal Data Protection Law as the real or legal person who determines the purposes and means of processing personal data and who is responsible for establishing and managing the data filing system. The data subject is the real person whose personal data are processed.
What are the main obligations for data controllers arising from Personal Data Protection Law in Turkey?
Obligation to Inform
Article 10 of the Personal Data Protection Law obliges data controllers to inform data subjects of: i) the identity of the data controller and, if any, of its representative; ii) the purpose for which the personal data are processed; iii) to whom and for what purpose the personal data may be transferred; iv) the method and legal ground for collecting the personal data; and v) the data subject's other rights listed in Article 11.
Obligations concerning data security
Article 12 of the Personal Data Protection Law obliges data controllers to take all necessary administrative and technical measures to ensure an appropriate level of data security. These measures include, but are not limited to, the following:
Administrative measures:
i) Preparation of a personal data inventory
ii) Organizational policies (data security, erasure, destruction, usage, access, etc.)
iii) Making or amending contracts so that they comply with the obligations
iv) Privacy commitments
v) Risk analysis
vi) Periodic audits within the organization
vii) Notification to the Data Controllers' Registry
Technical measures:
i) Authorization matrix
ii) Access logs
iii) Management of user accounts
iv) Network security
v) Penetration testing
vi) Data masking
vii) Precautionary systems
viii) Back-up systems
ix) Erasure, destruction or anonymization of data
x) Up-to-date anti-virus systems
xi) Firewalls
*If personal data processed by the data controller are obtained unlawfully by others, the data controller must notify the data subjects concerned and the Personal Data Protection Board as soon as possible; in the Board's practice, the Board must be notified within 72 hours of the controller learning of the breach.
Obligation to register with the Data Controllers’ Registry
Article 16 of the Personal Data Protection Law obliges data controllers to register with the Data Controllers' Registry before starting to process personal data in Turkey. The Data Controllers' Registry, known as VERBİS, is a publicly accessible system showing the status of each registered data controller; members of the public can look up the data categories and the grounds of processing declared by each data controller. Registration is compulsory for the following data controllers (the exemption thresholds are set by Board decision and are updated from time to time):
- Data controllers with more than 50 employees or an annual financial balance sheet of more than 25 million TRY
- Data controllers established outside Turkey, regardless of size
- Data controllers whose main area of activity is the processing of special categories of personal data
Obligation to respond to the application of data subject
Article 13 of the Personal Data Protection Law obliges the data controller to conclude the data subject's request and respond to it as soon as possible and at the latest within 30 days of receipt.
Obligation to fulfill the Decisions of the Personal Data Protection Board
Article 15 of the Personal Data Protection Law obliges data controllers to fulfil the decisions of the Personal Data Protection Board without delay and at the latest within 30 days of notification.
Obligation to comply with the rules on cross-border transfers of personal data from Turkey abroad
Article 9 of the Personal Data Protection Law provides that personal data may not be transferred abroad without the explicit consent of the data subject. Personal data may nevertheless be transferred abroad without explicit consent provided that one of the conditions set out in Article 5(2) (the grounds on which personal data may be processed without explicit consent) or Article 6(3) (which allows special categories of personal data, other than data relating to health and sexual life, to be processed without explicit consent in the cases provided for by law) exists, and that:
- sufficient protection is provided in the foreign country to which the data are to be transferred, or
- where sufficient protection is not provided, the data controllers in Turkey and in the foreign country concerned undertake in writing to provide sufficient protection and the Board has authorized the transfer.
Note that Article 9 was substantially amended in 2024 by Law No. 7499, which introduced adequacy decisions and appropriate safeguards such as standard contracts; the rules summarized above reflect the text as originally enacted.
How does Cosar & Akkaya Law Firm assist its clients in ensuring compliance with the Personal Data Protection in Turkey?
We can become involved at any stage of the work of ensuring compliance with the personal data protection laws and regulations in Turkey, and we answer both generic questions and questions about specific cases with the confidence and experience that come from practice.
Our work usually starts with a series of meetings with the company's different departments in order to understand the scope of the data being processed. This is followed by building an inventory of all personal data processed in the company, as required by the law. Once the personal data inventory is in place, it is much easier to set up a system for managing personal data in accordance with the Personal Data Protection Law and its secondary legislation.
We assist our clients with, among other things, the following:
- Holding general informative meetings with shareholders, the Board of Directors, managers and employees
- Creating roadmaps of the steps that must be taken to comply with personal data protection rules in Turkey
- Holding specific question-and-answer meetings to clarify responsibilities, the possible consequences of a violation and how a violation should be handled within the company
- Assisting in building the company's personal data inventory through meetings with the relevant departments
- Advising on the data subject groups and data categories handled within the company
- Preparing all corporate policies and procedures required under the Personal Data Protection Law in Turkey
- Preparing all required texts to be placed on the company's website and at its physical premises
- Reviewing and advising on the provisions that must be included in contracts
- Examining the company's standard contracts for compliance with personal data protection rules in Turkey
- Advising on cross-border transfers of personal data from Turkey abroad
- Assisting with the Data Controllers' Registry (VERBİS) registration procedure, where applicable
- Advising on the technical and administrative measures to be taken for personal data security
- Providing information on obligations under the European Union's GDPR
- Providing training for all employees as part of training and awareness activities
Contact us now to discuss the details.