Data Protected - Türkiye
Contributed by KST Law (Kinstellar Istanbul)
Last updated May 2024
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
_____________________________________________________________________
General | Data Protection Laws
____________________________________________________________
National Legislation
General data protection laws
The protection of personal data was introduced as Article 20(3) of the Constitution of the Republic of Türkiye, titled Secrecy of Private Life, following the constitutional amendment made in 2010. It entitles every individual to the protection of his/her own personal data, including the right to be informed about his/her personal data, to access his/her personal data, to request correction or deletion thereof and to be informed of whether his/her personal data is used in accordance with a legitimate purpose.
Article 20(3) also provides that the principles and procedures in respect of the protection of personal data shall be regulated under a specific law. Accordingly, Law No. 6698 on Protection of Personal Data (“PDPL”) was introduced.
Türkiye is also party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and Additional Protocol No. 181 regarding supervisory authorities and transborder data flows. These international treaties have the same effect as domestic laws under the Constitution of the Republic of Türkiye.
On 12 March 2024, the Law Amending the Code of Criminal Procedure and Certain Laws and Decree Law No. 659 was published in the Official Gazette. This makes significant amendments to align the PDPL with the GDPR. It will: (i) broaden the legal bases available to process sensitive data so that they are similar to the conditions for processing special category personal data in the GDPR; and (ii) align the rules on transborder dataflow to broadly match those in the GDPR so that it will only exceptionally be necessary to rely on explicit consent. These changes come into force on 1 June 2024, while the existing provisions on transborder dataflow prior to the amendment can be applied until 1 September 2024.
Entry into force
Article 20(3) of the Constitution of the Republic of Türkiye was published in Official Gazette No. 27580 on 13 May 2010 and entered into force on the same date.
The PDPL was published in Official Gazette No. 29677 on 7 April 2016 and partially entered into force on the same date. All the remaining provisions entered into force two years after the publication date.
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data entered into force under Turkish law on 17 March 2016. Additional Protocol No. 181 entered into force under Turkish law on 5 May 2016.
_____________________________________________________________________
National Supervisory Authority
Details of the competent national supervisory authority
Turkish Personal Data Protection Authority (the “Authority”)
Nasuh Akar Mahallesi Ziyabey Caddesi
1407 Sokak No:4 06520
Çankaya
Ankara Türkiye
www.kvkk.gov.tr
Notification or registration scheme and timing
Data controllers must register with the Data Controllers Registry System (“VERBIS”) established and operated by the Authority before commencing data processing activities, and also upload their data inventories to the template of that registry.
Exemptions to notification
Some data controllers are exempt from the registration requirement. These include: (i) professional services entities such as lawyers, notaries, accountants, mediators and customs consultants; (ii) trade unions, associations and foundations; (iii) political parties; (iv) data controllers who only process personal data by non-automated means; and (v) small data controllers whose main activities do not consist of the processing of sensitive personal data, which have fewer than 50 employees and whose annual balance sheet is less than TRY 100 million (approx. EUR 3 million).
Certain types of data processing are also exempt from the registration requirement. These include processing: (i) for the prevention or investigation of a crime; (ii) of personal data made public by the data subject; (iii) for the performance of supervisory, regulatory or disciplinary functions by public authorities or professional bodies; and (iv) for the protection of the economic and financial interests of Türkiye related to budgetary, tax and financial matters.
_____________________________________________________________________
Scope of Application
What is the territorial scope of application?
The PDPL does not set forth any rule as to the territorial scope.
However, the decisions of the Authority stipulate that the PDPL applies to data processing carried out in Türkiye or that relates to the data of Turkish citizens or real persons residing in Türkiye. Therefore, even if a controller is not located in Türkiye, it may fall under the territorial scope of the PDPL to the extent it processes the personal data of Turkish citizens or real persons residing in Türkiye.
Is there a concept of a controller and a processor?
Yes. The PDPL uses the GDPR definitions of “data controller” and “data processor”.
Whilst most of the obligations in the PDPL apply to data controllers, data processors are jointly liable for the security of personal data.
Are both manual and electronic records subject to data protection legislation?
Yes. However, for manual records to be subject to the PDPL, they must be processed within a filing system in which personal data is organised according to specific parameters and criteria.
Are there any national derogations?
The PDPL contains exemptions where processing is: (i) by individuals in respect of personal data of their family members living together with them for purely personal purposes provided that it is not to be disclosed to third parties and kept secure; (ii) for official statistics and, provided they are anonymised, for other research, planning and statistical purposes; (iii) for artistic, historical, literary or scientific purposes provided that national security, public order, right to privacy and similar rights are not violated and the process does not constitute a crime; (iv) by intelligence activities to maintain national security, public order or economic security; and (v) by judicial authorities.
_____________________________________________________________________
Personal Data
What is personal data?
Personal data means any information relating to an identified or identifiable real person.
Is information about legal entities personal data?
No. However, information relating to a real person acting as a representative of a legal entity shall be considered personal data.
What are the rules for processing personal data?
The PDPL imposes general principles that broadly follow the Data Protection Directive and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
Personal data must be: (i) processed lawfully and fairly; (ii) accurate and, where necessary, kept up to date; (iii) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (iv) relevant, limited and proportionate to the purposes for which they are processed; and (v) retained for no longer than is necessary for the purposes of the processing.
In addition to this, the processing of personal data must have a legal basis. The primary basis is the explicit consent of the data subject. However, it is not necessary to obtain explicit consent where processing is: (i) explicitly provided for by law; (ii) necessary for the protection of life or physical integrity where the individual cannot provide consent; (iii) related to the personal data of the parties to an agreement and directly related to the conclusion and/or fulfilment of the agreement; (iv) mandatory for the data controller to fulfil its legal obligations; (v) of data made manifestly public by the data subject; (vi) necessary for the establishment, exercise or protection of a right; or (vii) required for the legitimate interests of the data controller and does not violate the fundamental rights and freedoms of the data subjects.
Are there any formalities to obtain consent to process personal data?
Explicit consent must be: (i) related to a specified activity; (ii) based on adequate information; and (iii) declared by free will. According to the guidelines issued by the Authority, explicit consent must include “positive declaration of intention”.
In this respect, data controllers are required to apply an opt-in system while obtaining explicit consent, since silence of the data subject is interpreted as rejection, not acceptance. When the Authority examined Amazon's membership conditions, it decided that presenting all options which require consent in a “pre-ticked” way violated this requirement. Accordingly, explicit consent is considered valid in cases where the person actively demonstrates a declaration of will, not where the person remains silent.
The PDPL does not stipulate any requirement as to the form in which explicit consent should be provided. Accordingly, explicit consent may be obtained through any means, such as orally, in writing or electronically. It should be noted that the burden of proving that explicit consent has been obtained lies with the data controller. For this reason, it is important that explicit consent is evidenced, e.g. by keeping log records.
Are there any special rules when processing personal data about children?
The PDPL does not include special rules regarding the personal data of children.
Are there any special rules when processing personal data about employees?
The PDPL does not provide any specific rules for the processing of the personal data of employees. However, as stated above, explicit consent of the data subject is not needed if the processing of personal data is permitted by law. The Labour Code requires employers to keep a personnel file for each employee during the employment term. The personnel file must contain a copy of the employee's identity card, diploma, resume, employment contract, social security documents, certificate of residency, performance assessment reports, health reports and any other employment-related document. Therefore, processing such data of the employee does not require explicit consent.
Pursuant to social security legislation, employers must retain personnel files for 10 years from the termination of employment. As per the occupational health and safety law, files concerning the health and safety of the employee must be retained for 15 years.
_____________________________________________________________________
Sensitive Personal Data
What is sensitive personal data?
Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, information relating to health, sexual life, convictions and security measures, and biometric and genetic data are deemed to be sensitive. These categories are exhaustively listed in the law.
The reason “clothing” is treated as sensitive personal data is that the clothing preferences of individuals may be based on their beliefs and local traditions (e.g. wearing a hijab or growing a beard), and processing such data may expose the data subject to discrimination or other unequal treatment.
Are there additional rules for processing sensitive personal data?
The PDPL establishes the criteria for processing sensitive personal data (Article 6) which are similar to the conditions for processing special category personal data in the GDPR. Sensitive personal data may be processed if the: (a) data subject provides explicit consent; (b) processing is explicitly provided by law; (c) processing is necessary for the protection of life or physical integrity, and the individual cannot provide consent; (d) data is made manifestly public by the data subject; (e) processing is necessary for the establishment, exercise, or protection of a right; (f) processing is mandatory for the data controller to fulfil its legal obligations in employment, occupational health and safety, social security, social services, and social assistance; (g) processing is necessary for preventive medicine, medical diagnosis, and other purposes listed in the relevant article, solely by individuals under an obligation of confidentiality; or (h) processing is carried out by non-profit organisations (subject to additional restrictions and limitations).
Decision No. 2018/10 of the Authority sets out the fundamental principles for the processing and transfer of sensitive data. The Authority states that data controllers need to take the following measures: (i) create a policy and procedure for the security of sensitive personal data; (ii) provide training to employees involved in the processing of sensitive personal data and ensure they are subject to appropriate confidentiality agreements and access controls; (iii) use appropriate security measures to protect the data, such as encryption and access logging; (iv) ensure the physical environment in which the servers are stored is secure; and (v) ensure that the data is transferred securely, e.g. in encrypted form via a corporate e-mail address or a Registered Electronic Mail (KEP) account.
As to biometric data, the Guidelines on the Matters to be Taken into Consideration for Processing Biometric Data (“Guidelines on Biometric Data”) set out the fundamental processing principles and the technical and organisational measures required for processing biometric data. The principles are as follows: (i) its use must be fair and lawful, i.e. proportionate and not, for example, infringing fundamental rights and freedoms; (ii) records must be kept to demonstrate compliance; (iii) genetic data must not be collected unless strictly necessary; (iv) there must be a specific justification for the types of biometric information collected (e.g. fingerprint, retina); and (v) the retention period must be appropriate.
As to genetic data, the Guideline on the Processing of Genetic Data (“Guidelines on Genetic Data”) issued by the Authority provides a detailed definition of genetic data and outlines key considerations for its processing. According to the Guidelines on Genetic Data, genetic data is defined as “all or part of the information extracted from the entire DNA, RNA and protein sequence encoded from the genome, cell nucleus or mitochondria of a living organism”. The Guidelines on Genetic Data stipulate that, for the lawful processing of genetic data under the PDPL, it is necessary to (i) have a legal basis for processing; and (ii) adhere to the general principles regulated under the PDPL.
Are there additional rules for processing information about criminal offences?
Information about criminal convictions is treated in the same way as sensitive personal data (see above).
Are there any formalities to obtain consent to process sensitive personal data?
The same rules apply as for non-sensitive personal data (see above).
_____________________________________________________________________
Data Protection Officers
When must a data protection officer be appointed?
A contact person must be appointed if the controller is a legal entity located in Türkiye and is not exempt from registration with the Authority (see above).
Additionally, if the controller is not located in Türkiye, it must appoint a representative who must be either a Turkish legal entity or Turkish citizen.
What are the duties of a data protection officer?
The data controller’s contact person or representative is responsible for managing communications with the Authority and data subjects. Data controllers remain liable for compliance with the PDPL regardless of the appointment of a contact person or a representative.
In a communiqué published in the Official Gazette in December 2021, the Authority introduced the concept of controllers appointing a “data protection officer”. In a subsequent announcement, the Authority stated that the data protection officer must be a person with sufficient knowledge in terms of personal data protection legislation; however, this is likely to be a different role to the one defined in the GDPR.
_____________________________________________________________________
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
There is no general accountability obligation, save in respect of data security where data controllers must conduct, or arrange, data security audits.
Are privacy impact assessments mandatory?
The PDPL does not directly impose an obligation to carry out privacy impact assessments.
However, the Authority’s guidance on data security sets out a wide range of measures and, while privacy impact assessments are not mandatory, recommends them as an administrative measure for providing data security.
_____________________________________________________________________
Rights of Data Subjects
Privacy notices
Before processing personal data, the data controller must inform data subjects about: (i) the identity of the controller; (ii) the purposes of the data processing; (iii) the recipients to whom the data can be transferred, and the purpose of the transfer; (iv) the methods and legal grounds of collection of the personal data; and (v) the data subject’s rights.
Rights to access information
Data subjects can ask a data controller if their personal data is being processed and for details of the third parties to whom their personal data has been transferred.
Data subjects can exercise their rights by contacting the data controller by post or using e-mail with an electronic signature.
Rights to data portability
The PDPL does not include a right to data portability.
However, the Authority has developed this right following a complaint. In Decision No. 2018/131 of the Authority, a legal entity applied to the data controller and requested the transfer of the personal data of a data subject. After the data controller rejected this request, the legal entity complained to the Authority. The Authority considered this portability request to be within the scope of the right to access personal data but rejected the complaint since it was made by a legal entity and not by the data subject.
Right to be forgotten
Data subjects are entitled to request erasure or destruction of their personal data where the reasons for processing no longer exist or explicit consent is withdrawn.
In a number of cases, the Turkish Constitutional Court has also acknowledged that individuals have a right to be forgotten within the scope of their constitutional right to secrecy of their private lives.
Objection to direct marketing
Whilst the PDPL does not directly refer to direct marketing and profiling, data subjects can always revoke their explicit consent.
This would act as an objection to marketing and profiling unless the controller can show that one of the other legal bases for processing applies (see above).
Other rights
The data subject can request the rectification of incomplete or inaccurate personal data. Data subjects can also object to decisions made about them arising from processing through exclusively automated systems.
_____________________________________________________________________
Security
Security requirements in order to protect personal data
Data controllers must take all necessary technical and organisational measures to provide adequate levels of security for the purposes of preventing the unlawful processing of, and unlawful access to, personal data, and ensuring personal data is kept securely.
Specific rules governing processing by third party agents (processors)
There is no specific rule regarding data controllers engaging data processors, beyond the fact that controllers and processors are jointly liable for the security of personal data.
The PDPL does not directly require controllers to enter into a contract with their processors. However, the Authority’s guidance on data security recommends entering into a contract with the persons to whom the personal data is transferred as part of the administrative measures for data security.
Notice of breach laws
The data controller must notify the Authority within 72 hours of becoming aware of a data breach and provide information to affected data subjects within a reasonable period of time. The Authority may announce such breaches on its website.
_____________________________________________________________________
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
Prior to the amendments to the PDPL on 12 March 2024, a data controller could transfer personal data to a third country in three situations: (i) if the data subject had given explicit consent; (ii) if the third country provided adequate protection for personal data; or (iii) if both the importing and exporting data controllers gave a written undertaking to adequately protect that data and obtained approval from the executive branch of the Authority.
The amended PDPL introduces more flexibility for data controllers by creating a three-step assessment that must be conducted as set out below.
First, if an adequacy decision is issued by the Authority, personal data can be transferred abroad based on this decision.
Second, in the absence of an adequacy decision by the Authority, personal data may be transferred abroad provided that one of the safeguards set out in the new provisions is in place, e.g. (i) executing standard contractual clauses; (ii) preparing binding corporate rules among group companies; or (iii) obtaining permission from the Authority, or the existence of a non-international agreement-like arrangement between public, international or professional organisations together with permission from the Authority. If data controllers choose to execute the standard contractual clauses as a safeguard, this must be notified to the Authority; otherwise an administrative fine of TRY 50,000 to TRY 1,000,000 (approx. EUR 1,500 to EUR 29,000) may be imposed.
Third, if the first two steps are not met, personal data may still be transferred abroad under occasional circumstances. However, the third step can only be relied upon for a non-systematic data transfer process.
Please note that the details of the application of the new cross-border data transfer regime will be determined by the Authority through secondary legislation. On 9 May 2024, the Authority published a draft communiqué on cross-border personal data transfers for public comment. Once finalised, the Authority is expected to issue a new communiqué on this matter.
Notification and approval of national regulator (including notification of use of Model Contracts)
Notification and approval of the Authority is not required for transfers made in reliance on an adequacy decision issued by the Authority.
Where there is no adequacy decision, personal data can be transferred abroad in the following situations, all of which require notification of, or approval by, the Authority: (i) the use of a non-international agreement-like arrangement between public, international or professional organisations with permission from the Authority; (ii) the use of binding corporate rules among group companies with permission from the Authority; (iii) the use of a standard contract and its notification to the Authority; and (iv) the use of a written commitment containing provisions that ensure adequate protection in relation to the transfer, with permission from the Authority.
As of May 2024, the Authority had announced nine approved written undertaking letter applications.
Use of binding corporate rules
As mentioned above, a data controller may use binding corporate rules to carry out cross-border data transfers if the Authority has not issued an adequacy decision. Multinational companies with affiliates in countries which do not provide adequate protection may use binding corporate rules by obtaining permission from the Authority.
_____________________________________________________________________
Enforcement
Fines
Administrative fine amounts are determined every year according to the revaluation rate of the previous year. For the year 2024, a breach of the PDPL or of a decision issued by the Authority can result in an administrative fine of between TRY 47,303 and TRY 9,463,213 (approx. EUR 1,350 to EUR 270,000), depending on the nature, amount and consequences of the breach.
Imprisonment
The Turkish Penal Code No. 5237, published in Official Gazette No. 25611 on October 12, 2004, introduces a range of crimes. These are: (i) violation of secrecy of communication, which can be punished with one to five years imprisonment; (ii) wiretapping, which can be punished with two to five years imprisonment; (iii) violation of secrecy of private life, which can be punished with one to three years imprisonment (which can be doubled where the violation is by means of visual or audio recording); (iv) illegal recording of personal data, which can be punished with one to three years imprisonment (if the subject matter relates to certain types of sensitive personal data the punishment is increased by 50 per cent); (v) unlawful collection or transfer of personal data, which can be punished with two to four years imprisonment; and (vi) breach of the requirement to destroy personal data, which can be punished with one to two years imprisonment.
Compensation
Data subjects are entitled to be compensated for their losses arising from a breach of the PDPL or other laws governing the protection of personal data. Compensation will be payable by the controller and/or the processor in accordance with the general principles of civil law.
Other powers
The Authority has a range of other powers to: (i) issue regulations and communiqués for implementation of the PDPL; (ii) examine complaints and implement sanctions; and (iii) investigate whether the personal data is processed in compliance with the law ex officio or upon a complaint and take temporary measures where necessary.
Practice
According to the statement of the President of the Authority on 28 January 2024, so far: (i) 38,789 reports, complaints and applications have been submitted to the Authority, of which 37,010 have been concluded; (ii) out of 1,317 data breach notifications, 290 have been published on the Authority's website; (iii) as a result of the examinations conducted, administrative fines totalling TRY 463,801,000 (EUR 13,250,457) have been imposed; (iv) the Authority has provided 1,080 legal opinions on matters within its jurisdiction; and (v) 8 written letter of undertaking applications meeting the necessary qualifications for the transfer of personal data abroad have been approved by the Authority.
In September 2023, WhatsApp was fined TRY 1.9 million (approx. EUR 111,325) as a result of an ex officio investigation initiated after WhatsApp updated its Terms of Service and Privacy Policy to include the explicit consent of users regarding the processing of personal data and the transfer of personal data abroad.
In March 2023, TikTok was fined TRY 1,750,000 (approx. EUR 53,030) as a result of numerous complaints and news reports. Allegations included (i) unlawfulness in obtaining and retaining personal data; (ii) failure to obtain explicit consent in line with PDPL; and (iii) multiple security vulnerabilities in TikTok's software. In response, the Authority initiated an ex officio investigation and concluded that TikTok had not implemented all necessary technical and organisational measures to ensure data security, including non-compliance with cookie regulations.
_____________________________________________________________________
ePrivacy | Marketing and cookies
_____________________________________________________________
National Legislation
ePrivacy laws
The Regulation on Commercial Communication and Commercial Electronic Messages published in Official Gazette No. 29417 on July 15, 2015 (“Commercial Message Regulation”) regulates the sending of electronic direct marketing.
_____________________________________________________________________
Cookies
Conditions for use of cookies
The PDPL does not specifically refer to cookies. However, it is widely accepted that cookies contain personal data where they are able to identify an individual, and they are thus subject to the PDPL.
The Authority also issued a decision on the use of cookies on websites and mobile apps in May 2022. In the decision the Authority clarified that cookies that are essential for directly operating a website and/or mobile app are classified as strictly necessary, whereas cookies that are not necessary for operating a website or mobile app are classified as not strictly necessary.
The Authority stated that the approach to the use of cookies should be as follows: (i) if a data controller uses a strictly necessary cookie, the data controller does not need to obtain explicit consent to process personal data via such a cookie; (ii) if a data controller uses cookies other than strictly necessary cookies, the data controller must obtain the explicit consent of the relevant data subjects (i.e. it must use an opt-in mechanism rather than an opt-out mechanism); and (iii) data controllers must inform users of their use of cookies, regardless of the types of cookies used.
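The opt-in rule above, together with the earlier points that silence counts as rejection, that pre-ticked boxes are not valid consent and that the controller carries the burden of proving consent, translates into a small piece of decision logic on the website side. The following is an added illustration written for this page, not code from the Authority or from any guidance it has issued; the cookie inventory, the banner state shape (`interacted`, `checked`, `preTicked`, `touched`) and the evidence record format are all constructed assumptions.

```javascript
// Constructed sample cookie inventory (not from the page). Each cookie carries the
// category the Authority's decision distinguishes: strictly necessary or not.
// Everything that is not strictly necessary needs an opt-in before it is set.
const COOKIE_INVENTORY = [
  { name: 'session_id', category: 'strictly-necessary', purpose: 'keeps the user logged in' },
  { name: 'csrf_token', category: 'strictly-necessary', purpose: 'protects forms against request forgery' },
  { name: '_analytics', category: 'analytics', purpose: 'usage statistics' },
  { name: 'ad_id', category: 'marketing', purpose: 'advertising profile' },
];

// Turn raw banner state into a consent record, or null when no valid consent exists.
// `interacted` is true only if the user actually pressed a button; a box that the
// page pre-ticked and the user never touched is not a positive declaration of will,
// so it counts as a refusal for that category (assumed field names).
function consentFromBanner(banner) {
  if (!banner || !banner.interacted) return null; // silence = rejection, not acceptance
  const decisions = {};
  for (const [category, box] of Object.entries(banner.checkboxes)) {
    // box: { checked, preTicked, touched }
    const affirmed = box.checked === true && (box.touched === true || box.preTicked !== true);
    decisions[category] = affirmed;
  }
  return decisions;
}

// Strictly necessary cookies need no consent; all others need decisions[category]
// to be exactly true. A category the user never decided on is treated as refused.
function isCookiePermitted(cookie, decisions) {
  if (cookie.category === 'strictly-necessary') return true;
  return decisions !== null && decisions[cookie.category] === true;
}

// Names of the cookies the site may set for this visitor.
function permittedCookies(inventory, decisions) {
  return inventory.filter((c) => isCookiePermitted(c, decisions)).map((c) => c.name);
}

// Evidence record the controller keeps, since it must be able to prove consent.
// `noticeVersion` ties the choice to the information text the user was shown;
// `clock` is injectable so the record is reproducible in tests.
function consentEvidence(decisions, noticeVersion, clock = () => new Date().toISOString()) {
  if (decisions === null) return null; // nothing to evidence: no consent was given
  return { decisions: { ...decisions }, noticeVersion, recordedAt: clock() };
}

// Stand-alone demo contrasting the invalid pre-ticked pattern with a genuine opt-in.
function demo() {
  const ignoredBanner = {
    interacted: false, // banner displayed, user scrolled past it
    checkboxes: { analytics: { checked: true, preTicked: true, touched: false } },
  };
  const optIn = {
    interacted: true,
    checkboxes: {
      analytics: { checked: true, preTicked: true, touched: false }, // pre-ticked, never confirmed
      marketing: { checked: true, preTicked: false, touched: true }, // actively ticked by the user
    },
  };
  return {
    noChoice: permittedCookies(COOKIE_INVENTORY, consentFromBanner(ignoredBanner)),
    optIn: permittedCookies(COOKIE_INVENTORY, consentFromBanner(optIn)),
    evidence: consentEvidence(consentFromBanner(optIn), 'cookie-notice-v1'),
  };
}

console.log(demo());
```

With no interaction only the two strictly necessary cookies are permitted; with the opt-in banner the pre-ticked analytics box still yields no analytics cookie, while the marketing cookie the user actively ticked is allowed, and the evidence record captures exactly those decisions alongside the notice version and time.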
Regulatory guidance on the use of cookies
In June 2022, the Authority published guidelines on the use of cookies to collect personal data and the use of personal data in online environments. In the guidelines, the Authority provides details of: (i) the definition of and types of cookies; (ii) the rules for processing personal data through cookies; (iii) when explicit consent is necessary regarding the use of cookies; (iv) examples of cookie implementations (both correct and incorrect ways of usage); (v) the types of cookies for which explicit consent is not needed, i.e. strictly necessary cookies and cookies used for the transmission of a communication; and (vi) cross-border data flows via cookies.
_____________________________________________________________________
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
The Commercial Message Regulation requires the approval of the receiver of any commercial electronic message.
In order to monitor and manage the approvals of individuals for receiving commercial electronic messages, an Electronic Message Management System (“EMMS”) has been established by the Ministry of Trade. EMMS is an electronic database in which the approvals of individuals for receiving electronic messages can be easily listed and managed. Real persons or legal entities which are involved in e-commerce activities (“Service Providers”) and which send commercial electronic messages to individuals are required to register with the EMMS and upload the approvals of the recipients.
In addition, sending an e-mail to an individual for marketing purposes is a form of personal data processing and is thus subject to the PDPL meaning the explicit consent of the data subject (or other legal basis) is necessary.
Conditions for direct marketing by e-mail to corporate subscribers
The Commercial Message Regulation permits marketing e-mails to corporate subscribers unless they have objected to those messages.
Exemptions and other issues
The Commercial Message Regulation allows electronic messages to be sent without the approval of the recipient where the message: (i) relates to the change, use or maintenance of goods and services, and the recipient has given its details for that purpose; (ii) relates to a continuing subscription, debt collection, updates or the notification of a purchase or delivery; (iii) is sent due to a legal requirement; or (iv) is an information update sent by brokerage companies in capital markets to their customers.
_____________________________________________________________________
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The same rules apply as for Marketing by E-mail.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The same rules apply as for Marketing by E-mail.
Exemptions and other issues
The same rules apply as for Marketing by E-mail.
_____________________________________________________________________