The Data Protection Law establishes guidelines that align with constitutional principles safeguarding the privacy and confidentiality of personal life. These guidelines apply to the processing of personal data and are fashioned after European Union practices.
The Data Protection Law applies to any entity that processes the personal data of individuals, for any purpose.
Under the Data Protection Law in Turkey, “processing of personal data” encompasses actions such as obtaining, recording, storing, altering, reorganizing, disclosing, transferring, acquiring, making available, or categorizing personal data, as well as restricting its usage. Personal data must be processed for specific, transparent, and legitimate purposes. It should be accurate and updated when necessary, while also being relevant and proportionate to the intended purpose. Data should only be retained for the period required by relevant legislation or its processing purpose.
In most cases, processing personal data of individuals requires explicit consent from the data subject, except for specific exceptions, such as when processing is legally mandated, necessary to protect someone’s life, linked to contract execution, essential for the data controller’s legal obligations, previously made public by the data owner, needed to establish, exercise, or defend legal rights, or serving the legitimate interests of the data controller, provided it doesn’t infringe upon the data owner’s fundamental rights and liberties.
The Data Protection Board (KVKK in Turkish), the authority responsible for enforcing the Data Protection Law and addressing complaints against data controllers for potential breaches, emphasizes that consent requests must be clear and informative. They cannot be buried within lengthy texts of privacy notices. The Board also clarifies that “opt-out” consent modes, where data processing is presumed unless the data subject opts out, are not compliant with the law; instead, an “opt-in” consent approach must be adopted.
Sensitive data, as classified by the Data Protection Law in Turkey, includes information related to race, ethnic origin, political beliefs, philosophical convictions, religion, sects, attire, association or union memberships, health, sexual activity, criminal history, and biometric/genetic characteristics. Processing such data requires explicit consent from the data subject or authorization by law.
The transfer of data follows the same rules and exceptions as data processing, with additional restrictions for international transfers. To transfer data outside of Turkey, explicit consent of the data subject or specific exceptions must exist, and either the destination country must offer adequate data protection or an agreement between the Turkish data controller and the data importer must ensure sufficient protection, subject to the Data Protection Board’s approval.
Data controllers must inform data subjects about their personal data processing, including the controller’s identity, purpose, recipients, data collection methods, legal basis, and data subject rights. In case of a data breach, data controllers must notify the Data Protection Board within 72 hours and inform affected data subjects promptly.
Data subjects have the right to know if their data has been processed, request information about the processing, request data correction or deletion, and seek damages for illegal data processing. Data controller responses to data subject requests must be provided within 30 days. If a response is unsatisfactory or denied, data subjects can file a complaint with the Data Protection Board.
Certain data controllers must register with the Data Controllers Registry Information System (VERBİS in Turkish). The registration requirement applies to all data controllers, except for exemptions based on specific criteria, such as the nature of the controller’s legal entity or the volume of sensitive data processed. Turkish legal entities with over 50 employees or significant assets/liabilities must also register.
The registration deadline was December 31, 2021. Foreign data controllers processing data of Turkish residents are also subject to registration. Non-compliance may lead to administrative fines.
Exemption from registration does not exempt data controllers from other obligations under the Data Protection Law in Turkey. Regardless of registration status, data controllers should maintain an inventory of personal data processed in Turkey, including categories, purpose, retention periods, data transfers, and security measures.
The Data Protection Board has the authority to investigate non-compliance with the Data Protection Law and issue fines. However, it cannot award damages to data subjects. Data subjects with claims of rights violations may seek damages through general courts.
The Criminal Code also imposes penalties for illegally recording or delivering data, or for failing to destroy data as required by law; these offenses are punishable by imprisonment.
The right to be forgotten is recognized by the Data Protection Board and may involve actions such as erasure, destruction, anonymization, or exclusion from search engine indexes. A request for exclusion from a search engine index should first be made to the data controller, in this case the search engine itself. If the search engine does not respond adequately, the data subject can complain to the Data Protection Board.
The Personal Data Protection Authority introduced guidelines on the right to be forgotten in relation to search engines in 2021. These guidelines consider factors such as the nature of information, its accuracy, potential harm, and legal obligations when evaluating exclusion requests.
Overall, the Data Protection Law in Turkey seeks to balance individual privacy rights with the necessity of data processing for various purposes while providing remedies and oversight through the Data Protection Board and the judicial system.