Data Law Navigator | Turkey

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last updated 10 October 2018

Risk scale

It is expected to be Orange once all relevant secondary legislation is adopted.

Laws

  • Law on the Protection of Personal Data numbered 6698 (“Law”)
    • Regulation on Deletion, Destruction or Anonymization of Personal Data
    • Regulation on the Principles and Procedures of the Activities of the Data Protection Authority
    • Regulation on the Promotion and Change of Title of Data Protection Authority Personnel
    • Regulation on the Organization of the Data Protection Authority
    • Regulation on Data Protection Expertise
    • Regulation on the Data Controller Registry
  • Article 20 of the Turkish Constitution
  • Article 75 of the Labour Law
  • Article 73 of the Banking Law
  • Article 51 of the Electronic Communication Law
    • Regulation on the Processing and Privacy of Personal Data in Electronic Communication Sector
  • Article 10 of the E-Commerce Law
  • Article 47 of the Decree Law on the Organizations and Duties of the Ministry of Health and its Affiliates
    • Regulation on the Processing and Protection of Personal Health Data
  • Articles 135 to 140 of the Turkish Penal Code
  • Data Protection Authority Council Decisions
    • Decision on the “Dates for registration with VERBIS” dated 19.07.2018 and numbered 2018/88
    • Decision on the “Data Controllers being exempted from the registration with VERBIS” dated 19.07.2018 and numbered 2018/87
    • Decision on the “exemption with respect to mediators” dated 05.07.2018 and numbered 2018/75
    • Decision on the “exemption with respect to certified public accountants” dated 28.06.2018 and numbered 2018/68
    • Decision on the “Use of personal data by employees of the data controller who have access to such personal data” dated 31.05.2018 and numbered 2018/63
    • Decision on the “Data Controllers being exempted from the registration with the Data Controller Registry (VERBIS)” dated 02.04.2018 and numbered 2018/32
    • Decision on the “Sufficient Precautionary Measures to be taken by Data Controllers on Special Personal Data” dated 31.01.2018 and numbered 2018/10
    • Decision on the “Protection of Personal Data in Internet Pages/Applications Offering Guidance Services” dated 21.12.2017 and numbered 2017/61
    • Decision on the “Protection of Personal Data in Service Industries such as Counters, Booths and Ticket Offices” dated 21.12.2017 and numbered 2017/62

Authority

Data Protection Authority (Kişisel Verileri Koruma Kurumu)  

http://www.kvkk.gov.tr/

Anticipated changes to law

The Data Protection Authority is expected to declare the list of countries that it considers to provide an adequate level of data protection.

If applicable: stage of legislative implementation of GDPR

As a non-EU member state, Turkey is not implementing the GDPR. However, companies processing personal data were required to bring their processing into compliance with the Law and its regulations within two years of the Law's publication on 7 April 2016, i.e. by 7 April 2018.

If applicable: local derogations as permitted by GDPR 

As a non-EU member state, Turkey is not implementing GDPR. However, the Law regulates certain exceptions to its own application:

  • Article 5/2 of the Law sets out the cases in which personal data may be processed without the explicit consent of the data subject: (a) it is expressly permitted by law; (b) it is necessary to protect the life or physical integrity of the data subject or of another person where the data subject is physically or legally incapable of giving consent; (c) it is necessary to process the personal data of the parties to a contract, provided that the processing is directly related to the conclusion or performance of that contract; (d) it is necessary for compliance with a legal obligation to which the controller is subject; (e) the data have been made public by the data subject himself/herself; (f) it is necessary for the establishment, exercise or protection of a right; and (g) it is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
  • As per Article 6/3 of the Law, sensitive data other than data relating to health and sexual life may be processed without the explicit consent of the data subject in the cases provided for by law. Personal data relating to health and sexual life may be processed without the explicit consent of the data subject only by persons or authorised public institutions and organisations that are under an obligation of confidentiality, and only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health care services.
  • The Law does not apply in the following cases:
    • Processing by a natural person in the course of purely personal activities of himself/herself or of family members living in the same dwelling, provided that the data are not disclosed to third parties and the data security obligations are complied with.
    • Processing for official statistical and planning purposes after anonymisation.
    • Processing for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, the right to privacy or personal rights, and does not constitute a crime.
    • Processing within the scope of preventive, protective and intelligence activities carried out by authorised public institutions and organisations.
    • Processing by judicial or enforcement authorities in the context of investigation, prosecution, trial or enforcement proceedings.

Scope

The Law introduces data protection principles in Turkey that are aligned with those of European Union data protection law. It aims to protect the fundamental rights and freedoms of individuals, in particular the right to privacy, with respect to the processing of personal data, and to set out the obligations, principles and procedures binding on the natural and legal persons who process personal data.

The Law applies to natural persons whose personal data are processed and to the natural and legal persons who process such data, whether wholly or partly by automated means or by non-automated means, provided in the latter case that the processing forms part of a data filing system.

Penalties/enforcement

The Data Protection Authority has enforcement powers in respect of administrative sanctions only. The available administrative sanctions are (i) administrative fines of up to TL 1,000,000 and (ii) an order to suspend the processing of the data or its transfer abroad.

If the breach is committed within a public institution or organisation, or within a professional organisation having the status of a public institution, disciplinary proceedings are brought against the responsible officers and public officials.

If the breach constitutes a crime under Articles 135 to 140 of the Turkish Penal Code, criminal sanctions, including imprisonment and the sanctions applicable to legal entities (cancellation of activity permits and confiscation of the assets and income of the legal entity), are imposed by the courts.

Registration / notification 

Data controllers must register with the Data Controller Registry (VERBIS) within 30 (thirty) days* of the date on which they become liable to register, as per Article 8 of the Regulation on the Data Controller Registry (certain exemptions apply).

* As VERBIS only became operational on 2 October 2018, the Data Protection Authority has granted data controllers a transition period in which to register. The registration deadline for (i) data controllers which employ at least 50 employees or have an annual balance sheet total of at least TL 25 million (c. EUR 3.5 million) and (ii) data controllers established abroad is 30 September 2019. (Other deadlines apply to data controllers outside this scope.)

Main obligations and processing requirements

  • Information requirement (the data subject must be informed of the identity of the controller, the purpose of the processing, the third parties to whom the data may be transferred and the purpose of such transfer, the method of and legal basis for collecting the personal data, and the data subject's rights)
  • Consent requirements (in particular for processing data and for transferring data to third parties and abroad; certain exceptions to the consent requirements apply)
  • Registration with the Data Controller Registry (VERBIS) (certain exemptions apply)

Data subject rights

Each person has the right to apply to the controller and (i) to learn whether his/her personal data are being processed; (ii) to request information if his/her personal data have been processed; (iii) to learn the purpose of the processing and whether the data are used in accordance with that purpose; (iv) to know the third parties, in Turkey or abroad, to whom the personal data have been transferred; (v) to request the rectification of incomplete or inaccurate data; (vi) to request the deletion or destruction of the personal data under certain conditions; (vii) to request that the rectification, deletion or destruction carried out under (v) and (vi) be notified to the third parties to whom the personal data have been transferred; (viii) to object to a result that is unfavourable to him/her arising from the analysis of the processed data exclusively by automated systems; and (ix) to claim compensation for damage suffered as a result of the unlawful processing of his/her personal data.

Processing by third parties

The Law requires the explicit consent of the data subject for transfers of personal data to third parties (certain exceptions apply).

Transfers out of Country

Personal data cannot be transferred outside Turkey without the explicit consent of the data subject.

Personal data may be transferred outside Turkey without the explicit consent of the data subject only in the following cases:

  • the foreign country to which the personal data will be transferred provides an adequate level of protection*; or
  • where an adequate level of protection does not exist, the data controllers in Turkey and in the relevant foreign country undertake in writing to provide an adequate level of protection and the Data Protection Board has authorised the transfer.

* The countries in which an adequate level of protection exists are to be declared by the Data Protection Authority, but no such list has been published to date.

Security

The data controllers are required to take all necessary technical and organizational measures to provide an appropriate level of security in order to

  • prevent the unlawful processing of personal data,
  • prevent the unlawful access to personal data,
  • safeguard personal data.

Where personal data are processed on behalf of the data controller by another natural or legal person, the data controller is jointly liable with that person for taking the measures listed above.

Breach notification

In instances where others acquire processed personal data through unlawful means, the data controller shall notify the data subject and the Data Protection Board as soon as possible.

Direct Marketing

For all forms of electronic marketing communication directed at individuals (i.e. by phone, call centre, fax, e-mail, automatic dialling machines, voice recording systems or text message), the recipient's prior consent is required. A soft opt-in applies only to the same or related (“cross-over”) services that the consumer has already purchased, and an opt-out right applies alongside it.


Cyber Security

Last reviewed 10 October 2018

Risk scale

Laws and regulations

  • Law on Electronic Communications No. 5809
  • Council of Ministers Decision No. 2012/3842 of 11 June 2012 on National Cyber Security Measures and Coordination
  • Communiqué on the Procedures and Principles for the Establishment and Duties of Computer Emergency Response Teams (dated 11 November 2013)
  • Regulation on Network and Data Security in the Electronic Communications Sector
  • Articles 243, 244 and 245 of the Turkish Penal Code

Additionally, the Ministry of Transport, Maritime Affairs and Communications has published the following guidelines:

  • Guidelines on the Establishment and Management of Sectorial and Institutional Computer Emergency Response Team
  • Minimum Criteria on Information Security for Public Institutions
  • Minimum Security Measures on Critical Infrastructure Information Systems
  • Guideline on Classification of Information with Regards to their Degree of Confidentiality
  • Guideline on the Development of Secure Software
  • Guideline on Test of the Degree of Cyber Security Measures for Institutions 
  • List of Institutions that are included under the Public Network (KamuNet)
  • Guideline and Recommendations on Digital Security Risk Management for Economic and Social Prosperity (OECD).

Anticipated changes to law

The 2016-2019 National Cyber Security Strategy and the 2013-2014 Action Plan call for the issuance of legislation compatible with the principles of EU regulation.

Application 

All public institutions and organisations, individuals and legal entities must comply with the principles, procedures and standards determined by the Cyber Security Authority.

Critical sectors are defined as: banking and finance, energy, transport, certain public services, water management and electronic communications.

Authority

Cyber Security Authority (Siber Güvenlik Kurulu)

Key obligations

All operators in the electronic communications sector must:

  • take the necessary measures against cyber-attacks;
  • set up an institutional Computer Emergency Response Team;
  • establish a control mechanism covering IP addresses, communication ports and application protocols;
  • provide protection services on request.

Penalties/enforcement

The Cyber Security Authority does not yet have any enforcement powers. The Data Protection Authority has the power to impose administrative sanctions only.

Articles 243, 244 and 245 of the Turkish Penal Code regulate cyber-crimes. Criminal sanctions, including imprisonment and the sanctions applicable to legal entities (cancellation of activity permits and confiscation of the assets and income of the legal entity), are imposed by the courts.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. TR-CERT, the National Computer Emergency Response Team (Ulusal Siber Olaylara Müdahale Merkezi, USOM).

Is there a national incident management structure for responding to cybersecurity incidents?

TR-CERT is the national authority responsible for detecting and preventing cyber threats of national and international origin. Certain public institutions and organisations that regulate the critical sectors have set up sectoral Computer Emergency Response Teams.

Other cybersecurity initiatives

The Cyber Security Authority sets up working groups to raise public awareness; to assist with the creation and improvement of legislation, early warning systems and emergency action plans; and to determine security standards and certification criteria for critical infrastructures.



Authors

Alican Babalioglu
Partner
Istanbul