CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

Chile's principal data protection legislation is Law 19.628 “on protection of private life” (also known as the Chilean Data Protection Law or “CDPL”).

Two other legal provisions also regulate aspects of personal data processing:

  • The Chilean Constitution, whose article 19 No. 4 and No. 5 enshrine the right to privacy and the protection of personal data; and
  • Law 19.496 (Consumer Protection Law), which regulates unsolicited commercial marketing communications sent to consumers.

The Personal Data Protection Act 2012 (PDPA) is Singapore's data protection law governing the collection, use, disclosure and handling of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA also provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.

Key subsidiary legislation that operates alongside the PDPA includes the Personal Data Protection Regulations 2021, the Personal Data Protection (Notification of Data Breaches) Regulations 2021 and the Personal Data Protection (Do Not Call Registry) Regulations 2013.

Personal Data Protection Act 2012: https://sso.agc.gov.sg/Act/PDPA2012 

2. Data protection authority

Chile does not have a Data Protection Authority.

Singapore's data protection authority is the Personal Data Protection Commission (PDPC).

3. Anticipated changes to local laws

There are no anticipated changes.

In Chile, Congress is discussing a new law that will replace Law 19.628 and raise the standard of protection.

Anticipated changes:

  • A new legal definition: the objective is to update and expand it in line with international standards;
  • Legitimate bases for processing: a more robust set of legal bases for processing has been incorporated;
  • The creation of a Data Protection Authority: a National Directorate for Personal Data Protection, with an obligation to register databases;
  • Cross-border data transfers: regulated for the first time, since the current law contains no provision governing cross-border transfers;
  • A new set of infringements; and
  • A complaint procedure in three steps: first, a direct claim to the data processor; second, an administrative claim before the new National Directorate for Personal Data Protection; and finally, a judicial claim disputing the Directorate's decision.

The following changes to the PDPA have been passed by Singapore’s Parliament but have not yet come into effect:

  • Data portability – mandatory obligation for organisations to provide an individual’s data, at the individual’s request, to another organisation in a commonly used machine-readable format; 
  • provisions which exempt organisations from the proposed data portability obligation and the obligations to provide an individual with access to or to correct personal data at the individual’s request in respect of “derived personal data” (i.e. new data that is created through the processing of other data by applying business-specific logic or rules); and
  • Higher penalties – an increase in the financial penalties that may be imposed on organisations: in the case of a breach of the data protection provisions, 10% of its annual turnover in Singapore or SGD 1m, whichever is higher; and in the case of a breach of the prohibitions on the use of dictionary attacks and address-harvesting software, 5% of its annual turnover in Singapore or SGD 1m, whichever is higher. 

4. Sanctions & non-compliance

The DPL, together with the Turkish Criminal Law No. 5237, sets out the enforcement regime.

Administrative sanctions:

The DPA may impose administrative fines within the following ranges:

  • TRY 9,834 to TRY 196,686 (EUR 1,160 to EUR 23,267) for non-compliance with information obligations;
  • TRY 29,503 to TRY 1,966,862 (EUR 3,490 to EUR 232,675) for non-compliance with data security obligations;
  • TRY 49,172 to TRY 1,966,862 (EUR 5,816 to EUR 232,675) for non-compliance with decisions of the Board; and
  • TRY 39,337 to TRY 1,966,862 (EUR 4,653 to EUR 232,675) for non-compliance with the requirements regarding registration with the Registry.

Criminal sanctions:

There are various criminal offences under the DPL and the Turkish Criminal Law No. 5237, including:

  • Illegal recording of personal data;
  • Illegal recording of special categories of personal data;
  • Illegal transfer or acquisition of personal data, or making personal data available to the public;
  • Illegal transfer, acquisition or public disclosure relating to the statements or photos/videos of minors who have committed crimes, as described in the Turkish Criminal Procedure Law No. 5271;
  • Failing to delete data when required;
  • Failing to delete data as required by the Turkish Criminal Procedure Law No. 5271;
  • Impairing or preventing the proper functioning of an IT system;
  • Corrupting, destroying or amending data in an IT system, making it inaccessible, placing data on an IT system or sending existing data to other media; and
  • Any of the actions in the preceding paragraph taken against the IT systems of a bank, credit institution or public authority.

In addition to the monetary penalties indicated above, which fall on the data controller, individual company directors and representatives can face criminal liability; the term of imprisonment ranges from six months to eight years.

Others: 

Under article 14 of the DPL, data subjects may bring a claim before the courts for compensation for material or non-material damage in the event of a data breach.

Since Chile has no Data Protection Authority, sanctions can only be imposed by a judge in civil proceedings. To this end, Law 19.628 establishes a special procedure called “habeas data”. In practice, however, the “Remedy for the Protection of Constitutional Rights”, a constitutional action, is also commonly used to protect the fundamental rights affected by illegal or arbitrary processing of personal data.

Administrative sanctions:

  • In relation to enforcement of the data protection provisions, the PDPC may impose fines of up to SGD 1m for each breach.
  • In relation to enforcement of the DNC Registry provisions and the prohibition on the use of dictionary attacks and address-harvesting software, the PDPC may impose a fine not exceeding SGD 200,000 in the case of an individual, and up to SGD 1m in any other case.
  • The PDPC may also issue directions for non-compliance, including directions to stop the collection, use or disclosure of personal data and to destroy personal data collected.

Criminal sanctions:

  • Imprisonment for a term not exceeding:
    • Two years – for knowing or reckless unauthorised disclosure of personal data; knowing or reckless unauthorised use of personal data for a gain or to cause harm or loss to another person; or knowing or reckless unauthorised re-identification of anonymised information;
    • 12 months – for an unauthorised request to access or correct personal data about another individual; obstructing or hindering the PDPC in the exercise of its powers or duties; a knowing or reckless false statement made to the PDPC; or a knowing attempt to mislead the PDPC; or
    • Six months – for neglecting or refusing to provide any information or produce any document to the PDPC, or to attend before the PDPC, without reasonable excuse; or unauthorised use of a symbol or representation identical to or resembling that of the PDPC.
  • Criminal fines may also be imposed and vary depending on the specific offence, although in general they do not exceed SGD 10,000 in the case of individuals and SGD 100,000 in the case of organisations.

Others:

  • Individuals have a private right of action and may seek relief by way of injunction, declaration or damages for loss or damage suffered directly as a result of a contravention of the PDPA.

5. Registration / notification / authorisation

Unless they benefit from an exemption under the DPL and its secondary legislation, all data controllers (whether foreign or resident in Turkey) that process data in Turkey must register with the Data Controllers' Registry (VERBIS).

Chile imposes no registration or notification obligation: there is no data protection authority, and the law does not establish such a requirement.

In Singapore, there is no requirement for organisations to register with the PDPC. However, voluntary registration of the Data Protection Officer is encouraged.

6. Main obligations and processing requirements

The DPL requires data controllers either to obtain the explicit consent of the data subject for data processing or to rely on one of the following legal bases:

  • The processing is explicitly permitted under the relevant legislation;
  • The processing is necessary to protect the vital interests or bodily integrity of the data subject, or of any other person, who is physically or legally incapable of giving explicit consent;
  • The processing of the personal data of the parties to a contract is necessary to enter into or perform that contract;
  • The processing is necessary for the data controller to fulfil a legal obligation;
  • The personal data has been made public by the data subject;
  • The processing is necessary to establish, exercise or protect a right; or
  • The processing is necessary for the legitimate interests of the data controller, provided that it does not infringe the fundamental rights and freedoms of the data subject.

In addition, personal data may in general only be processed in accordance with the procedures and principles set out in the DPL and related legislation.

The DPL also sets out further, stricter procedures and principles for the processing of sensitive personal data (özel nitelikli kişisel veri).

Penalties for breaches of the DPL

See our responses to “Sanctions & non-compliance” above.

Data processing: 

According to the CDPL, all processing of personal data shall be carried out:

  • In a manner consistent with the law;
  • For the purposes permitted by the legal system; and
  • With attention to the full exercise of the fundamental rights of the data subject.

Consent of the data subject: Article 4 of the law provides that personal data may be processed only when the law authorises it or the data subject expressly consents to or authorises it. The law does not, however, define what the “authorisation” or “consent” of the data subject means or entails.

Quality: Article 6 of the law provides that personal data must be destroyed or cancelled when its storage has no legal basis or that basis has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled and its accuracy cannot be established or its validity is doubtful.

Confidentiality: Article 7 of the law provides that persons who work in the processing of personal data, in both the private and the public sector, must maintain confidentiality with respect to data that comes from sources not accessible to the public, as well as with respect to other information relating to the data bank; this obligation does not cease when their functions or activities in that field end.

Purpose: Personal data may be used only for the purposes for which it was collected, unless it was obtained from sources accessible to the public (Article 9 of the law).

Sensitive personal data: Article 10 of the law provides that sensitive personal data, defined as any information regarding the physical or moral characteristics of an individual or the facts or circumstances of his or her private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:

  • The law authorises it;
  • The data subject expressly accepts the processing; or
  • The data is necessary to determine or grant health benefits pertaining to the respective data subject.

Data security: Article 11 of the law provides that those responsible for the registries or personal data must “take care of them with due diligence” and are liable for damages.

Organisations, wherever located, that process the personal data of individuals in Singapore must comply with the PDPA.

The PDPA sets out ten main data protection obligations that organisations must comply with in order to collect and process personal data lawfully:

  1. Consent Obligation – to obtain the consent of the individual; 
  2. Purpose Limitation Obligation – to collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent;
  3. Notification Obligation – to notify individuals of the purposes for which the organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data;
  4. Access and Correction Obligation – upon request, provide the individual with access to their personal data and information about the ways in which it has been or may have been used or disclosed, and correct any error or omission in the individual’s personal data;
  5. Accuracy Obligation – make reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete;
  6. Protection Obligation – make reasonable security arrangements to protect the personal data that the organisation possesses or controls;
  7. Retention Limitation Obligation – cease retention of personal data or remove the means by which the personal data can be associated with particular individuals when it is no longer necessary for any business or legal purpose;
  8. Transfer Limitation Obligation – ensure that the standard of protection provided to the personal data transferred to another country will be comparable to the protection under the PDPA; 
  9. Data Breach Notification Obligation – assess whether a data breach is notifiable and notify the affected individuals and/or PDPC where it is assessed to be notifiable; and
  10. Accountability Obligation – implement policies and procedures to meet its obligations under the PDPA, and make information about its policies and practices publicly available and to appoint a data protection officer.

Organisations that have contracted to process personal data on behalf of another organisation may be considered a “data intermediary”. 

A data intermediary that processes personal data pursuant to a written contract is responsible only for the Protection Obligation, the Retention Limitation Obligation and the Data Breach Notification Obligation: it must protect the personal data in its care, cease retaining the personal data once there is no longer a business or legal need to do so, and notify the organisation or public agency on whose behalf it is processing the data when it discovers that a data breach has occurred.

7. Data subject rights

Under the DPL, the data subject must be granted the following rights:

  • The right to learn whether his/her personal data has been processed and if so, demand information about such processing/transfer;
  • The right to learn the purpose of such data processing and whether the use of his/her personal data is in line with the intended purpose of processing/transfer;
  • The right to learn about the third parties to whom the data subject’s personal data has been transferred (in Turkey or abroad);
  • The right to demand correction in the event that the personal data has been processed in a deficient or wrongful manner;
  • The right to demand deletion, destruction or anonymisation of the personal data in accordance with the DPL, or where the grounds for processing no longer apply, and to have the third parties to whom the data was transferred notified of any such correction, deletion, destruction or anonymisation;
  • The right to object to the results if the personal data has been analysed by automated systems and this has produced results that are unfavourable for the data subject; and 
  • The right to demand compensation if the processing of the personal data in violation of the DPL has resulted in damages for the data subject.

Access to data

All data subjects have the right to demand from the person responsible for any public or private data bank any information that pertains to them, its source, the purpose of its collection, the legality of the processing, and the names of the individuals or entities to which the data is regularly transmitted.

Correction and deletion

Correction or modification: All data subjects have the right to request the modification of inaccurate, incomplete, misleading or outdated data concerning them.

Cancellation

All data subjects have the right to demand the destruction or cancellation of personal data when its storage has no legal basis or when the authorisation for its storage has expired. Data subjects may exercise this right even where the data was voluntarily provided or is being used for commercial communications, if they no longer wish to appear in such records, whether temporarily or permanently.

Marketing objection

The Consumer Protection Law regulates unsolicited commercial or marketing communications sent by email to consumers. Such communications must contain a valid email address to which the recipient may request the suspension of future communications.

Under the PDPA, individuals have the following rights:

  • a private right of action for loss or damage suffered directly as a result of a contravention of the PDPA;
  • right to ask the organisation to provide the contact of a person who can answer, on behalf of the organisation, their questions about the collection, use or disclosure of the personal data;
  • right to withdraw their consent for the collection, use or disclosure of their personal data by an organisation at any time, with reasonable notice;
  • right to request access to their personal data that an organisation possesses or controls, including to be provided with information about the ways in which such personal data has or may have been used or disclosed within the year before the request;
  • right to request an organisation to correct an error or omission in their personal data; and
  • right to file a complaint.

8. Processing by third parties

Under the DPL, a data processor (veri işleyen) is the natural or legal person who processes personal data on behalf of, and with the authorisation of, the data controller.

Where such a third party receives the personal data to be processed from the data controller, the rules on domestic transfers of personal data apply. Accordingly, a data controller may transfer personal data to a data processor if:

  • Explicit consent is obtained from the data subject;  
  • This data transfer is explicitly allowed under the relevant legislation;
  • The transfer is necessary to protect the vital interests or bodily integrity of the data subject, or of another person, and the data subject is physically or legally incapable of giving consent;
  • The transfer of the personal data of the parties to a contract is necessary, provided that the processing is directly related to the conclusion or performance of that contract;
  • The transfer is necessary for the data controller to fulfil its legal obligations;
  • The data to be transferred has been made public by the data subject;
  • The transfer is necessary for the establishment, exercise, or defence of a legal claim; or
  • The data transfer is necessary for the legitimate interests of the data controller on the condition that such processing does not infringe upon the fundamental rights and freedoms of the person in question. 

Note that under the DPL, special categories of personal data other than data relating to sexual life and health may be transferred on the basis of explicit consent, or where such processing is permitted under Turkish legislation, provided that the necessary precautions for the protection of the data have been taken.

Personal data relating to the sexual life or health of an individual may only be transferred on the basis of explicit consent or, provided that the necessary precautions for the protection of the data have been taken, by and for the purposes of:

  • Persons who are bound by the confidentiality obligation for the purposes of protecting public health, preventive medicine, medical diagnosis, planning, managing, and financing of treatment and medical care services; or
  • Authorised entities and institutions that hold the purposes indicated in the preceding paragraph.

Chilean law does not specifically regulate processing by third parties. Under Article 8 of the CDPL, where the processing of personal data is carried out under a mandate, the general rules apply; the mandate must be granted in writing and must regulate the conditions of use of the data.

An organisation must observe the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself.

Data intermediaries that process personal data on behalf of and for the purposes of another organisation pursuant to a written contract are subject only to the Protection Obligation, the Retention Limitation Obligation and the Data Breach Notification Obligation.

9. Transfers out of country

In principle, the DPL requires either the explicit consent of the data subject for the transfer of his/her personal data to a foreign jurisdiction or reliance on another legal basis for the transfer.

In the latter case (i.e. where the transfer is based on a legal basis other than consent), personal data may be sent to a foreign jurisdiction only if:

  • The jurisdiction provides sufficient protection of personal data; the Board decides and announces which countries provide sufficient protection; or
  • Where the jurisdiction does not provide sufficient protection, the Board authorises the transfer on the basis of written undertakings (in the form of standard contractual clauses or, where multiple group companies are involved, Binding Corporate Rules) given by the data controllers in Turkey and in the foreign country to which the personal data is transferred.

Chilean law does not establish specific requirements or restrictions on transfers of personal data abroad.

However, the law contains rules on the automated transmission of data. Article 5 of the law provides that the person responsible for a database may establish an automated system for the transmission of personal data, provided that it adequately safeguards the rights and interests of the parties involved and that the transmission is strictly related to the duties and objectives of the participating entities.

Where personal data is requested for transmission through an electronic network, the following must be recorded:

  • Identification of the requesting party;
  • Reason and purpose of the request;
  • Type of data transmitted.

Since the law does not restrict transfers of personal data to third countries, foreign companies mostly rely on standard contractual clauses or binding corporate rules of the kind established under EU legislation.

The transfer of personal data does not require registration, notification or prior approval from a data protection authority, since no such body exists in Chile.

Transfers of personal data outside Singapore are restricted unless certain conditions are met: the recipient of the personal data must provide safeguards equivalent to or greater than those required under the PDPA. The PDPA does not provide a white-list of countries deemed to have equivalent protection.

As such, organisations may transfer personal data overseas if they have taken appropriate steps to comply with the data protection provisions in respect of the transferred personal data while such personal data remains in their possession or control. When the personal data is transferred to a recipient outside of Singapore, organisations need to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA. Such legally enforceable obligations include obligations imposed under law, any contract or binding corporate rules. In addition, organisations and data intermediaries that are certified under the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System are deemed to be bound by legally enforceable obligations for the purpose of transfers of personal data outside Singapore. 

10. Data Protection Officer

The Data Protection Officer concept is not recognised under the DPL. 

However, all data controllers obliged to register with VERBIS must appoint a “data controller’s representative” together with a contact person if they are resident in a foreign jurisdiction, or only a “contact person” if they are resident in Turkey.

In either case, the individual concerned bears no liability for the data controller's failure to comply with its statutory obligations, but merely acts as an intermediary between the data controller and the DPA.

In Chile, there is no legal requirement to appoint a Data Protection Officer.

In Singapore, organisations are required to designate at least one individual, known as the Data Protection Officer (DPO), to oversee data protection responsibilities within the organisation and ensure compliance with the PDPA.

The business contact information of the DPO must be made available to the public. Although not a legal requirement, in practice the PDPC asks organisations to register the DPO's details with it.

11. Security

Turkish data protection legislation does not provide a specific list of technical and administrative measures to be implemented.

However, the Board has issued a decision (dated 31 January 2018, numbered 2018/10) obliging any entity or person processing special categories of personal data to take additional protective measures for such sensitive data.

In Chile, there is no specific legal requirement to take appropriate technical and security measures to protect personal data, but the party responsible for the data is always liable for damages caused by the leaking of information.

In Singapore, organisations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, and the loss of any storage medium or device on which personal data is stored.

12. Breach notification

Under the DPL, data controllers must notify the DPA within 72 hours of becoming aware of a breach. Where the notification is late, the data controller must also inform the DPA of the reasons for the delay.

Further, the data controller must also notify the data subjects who have been affected by the said breach. 

In Chile, there is no legal obligation to notify data breaches to any authority.

In Singapore, organisations must assess whether a data breach is notifiable and, where it is, notify the affected individual(s) (where required) and/or the PDPC. A data breach is notifiable where:

  • it is of a significant scale, i.e. it involves the personal data of 500 or more individuals; or
  • it results in, or is likely to result in, significant harm to the affected individual(s), which is the case where the compromised personal data relates to:
    • the individual’s full name, alias or identification number, in combination with: (a) financial information that is not publicly disclosed; (b) identification of a vulnerable individual; (c) life, accident and health insurance information that is not publicly disclosed; (d) specified medical information; (e) information relating to adoption matters; or (f) a private key used to authenticate or sign an electronic record or transaction; or
    • the individual’s account identifier together with the data needed to access the account.

Organisations must notify the PDPC as soon as practicable, and in any case no later than 72 hours after assessing that a data breach is notifiable. Where affected individuals must be notified, this must be done as soon as practicable, at the same time as or after notifying the PDPC.

Data intermediaries that process personal data on behalf of and for the purposes of another organisation or a public agency are not required to assess whether a breach is notifiable or to notify the PDPC, but must notify that organisation or public agency without undue delay when they detect a potential or actual data breach.

Sector-specific regulation, such as the Notices and Guidelines on Technology Risk Management issued by the Monetary Authority of Singapore, may also require breach notification under different timelines.

13. Direct marketing

B2C direct marketing is regulated under the Turkish Law on the Regulation of Electronic Commerce No. 6563, which prohibits unsolicited electronic communications for direct marketing purposes without the prior consent of the data subject, unless:

  • The data subject has provided his/her contact information to the service provider in order to receive electronic communications relating to changes to, or the use or maintenance of, goods or services already obtained;
  • The electronic communication does not promote new goods or services and relates solely to the collection of a debt, an information update or similar matters concerning an ongoing subscription, membership or partnership; or
  • The electronic communication contains only information on intermediary activities of the sender regulated by capital markets legislation.

Although direct marketing is not specifically regulated under the DPL, the use of personal data for marketing is data processing, so marketing activity is also subject to the general principles of the DPL described above.

In Chile, direct marketing is regulated by the Consumer Protection Law, which governs unsolicited commercial marketing communications sent by email to consumers. Among other things, such communications must contain a valid email address to which the recipient may request the suspension of further communications (an opt-out system). Once the recipient has requested that further emails be suspended, any further unsolicited communication or email is prohibited by law.

The DNC provisions of the PDPA generally prohibit organisations from sending marketing messages (in the form of voice calls, text or fax messages) of a commercial nature to Singapore telephone numbers, including mobile, fixed-line, residential and business numbers, registered with the DNC Registry, unless the consumer has provided their clear and unambiguous consent in written or other accessible form for sending the marketing message to the Singapore telephone number.

The organisation may still send a direct marketing message where the sole purpose of the message is: 

  • to facilitate, complete or confirm an earlier transaction between the sender and recipient; 
  • to provide warranty information, product recall information, or safety or security information with respect to a product/service purchased by the recipient;
  • to deliver goods or services that the recipient is entitled to receive under an existing transaction; or 
  • related to the subject matter of an ongoing relationship between the sender and the recipient. 

Individuals may subsequently opt out of receiving direct marketing messages. Upon receiving an individual’s opt-out request, the organisation must stop sending such messages to that individual's telephone number 21 days after the opt-out.

Under the PDPA, organisations are not permitted to send, cause to be sent or authorise to send any message with a Singapore link to telephone numbers generated or obtained through the use of a dictionary attack or address harvesting software. This prohibition also applies with respect to electronic messages generated or obtained through the use of a dictionary attack or address harvesting software under the Spam Control Act. 

In addition, under the Spam Control Act, organisations are prohibited from sending, causing to be sent or authorising the sending of any unsolicited commercial electronic messages in bulk if they do not comply with the statutory conditions (e.g. the message must include an email address to which the recipient may submit an unsubscribe request).

14. Cookies and adtech

Cookies are subject to the general principles of the DPL as indicated above.

The CDPL does not directly regulate the use of cookies or similar technologies. 

The PDPA applies to the collection, use or disclosure of personal data using cookies.

However, consent is not required for cookies that:

  • do not collect personal data; and
  • are used for internet activities clearly requested by the user, where the individual is aware of the purposes of such collection, use and disclosure and has voluntarily provided his personal data for such purposes.

If the individual configures his browser to accept certain cookies but reject others, he may be found to have consented to the collection, use and disclosure of his personal data by the cookies he has chosen to accept. In such a circumstance, the PDPC has confirmed that consent can be implied. However, the failure of an individual to actively manage his browser settings does not imply that he has consented to the collection, use and disclosure of his personal data.

15. Risk scale

Severe

Low

Moderate

Cybersecurity

1. Local cybersecurity laws and scope

The decisive applicable laws and regulations related to cybersecurity matters are the following:

Please also note that other pieces of legislation related to cybersecurity, usually enacted on a sector-specific basis, are also in effect but have not been specifically mentioned, as these are not of a general nature but concern specific sectors (e.g. banking, e-commerce).

Chile does not have a specific law to regulate cybersecurity. However, many laws regulate some aspects of cybersecurity, for example:

  • Ley N°20.285/2008 - Law on access to public information
  • Ley N°17.336/2004 - Intellectual Property Law
  • Ley N°19.927/2004 - Law amending criminal codes regarding child pornography crimes
  • Ley N°19.880/2003 - Law that establishes the bases of the administrative procedures that govern the acts of State administration bodies
  • Ley N°19.799/2002 - Law on electronic documents, electronic signature and certification services of said signature
  • Ley N°19.223/1993 - Law on criminal figures related to computing
  • Ley N°20.478/2010 - Law on recovery and continuity of critical and emergency conditions of the public telecommunications system

The Cybersecurity Act 2018 governs the prevention, management and response to cybersecurity threats and incidents, and regulates owners of critical information infrastructure and cybersecurity service providers. The provisions generally apply to any critical information infrastructure, computer and computer system located wholly or partly in Singapore. The provisions also apply to the Singapore Government, except that the Singapore Government will not be liable to prosecution for an offence. 

The related regulations and code of practice that operate alongside the Cybersecurity Act 2018 are the Cybersecurity (Critical Information Infrastructure) Regulations 2018, Cybersecurity (Confidential Treatment of Information) Regulations 2018 and the Cybersecurity Code of Practice for Critical Information Infrastructure. 

The Computer Misuse Act (CMA) is the principal legislation on cybercrimes. The CMA applies to any person regardless of nationality and citizenship, outside as well as within Singapore, where the accused, computer program or data was in Singapore at the material time of the offence or the offence causes or creates a significant risk of serious harm in Singapore.  

Local cybersecurity laws also include sector-specific rules, such as guidelines and notices issued by the Monetary Authority of Singapore for the financial sector (MAS rules). 

2. Anticipated changes to local laws

Amendments to the cybersecurity legislation of Turkey and related changes are expected to be enacted based on the National Cyber Security Strategic Action Plans, which have been published by the Ministry of Transportation and Infrastructure (“Ministry”) since 2013, each of which has covered a period of several years.

The latest Strategic Action Plan was published in 2020 for the period of 2020-2023. Strategic objectives were the protection of critical infrastructure and increasing their resilience, enhancement of national capacity, the development of an organic cybersecurity network, ensuring the security of new generation technology, fighting against cybercrimes, the development of national technology, the integration of cybersecurity into national security and improving international cooperation. As such, the aim is to reduce and deter cybercrime, apply general international standards of information security in public and private sectors, and establish a national certification mechanism. 

Since the 2017 announcement by the Minister of Transportation, Maritime Affairs and Communication that a draft for the Cyber Security Law had been prepared, no further developments have been publicly communicated. 

In October 2018, a bill was introduced in the Senate to strengthen the cybercrime law, adapting the current regulation to the standards of the Budapest Convention. One of the amendments proposed in the bill is the inclusion of any cybercrime as a basis for the criminal liability of legal entities under Law No. 20,393.

If the amendment is approved, legal entities must prevent cybercrimes from being carried out by their owners, controllers, executives, representatives or managers. Failure to maintain reasonable preventive measures would expose the legal entity to criminal liability and therefore to the following sanctions:

  • Fines from UTM 400 (an indexed unit of account) to UTM 300,000;
  • Partial or total loss of benefits or absolute prohibition of receiving them for a specified period;
  • Temporary or permanent prohibition to execute contracts with the State of Chile; and
  • Dissolution of the legal entity.

This bill was approved by the Senate and now has moved to the second constitutional procedure. It is likely to be approved in 2021.

Cybersecurity Act 2018: Provisions relating to the licensing of cybersecurity service providers are not yet in effect. The Cyber Security Agency of Singapore has stated that the implementation of the licensing framework will be communicated at a later date.

3. Application 

Law No. 5809

Law No. 5809, implemented in Turkey on 5 November 2008, applies to the provision of electronic communication services, the operation of communication infrastructure and networks, the production, import, sale and installation of electronic communication equipment and systems of any kind, and the regulation, inspection and authorisation of these activities.

To this effect, the Law No. 5809 regulates the duties and authorities of the Ministry, Information and Communication Technologies Authority (“Authority”) and finally the Cyber Security Council (“Council”) alongside the rights and obligations of operators and consumers. 

Law No. 5651

Law No. 5651 regulates the obligations and the liabilities of the content providers, access providers and collective usage providers and the procedure and principles regarding fighting against certain crimes committed via the use of services provided by content providers, access providers and hosting services providers. It also grants powers to the Authority regarding detection and prevention of cyberattacks, ensuring coordination between content providers, access providers and hosting service providers regarding this matter and for taking the necessary measures in this respect.

Law No. 5237

Turkish Criminal Code No. 5237 is the key piece of legislation setting out all criminal law related matters in Turkey and has a specific section on cybersecurity. This section regulates and defines crimes such as the penetration into an information system, hampering and breaking an information system, destroying, or changing data within such systems, as well as the related penalties applicable to such crimes. 

Decree No. 2012/3841

Decree No. 2012/3841 determines the duties of the Council, specifically determining the measures related to cybersecurity matters and approving the related plans, programmes, reports, procedures, principles, and standards. The related duties of the Ministry are also determined with Decree No. 2012/3841, which include preparing, executing, and managing national cybersecurity policies, strategies, and action plans. 

The Regulation

The Regulation sets out the procedures and principles that operators must comply with to ensure network and information security. The Regulation was enacted on the basis of Law No. 5809.

N/A

  • Cybersecurity Act 2018: The Cybersecurity Act 2018 requires and authorises the taking of measures to prevent, manage and respond to cybersecurity threats and incidents; regulates owners of critical information infrastructures (CIIs); establishes the framework for the sharing of cybersecurity information; and regulates cybersecurity service providers. It also provides the regulator with the power to investigate cybersecurity threats or incidents in order to determine their impact, prevent further harm and future incidents. These investigative powers can be delegated to authorised persons, and can be exercised in respect of any computer or computer system in Singapore; not only CIIs. The level of intrusiveness of such powers that can be exercised will depend on the severity of the situation.
  • CMA: The CMA makes provision for securing computer material against unauthorised access or modification, and to require or authorise the taking of measures to ensure cybersecurity. In particular, the CMA criminalises cybercrime such as ecommerce scams and hacking, and also makes it illegal for: (a) any person to provide or receive personal information which he suspects was obtained through unauthorised means; and (b) any person to deal with items designed for, adapted to and used to commit computer crimes, including hardware and software (e.g. computer programmes, passwords or access codes).
  • MAS Rules: The MAS Rules, amongst other things, require regulated entities to: (a) conduct system and penetration testing; (b) continuously monitor and detect network and other types of cyber intrusions; and (c) require the board and senior management of the regulated entities to effectively implement that entity’s cyber resilience programme.

4. Authority

  • Ministry of Transportation and Infrastructure, General Directorate of Communications (Cyber Security Council): https://hgm.uab.gov.tr/
  • Information and Communication Technologies Authority
  • Computer Emergency Response Team (National Centre for Intervention to Cyber Incidents): https://www.usom.gov.tr/

N/A

5. Key obligations 

Obligations Arising from Law No. 5809 and Related Regulation

  • The Ministry must determine national cybersecurity policies, strategies, aims, procedures, and principles to ensure cybersecurity for real and legal persons, prepare action plans and facilitate the coordination of related operations.
  • The Authority must take every necessary measure to protect public institutions, real and legal persons against cyberattacks and ensure deterrence of any such attacks. 
  • The Council must take any necessary decisions for the nationwide application of policies, strategies, and action plans regarding cybersecurity, resolve proposals on determining critical infrastructure and determine institutions and organisations that are exempted from cybersecurity regulations.

The duties of the operators mentioned under the Law No. 5809 have been outlined under a separate piece of legislation, namely, the Regulation, indicated above, which has been enacted based on the Law No. 5809.

According to the Regulation, operators are obliged, among other things, to:

  • establish a “Cyber Incidents Intervention Team” within their organisation;
  • set up protection mechanisms, such as user verification or access control, on their IP addresses, communication ports and application protocols;
  • provide protection services against cyberattacks upon request;
  • take all necessary measures against cyberattacks, such as DoS/DDoS attacks and the propagation of malicious software;
  • if the source of a cyberattack reported by the Computer Emergency Response Team is one of the operator's own users, notify that user and suspend the electronic communication service if the user so requests; and
  • if the source of a cyberattack reported by the Computer Emergency Response Team is a user of another operator, ensure that the other operator is notified.

Obligations Arising from Law No. 5651:

  • The Authority must facilitate the coordination between content providers, hosting service providers, access providers and other related institutions and organisations regarding the determining and preventing of cyberattacks, execute the operations for taking the necessary measures and conduct necessary studies. 
  • Collective usage providers are obliged to take the necessary measures to fight against crimes and detect criminals within procedures and principles as determined under the applicable legislation. 

Obligations Arising from Decree No. 2012/3841:

  • Please see above the obligations arising from Law No. 5809.

N/A

Cybersecurity Act 2018:

  • Owners of critical information infrastructure must: (a) comply with codes and directions; (b) conduct audits and risk assessments; (c) report cybersecurity incidents; and (d) participate in cybersecurity exercises; and
  • Certain cybersecurity service providers will need to be licensed.

CMA:

  • The following activities are prohibited: (a) unauthorised access or modification of computer material; (b) unauthorised use or interception of computer services; (c) obstructing the use of computers; (d) unauthorised disclosure of computer access codes; (e) providing, receiving or supplying personal information which the person knows or suspects was obtained through unauthorised means; and (f) dealing with items designed for, adapted to and used to commit computer crimes.

MAS Rules:

  • Establish methodologies for system testing, conduct penetration testing and source code review, and enable recovery measures and user access controls;
  • Board and senior management of regulated entities are to: (a) ensure an appropriate accountability structure and organisational risk culture is in place, and (b) be trained in technology risk and cybersecurity;
  • Notify the MAS of breaches of security and confidentiality of financial institutions’ customer information (MAS Notices and Guidelines on Technology Risk Management and the MAS Guidelines on Outsourcing); and
  • Implement cybersecurity measures to protect IT systems, and prevent and mitigate against cyberattacks (MAS Notices on Cyber Hygiene).

6. Sanctions & non-compliance 

Administrative sanctions:

Law No. 5809

The Authority is authorised to inspect and monitor the compliance of operators and consequently has the right to impose, among others, the following sanctions:

  • an administrative fine of up to 3% of the operator’s net sales of the previous calendar year;
  • the suspension of the operator’s authorisation, in the case of gross negligence;
  • if the operator initiated its operations recently, an administrative fine from TRY 1,000 to TRY 1m, or other sanctions specified within the Law, considering the applicable circumstances;
  • the temporary suspension of the operator’s operations or the imposition of other tangible measures in the cases specified in the applicable regulations in effect prior to the incident.

Law No. 5651

As mentioned in our responses to “Key Obligations” above, collective usage providers must take the necessary measures to fight against crimes and detect the individual engaged in such criminal activity. Commercial collective access providers who violate this liability shall receive a warning, an administrative monetary fine and/or the suspension of their business operations for up to three days. 

Criminal sanctions:

Law No. 5237

Various penalties for cybercrimes have been determined under the Law No. 5237. These are as follows:

Any person who unlawfully accesses, partially or fully, a data processing system, or remains within such system, shall be subject to a penalty of imprisonment for a term of up to one year or a judicial monetary fine.

Where the act defined in the paragraph above is committed in relation to a system that is only accessible upon the payment of a fee, the penalty shall be decreased by up to a half.

Where any data within any such system is deleted or altered because of this act, the penalty to be imposed shall be a term of imprisonment of six months to two years.

Any person who prevents the functioning of a data processing system or renders such system useless shall be subject to a penalty of imprisonment for a term of one to five years.

Any person who deletes, alters, corrupts, or bars access to data, or introduces data into a system or sends existing data to another medium shall be subject to a penalty of imprisonment for a term of six months to three years.

Where this offence is committed in relation to a data processing system of a public institution or establishment, bank, or institution of credit, then the penalty to be imposed shall be increased by a half.

Where a person obtains an unjust benefit for himself or another by committing the acts defined in the aforementioned paragraphs, and such acts do not constitute a separate offence, this person shall be subject to a penalty of imprisonment from two years to six years and a judicial fine of up to 5,000 days.

Any person who produces, imports, transfers, stores, accepts, sells, offers for sale, purchases, gives to another person or holds equipment, a computer program, a password or other security code that was produced or created for committing the abovementioned crimes, or other crimes that could be committed using information systems, shall be subject to imprisonment of one to three years and a judicial fine of up to 5,000 days.

Others: 

N/A

N/A

Administrative sanctions:

Cybersecurity Act 2018: 

  • Fines not exceeding SGD 10,000 for each contravention or non-compliance which is not an offence, but not exceeding SGD 50,000 in aggregate.

Criminal sanctions:

Cybersecurity Act 2018:

  • Varies depending on the specific offence, although in general a criminal fine not exceeding SGD 100,000 or imprisonment for a term not exceeding two to ten years or both.

CMA:

  • A criminal fine not exceeding SGD 50,000 or imprisonment for a term not exceeding ten years or both; and
  • In respect of protected computers, a criminal fine not exceeding SGD 100,000 or imprisonment for a term not exceeding 20 years or both.

Others: 

CMA: 

  • Compensation for damage caused to computer, programme or data. 

MAS Rules:

  • Varies depending on the type of regulatory instrument that sets out the specific rules (e.g. directives, guidelines, notices or circulars). For example, the contravention of guidelines is not a criminal offence and does not attract civil penalties, but may have an impact on the regulator's overall risk assessment of that entity and the renewal of licences issued by the regulator. Circulars, on the other hand, are documents sent for the relevant entities’ information and have no legal effect. Notices primarily impose legally binding requirements on a specified class of financial institutions or persons.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes, the Computer Emergency Response Team (National Centre for Intervention to Cyber Incidents - USOM) (the “Team”) was founded within the Authority to detect the threats within the cyberspace, develop measures to prevent and minimise the effects of potential cyberattacks and share information with relevant actors when necessary. The Team also evaluates the cyberattack notifications and facilitates the coordination between relevant public and private organisations. 

Additionally, once again within the Authority, the Intervention Team for Sectoral Cyber Incidents and the Intervention Team for Institutional Cyber Incidents have been established under the abovementioned Team. 

  • The Intervention Team for Sectoral Cyber Incidents ensures that measures against, among others, cyberattacks, DoS/DDoS attacks and the propagation of malicious software are taken in the energy, banking and finance, transportation, critical public services, water management and electronic communications sectors. Incidents in these sectors that fall within the responsibility of the Intervention Team for Sectoral Cyber Incidents are reported to, and handled under the coordination of, the Team.
  • The Intervention Team for Institutional Cyber Incidents operates in the same way as the Intervention Team for Sectoral Cyber Incidents, but for matters connected to ministries, separate public institutions and other public institutions holding information systems.

The National Cybersecurity Centre (which is part of GCHQ) does not regulate the NIS Regulations but has a role in providing technical support and guidance by the following:

  • a Single Point of Contact (SPOC) – for engagement with EU partners, coordinating requests and submitting annual incident statistics;
  • a Computer Security Incident Response Team (CSIRT) to provide advice and support where reported incidents are identified or suspected of having a cybersecurity aspect;
  • being a Technical Authority on Cyber Security – to support OESs and CAs with advice and guidance, and to act as a source of technical expertise. For example, it provides:
    • a set of 14 NIS Security Principles for securing essential services;
    • a collection of supporting guidance for each principle;
    • a Cyber Assessment Framework (CAF) incorporating indicators of good practice; and implementation of guidance and support to CAs.

Yes, the Singapore Computer Emergency Response Team (SingCERT) responds to cybersecurity incidents for its Singapore constituents. It was set up to facilitate the detection, resolution and prevention of cybersecurity related incidents on the Internet.

8. National cybersecurity incident management structure

Please see above our responses to “Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?”

Yes, see above.

According to Singapore’s Cybersecurity Strategy, the National Cyber Security Centre (part of the CSA) will coordinate with sector regulators to provide a national level response and facilitate quick alerts to cross-sector threats.

9. Other cybersecurity initiatives 

The Cybersecurity Initiative was established under the Board of Internet Development, an organ within the Authority. The aim of the Cybersecurity Initiative is to conduct studies and present new ideas regarding cybersecurity matters to the Ministry by working with sectoral stakeholders, facilitating the exchange of ideas and coordination among relevant institutions, and developing new common positions.

No.

Singapore’s Cybersecurity Strategy sets out Singapore’s vision, goals and priorities for cybersecurity. It engenders coordinated action and facilitates international partnerships for a resilient and trusted cyber environment.

Döne Yalçın
Managing Partner Turkey
Istanbul
Sinan Abra
Iremgül Mansur
Diego Rodríguez, LL.M.
Partner
Santiago
Sheena Jacob