This post is authored by guest blogger, Naz Değirmenci, BTS & Partners. Not affiliated with Covington & Burling LLP.
On April 7, 2016, Turkey’s law on Personal Data Protection, number 6698 (the “Law”) was published in the Official Gazette and came into force. Although the Turkish Constitution establishes a general right to privacy, and there are a patchwork of personal data protection provisions contained within sector-specific regulations, the Law represents Turkey’s first dedicated privacy and data protection statute. The Law is based on the European Union’s 1995 Data Protection Directive (95/46/EC) (the “Directive”), but differs from the Directive in a number of important respects.
The Law will be implemented during a two-year transitional period, whereby various provisions will enter into force at different times. For example, the Law’s provisions governing data processing are effective from the date of publication in the Official Gazette. Other provisions, such as those governing the transfer of personal data to third parties and those outside of Turkey, will take effect six months after the date of publication. The Turkish Data Protection Authority (the “DPA”) also will be established within this period. Secondary legislation establishing rules on the erasure, destruction, and anonymization of personal data, the Data Controllers Registry, and the operational rules of the DPA will take effect not later than 12 months after the date of publication.
The Law protects the private life and the fundamental rights and freedoms of natural persons with respect to the processing of personal data, and regulates the procedures and principles by which such data are processed. The Law applies to all natural persons whose personal data are processed and to all natural and legal persons who, whether wholly or partly, process personal data.
The Law creates exemptions where the data are (i) used by a natural person in the course of a purely personal, household activity; (ii) used for historical, statistical or scientific aims, provided that the data are anonymized; (iii) processed within the scope of art, history, literature, scientific purpose, and freedom of speech, provided that such processing does not violate personal rights or the right to privacy, economic security, public order, public security, national security or national defense; (iv) processed within the context of intelligence activities and to maintain national defense, national security, public order, public security or economic security; or (v) processed where necessary for the protection of the economic or financial interests of the State, including in relation to monetary, budgetary, and taxation matters.
Personal Data Processing
The Law defines the processing of personal data — that is, all types of information relating to an identified or identifiable natural person — as any operation which is performed in relation to such data, including their retrieval, recording, storage, alteration or transfer to third parties or those outside of Turkey. Personal data may only be processed after informing the data subject and, significantly, having obtained the data subject’s explicit and freely-given consent.
That said, the Law provides several exceptions to the requirement that a data subject’s consent first be obtained. These include where (i) the processing is explicitly provided by the Law; (ii) the processing is intended to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; (iii) the processing is directly related to the performance or establishment of a contract; (iv) the processing is necessary for the establishment, exercise or defense of legal claims; (v) the processing is required so that the data controller can fulfil its legal obligations; (vi) the processing is required in order for the data controller to perform an official duty, such as the disclosure of employees’ data to third-party financial auditors for accountancy purposes; and (vii) the personal data are made publically available by the data subject.
The Law defines special categories of personal data as those data which reveal a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, dress and appearance, political or professional associations, trade union memberships, health and sex life, criminal convictions and security measures, or biometric and biological data.
Other Key Provisions
Transfer of Personal Data to Third Parties and Abroad. Personal data may only be transferred abroad if the data subject has given explicit consent, albeit the exceptions relating to the processing of personal data noted above also apply to data being transferred outside of Turkey. Where the country to which personal data are being transferred does not offer an adequate level of protection, the data controller in Turkey and the data importer must enter into a written agreement and undertake to provide an adequate level of protection for the data. Such agreements are subject to the approval of the Board, i.e., the decision-making body of the DPA.
The Board is authorized to prohibit the transfer of personal data abroad where the interests of Turkey or the data subject may be seriously harmed, and will seek the opinions of the relevant public institutions when making its decision. Data transfer obligations arising from international treaties constitute an exception to this rule.
Information to be Provided to the Data Subject. Data subjects have the right to request information concerning whether their data are or have been processed, the purposes for which they are processed, the means and legal basis of the data collection, and to whom the data are or have been transferred. Data subjects also have the right to request the disclosure of activities related to their personal data, such as the erasure, deletion or rectification of such data by the data controller. Finally, data subjects may object to a decision based solely on the automated processing of data relating to them, and may claim compensation for damages suffered as a result.
Data Controllers’ Obligations. Data controllers must register with the Data Controllers’ Registry before commencing data processing, unless they can rely on one of the exceptions provided by the Law. Data controllers must respond to data subjects’ access and other requests free of charge and, depending on the purpose of the application, should do so as soon as possible and not later than 30 days after the request is made. They must also provide information to data subjects, when requested, and fulfil their security obligations to ensure that data cannot be unlawfully accessed or processed.
Data Processors’ Obligations. Data processors are directly subject to the Law. Accordingly, they must comply with its principles governing data processing activities, and share responsibility with the data controller to take the measures necessary to maintain data security and to prevent unlawful access to personal data.
Sanctions. Administrative fines of up to TRY 1,000,000 (EUR 311,000) and/or imprisonment of one to four years may be imposed for breaches of the Law.