Turkey’s Law on Protection of Personal Data No. 6698

Turkey’s Law on Protection of Personal Data No. 6698, also known as the Data Protection Law for short, is a comprehensive data protection law that was passed in Turkey in 2016. Prior to the passing of the Data Protection Law, Turkey had yet to adopt any legislation related to the protection of data privacy rights. As such, Turkey sought to provide the citizens of their country with data protection rights on the same level as those offered by the EU’s General Data Protection Regulation (GDPR). To this end, the Data Protection Law outlines the various restrictions and responsibilities that data controllers must abide by when processing the personal data of Turkish citizens.

What is the scope and applicability of the Data Protection Law?

Unlike the General Data Protection Regulation, Turkey’s Data Protection Law does not contain any specific territorial scope. Alternatively, the Data Protection Law applies to:

• Natural persons whose personal data is proceeded
• Natural or legal persons who process such data fully or partially through automatic or non-automatic means only for the process which is part of any data registry system set out in the Law.

In terms of the material scope of the law, the Data Protection Law defines personal data to mean “as an operation that is carried out on personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification, or preventing the use thereof, fully or partially through automatic or non-automatic means only for the process which is a part of any data registry system”. As such, any structured system that is used to facilitate the access to the personal data of Turkish citizens according to a specific criterion will fall under the scope of the Data Protection Law.

What are the requirements of Data controllers under the Data Protection Law?

As is the case with many other privacy laws around the world, the Data Protection Law establishes various data protection principles that data controllers must adhere to when processing the personal data of data subjects. These principles include:

• Personal data must be processed both lawfully and fairly.
• Personal data must be accurate and where necessary, kept up to date.
• Personal data must be processed for specific, explicit, and legitimate purposes.
• Personal data must be relevant, limited, and proportionate to the purposes for which they are processed.
• Personal data may only be retained for the period of time that is determined by the law, or for the period deemed necessary for the intended purposes of data processing.
• Data controllers are obliged to prevent both the unlawful processing and access of personal data, and ensure the retention of personal data.
• Data controllers are obliged to carry out necessary audits to ensure that they maintain compliance with the law.
• Data controllers are required to comply with data transfer conditions for data transfers within the country, as well as cross-border data transfers.
• Data controllers are also responsible for creating a data inventory for all personal data processed within Turkey. This data inventory must include identifying information, data categories, the intended purpose of data processing, data subject groups, recipient or recipient groups to which personal data may be transferred, information concerning whether the relevant data category is transferred abroad, data security measures that are to be undertaken by associated data controllers, and the maximum period of time for which personal data will be processed.

What are the rights of data subjects under the Data Protection Law?

Under the Data Protection Law, data subjects are granted a variety of rights in accordance with the law. These rights include the following:

• The right for a data subject to request information concerning whether their personal has been or is being processed.
• The right to request information related to how their data was processed, if a data subject’s personal data has been processed.
• The right to request information related to the intended purpose for data processing, as well as whether a data subject’s data has been used in a manner that is consistent with this intended purpose.
• The right to request information regarding the identities of natural or legal persons with whom a data subject personal data may have been shared with.
• The right to request that a data controller correct, erase, or remove personal data pertaining to a data subject.
• The right to request information confirming whether or not a data subject’s data is transferred, as well as the right to request information relating to whether or not the associated data controller has advised any third parties to which this data has been transferred concerning the correction, erasure, and removal of said data, if such changes are requested by the data subject.
• The right to object to any negative consequence that may result from a data subject’s data being analyzed exclusively through the use of automated systems.
• The rights to access, rectification, erasure, and to be informed.
• The right to seek compensation in the event that any of the rights stated above are violated.

In terms of sanctions and penalties for non-compliance, data controllers who are found to be in violation are subject to a variety of punishments. These punishments include a prison sentence of six months to four years and administrative fines ranging from TRY 5,000 ($575) to TRY 1 million ($115,190), as well as the right for data subjects to claim compensation for the unlawful collections or processing of their personal data. What’s more, there are also sector-specific fines that can be levied against businesses and organizations who violate the law, which can include up to 3% of an agency’s calendar year’s net sales.

As Turkey was one of the many countries around the world that had yet to pass comprehensive data privacy legislation prior to the passing of the Data Protection Law in 2016, the law serves as a resource for the protection of the data privacy rights of Turkish citizens. As the goal was to provide Turkish citizens with the same level of data protection as is offered by the EU’s General Data Protection Regulation, Turkey’s Data Protection law provides steep punishments for data controllers who are found to be in non-compliance. To this end, the data protection rights of Turkish citizens can be protected at all costs.