The right to the protection of personal data is regulated under Article 20(3) of the Constitution of the Republic of Turkey, as amended in 2010. The right to data protection, as defined under the Constitution, includes the right to be informed about the processing of personal data, the right to access, the right to rectification or deletion, and the right to be informed about whether personal data is being used in accordance with its proposed purposes. The Constitution also states that personal data may be processed in certain cases stipulated under the law, or upon the explicit consent of the data subject.
On 24 March 2016, Turkey adopted the Turkish Data Protection Law No. 6698 (TDPL), which is Turkey’s first comprehensive data protection law. The TDPL came into force on 7 April 2016 and offered a two-year grace period for bringing practices concerning the personal data collected prior to enforcement of the TDPL into compliance with the new regime. The TDPL has been completely in force since 7 April 2018, apart from the data controller notification requirement, which will gradually enter into force starting in June 2020.
The TDPL is part of Turkey’s long-lasting efforts to align its national legislation with the European Union acquis, as the TDPL is based primarily on the GDPR’s predecessor, EU Directive 95/46/EC. Generally, the TDPL implements principles and conditions concerning accountability and transparency, which are applicable to the processing, transfer and destruction of personal data, as well as the rights of data subjects. The TDPL predominantly follows European terminology for data protection concepts, although there are certain differences that may take effect in specific scenarios. The Turkish data protection regime is primarily regulated through the obligations set out for data controllers.
The TDPL established the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu – KVKK) as the main regulatory and supervisory body, which has administrative and financial independence and is in charge of regulating the data protection activities pursuant to the principles set forth in the TDPL, as well as monitoring compliance with the TDPL and protecting the rights of individuals through compliance and audit mechanisms.
The KVKK is tasked with following the legal and practical developments in relation to its duties, providing opinions and suggestions, conducting research and investigations, collaborating with public institutions, non-governmental organisations, professional organisations and universities, and performing other duties stipulated in the legislation. The KVKK’s Board is the decision-making body of the authority, whose duties include the following:
The KVKK has issued secondary legislation to further develop the data protection framework with regard to the obligations of data controllers, such as data controller notification, deletion, the destruction and anonymisation of personal data, data subject access requests, and data processing (privacy) notices.
The KVKK is significantly understaffed compared to its European counterparts, but since its establishment in 2017 has taken an active role in publishing guidelines, issuing secondary legislation and resolutions, and raising public awareness through various activities. The KVKK has been allocated a budget of TRY46.3 million (EUR7 million) for 2020, which may be comparable with pre-GDPR budgets seen throughout the EU, but is at the lower end in comparison to post-GDPR budgets.
The KVKK Board is authorised to conduct investigations upon complaint or ex officio. The investigation procedure is broadly regulated. During investigations, the KVKK Board may request information from the data controller, which the data controller must then provide within 15 days. Following the investigation, the KVKK Board may issue an administrative fine and/or order the data controller to bring processing operations into compliance with law, which must be carried out within 30 days.
Data controllers may seek judicial remedy against the KVKK Board’s decisions. Data controllers may file objections against the KVKK Board’s decisions on administrative fines before the Criminal Court of Peace within 15 days. The decisions of the Criminal Court of Peace may be appealed before another Criminal Court of Peace in the same district. Other KVKK Board decisions fall under the jurisdiction of the administrative courts, the decisions of which may be appealed before the Council of State.
The Turkish Criminal Code stipulates three categories of criminal penalties that may also be triggered by non-compliance with the TDPL. These crimes may be prosecuted without any complaint – ie, ex officio by public prosecutors – or upon reports filed by the KVKK, subject to Turkish criminal procedure law.
Turkey is not part of any multinational privacy system, but the European system has a significant effect on the Turkish data protection regime. Turkey was one of the first countries to become a member of the Council of Europe, and despite having been a signatory state to Convention No. 108 since 28 January 1981, Turkey only ratified the convention in 2016 after adopting its national comprehensive data protection legislation, the TDPL. Turkey has not yet signed the Modernised Convention No. 108+. In 2019, the KVKK was accredited to the European Conference of Data Protection Authorities.
As a candidate country for EU membership, Turkey continuously takes steps to align its national legislation with the EU acquis. This also includes harmonising Turkish legislation with the EU data protection framework; as such, the TDPL was drafted mostly in line with EU Directive 95/46/EC. Therefore, the application of the TDPL is significantly influenced by European data protection practice, and serious consideration is given to pre-GDPR practice as well as to current GDPR practice in Europe. Turkey also adopted regulations mostly in line with EU Directive 2002/58/EC, albeit spread out across separate legal instruments. Turkey is looking to amend the TDPL to harmonise its national legislation with the GDPR, as specified in Turkey’s 2019-2023 Development Plan.
A handful of NGOs have been established in the form of associations that aim to generate public and academic debate about contemporary privacy issues, raise public awareness, and help develop the Turkish data protection practice.
Most industry-specific legislation has not been revisited after the adoption of the TDPL. Therefore, industry-specific organisations have a significant role in determining the best practices for their respective industries. A number of such industry-specific organisations have drafted codes of conduct to help companies establish practices in compliance with the TDPL as well as industry-specific regulations.
Being a signatory state to the Council of Europe’s Convention No. 108 and a candidate country for EU membership, Turkey follows the EU data protection model. The TDPL functions as the comprehensive data protection framework. The Turkish data protection regime can be considered a developing data protection system. The TDPL provides the core values of data protection and sets out several mechanisms to ensure accountability and transparency; however, the TDPL’s instruments are less effective than those of the GDPR, which is understandable considering that the TDPL is based on EU Directive 95/46/EC rather than the GDPR. This is largely considered an informed choice, and the TDPL is seen as a stepping-stone to set the baseline and raise awareness about data protection compliance until a more extensive framework is introduced. Although administrative fines are significantly lower than under the GDPR, TDPL enforcement is relatively more aggressive than in EU practice.
Turkey does not have a comprehensive data localisation requirement, and the TDPL enables cross-border transfers similar to the GDPR’s regime, requiring additional safeguards to be taken if the personal data is transferred to countries without an adequate level of protection (please see 4.2 Mechanisms That Apply to International Data Transfers). However, further to the sectoral data localisation requirements discussed in 2.2 Sectoral and Special Issues, Turkey’s goals as listed in the 2019-2023 Development Plan include establishing the framework for cross-border transfers and defining which data must be stored in Turkey for security and strategic reasons. The 2019-2023 Development Plan also includes amending the TDPL in light of the GDPR and incentivising privacy-enhancing technologies. The TDPL’s alignment with the GDPR would also be a positive development in relation to resolving the issues regarding the TDPL’s cross-border data transfer regime, and would help Turkey be recognised as a country providing an adequate level of protection.
Presidential Circular No. 2019/12 on Information and Communications Security published in July 2019 lists a number of measures that must be taken in order to maintain the confidentiality, integrity and accessibility of critical data. The Presidential Circular sets out obligations for public institutions and electronic communications service providers, although more stakeholders are likely to be affected. As per the Presidential Circular, civil registry, health, communications, genetics and biometric data must be stored in Turkey. Critical data retained by public institutions must be stored in closed and secured networks; public institutions can only store data in their own servers or use cloud services provided by local operators authorised by the ICTA; and the development of local encryption technologies will be incentivised.
The TDPL sets out a comprehensive data protection framework built on the principles of accountability and transparency.
The TDPL does not include a provision on its territorial scope, and does not determine when a foreign data controller’s processing of personal data would trigger the TDPL’s application. Nevertheless, the KVKK has issued secondary legislation requiring data controllers established outside of Turkey to notify the KVKK of their data processing activities, effectively placing foreign data controllers under the scope of the TDPL. The KVKK has even enforced the TDPL against foreign data controllers, imposing a number of administrative fines on the grounds of insufficient technical and organisational measures to safeguard lawful processing. Although neither the TDPL nor the KVKK provides any criterion concerning extra-territorial application, the GDPR’s provision on territorial scope and the European Data Protection Board’s relevant guidelines serve as reference points for the KVKK’s practice.
Data controllers not established in Turkey must appoint a natural or legal person in Turkey as their data controller representative, who acts as the point of contact for the KVKK and data subjects in Turkey.
Data controllers must process personal data in accordance with the principles of processing, must rely on one of the legal grounds for processing, and must provide information to the data subjects regarding their processing activities (ie, a privacy notice). While the principles of processing regulated under the TDPL are almost identical to the principles found under EU Directive 95/46/EC and the GDPR, the legal grounds for processing have certain differences from the European approach; in most cases these differences have little practical effect, although careful consideration is necessary. The legal grounds for processing include explicit consent, the performance of a contract, legitimate interests, rule of law, legal obligations, the exercise or defence of legal claims or rights, that the data was made public by the data subject, and vital interests. The provision on privacy notices is similar to the European approach; however, practice is still evolving and best practices are still under debate. The KVKK issued a separate communiqué to elaborate the content of privacy notices and to address the manner of providing a notice if personal data was not obtained from the data subject. The legislation does not provide any exceptions to this requirement, such as where the data subject already has the information or where the provision of such information would be impossible or would involve a disproportionate effort. Internal-facing privacy policies are not mandatory, but the adoption of such policies is regarded as an organisational measure to ensure the lawful processing of personal data.
The TDPL requires certain data controllers to keep records of their processing activities by preparing a personal data processing inventory, to notify the KVKK regarding their data processing activities and also to prepare a data retention and destruction policy (please see Record Keeping and Notification Requirements in the Trends & Developments section for further information).
Data controllers must ensure that all of the necessary technical and organisational measures are taken to provide an appropriate level of security for the purposes of preventing unlawful processing and unlawful access, and to ensure the retention of personal data. Data processors are jointly liable with data controllers with regard to such technological and organisational measures. The TDPL obliges data controllers to notify the KVKK and the data subjects if personal data has been acquired by third parties through unlawful means. Unlike under the GDPR, breach notification is not preceded by a risk assessment to determine if a breach is notifiable. The KVKK’s secondary legislation requires breach notifications to be made within 72 hours; they can be filed online on the KVKK’s website.
The TDPL does not require data controllers to appoint a data protection officer, although public institutions are required to appoint a co-ordination manager. The concepts of privacy by design and privacy by default are not embedded in the TDPL, but are considered best practices and, in certain cases, a necessity to comply with the principles of data processing. Privacy impact assessments are not specifically regulated either, although the KVKK considers them to be an organisational measure to safeguard personal data.
Data subjects have the right to be informed about the processing of their data, the purposes of the processing and the recipients of their data, and have the right to erasure and rectification, the right to have such erasures and rectifications communicated to the recipients of the data, and the right to object to adverse decisions about them based solely on automated processing. The TDPL also grants data subjects the right to seek compensation if they incur damages due to the unlawful processing of personal data. The right to data protection has its roots in the right to privacy, which is protected as a personal right under Turkish Civil Law. Although the right to seek compensation under the TDPL has not yet made its way into court precedents, by analogy with Turkish legal practice surrounding the right to privacy, data subjects should be able to request pecuniary damages as well as moral damages on the grounds of loss of reputation, emotional distress, embarrassment, and encroachment on dignity or personal autonomy.
Data controllers must erase, destroy or anonymise the personal data after the end of the retention period necessary for the purposes of processing. The KVKK’s Regulation on Erasure, Destruction or Anonymisation of Personal Data regulates a secondary period (30 days or six months) in which the erasure, destruction or anonymisation procedure must be carried out.
The KVKK’s regulation seeks absolute anonymisation, where the data cannot be attributed to an identified or identifiable natural person irreversibly, even upon linking with other data by the data controller or other recipients. In 2017, the KVKK published its guidelines regarding erasure, destruction and anonymisation methods. Pseudonymisation is regarded as a technical measure to safeguard the data, as such procedure is irreversible.
There are no specific restrictions on profiling, automated decision making, online monitoring or tracking, Big Data analysis, artificial intelligence, or algorithms. As such, the general rules would apply.
The TDPL sets forth a separate regime for the processing of special categories of personal data, which include race, ethnicity, political opinions, philosophical, religious, sect or other beliefs, clothing and attire, association, foundation or trade union membership, health and sexual life, criminal records and security measures, and biometric and genetic data. The TDPL prohibits the processing of special categories of personal data unless the data subject grants consent. Except for health and sexual life data, special categories of personal data may be processed without consent, but only under the circumstances stipulated by law. Health and sexual life data may only be processed without consent by individuals or organisations who are under an obligation of confidentiality and for the purposes of public health, preventative medicine, medical diagnosis, treatment and care services, and to plan and manage health services and financing.
In 2018, the KVKK issued a board decision regarding the adequate measures to be taken by data controllers when processing special categories of personal data. The decision introduces additional measures to be taken in relation to special categories of personal data, such as issuing a separate policy governing the processing of special categories of personal data, entering into confidentiality agreements with employees, encrypting stored data, and using two-factor authentication for remote access to the data.
Sector-specific regulations may apply in relation to certain significant categories of data, such as health data, financial data and communications data, although the latter two are not categorised as special categories of (sensitive) personal data.
Except for healthcare and related industries, health data may only be processed with explicit consent. The processing of health data in relation to the provision of healthcare services is regulated by the Ministry of Health’s Regulation on Personal Health Data, which outlines how health data must be handled, as well as tackling de-identification, masking, and other technical measures and special rules regarding children’s health data. Even if health data is processed for the purpose of providing healthcare services, the TDPL still requires explicit consent if a person with no confidentiality obligation can access the data, such as assistants, accountants and other personnel. Therefore, in practice, patients would most likely be expected to sign explicit consent forms before being cared for or treated.
Processing financial data is also regulated by the relevant regulatory authorities, predominantly the Banking Regulation and Supervision Agency (BDDK), in addition to being subject to the general TDPL framework and the KVKK’s regulations. The BDDK, as per its regulations, requires banks and other financial institutions to take further measures to ensure the security of their processing operations, and also to maintain their IT systems (and, in some cases, third-party cloud computing systems) in Turkey, thereby enforcing data localisation for certain regulated financial entities.
In March 2020, the Banking Law was amended, setting forth that banks cannot transfer confidential customer data related to banking activities to third parties in Turkey or abroad, even if the customer grants their consent, except where such transfer is legally required or requested/instructed by the customer. The BDDK is authorised to decide whether cross-border transfers are appropriate, and may prohibit cross-border data transfers as per its evaluation of economic safety, or issue resolutions on the scope of data localisation requirements.
Similarly, the Capital Markets Board’s Communiqué on Information Systems Management requires the Istanbul Stock Exchange (Borsa Istanbul), other stock exchanges and markets, retirement investment funds, portfolio and fiduciary service providers, capital markets institutions and public companies to maintain their primary and secondary systems in Turkey. Although not expressly defined, this data localisation provision is generally interpreted to relate only to the relevant data with respect to the Capital Markets Board’s jurisdiction.
The Turkish telecoms authority (ICTA) issued its first regulation on data protection in 2004, drafted in accordance with EU E-Privacy Directive 2002/58/EC, well before Turkey adopted the TDPL. The ICTA’s data protection regulation was restructured in 2012, embedding data retention requirements stricter than EU Data Retention Directive 2006/24/EC and prohibiting cross-border transfers of personal data without exception. In 2014, the Turkish Constitutional Court annulled the provision in the Electronic Communications Law (ECL) empowering the ICTA to issue regulations concerning data protection. Although the ECL was later amended to cover the general framework of the EU E-Privacy Directive with certain adjustments, the ICTA has yet to reissue a regulation; however, data retention requirements have been included in other regulations governing electronic communications providers. Electronic communications providers may only process traffic or location data under the specific circumstances stipulated in the ECL or on the grounds of explicit consent given by subscribers or users. Although the EU’s e-privacy regime is supplementary to the general data protection framework, which is outlined by the TDPL in Turkey, the ICTA remains in charge of regulating the Turkish e-privacy regime towards regulated electronic communications providers because those rules are embedded in the ECL. The ICTA is currently working on a data protection regulation in line with both the ECL and the TDPL, and also in consideration of the proposed EU E-Privacy Regulation, which the EU is looking at as a replacement for the EU E-Privacy Directive.
There is no specific protection or regulation for vulnerable groups within the general framework of data protection, such as children or people with disabilities. The general consensus is that, in accordance with the Turkish Civil Code, children lack the legal capacity to enforce their rights until they are 18 years old; in the absence of any specific regulation in the TDPL, this also applies to data subject rights stipulated in the TDPL. Although the TDPL does not regulate parental consent or mechanisms to ensure parental oversight in relation to children’s rights as data subjects, the general principles of law would necessitate a similar practice and require consent from their parents or guardians.
The Code of Obligations provides that employers may only process employee data in relation to employability or the performance of the employment agreement. Labour Law and work health and safety regulations set forth a wide range of data retention and government disclosure requirements, some of which cover the processing of employee health data. The validity of explicit consent granted by employees is considered a risk due to the unequal nature of their relationship with the employer, which may prevent the explicit consent from being freely given. However, given the highly restrictive regime for processing health data, many organisations resort to relying on explicit consent for processing the health data of their employees (please also see 2.4 Workplace Privacy).
For the historical reasons explained above regarding the ECL, cookies are regulated in the ECL, but those provisions only concern electronic communications providers; other data controllers are merely subject to the general framework. Although the general framework of the TDPL necessitates legal grounds similar to the European approach (ie, notification-only mechanisms for certain types of cookies and consent mechanisms for others), the KVKK has not yet provided any guidance on this topic.
There is also no specific data protection regulation regarding browsing data, viewing data, beacons, location data, do not track and tracking technology, behavioural advertising, or activities of social media, search engines or large online platforms, and therefore general provisions of the TDPL apply in each case.
Certain crimes committed online are subject to Law No. 5651, which establishes the framework against the crimes committed on the internet and regulates hosting providers, content providers and access providers, setting forth data retention requirements and the procedures for removing unlawful content and access bans. Law No. 5651 establishes different takedown/access ban regimes depending on the nature of the unlawful content. There are four categories of legal grounds for content takedowns or access bans:
Access ban decisions may be rendered by courts or, in certain cases, by public prosecutors or the ICTA.
The general framework for unsolicited communications is set out in Law No. 6563 on the Regulation of Electronic Commerce (E-Commerce Law) and is enforced by the Ministry of Commerce. The E-Commerce Law was drafted in accordance with EU Directive 2002/58/EC but also covers a large portion of EU Directive 2000/31/EC. The Turkish commercial communications regime is based on an opt-in requirement applicable to B2C (business to customer) communications, while commercial communication is allowed for B2B (business to business) communications if the recipients do not opt out. In contrast with EU Directive 2002/58/EC, soft opt-in consent does not suffice under Turkish legislation to send electronic messages promoting goods or services similar to those purchased by the recipient. The Ministry of Commerce issued a new regulation in January 2020 and established a centralised opt-in and opt-out register (IYS). All persons wishing to send commercial electronic messages are obliged to register with the IYS, to upload the opt-in consent previously collected before June 2020, and to keep the IYS records up to date. Starting in June 2020, service providers will only be able to send electronic commercial SMS messages to persons listed under the IYS’s opt-in register relating to each service provider.
Unsolicited communications are broadly considered to be subject to both the E-Commerce Law and the general framework set out by the TDPL. Both the Ministry of Commerce and the KVKK assume jurisdiction and impose sanctions. The ICTA has also introduced separate unsolicited communications rules applicable to electronic communications providers, which prevail over the E-Commerce Law.
There is no specific constraint on behavioural advertising; the general framework of the TDPL applies. Behavioural advertising is, in principle, performed on the basis of explicit consent.
Workplace privacy is governed by the TDPL, while the Code of Obligations sets out that employers may only process employee data in relation to employability or the performance of employment agreements, and the Labour Law regulates that the employer must process employee data fairly and lawfully, and may not disclose data if the employee has a legitimate interest in confidentiality.
The monitoring of workplace communication or employee performance, as well as the use of data loss prevention or similar technologies implemented for information security purposes, can be carried out on the basis of the employer’s legitimate interests, as long as the processing is adequate, necessary and proportionate, and the employee does not have a reasonable expectation of privacy in the relevant context. Informing employees of the nature of the processing via privacy notices is expected.
CCTV use is not considered lawful if the CCTV is placed in resting areas or similar places where the employee may have a reasonable expectation of privacy.
Imposing the widespread use of biometric authentication for access to the workplace is considered unlawful unless it is optional or limited to cases where the employer has an overwhelming interest in such authentication, such as access to a server room.
The TDPL stipulates four types of administrative fines, the amounts of which are adjusted each year for inflation. According to the administrative fines applicable for 2020, data controllers who:
The KVKK does not have an established fine calculation model, unlike some European countries. However, the Law of Misdemeanours requires administrative fines to be determined in consideration of the nature of the misdemeanour, the perpetrator’s fault, and economic status.
In April 2019, the KVKK imposed an administrative fine of TRY1,650,000 (EUR250,000) on Facebook because of a photo API bug that allowed third party access to user photos. In September 2019, the KVKK imposed an administrative fine of TRY1,600,000 (EUR242,400) on Facebook due to a breach that occurred in the “View As” mode used in the video upload tool. Other notable publicly announced enforcements by the KVKK include Marriott International Inc. (TRY1,450,000 – EUR220,000), Dubsmash Inc (TRY730,000 – EUR110,600), Clickbus (TRY550,000 – EUR83,300), and Cathay Pacific Airway Limited (TRY550,000 – EUR83,300).
The Turkish Criminal Code (TCC) stipulates three crimes and corresponding sanctions with respect to data protection. According to the TCC, persons who:
Data subjects may file civil claims seeking compensation for their pecuniary and moral damages against data controllers and also against data processors, considering that the TDPL sets forth a joint liability regime for these two actors. Turkish procedural law does not allow class actions but associations or other legal persons may file group actions, aiming to determine the rights of the data subjects involved, rectify the unlawfulness, and prevent any future violations.
The TDPL does not apply in the following circumstances:
The main principle is that an independent judicial decision is required in order for public prosecutors and law enforcement agents to obtain access to personal data or to use other methods of collecting personal data, such as the search and seizure of electronic equipment and databases or the interception of communications. There are certain exceptions to this principle. For instance, under certain circumstances, where a time delay would have an adverse effect on the matter, the prosecutor or relevant law enforcement body may carry out the relevant data collection procedure and seek judicial approval later. Moreover, prosecutors and law enforcement bodies may request information from public institutions without the need for approval from the judiciary.
Judicial review, where applicable, serves as a safeguard to protect privacy, as does the KVKK’s oversight over data controllers. Despite the relevant processing activities of public agencies not being covered by the TDPL, data controllers granting access to the agencies are still subject to the TDPL, and the KVKK has imposed an administrative fine on a bank that provided more (potentially irrelevant) personal data to a Turkish court than was requested.
The National Intelligence Agency is authorised to request any information from any entity or person. Judicial decisions and judicial approval processes are similar to the discussions under 3.1 Laws and Standards for Access to Data for Serious Crimes.
The TDPL is unclear as to whether a foreign government’s data access request would qualify as a legitimate basis upon which to collect personal data or transfer it outside of Turkey. Where the TDPL applies, one of the legitimate bases for processing is that the processing is mandatory to comply with a legal obligation to which the data controller is subject. However, the wording of the TDPL neither implies nor excludes reliance on this basis when the legal obligations imposed on data controllers stem from foreign jurisdictions.
The key issues and public debates with regard to the TDPL broadly consist of subjects surrounding the lack of a provision determining the TDPL’s extraterritorial application, the unpublished list of countries providing an adequate level of protection, the lack of appropriate and feasible instruments applicable for restricted cross-border transfers, the complexity of the VERBIS registration system, and the restricted regime for the processing of special categories of personal data. Most of these issues are expected to be addressed in a future amendment to the TDPL.
The TDPL’s cross-border personal data transfer regime is based on EU Directive 95/46/EC, even though there are significant structural differences. As per the general framework of the data protection regime, cross-border transfers relying on the data subject’s consent are not restricted. All cross-border transfers relying on other legal grounds are restricted if the receiving country does not provide an adequate level of protection. The TDPL does not make a distinction based on the nature of such cross-border transfers, so there are no derogations for occasional, non-repetitive and limited transfers. If the legal ground for the transfer is not consent and the personal data is being transferred to a country that does not provide an adequate level of protection, the data controller exporting the personal data outside of Turkey must resort to the safeguarding instruments discussed in 4.2 Mechanisms That Apply to International Data Transfers.
The list of countries providing an adequate level of protection should be published by the KVKK. The KVKK is in the process of reviewing a number of countries in this regard; however, no countries have been listed as of January 2020.
Further restrictions may apply to cross-border transfers of personal or non-personal data in sector-specific regulations enforced by the relevant regulatory and supervisory bodies (please see 2.2 Sectoral and Special Issues for sectoral restrictions on cross-border transfers).
The TDPL only specifies one mechanism that applies if the cross-border transfer relies on a legal ground other than consent and where the receiving country does not provide an adequate level of protection. In the case of such restricted cross-border data transfers, the TDPL requires the data exporter and the data importer to undertake adequate protection in writing and to obtain approval from the KVKK Board. The KVKK published its own set of standard contractual clauses (SCCs) to determine the minimum content that must be included in agreements between the data exporters and data importers. The two sets of SCCs include a controller-to-controller agreement and a controller-to-processor agreement, which have slight variations from the EU Commission’s SCCs. As far as is known, the KVKK has not yet approved any cross-border data transfers, as of January 2020.
The TDPL does not specifically mention Binding Corporate Rules as a mechanism to safeguard cross-border intra-group data transfers, but the KVKK is working on implementing a BCR mechanism.
If the data exporter and the data importer use SCCs as a safeguard mechanism, the KVKK’s approval is required prior to performing the data transfer (please see 4.2 Mechanisms That Apply to International Data Transfers).
Moreover, the TDPL has an additional provision about cross-border personal data transfers, which states that personal data may only be transferred abroad if the relevant public institution is of the opinion that there is a risk that Turkey or the data subjects may be significantly harmed, without prejudice to international treaties. However, it is unclear how this provision would be applied in practice and particularly which public institution’s opinion would be required.
There is no comprehensive data localisation requirement. However, certain sector-specific regulations dictate that the relevant regulated companies must store certain personal data in Turkey (please see 2.2 Sectoral and Special Issues for further information and 1.8 Significant Pending Changes, Hot Topics and Issues for potential developments with regard to data localisation).
The ICTA’s regulation on encrypted communications requires public and private entities that have coded/encrypted electronic communications in place to file an application to the ICTA for authorisation, during which the entities should provide a copy of the code/encryption to the ICTA. Exceptions apply.
There are no specific limitations on the collection or transfer of personal data in connection with foreign government requests or foreign litigation proceedings; the general framework of the cross-border transfer regime would apply (please see 4.1 Restrictions on International Data Issues and 4.2 Mechanisms That Apply to International Data Transfers).
There is no “blocking” statute in place that blocks the extra-territorial application of third country data protection legislation.
The TDPL does not include any specific data protection regulations regarding Big Data analytics, automated decision-making, profiling, artificial intelligence (including machine learning), IoT, autonomous decision-making (including autonomous vehicles), geolocation or drones. The KVKK has not yet published any extensive guidance on these topics either. Practitioners currently address these topics by deduction from the general framework and principles of the TDPL, the practice of the European authorities, and the guidelines published by the Article 29 Working Party and the EDPB.
Facial recognition technology is considered a use of biometric data, which is a special category of personal data defined in the TDPL. In most cases, processing biometric data may only rely on explicit consent. The KVKK considers facial recognition and biometric data with respect to whether the processing is adequate, relevant and necessary, and generally regards the excessive use of biometric data, especially for biometric authentication systems, to be unlawful (please see 5.3 Significant Privacy and Data Protection Regulatory Enforcement or Litigation).
Drones raise privacy concerns due to their operating capabilities. The KVKK has not published any guideline on its approach to drones, but the Civil Aviation Authority has taken certain measures, such as requiring registration for pilots flying drones heavier than 500 grams and requiring flight clearance to fly drones in certain areas. Although the aviation regulations do not relate directly to data protection, they do attribute a certain level of accountability to the pilot.
The TDPL does not require organisations to create a data protection officer role within their corporate structure, but some organisations still create an office to oversee their data practices and data protection compliance, depending on the size and nature of their business. For the purposes of maintaining compliance and co-ordination throughout business processes handled by numerous internal stakeholders, organisations usually establish data protection committees or work groups.
Sector-specific associations and NGOs issue white papers and guidelines to establish fair data protection practices within their relevant sectors and in relation to emerging digital technologies, as discussed in 1.5 Major NGOs and Self-Regulatory Organisations.
In May 2019, the KVKK issued an administrative fine against a gym, on the grounds of its use of biometric authentication as the only method for customers to access its facilities. The KVKK found that such practice is excessive and against the data minimisation principle, and that the consent collected by the gym was invalid on the grounds that it was presented as a mandatory procedure for all customers, rather than granted by their free will (please see 2.5 Enforcement and Litigation for information on data protection litigation).
The TDPL establishes a joint liability regime between data controllers and data processors. Therefore, due diligence is particularly important for data controllers when engaging with vendors, suppliers and other businesses that would act as data processors.
Another issue regarding due diligence is the data transfer carried out during the due diligence process itself. It is likely that the data controller subject to due diligence would transfer, or allow access to, documents or information containing personal data to the other party. Generally, data controllers may rely on legitimate interests for such transfers, although the documents would often need to be redacted in order to carve out excessive personal data that is not adequate, relevant or necessary for the purposes of processing. If the due diligence process requires a cross-border transfer of personal data or access to personal data from outside of Turkey, such as where the parties use a virtual data room hosted abroad, the data controller would need to rely on one of the mechanisms explained in 4.2 Mechanisms That Apply to International Data Transfers.
Recent developments have proved that data protection due diligence should not be neglected in M&A transactions. A large number of M&A due diligence projects now cover data protection risks as well as information security risks, and share purchase agreements include data protection compliance as a representation and warranty clause to facilitate indemnity with regard to the legacy data processed or handled before the M&A transaction.
Data controllers that are subject to the data controller notification requirement must disclose on the publicly available VERBIS a list of the technical and organisational measures they have taken, chosen from among the generic categories pre-determined by the KVKK.
As per the Capital Markets Board regulations, companies looking to launch a public offering should prepare a prospectus for investors and provide information about the risk factors in relation to their business. Although there are no specific requirements to include cybersecurity or data protection-related risks in the risk factors section, they should be covered in the prospectus if they are crucial to the relevant business. Depending on the specifics of the relevant incident (eg, a material data breach that may have an impact on the trading price of the shares), public companies may be required to make a general public disclosure.
There are no other significant issues.
Turkish Data Protection Law
Turkey was relatively late to enter the realm of data protection. Despite being a signatory party to the Council of Europe’s Convention No. 108 since 28 January 1981, Turkey only ratified the convention in 2016 after adopting its national comprehensive data protection legislation, namely the Turkish Data Protection Law (TDPL), which was enacted on 24 March 2016 and came into force on 7 April 2016. The TDPL aimed for a smooth transition into the data protection regime by introducing a two-year grace period, which ended on 7 April 2018. The TDPL constitutes Turkey’s first comprehensive data protection legislation, but the protection of personal data was first addressed by Article 20 of the Constitution of the Republic of Turkey (as amended in 2010) as an extension of the constitutional right to privacy. Earlier legislation concerning data protection included the Turkish Criminal Code No. 5237, which specified three separate crimes with respect to personal data, and the Turkish Code of Obligations and several sector-specific laws and regulations. The TDPL is part of Turkey’s long-lasting efforts to align its national legislation with that of the European Union, as the TDPL was drafted primarily based on the GDPR’s predecessor, EU Directive 95/46/EC.
The TDPL established the Turkish Data Protection Authority (KVKK), an independent regulatory and supervisory authority with financial and organisational autonomy to achieve its goals to provide for data protection and develop public awareness. Since its establishment in 2017, the KVKK has taken an active role in publishing guidelines, issuing secondary legislation in relation to the data controller notification, the deletion, destruction and anonymisation of personal data, data subject access requests and data processing notices to complement the TDPL, and organising sector-specific data protection events and conferences to raise public awareness.
The KVKK is significantly under-staffed compared to its European counterparts, but this does not set it back when it comes to imposing hefty administrative fines on data controllers who fail to comply with the TDPL.
The TDPL does not specify its territorial scope, and does not determine when a foreign data controller would trigger its application. As per the general principles of Turkish law, state sovereignty is limited to state boundaries, and Turkish laws – in principle – may only have extra-territorial application if they are specifically regulated as such. Nevertheless, the KVKK has issued secondary legislation effectively requiring data controllers established outside of Turkey to notify the KVKK of their data processing activities, and the KVKK has even enforced the TDPL against foreign data controllers, imposing a number of administrative fines on the grounds of insufficient technical and organisational measures to safeguard lawful processing. Although neither the TDPL nor the KVKK provides any criterion concerning extra-territorial application, the GDPR’s provision on territorial scope and the EDPB’s relevant guidelines serve as reference points for the KVKK’s practice, given its intention to align with EU practice. The uncertainty surrounding the TDPL’s extra-territorial application hinders many foreign data controllers from effectively including the TDPL within their global data protection governance programmes. The inclusion of a definitive legal basis for extra-territorial application is one of the most prominent goals of the anticipated amendment to the TDPL, the details of which are still unclear.
Record keeping and notification requirements
In relation to record keeping and data controller notifications, the TDPL requires data controllers to prepare a personal data processing inventory and to register their data mapping with the KVKK. These requirements stem from the notification requirement under EU Directive 95/46/EC and the record keeping requirement under Article 30 of the GDPR.
Data controllers are required to prepare a personal data processing inventory, which in principle is very similar to the records of data processing under the GDPR, although the KVKK expects the combination of every category of data, the data subjects, the purposes of the processing, and the recipients to be carefully mapped. Data controllers are also required to file a notification regarding their data processing activities with the KVKK via the Register of Data Controllers Information System (VERBIS). There are general and categorical exemptions from both requirements. The general exemptions cover data controllers who have a balance sheet total of less than TRY25 million and employ fewer than 50 employees, so long as the company’s main activity does not concern the processing of special categories of data. Categorical exemptions cover attorneys, notaries public, political parties, mediators, accountants and customs consultants, and certain associations, foundations, labour unions, and data controllers who only process personal data via non-automatic means. No exemptions apply for data controllers established outside of Turkey and the KVKK requires foreign data controllers’ branches established in Turkey to also register on VERBIS if they qualify as separate data controllers. Furthermore, the KVKK requires data controllers (if not exempt) to prepare a data retention and destruction policy, the contents of which are stipulated in the KVKK’s secondary legislation.
VERBIS operates through a multiple-step online registration form, where the data controller is prompted to select a category from amongst the predetermined categories of data, data subjects, recipients, and purposes of processing, as well as the categories for technical and organisational measures. Foreign data controllers are required to appoint a data controller representative in Turkey, who should appoint a Turkish citizen contact person. The contact person is tasked with entering information about the data controller’s data processing activities through the VERBIS online platform. In practice, if the data controller already has GDPR-compliant records of processing activities, the existing GDPR documentation can be converted into the format required by the KVKK; however, in many cases, this process would mean rediscovering and reanalysing the mapped processes. The KVKK also expects data controllers to keep records of their data retention periods on the basis of each type of personal data, each category of personal data, and each processing activity.
The deadline for registering on VERBIS was extended twice in 2019. According to the KVKK’s most recent decision in December 2019, the general deadline for registration is 30 June 2020, covering data controllers whose annual balance sheet total exceeds TRY25 million or whose total number of employees exceeds 50, as well as data controllers established outside of Turkey. Data controllers not meeting either threshold but whose main activity concerns the processing of special categories of data must register on VERBIS before 30 September 2020, and public institutions must register before 31 December 2020. These deadline extensions have been largely welcomed by practitioners, as a great number of data controllers are still having difficulty compiling a data map in the complex format required by VERBIS.
Cross-border data transfers
The TDPL’s cross-border personal data transfer regime is similar to the regime stipulated in EU Directive 95/46/EC, save for certain differences. There are three possible scenarios that may allow personal data to be transferred abroad from Turkey:
In June 2019, the KVKK published the criteria that would be the basis for its adequacy decisions, but it has yet to publish the list of countries providing an adequate level of protection. The KVKK published two sets of standard contractual clauses covering the minimum requirements that the data exporter and data importer should guarantee, but has yet to approve any standard contractual clauses for cross-border data transfers. Therefore, the only functional mechanism currently used for cross-border data transfers from Turkey to third countries is the data subject’s consent. Unlike EU Directive 95/46/EC (or the GDPR), the TDPL does not provide any derogations for specific, occasional and not repetitive transfers, effectively requiring any single cross-border transfer of personal data to be covered in the safeguard mechanisms described above.
In practice, many data controllers whose business model does not allow consent to be obtained from each individual remain non-compliant, and reluctantly wait for developments outlining the appropriate actions they should take. This uncertainty over cross-border data transfers jeopardises the lawfulness of a number of usual business practices, particularly when it comes to cloud computing, centralised IT infrastructure, and intra-group transfers. The KVKK is working on a solution by implementing a binding corporate rules mechanism to address intra-group transfers.
Special categories of personal data
The TDPL sets forth significantly restrictive rules for the processing of special categories of personal data. It prohibits the processing of special categories of personal data without the data subject’s consent. Most of the exceptions found in EU Directive 95/46/EC or the GDPR are not applicable in the TDPL. Special categories of personal data, except for health and sexual life data, may be processed without consent, but only under the circumstances stipulated in the law. Individuals or organisations may only process health and sexual life data without consent under the obligation of confidentiality, for the purposes of public health, preventative medicine, medical diagnosis, treatment and care services, and to plan and manage health services and financing. The absence of any exceptions applicable in usual business practices compels data controllers to either cease the relevant processing activities or to seek the data subjects’ consent, in cases where consent would not normally be considered appropriate with respect to its freely given and unconditional nature.
Processing special categories of personal data is also subject to stricter rules in terms of the technical and organisational measures to be taken. In 2018, the KVKK issued a board decision regarding the adequate measures to be taken by data controllers when processing special categories of personal data. The decision introduces additional measures to be taken in relation to special categories of personal data, such as issuing a separate policy governing the processing of special categories of personal data, entering into confidentiality agreements with employees, encrypting stored data, and using two-factor authentication for remote access to the data.
The TDPL predominantly sets out the obligations of data controllers and the rights of data subjects. Data controllers’ obligations include taking all of the necessary technical and organisational measures to provide an appropriate level of security for the purposes of preventing unlawful processing and unlawful access, as well as ensuring the retention of personal data. Data processors are jointly liable with data controllers with regard to such technical and organisational measures. The TDPL obliges data controllers to notify the KVKK and the data subjects if personal data has been acquired by third parties through unlawful means. Unlike the GDPR, the TDPL does not provide for a risk assessment to determine whether a breach is notifiable. The KVKK’s secondary legislation requires a breach notification to be made within 72 hours, and the KVKK has also published an online form for this purpose.
The TDPL stipulates four types of administrative fines, the amounts of which are adjusted each year for inflation. According to the administrative fines applicable for 2020, data controllers:
As per the KVKK’s 2018 Annual Report, the KVKK received 310 complaints in 2018, 140 of which have been concluded and eight of which resulted in the imposition of TRY870,000 worth of administrative fines. Although the KVKK’s 2019 Annual Report has not yet been published, the KVKK’s publicly announced enforcement actions in 2019 demonstrate that the total amount of administrative fines imposed in 2019 should exceed TRY8,000,000 (EUR1,210,000). Noteworthy fines publicly announced by the KVKK in 2019 include Facebook (TRY1,650,000 and TRY1,600,000 – total EUR492,400), Marriott International Inc. (TRY1,450,000 – EUR220,000), Dubsmash Inc. (TRY730,000 – EUR110,600), Clickbus (TRY550,000 – EUR83,300), and Cathay Pacific Airways Limited (TRY550,000 – EUR83,300).