Data Protection & Privacy 2023

Last Updated March 03, 2023

Turkey

Law and Practice

Authors



YAZICIOGLU Legal is an Istanbul-based boutique technology law firm. The firm focuses on legal matters related to technology, media, telecommunications and data protection/cybersecurity. It also has solid expertise in cross-border transactions, corporate and commercial matters, intellectual property, regulatory compliance, e-commerce, consumer protection and dispute resolution. Yazıcıoğlu Legal has a dedicated team of 15 lawyers working on data protection and cybersecurity. The majority of the firm’s workload consists of data protection-related matters. In particular, the firm is known for successfully representing its clients in investigations and data breaches before the Turkish Data Protection Authority. The firm is ranked in several legal directories on TMT and is also a Bronze Corporate Member of the International Association of Privacy Professionals (IAPP).

The right to the protection of personal data has been regulated under the Constitution of the Turkish Republic (Constitution) as an individual right since its amendment in 2010.

According to Article 20(3) of the Constitution, the right to the protection of personal data includes the right to:

  • be informed about the processing of personal data;
  • have access to personal data;
  • request rectification or deletion of the personal data; and
  • be informed about whether personal data is used in accordance with the appropriate purposes.

According to the same article, personal data may be processed only if the processing is allowed by the laws or the data subject gives his/her explicit consent. The article finally states that the procedures and principles of processing personal data must be regulated by the laws.

The Turkish Data Protection Law

Pursuant to Article 20(3) of the Constitution, Turkish lawmakers enacted the Turkish Data Protection Law No 6698 (“DP Law”) to regulate the procedures and principles of processing personal data. The DP Law is the first general law that specifically regulates the procedures and principles of processing personal data in Türkiye, and it entered into force on 7 April 2016.

Although it came into force only one month before the European Union General Data Protection Regulation (GDPR), the DP Law was drafted by considering only EU Directive 95/46/EC. Currently, there are ongoing efforts to revise the DP Law in line with the GDPR (see also 1.8 Significant Pending Changes, Hot Topics and Issues).

Important secondary regulations issued by the Personal Data Protection Authority (“DP Authority”) include:

  • the By-Law on the Deletion, Destruction or Anonymization of Personal Data;
  • the By-Law on the Registry of Data Controllers;
  • the Communique on Principles and Procedures to Be Followed in Fulfilment of the Obligation to Inform; and
  • the Communique on Principles and Procedures for the Request to Data Controller.

The DP Authority has also published several guidelines and recommendations on different aspects of the DP Law. The main topics of these guidelines and recommendations include:

  • good practices on personal data protection in the banking sector;
  • cookie practices;
  • the right to be forgotten;
  • processing of biometric data;
  • artificial intelligence (AI);
  • preparing an inventory of personal data processing;
  • fulfilment of the obligation to inform;
  • technical and organisational measures;
  • deletion, destruction or anonymisation of personal data; and
  • the concepts of controller and processor.

In addition to these, the Personal Data Protection Board (“DP Board”) adopts resolutions, which are published on DP Authority’s official website and/or the Official Gazette.

The Turkish Criminal Law

Certain actions that violate the protection of personal data are defined as crimes in the Turkish Criminal Code (TCrC) (see also 2.5 Enforcement and Litigation).

The Turkish Civil Law

Personal data is considered a part of personality under Turkish law; hence it is also protected under the provisions on the protection of personality rights in the Turkish Civil Code (TCiC).

Other

In addition to the above, there is sector-specific legislation on the processing of personal data in certain sectors, such as the telecommunications, banking, electronic payment and health sectors.

The primary supervisory and regulatory authority in Türkiye is the DP Authority. It is an independent administrative institution which has administrative and financial autonomy.

The DP Authority has the power to regulate data protection activities and to protect the rights of data subjects.

The decision-making body of the DP Authority is the DP Board. Some of the main duties and powers of the DP Board are as follows:

  • conducting investigations upon the complaints of the data subjects or ex officio if it becomes aware of the alleged violation, and taking temporary measures, where necessary;
  • concluding the complaints of those who claim that their rights concerning personal data protection have been violated;
  • maintaining the Registry of Data Controllers (VERBIS);
  • imposing administrative sanctions that are provided in the DP Law;
  • determining and announcing the countries with adequate levels of protection of personal data for the purpose of international data transfers; and
  • where adequate protection is not provided, approving the written undertaking by which the controller in Türkiye and the controller in the relevant foreign country undertake to provide adequate protection, for the purpose of international data transfers.

The Ministry of Trade is authorised to oversee marketing communication.

Apart from the above, sector-specific administrative institutions such as the Banking Regulation and Supervision Agency (BRSA), the Capital Markets Board (CMB), the Turkish Republic Central Bank (TRCB) and the Information and Communication Technologies Authority (ICTA) are also entitled to regulate the processing of personal data in their respective sectors.

The DP Board’s investigations may be initiated based on a data subject’s complaint received by the DP Board or ex officio if it becomes aware of the alleged violation.

The Course of an Investigation

The DP Board may request information and/or documents from controllers in the course of its investigations. Controllers must provide this information and/or relevant documents within 15 days, except where the information and documents constitute a state secret. The DP Board may request further information and/or documents during an investigation.

A controller must enable on-site inspections if the DP Board considers it necessary.

Administrative Fines

If the DP Board identifies a violation of the DP Law, it can impose administrative fines, which may vary between TRY29,852 and TRY5,971,989 depending on the type of violation.

As per the Misdemeanours Law No 5326, when determining the amount of fines, the DP Board must consider the severity of the breach, the fault of the breaching party and its economic condition.

Administrative Orders

The DP Board may also order the controller to bring processing activities in compliance with the DP Law.

The DP Authority is also entitled to order the cessation of certain data processing activities or personal data transfers abroad if it finds that such data processing activities would result in damages that are difficult or impossible to compensate for and, at the same time, the act would be clearly unlawful.

If the DP Board issues an order to the controller to bring its processing activities into compliance with the DP Law, this decision must be implemented without any delay and, at the latest, within 30 days of the controller’s receipt of the notification.

Appeal of a Sanction

The controller has the right to appeal against the DP Board’s decisions.

If the DP Board’s decision includes only an administrative fine, the controller may object to this decision before the Magistrate Criminal Court within 15 days from receipt of the decision. The decisions of the Magistrate Criminal Court can be appealed to another Magistrate Criminal Court in the same district.

Where the DP Board’s decision includes an administrative order, with or without an administrative fine, the controller can object to the decision before the administrative courts, whose decisions can be appealed to the Council of State.

Even though Türkiye does not belong to any multinational system such as the European Union or the European Economic Area, the European system has a highly noticeable effect on the DP Law practice.

Firstly, Türkiye was one of the first countries that became a member of the Council of Europe and signed Convention No 108. Although Türkiye signed the Convention on 28 January 1981, it did not ratify the Convention until 17 March 2016, shortly before the adoption of the DP Law. On the other hand, Türkiye has not yet signed the Modernized Convention (also known as Convention 108+).

As a candidate member state of the EU, Türkiye aims to align its national legislation with the EU acquis. The DP Law is mostly influenced by the EU Directive 95/46/EC.

Currently, amending the DP Law to harmonise it with the GDPR is on Türkiye’s agenda.

The DP Authority has been one of the accredited members of the European Conference of Data Protection Authorities since May 2019. The DP Authority also hosted the 44th Global Privacy Assembly in 2022.

Although their number is relatively small, there are some associations established mainly by legal professionals to raise awareness about the DP Law among the public.

Certain industry-specific organisations and chambers of commerce/industry have created working groups to assist their members in complying with the DP Law.

The DP Authority obtains opinions from these NGOs while drafting legislation.

Türkiye follows the EU omnibus model. The DP Law draws a framework for the DP Authority and controllers by providing a general perspective of the obligations and principles that must be observed in data processing activities. The DP Authority steers data processing practice by issuing secondary legislation and publishing guidelines and/or the DP Board’s resolutions.

The DP Authority seeks to take a proportionate approach to enforcement, prioritising cases with a significant risk of harm to individuals. The amounts of the administrative fines set forth in the DP Law are considerably lower than those set forth in the GDPR. However, the DP Authority’s tendency for enforcement is relatively higher, in particular on data breaches, when compared to its European counterparts.

Key developments in Türkiye in the past 12 months are as follows:

  • announcement on the consideration of extraordinary conditions for the assessment of deadlines for data subjects, controllers and lawyers affected by the earthquake of 6 February 2023;
  • publication of the Guideline on Good Practices for Personal Data Protection in the Banking Sector (Guideline on Banking Sector);
  • publication of the Guideline on Practices of Cookies (“Cookie Guideline”);
  • publication of the By-Law on the Collection, Storage and Sharing of Insurance Data (“By-Law on Insurance Data”);
  • DP Board’s decision on joint data controllership (see also 1.8 Significant Pending Changes, Hot Topics and Issues);
  • DP Board’s decision accepting the validity of explicit consent for transferring employment data abroad where the employer is established abroad (see also 4.2 Mechanisms or Derogations That Apply to International Data Transfers);
  • publication of the Draft Guideline on Assessment of Loyalty Programs Within the Scope of Personal Data Legislation for public consultation (“Draft Guideline on Loyalty Programs”); and
  • publication of the Draft Guideline on the Issues to be Considered in the Processing of Genetic Data for public consultation (“Draft Guideline on Genetic Data”).

Personal Data Transfer Abroad and Amendments to the DP Law

Personal data transfer abroad has been the most problematic and controversial issue under the DP Law since its enactment (see also 4.2 Mechanisms or Derogations That Apply to International Data Transfers).

According to the Economic Reform Action Plan of the Ministry of Treasury and Finance of the Republic of Türkiye (Action Plan), which was announced on 12 March 2021, the DP Law is under review so that its provision on data transfer abroad (Article 9) is amended in line with the GDPR.

However, the scope of the revisions may be broader as per the 2019–23 Development Plan, dated July 2019, and the Human Rights Action Plan, dated April 2021. Although the targeted date for the entry into force of this amendment was 31 March 2022, there is still no development announced to date and preparatory works are still ongoing.

Cookies

The Cookie Guideline was published by the DP Authority on 20 June 2022 after public consultation. In this guideline, the DP Authority clarifies the definition and scope of cookies, and the conditions for processing personal data through cookies within the scope of the DP Law. Although the principles set forth in the guideline are generally in line with EU legislation on cookies, certain principles, in particular the obligation to inform, are significantly different.

Disinformation

A series of amendments to some major laws were made by the Law on the Amendment of the Press Law and Further Laws (the so-called Disinformation Law) on 18 October 2022. Some of these amendments criminalise disseminating any misleading information concerning internal or external public security, public order or public health with the motive of disturbing public peace or creating anxiety, fear or panic among the public. The Disinformation Law has been criticised by the public and some scholars, who claim that it may lead to censorship. Amendments introduced by the Disinformation Law also impose certain obligations on Social Network Providers (SNPs) (see also 2.2 Sectoral and Special Issues).

Joint Data Controllership

Unlike the GDPR, there is no explicit provision in the DP Law on joint controllership. However, in January 2022, the DP Board published a decision in which it considered the relationship between several car rental companies, which use the same software to create and maintain a blacklist of potential car rental customers, to be joint data controllership. In addition to this decision, the DP Authority has referred to this concept in its recent guidelines. However, the assessment of the DP Board/Authority on this concept is quite limited and lacks clear criteria or instructions on how to act in the case of joint controllership.

Territorial Applicability

Unlike the GDPR, the DP Law is silent on the subject of territorial scope. As a general rule on the territoriality principle, the DP Law applies to controllers and processors established in Türkiye.

The DP Authority has not yet set specific criteria for determining the DP Law’s extraterritorial scope. On the other hand, based on the DP Board’s decisions, the DP Board appears to take the view that the DP Law is applicable when the relevant data processing activities are carried out in Türkiye or relate to data subjects located in Türkiye.

Obligation to Register with VERBIS (Data Controllers’ Registry)

Controllers who meet certain criteria set by the DP Law are obliged to register with VERBIS. Those who are obliged to register with VERBIS are controllers who are:

  • established in Türkiye and have 50 or more employees or whose total annual financial balance sheet is equal to or more than TRY25 million;
  • established in Türkiye and have fewer than 50 employees and an annual financial balance of less than TRY25 million but whose main activity is processing special categories of personal data; and
  • established outside of Türkiye.

In order to register with VERBIS, controllers based outside of Türkiye are required to appoint a representative to represent them before the DP Authority and data subjects. The representative may be either a Turkish citizen or a legal person in Türkiye.

Those obliged to register with VERBIS should also appoint a “contact person”, who may only be a natural person in Türkiye and is mainly responsible for submitting certain information to VERBIS and facilitating the communication between the DP Authority and controllers.

Data Protection Principles

The general principles which must be followed in all data processing activities are set out under Article 4 of the DP Law, and are as follows:

  • lawfulness and fairness;
  • being accurate and kept up to date where necessary;
  • being processed for specified, explicit and legitimate purposes (purpose limitation);
  • being relevant, limited and proportionate to the purposes for which they are processed (data minimisation); and
  • being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data is processed (storage limitation).

Lawful Basis for Processing of Personal Data

In order to ensure that the data processing is lawful, controllers must satisfy one of the following legal bases (provided by Article 5 of the DP Law):

  • explicit consent of the data subject is obtained;
  • it is expressly provided for by the laws;
  • it is necessary for the protection of the life or physical integrity of the data subject, or of any other person who is unable to express their consent due to physical disability or whose consent is not deemed legally valid;
  • processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract;
  • it is necessary for compliance with a legal obligation to which the controller is subject;
  • personal data has been made public by the data subject themself;
  • data processing is necessary for the establishment, exercise, or protection of any right; and
  • processing of data is necessary for the legitimate interests pursued by the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Lawful Basis for Processing of Special Categories of Personal Data

For this purpose, please see 2.2 Sectoral and Special Issues.

Privacy Impact Analyses

Data protection impact assessment is not specifically regulated in the DP Law, but it may be considered a technical and organisational measure that the controllers should take as per the DP Authority’s guidelines.

Application of “Privacy by Design” or “Privacy by Default” Concepts

The DP Law does not include the concepts of “privacy by design” or “privacy by default”. However, controllers may be required to apply “privacy by design” and/or “privacy by default” concepts to comply with the DP Law, particularly the general principles and data processing conditions it sets forth.

Internal or External Privacy Policies

Controllers must provide privacy notices to data subjects. Such privacy notice must at least include:

  • the identity of the controller and its representative (if any);
  • the purpose(s) of the processing of personal data;
  • to whom and for which purposes the processed personal data may be transferred;
  • the method and legal basis of the collection of personal data; and
  • the rights of data subjects.

Moreover, the DP Authority expects that personal data (and/or categories of personal data), purposes, legal basis and collection methods are matched to one another in privacy notices.

Controllers, who are obliged to register with VERBIS, are also obliged to:

  • maintain a data processing inventory; and
  • adopt a Personal Data Retention and Destruction Policy, the details of which are set forth under the By-Law on the Deletion, Destruction or Anonymization of Personal Data.

Further, as per the DP Board’s decisions, controllers are also required to maintain:

  • procedures on responding to data breaches; and
  • a specific privacy policy for the processing of special categories of data.

Except for the above, controllers are not directly obliged to adopt internal or external privacy policies. However, the DP Board considers having internal and external privacy policies on data protection and cybersecurity as one of the organisational measures that controllers should take. Thus, it is recommended to adopt internal and external privacy policies.

Anonymisation, De-identification and Pseudonymisation

The DP Law obliges controllers to erase, destroy or anonymise the personal data, ex officio or upon the request of the data subject(s), in the event that the purposes for the processing no longer exist.

The DP Law and the By-Law on the Deletion, Destruction or Anonymization of Personal Data define the concept of anonymisation as a technique that is used to ensure that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

A reference to de-identification is only made in the By-Law on Processing of Personal Health Data (By-Law on Health Data) issued by the Ministry of Health. This By-Law requires controllers who process health data to take partial de-identification or masking measures on health data such as medical diagnosis and examination in printed materials, as well as other measures to make it difficult to identify the data subject in cases of access by unauthorised persons.

Pseudonymisation is not specifically referred to in any of the legislation, but the DP Authority regards pseudonymisation as one of the technical and organisational measures that data controllers must take.

Injury or Harm

There is no requirement under the DP Law to prove any “harm” or “injury” to be held responsible by the DP Authority for non-compliance with the DP Law from an administrative law or criminal law perspective.

On the other hand, for a data subject to seek compensation from a controller (or processor) for its non-compliance with the DP Law, the data subject must prove that they have been harmed or injured (see also 2.5 Enforcement and Litigation).

Data Breach Notification Process

Unlike the GDPR, pursuant to the DP Law, controllers are obliged to notify the DP Board of all data breaches, regardless of whether or not there is a risk to the rights and freedoms of natural persons.

The notification must be made to the DP Authority within 72 hours of the controller becoming aware of the incident, and within the shortest time possible to the data subjects who are affected by the breach.

Rules on Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis, AI, Algorithms

According to the DP Law, “the data subject has the right to object to the occurrence of a result against themself by analysing the data processed solely through automated systems”. This right may be at stake in cases of big data analytics, automated decision-making, profiling or microtargeting, artificial intelligence (including machine learning) and autonomous decision-making (including autonomous vehicles). However, the scope of application of this provision has not yet been clarified by the DP Board.

Apart from the above provision, there are no specific regulations about profiling, automated decision-making, online monitoring or tracking, big data analysis, artificial intelligence, or algorithms. Therefore, the general rules would apply.

Data Protection Officers (DPOs)

Unlike the GDPR, there is no requirement to appoint a DPO for any controller, in the public or private sectors. Neither the representative nor the contact person may be considered to have the same role as the DPO in the GDPR.

The DP Authority published the Communique on Principles and Procedures of the Mechanism About Personnel Certification on 6 December 2021. Even though the concept of DPO defined in this Communique seems similar to the concept of the GDPR’s DPO, the DP Authority announced that the DPO in the Communique has a different role.

The Union of Turkish Bar Associations requested the annulment of the Communique from the court on the ground that, according to the Attorneys Act, only lawyers can advise on Turkish law. The approach of the court remains to be seen.

Special Categories of Personal Data

According to the DP Law, special categories of personal data are as follows:

  • racial or ethnic origin;
  • political opinions;
  • philosophical, religious, sect or other beliefs;
  • clothing and attire;
  • association, foundation, or trade union membership;
  • health and sexual life;
  • criminal convictions and security measures on individuals; and
  • biometric and genetic data.

Special categories of personal data may be processed if the data subject’s explicit consent is obtained.

Except for data on health and sexual life, special categories of personal data may only be processed without the data subject’s explicit consent in the cases provided by laws.

Data on health and sexual life may be processed by the persons subject to a confidentiality obligation (eg, doctors) or competent public institutions and organisations (eg, hospitals, social security institutions) for the following purposes:

  • protection of public health;
  • operation of preventive medicine;
  • medical diagnosis;
  • treatment and care services;
  • planning and management of health services; and
  • financing of healthcare services.

In 2018, the DP Board issued a resolution on the additional technical and organisational measures to be taken by controllers to ensure that an adequate level of protection is provided while special categories of data are being processed, such as adopting a separate processing policy and implementing two-factor authentication for remote access to the data.

In 2021, the DP Board published a guideline on biometric data. The guideline provides a definition of biometric data, mentions the general principles that need to be respected and technical and organisational measures in addition to those mentioned above.

In 2022, the DP Authority published a Draft Guideline on Genetic Data. The draft guideline refers to the GDPR for the definition of genetic data and sets forth the general principles to be complied with when processing genetic data, as well as additional technical and organisational measures to be taken.

Problems with Processing Health Data

The above-mentioned limited legal basis for the processing of health data causes controllers to face some challenges, particularly in an employment context.

In certain situations, such as absence due to sickness, occupational sickness or workplace accidents, employers need to process the health data of employees in the course of the employment relationship. In fact, the Occupational Health and Safety Law No 6331 (OHCL) requires employers to do so. However, due to the limitations on the legal basis for processing health data under the DP Law, employers can process health data only (i) via an occupational doctor, which is not always a viable option in practice, or (ii) by obtaining explicit consent from their employees. Obtaining employees’ explicit consent, however, creates a significant problem for a data processing activity that the controller is legally required to carry out, considering that explicit consent must be freely given and can be withdrawn at any time.

This article is also expected to be amended as per the Action Plan.

Employment Data

There is no detailed legislation in Türkiye except Article 419 of the Turkish Code of Obligations (TCO), Article 75 of the Turkish Labour Law and Article 15(5) of the OHCL, which draw the framework for employers to process their employees’ personal data (see also 2.4 Workplace Privacy). Thus, the general rules apply to personal data processing in the employment context.

Children’s Data

Unlike the GDPR, there is no special provision in the DP Law on the collection and/or processing of minors’ personal data. Only the By-Law on Health Data sets forth the parents’ right of access to their child’s health data.

However, the DP Board stated in one of its decisions that personal data is strictly considered an element of personality rights. Thus, a minor who has the power of discernment, as well as the legal representative of the minor, should be able to exercise data protection rights in accordance with the TCiC.

More recently, the DP Board imposed a fine on TikTok – among others – for failing to take the necessary measures to protect children’s data. In particular, the decision focuses on the protection of data of children under the age of 13, a criterion which is not included in the DP Law. Hence, in the authors’ view, the grounds for this decision are debatable (see also 5.3 Significant Privacy and Data Protection Regulatory Enforcement or Litigation).

In addition to the above, the Cookie Guideline states that if a website’s products and services target children, the privacy notice on cookies should be drafted in accordance with their level of perception and, if required, must be supported with images, etc.

Also, SNPs must take the necessary measures to provide separate services for children.

Due to the lack of concrete legislation, and despite the DP Board’s above-mentioned decisions and guidelines, the question of whether minors may give consent to the processing of personal data without obtaining their legal representative’s approval – and, if so, which age group is considered to have the power to give consent by themselves from a data protection standpoint – remains unclear.

Confidential Customer Data in the Banking Sector

Except for certain exemptions or as otherwise stipulated by the laws, personal data specific to banking relationships is also considered a customer secret under Article 73 of the Banking Law. This information cannot be disclosed or transferred to third parties, whether in Türkiye or abroad, without a request or explicit instruction from the customer to do so, even if the customer’s explicit consent to the transfer of personal data to a third party has been obtained as per the DP Law. This provision is highly criticised in Turkish data protection practice.

Based on its assessment of economic security, the BRSA is authorised (i) to prohibit the disclosure or transfer abroad of any kind of data, including customer secrets or bank secrets, to third parties, and (ii) to order banks to keep the information systems and back-ups used in carrying out their activities in Türkiye (obligation of data localisation).

In addition to the above, the Guideline on Banking Sector, published by the DP Authority in July 2022, refers to the technical and organisational measures to be taken for the transfer of customer secrets.

Insurance Data

The By-Law on Insurance Data was published in the Official Gazette on 18 October 2022. The By-Law defines insurance data as “all data that are related with insurance contracts, insurant and insurance companies’ parties of an insurance contract, insured, beneficiaries and other third parties who directly or indirectly benefit from an insurance contract, and consist of a basis for risk assessment”. It sets forth the principles for processing and sharing of insurance data.

Internet, Streaming and Video Issues

The Law on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication No 5651 (“Internet Law”) sets forth certain obligations for hosting/platform providers, content providers and access providers, such as removing unlawful content (see also 1.8 Significant Pending Changes, Hot Topics and Issues, and the Social Media section below).

Voice Telephony and Text Messaging and Content of Electronic Communications

Personal data processed in the telecommunications sector is subject to the By-Law on Processing of Personal Data and Protection of Confidentiality in Electronic Communication Sector. The provisions of this By-Law are in line with the DP Law; however, this By-Law includes more specific provisions on traffic data and location data.

Voice communications and text messages are protected under the fundamental right to privacy (Article 20) and the freedom of communication (Article 22) of the Constitution. Certain crimes are defined in the TCrC to protect the secrecy of communications and private life. Interference with private communications is permitted only in specific and very limited circumstances and only by a judge’s decision or, where delay would be prejudicial, by a public prosecutor’s decision (see also 3.1 Laws and Standards for Access to Data for Serious Crimes).

Cookies and Other Similar Technologies

Electronic Communication Law No 5809 includes a provision on cookies. However, such provision is only applicable to electronic communication service providers.

Although there is no specific provision on cookies under the DP Law, the DP Authority published the Cookie Guideline in June 2022 (see also 1.8 Significant Pending Changes, Hot Topics and Issues).

Social Media

As per some of the amendments introduced by the Disinformation Law, SNPs are required to establish, in co-operation with ICTA, a mechanism for complaints on the removal of hashtags and featured content. Accordingly, SNPs will be held liable for crimes committed through the posting of third-party content via hashtags or featured content if such illegal content has not been removed within four hours of receiving a notification of it.

SNPs whose daily access exceeds 1 million must also report to ICTA on hashtags, the algorithms used for featured or reduced content, advertisements and transparency policies. This report must also include information on the measures taken to enable users to update their preferences regarding suggested content and on the options provided to users for limiting the use of their personal data. ICTA may request any kind of information from SNPs, including on their data processing mechanisms.

Natural and legal persons claiming that their personal rights have been violated by content available online may apply for the removal of such content. SNPs whose daily access exceeds 1 million are required to respond to applications regarding the violation of personal rights or the right to privacy within 48 hours of receiving them (see also the discussion on Internet, Streaming and Video Issues above).

The Disinformation Law also places other obligations on SNPs, such as data retention (see also 4.4 Data Localisation Requirements).

There is no specific regulation regarding browsing data, viewing data, beacons, tracking technology, behavioural or targeted advertising, search engines, large online platforms or intermediary liability for user-generated content. Thus, data processing activities involving this kind of data or these technologies are subject to the general provisions of the DP Law (see also 1.8 Significant Pending Changes, Hot Topics and Issues). On the other hand, the Draft Guideline on Loyalty Programs attaches significant importance to establishing certain principles on the processing of data via location-tracking technologies.

Addressing Hate, Discrimination and Deepfake

According to the Constitution and TCrC, everyone – regardless of their language, race, nationality, skin colour, gender, political opinion, philosophical belief, religion or sect, etc – is equal before the law.

The TCrC criminalises and sets forth imprisonment for certain acts which aim to incite hate and/or discrimination between persons based on language, race, nationality, skin colour, gender, disability, political opinion, philosophical belief, religion or sect, etc.

Moreover, the TCrC criminalises and sets forth imprisonment for preventing someone from disposing of property, receiving services, being recruited for a job or undertaking an ordinary economic activity on the ground of hatred based on differences of language, race, nationality, colour, gender, etc. There is no specific regulation regarding deepfakes. Where a deepfake is used to commit a crime, it is punishable under whichever offence is committed. In addition, the input data, such as the voice or image used to generate a deepfake, is protected as a personality right and constitutes personal data. Hence, the general provisions covering personality rights and personal data also apply in these cases.

Data Subject’s Rights

According to Article 11 of the DP Law, data subjects’ rights are as follows:

  • learning whether their personal data is processed or not;
  • requesting information as to whether their personal data has been processed or not;
  • learning the purpose(s) of the processing of their personal data and whether such personal data is used in compliance with the purpose or not;
  • finding out the third parties to whom their personal data is transferred, in-country or abroad;
  • requesting rectification of any incomplete or inaccurate data;
  • requesting erasure or destruction of their personal data under the conditions referred to in Article 7 of the DP Law;
  • requesting that the rectification, erasure or destruction carried out under the preceding two items be notified to the third parties to whom their personal data has been transferred;
  • objecting to a result to their detriment arising from the analysis of processed data exclusively through automated systems; and
  • claiming compensation for the damage arising from the unlawful processing of their personal data.

Unlike the GDPR, a data portability right is not set forth in the DP Law.

Right to Be Forgotten

Currently, no specific legislation in Türkiye regulates the “right to be forgotten”. However, the Constitutional Court has recognised in its decisions that data subjects have a right to be forgotten. The DP Authority has also published an opinion on the right to be forgotten and issued a publicly announced resolution outlining the criteria for exercising it.

The 2020 amendment to the Internet Law includes a provision facilitating the exercise of the right to be forgotten by specifically obliging search engines to delist links from their search results upon a court order.

Online marketing is governed by the Law on Regulation of Electronic Commerce No 6563 (“E-Commerce Law”), the By-Law on Commercial Communication and Commercial Electronic Messages (“By-Law on Commercial Communication”) as well as the DP Law.

According to the E-Commerce Law and the By-Law on Commercial Communication, the recipient’s prior explicit consent must be obtained before making calls or sending SMS or emails for marketing purposes (marketing communication). The DP Board also requires controllers to obtain data subjects’ consent before sending push notifications.

However, it is permissible to make a marketing communication without prior consent in the business-to-business (B2B) model, unless the receiver opts out.

The contents of a marketing communication must include certain identification information of the sender, as well as an option to opt out.

The Message Management System (MMS) is an online platform where recipients can manage their consents to receiving marketing communications and withdraw them (ie, opt out). All senders of marketing communications must register with the MMS and upload the information regarding consents and withdrawals for this purpose. Any consent or withdrawal received by the sender must be uploaded to the MMS within three business days of its receipt.

There are no specific provisions for behavioural and targeted advertising under Turkish law. Therefore, the relevant processing activities are subject to general provisions of the DP Law. In this regard, based on the DP Board’s approach to this matter, it may be argued that – in order to carry out behavioural or targeted advertisement – prior consents of the data subjects must be obtained.

Privacy in the workplace is not specifically regulated in Turkish law but can be considered within the scope of the DP Law.

On the other hand, there are provisions regarding this matter in various laws, for example:

  • pursuant to Article 419 of the TCO, an employer may use the personal data of an employee only to the extent necessary to determine the employee’s suitability for the job or for the performance of the employment contract;
  • pursuant to Article 75 of the Turkish Labour Law, an employer is obliged to use the information obtained about their employee in accordance with the rules of good faith and law, and not to disclose any information that the employee has a justified interest in keeping confidential; and
  • pursuant to Article 15(5) of the OHCL, health data must be kept confidential in order to protect the private life and reputation of the employee who has undergone a medical examination.

Monitoring Workplace Communications

According to the decisions of the Constitutional Court and DP Board, an employer is entitled to monitor the work computers, work mobile phones and other electronic devices, which it provides to its employees, provided that it fulfils the following conditions: 

  • employees should be informed in advance that their correspondence and transactions on electronic devices may be monitored, with the purposes and legal basis of the monitoring clearly stated (eg, by way of a privacy notice addressed to the employees);
  • there should be a legitimate purpose for accessing/monitoring the devices (eg, a compliance investigation based on a reasonable doubt); and
  • access/monitoring should be proportional to the legitimate purpose (eg, if it is clear from the subject of the email/file that it is a personal email/file, then it should not be opened and reviewed).

The principles above also apply to the implementation of cybersecurity tools and insider threat detection and prevention programmes.

Processing Special Categories of Personal Data

As a general principle for processing special categories of employees’ personal data, the explicit consent of employees must be obtained unless a justifying ground is provided by laws; see 2.2 Sectoral and Special Issues.

The DP Board has decided that the processing of employees’ biometric data for security purposes breaches the data minimisation (proportionality) principle. However, a case-by-case analysis of that principle is necessary: for instance, where a high level of security is needed because of the nature of the data or premises concerned, processing the biometric data of the relevant employees might not violate the data minimisation (proportionality) principle.

Regulators

Under the DP Law, the DP Board has extensive enforcement powers, as described in 1.3 Administration and Enforcement Process. The DP Board may be considered to have a higher tendency for imposing administrative fines compared to its EU counterparts, in particular for data breaches.

So far, the DP Board has investigated and fined several national and international companies, including Marriott International Inc, Facebook, Amazon Türkiye, WhatsApp and TikTok.

There are four types of violations that are set forth in the DP Law; the amounts of administrative fines for these violations are subject to adjustment each year. The amounts of administrative fines which apply in 2023 are as follows:

  • failure to inform data subjects of processing activities may be subject to an administrative fine of TRY29,852 to TRY597,191;
  • failure to take the necessary technical and organisational measures (which the DP Board interprets very broadly to include unlawful data transfers abroad and breaches of the fundamental principles) may be subject to an administrative fine of TRY89,571 to TRY5,971,989;
  • failure to comply with the decisions issued by the DP Board may be subject to an administrative fine of TRY149,285 to TRY5,971,989; and
  • failure to comply with the obligation to register with VERBIS and not submitting information to VERBIS may be subject to an administrative fine of TRY119,428 to TRY5,971,989.

The highest fine issued by the DP Board so far is TRY1.95 million, which was issued to WhatsApp.

The DP Authority is also entitled to order the cessation of certain data processing activities or personal data transfers (see also 1.3 Administration and Enforcement Process).

Criminal Sanctions

There are also criminal sanctions that are regulated under TCrC, as follows:

  • unlawful recording of personal data is subject to imprisonment of one to three years;
  • unlawful transfer, publication or acquisition of personal data is subject to imprisonment of two to four years – if these are realised by exploiting the advantages of a profession or art, such actions are subject to imprisonment of three to six years; and
  • failure to destroy personal data after the retention period set forth in the law has expired is subject to imprisonment of two to six years.

The investigation may commence without the need for any complaint – ie, ex officio by public prosecutors. However, there is no established jurisprudence on how criminal sanctions will be applied in harmony with the DP Law.

Private Litigation

The right to seek compensation is expressly listed as one of the data subject rights under the DP Law.

Moreover, data subjects can seek compensation and ask the court to prevent a threatened infringement, to stop an existing infringement and to declare that an infringement is unlawful, as per Articles 24–26 of the TCiC and Article 49 of the TCO.

From a civil law perspective, the controller is jointly liable with the processor where the processor fails to take the technical and organisational measures required of it.

There is no class action concept under the Turkish legal system.

The following activities are among those excluded from DP Law coverage:

  • processing of personal data by judicial authorities or execution authorities regarding the investigation, prosecution, judicial or execution proceedings; and
  • processing of personal data by public institutions and organisations duly authorised and assigned by law regarding maintaining national defence, national security, public security, public order or economic security within the scope of preventive, protective and intelligence activities.

The Turkish Law of Criminal Procedure (TLCP) is the primary source with respect to law enforcement’s access to data for the investigation of serious crimes.

Other relevant laws are as follows:

  • the Law on Police Duty and Authority;
  • the Law on Gendarmerie Organisation Duty and Authority; and
  • the Law on Governmental Intelligence Services and National Intelligence Agency.

Law enforcement authorities may request information on personal data to investigate criminal offences.

However, in certain situations, an independent judicial decision is necessary for public prosecutors and law enforcement officers to interfere with IT systems or intercept communications.

In the case of peril in delay, the public prosecutor or law enforcement officer may interfere with IT systems or intercept communications by the public prosecutor’s order, which must be approved by a court afterwards.

Very similar rules to those discussed in 3.1 Laws and Standards for Access to Data for Serious Crimes apply in the field of national security. In these cases, the authorities can demand information if it is necessary for the prevention of imminent threats.

The National Intelligence Agency is authorised to request any information within its powers and duties, including any personal data. Those who fulfil these requests cannot be held legally or criminally liable.

The provisions of the DP Law do not provide a clear legitimate basis for invoking a foreign government’s request for collecting or transferring data. However, since the fulfilment of a foreign government’s request may lead to data transfer abroad, the rules on data transfer abroad set forth in the DP Law must be complied with (see also 4.2 Mechanisms or Derogations That Apply to International Data Transfers).

On the other hand, Türkiye is a signatory to many bilateral and multilateral agreements aimed at promoting co-operation between states, especially on matters of judicial co-operation and extradition. Personal data processing activities arising from these obligations are not exempt from the scope of the DP Law, and public institutions are also obliged to comply with it (see also 2.1 Omnibus Laws and General Requirements, 2.2 Sectoral and Special Issues and 4.2 Mechanisms or Derogations that Apply to International Data Transfers).

Türkiye does not have a CLOUD Act agreement with the USA.

One of the key privacy issues is the inadequate and uncertain regulation of governmental access to data. Although the DP Law applies to the data processing activities of governmental bodies, the exceptions set forth in the DP Law are broad. The DP Law is criticised for the breadth of these exceptions, because they lead to the DP Law being applied to governmental bodies in a diluted form and hinder its accurate implementation.

Indeed, especially compared to the GDPR, many issues are completely left out of the scope of the DP Law. This is criticised under Turkish data protection practice.

International transfer of personal data is subject to the DP Law. Data transfer abroad is restricted unless:

  • explicit consent of the data subject is obtained;
  • the importing country provides an adequate level of data protection; or
  • the regulatory approval of the DP Board is obtained.

See 4.2 Mechanisms or Derogations that Apply to International Data Transfers.

The DP Law also states that the provisions on data transfer abroad in other laws are reserved. Accordingly, sector-specific regulations may impose further restrictions on data transfer abroad (see also 4.4 Data Localisation Requirements).

Based on its decisions, the DP Board appears to treat the direct collection of personal data by data controllers located abroad as a data transfer abroad, which, in the authors’ view, is a debatable approach.

According to DP Law, the transfer of personal data abroad is permissible if the data subject’s explicit consent is obtained for such transfer.

In the event that the exporter relies on any legal basis other than explicit consent, then the following applies.

  • The foreign country to which the personal data will be transferred must have an adequate level of protection for personal data. These countries will be determined and announced by the DP Board (ie, the “Whitelist”).
  • In case there is not an adequate level of protection, an exporter controller in Türkiye and data importer abroad must execute a standard-form written undertaking to commit to provide an adequate level of protection, similar to Standard Contractual Clauses in GDPR practice (ie, “undertaking”). Then, such undertaking must be submitted to the DP Board, and the approval of the DP Board must be obtained for the relevant data transfer.
  • If data transfer abroad is only within multinational group companies, a data exporter located in Türkiye may obtain approval from the DP Board for binding corporate rules (BCR).

As no Whitelist has yet been announced by the DP Board, only consent, an undertaking or BCR remain available to controllers for transferring data abroad. On the other hand, the DP Board has stated in several decisions that “the provision of a service cannot be made conditional upon consent”. This principle is based on the argument that if the provision of a service is made conditional upon obtaining consent for data processing (including transfer), such consent is deemed not to be freely given and may therefore be considered invalid.

On the other hand, in one of its recent decisions, the DP Board accepted that an employer located abroad may rely on the explicit consent of its employees in Türkiye to collect their personal data (which the DP Board appears to treat as a data transfer abroad), as consent is the only option for an employer located abroad to collect the personal data of its employees in Türkiye.

Although obtaining valid explicit consent has its own challenges, obtaining regulatory approval from the DP Board is just as challenging. Only five data controllers have managed to obtain regulatory approval by executing an undertaking with the importers since the enactment of the DP Law.

As mentioned in 4.2 Mechanisms or Derogations that Apply to International Data Transfers, undertaking and BCRs require the DP Board’s approval.

On the other hand, as per Article 9(5) of the DP Law, without prejudice to the provisions of international agreements, in cases where the interests of Türkiye or of the data subject would be seriously harmed, personal data may only be transferred abroad with the permission of the DP Board. The DP Board must obtain the opinions of the relevant public institutions and organisations before granting its permission.

It should be noted that sector-specific regulations may seek further notifications or approvals regarding data transfer abroad (see also 2.2 Sectoral and Special Issues).

Even though there is no data localisation requirement in the DP Law, certain sector-specific regulations impose such requirements in Türkiye.

Banking and Finance Entities

The following entities must keep their primary and secondary information systems in Türkiye:

  • banks;
  • payment institutions and electronic money institutions;
  • insurance and private pension companies (except for services such as email, teleconference, or videoconference);
  • certain public companies, as well as certain capital markets institutions; and
  • financial lease, factoring and finance companies.

Electronic Communication Providers

In principle, electronic communication providers cannot transfer traffic data and location data abroad due to national security reasons. However, in certain cases, such data may be transferred abroad by obtaining the explicit consent of the data subject. 

Social Network Providers (SNPs)

SNPs, whose daily access is more than 1 million, must take necessary measures to retain data of their Turkish users in Türkiye.

Public or private institutions that will use coded/encrypted electronic communication within their electronic communication services must apply to the ICTA for permission in accordance with the ICTA’s regulations. A copy of the code/encryption must be provided to the ICTA with the application.

There are no specific limitations or considerations that apply to an organisation for collecting or transferring data in connection with foreign government data requests and foreign litigation proceedings.

Please see 3.3 Invoking Foreign Government Obligations and 4.2 Mechanisms or Derogations that Apply to International Data Transfers.

Türkiye does not have specific “blocking” statutes, but there are general statutory provisions that prevent the disclosure of matters relating to national interests.

The DP Authority issued its Recommendations on AI in September 2021. It is noteworthy that the Recommendations on AI do not provide a detailed view of artificial intelligence technologies, even though they succeed in covering a number of fundamental topics.

Biometric data has been a point of further discussion in the field of data protection and the processing of biometric data has been assessed extensively in both DP Authority-issued documents and DP Board decisions (see also 2.4 Workplace Privacy for the use of biometric data in an employment context).

Establishing protocols for digital governance and fair data practice review boards or committees to address the risks of emerging or disruptive digital technologies are not mandatory and/or common practices in Türkiye.

Following various news reports and complaints, the DP Board initiated an investigation into TikTok and fined it for the following reasons (the decision was published on 1 March 2023).

  • TikTok updated its privacy policy in January 2021 and changed the default privacy setting to “private” for users aged between 13 and 15. Before this update, the profiles of minors were publicly viewable by default, which posed a risk to this vulnerable age group.
  • Prior to this update, the personal data of minors under the age of 13 was viewable, and minors’ data was collected by TikTok without appropriate parental consent.
  • Although TikTok’s privacy policy includes the legal bases for processing, there is a lack of clear information on what personal data is processed for what purpose and on which legal basis.
  • Users are deemed to have accepted TikTok’s terms of service and privacy policy while creating an account. However, the terms of service have not yet been translated into Turkish, and thus, it may not be possible for users to understand it clearly.
  • Although TikTok provides its privacy policy to users to fulfil its obligation to inform, it uses the same document also to obtain users’ explicit consent. However, the privacy policy and explicit consent text should be presented to data subjects separately.
  • TikTok does not obtain explicit consent from users for the use of cookies for profiling purposes.

Accordingly, TikTok was fined TRY1.75 million and instructed to translate the terms of service into Turkish and revise its privacy policy to be compliant with DP Law.

Carrying out due diligence on a target entity is considered to rest on the legal basis of “legitimate interest”.

On the other hand, when requesting and sharing personal data during a due diligence process, “proportionality” and “data minimisation” principles must be taken into consideration.

In the event that a due diligence process requires data transfer abroad, then the controller must comply with data transfer abroad provisions. It should be noted that using virtual data rooms, whose servers are located abroad, would constitute a data transfer abroad (see also 4.2 Mechanisms or Derogations that Apply to International Data Transfers.)

The Turkish Data Controllers Registry (VERBIS) is an online public registry, which shows the personal data processing inventory of controllers who have registered with, and submitted information to, VERBIS (see also 2.1 Omnibus Laws and General Requirements).

The information, which is submitted to VERBIS and is hence publicly available, is as follows:

  • the categories of personal data;
  • the data processing purposes for each data category;
  • retention periods of each data category;
  • data subjects for each data category;
  • data transferees;
  • information on data transfer abroad, for each data category; and
  • technical and organisational measures.

The relevant capital markets regulations impose an obligation on the companies, which will make a public offering, to state the risks of the business before such public offering. Although there is no specific requirement to state the risks on data protection and cybersecurity, since these may also include risks regarding data protection, such risks should be mentioned in the course of a public offering.

In the course of 2022, the E-Commerce Law and its secondary legislation were amended with the aim of maintaining an effective and fair competitive environment on e-commerce platforms. Most of these amendments entered into force on 1 January 2023.

These amendments impose significant obligations on e-marketplaces and e-sellers. Some of these obligations reflect certain principles brought by the Digital Services Act.

According to these amendments, e-marketplaces:

  • shall remove unlawful content submitted by the seller;
  • shall not lower the seller’s position in the ranking or recommendation system without any objective criteria set forth in the agreement executed with the seller;
  • shall not use the data obtained from sellers and buyers with a purpose other than providing intermediary services, in particular to compete with sellers; and
  • shall provide technical facilities, free of charge, to sellers for transferring the data they collected through their sales and for accessing the processed metadata.

The amendments adopt a tiered system, based on the annual total number of transactions and net transaction volume, for determining which obligations apply, and non-compliance with these obligations is subject to administrative monetary fines. These fines range between TRY10,000 and TRY40 million, and certain fines are calculated on a percentage basis, ranging between 0.05% and 10% of the net sales of the preceding year.

Although not yet in force, significant amendments are expected to the Law on Protection of Competition No 4054. Most of the amendments in the draft reflect the ex-ante approach of the Digital Markets Act and include certain definitions introduced by it. Although these amendments have not yet entered into force, they may be considered a significant step towards further alignment with the European omnibus model.

There are no other significant issues.

YAZICIOGLU Legal

NidaKule – Goztepe
Merdivenköy Mahallesi Bora
Sokak No:1
Kat:7 34732 Kadıköy / İstanbul
Türkiye

+90 216 468 88 50

+90 216 468 88 01

info@yazicioglulegal.com www.yazicioglulegal.com