The Law on Protection of Personal Data No. 6698 (“LPPD”) was published in the Official Gazette on 7 April 2016 and entered into force. LPPD is mainly based on EU Directive 95/46/EC on data protection and aims to protect fundamental rights and freedoms of people, particularly the right to privacy, with respect to processing personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data. Also Data Protection Authority (“DPA”) was established as an independent regulatory authority having organisational and financial autonomy and having a public legal entity in order to fulfil the duties under LPPD.
Important Concepts Introduced by the LPPD
Personal Data: In the LPPD, the personal data is defined as all the information relating to an identified or identifiable natural person
Sensitive Personal Data: In the LPPD, the sensitive personal data is defined as personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data
Processing of Personal Data: This is defined as any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially, through automatic means or provided that the process is a part of any data registry system, through non-automatic means
Data Subject: This is defined as the natural person, whose personal data is processed
Controller: In the LPPD, the controller is defined as the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system
Processor: In the LPPD, the processor is defined as the natural or legal person who processes the personal data on behalf of the controller upon his authorization
Explicit Consent: This is defined as freely given, specific and informed consent in the LPPD.
Processing of Personal Data:
The general principles for processing of personal data are regulated in Article 4 of the LPPD. According to this Article the personal data must be
- Processed lawfully and in conformity with bona fide rules
- Accurate and up-to-date where necessary
- Processed for specific, explicit and legitimate purposes
- Relevant, limited and proportionate to the purposes for which they are processed
- Retained for the period of time stipulated by the relevant legislation or the purpose which they are processed.
Personal data cannot be processed without the explicit consent of the data subject. Article 5 and Article 6 of the LPPD set forth the specific conditions for processing personal data and sensitive personal data without seeking the explicit consent of the data subject.
Transfer of Personal Data:
The LPPD sets out the transfer of personal data to third persons in Article 8. According to this Article personal data cannot be transferred without the explicit consent of the data subject. However, there are some exemptions set forth in Article 8 in terms of transferring personal data without seeking the explicit consent of the data subject. Article 9 of the LPPD regulates the transfer of personal data outside of Turkey. Accordingly, the personal data cannot be transferred abroad without the explicit consent of the data subject. Article 9 stipulates additional requirements for transferring the personal data apart from the exemptions enumerated in Article 8. According to this, sufficient protection should be provided in the country where the personal data is to be transferred. Unless there is no sufficient protection in the country where the personal data is to be transferred, the data controllers in Turkey and in the related foreign country should guarantee the sufficient protection in written and the Personal Data Protection Board (“Board”) of Turkey should authorize such transfer as well.
Obligations of Data Controllers:
Obligation to Inform the Data Subject:
Data controllers are obliged to inform the data subject when processing their personal data. As per Article 10 of the LPPD, data controllers must inform the data subject about the following:
- The identity of the data controller and its representative (if any)
- The purpose of data processing
- To whom and for what purposes the processed data may be transferred
- The method and legal reason for collecting personal data
- Other rights referred to in Article 11 of the LPPD
Data controllers who fail to comply with the obligation to inform the data subject within the above framework shall be subject to an administrative fine of 5.000 TL to 100.000 TL.
Obligation to Delete, Destroy or Anonymize the Data:
Article 7 of the LPPD stipulates the personal data to be deleted, destroyed or anonymized upon the request of the data subject where the reasons for processing the personal data no longer exist. In such a case, data controllers are required to delete, destroy or anonymize the relevant personal data although it was being processed under the provisions of the LPPD or the relevant legislation. The relevant provisions are being regulated in detail by the Regulation on Deletion, Destruction and Anonymization of the Personal Data which was published in the Official Gazette on 28 October 2017.
Data controllers who fail to comply with the obligation of deleting, destroying or anonmyzing the personal data shall be subject to criminal sanctions as per the Article 138 of the Turkish Criminal Law numbered 5237.
Obligations Related Data Safety:
According to Article 12 of the LPPD, data controllers are required to take all necessary technical and administrative measures in order to provide a level of security for the following purposes:
- To prevent the illegal processing of personal data
- To prevent unauthorized access to personal data
- To ensure the protection of personal data
Data controllers who fail to comply with the above mentioned-obligation shall be subject to an administrative fine of 15.000 TL to 1.000.000 TL.
Obligations Related to Applications:
Pursuant to Article 13, the data subject shall file an application in writing to the data controller about his/her demands regarding the implementation of the LLPD. In such cases, data controllers are obliged to conclude those applications latest within 30 days without charging a fee to the data subject in principle. The data controller shall accept the application or decline it by explaining the reasons for declining the application and conveys the response of the application to the data subject in writing or in electronic media.
Article 14 states that if the application is declined or the response is found unsatisfactory or the response is not given in due time, the data subject may file a complaint before the Board within 30 days as of receiving the response of the data controller or within 60 days as of the date of the application.
Obligation to Register to Data Controller’s Registry
Data Controller’s Registry (VERBIS) is a registration system where data controllers shall be enrolled and record the data processing activities which they are engaged in. This system is held by the DPA under the supervision of the Board. As per Article 16 of the LPPD natural or legal persons who process personal data are obliged to enrol in the Data Controller’s Registry before processing personal data. However, certain data controllers may be exempted from the obligation of registering in the Data Controller’s Registry by the resolution of the Board. Application to the Data Controller’s Registry should include the following:
- Identity and address of the data controller and its representative (if any)
- Purposes for which the personal data to be processed
- Explanations about groups of data subjects and the data categories of those data subject
- Recipients to whom the personal data may be transferred
- Personal data which may be transferred abroad
- Measures taken regarding data safety
- Maximum period of time required for the purpose of data processing
The procedures and principled regarding the Data Controller’s Registry are being regulated under the Regulation on the Data Controller’s Registry dated 30 December 2017.
Data controllers who fail to comply with the obligation of enrolling in the Data Controller’s Registry shall be subject to an administrative fine of 20.000 TL to 1.000.000 TL.
This Article aims to provide a brief and general overview of the Turkish data protection law, but does not intended to serve as a legal advice. Before taking any action or relying on the information given, addressees of this Article should seek specific advice on the matters which concern them.