Turkey’s Data Protection Law: Long-Awaited Legislation Finally Takes Effect

Turkey enacted Law No. 6698 on “Protection of Personal Data” (Kişisel Verilerin Korunması Kanunu) (The “Law”), on April 7, 2016. This long-awaited law, largely based on EU Directive 95/46/EC, was enacted following the ratification of the European Council’s Convention for the protection of individuals with regard to the processing of personal data and on the free movement of such data and its related protocol.

As part of its accession process to the European Union, Turkey must align its legislation with the acquis communautaire. Enactment of specific legislation relating to the protection of personal data is one important step in the alignment process. Additionally, increasing cooperation between European and Turkish security agencies, in particular on counter-terrorism measures, requires sharing of personal data and information. The lack of specific legislation in Turkey and doubts as to whether Turkey maintained an adequate level of protection in this regard have led to the information exchange process necessarily being limited.

Different pieces of domestic legislation, including the Constitution, purport to protect personal data. However, it is generally agreed that specific legislation is necessary to determine the scope of protection and enforcement methods.

Although passed in April 7, 2016, the Law provided a phasing-in timeline for the accomplishment of certain tasks envisaged therein.

Data Protection Before the Law

The right to privacy is a right guaranteed in the Turkish Constitution. It is also protected under different pieces of legislation including the Civil Code, the Turkish Code of Obligations, the Criminal Code, the Labor Law, the Banking Law, the Law on the Regulation of Electronic Commerce and other regulation relating to electronic communication.

The Turkish Constitution sets forth the following general principles on data protection: The right to request protection of personal data includes the right to being informed of, having access to, and requesting the correction and/or deletion of a person’s personal data, as well as the right to be informed whether the use of such data is relevant and legitimate. Personal data may be collected and processed only if required by law or with the relevant individual’s express consent. The protection provided by the Constitution is extended to both individuals and legal entities.

Under the Criminal Code, breach of the secrecy of private life, unlawful registration, acquisition or transfer of personal data and failure to properly destroy personal data while under an obligation to do so are criminal acts. Aggravating factors of the crime include acquisition or transfer of data by a public official through abuse of office or, in general, by taking advantage of someone’s profession. Breach of certain obligations under the Law is a criminal act and is punishable with imprisonment pursuant to the Criminal Code.

What Does the Law Bring?

The Law defines three parties involved in the processing of data: 1) data processors, 2) data controllers, and 3) data subjects. The Law aims to regulate the processing of personal data and sets forth the rights and obligations of the individuals (data subjects) to whom the data relate and lists fundamental principles applicable for the protection of personal data. These include compliance with general laws and principles of good faith, keeping data accurate and updating when necessary and processing data only for identifiable, clear and legitimate purposes. Data must be processed in a manner that is related to and proportionate with the purpose and kept only for the time required to realize the purpose of processing.

The Law also envisages establishment of the Data Protection Authority (“DPA”), a financially and administratively independent supervisory authority  empowered to draft secondary legislation and monitor compliance. The DPA will be headed by the Data Protection Board, a decision-making executive body composed of nine members, five to be appointed by the Parliament, two by the President and two by the Council of Ministers. The Law sets forth a six-month timeline for the establishment of these bodies and one year for the promulgation of secondary legislation. Members of the Data Protection Board took oath before the Court of Appeals on January 12, 2017, and officially took office. In addition, secondary legislation in the form of the Regulation on the Processing and Protection of Privacy of the Personal Health Data was published in October 2016, which regulates the processing, protection, transfer and removal of health data and envisages establishment of the Personal Health Data Commission under the Undersecretary of the Ministry of Health. Additional regulations and piece of legislation is expected to be published in the upcoming months.

The Law also requires the Data Protection Authority to maintain and make publicly available information on data controllers through a Data Controllers’ Registry.

What is the Scope of Protection?

Personal Data

The Law aims to protect the personal data of individuals. “Personal data” is defined as any information relating to an identified or identifiable person. The Law does not provide specific examples of personal data; however this may include name, address, date of birth, e-mail address and employment-related information.

The Law defines more broadly than the EU Directive certain types of “special personal data,”  to include information on the appearance and clothing of the person, criminal records, biometric and genetic data.

Processing

“Processing” is broadly defined to incorporate any operation involving personal data; including collection, recording, storage, alteration, rearranging, use, disclosure by transmission, dissemination or otherwise making available, blocking, erasing and the partial or complete destruction of personal data.

In line with European Union legislation, the Law distinguishes between “data controllers” and “data processors” and sets out their respective responsibilities. A data controller (veri sorumlusu) determines the objectives of, and means for, processing data. A data controller is responsible for the establishment and management of the data recording system. A data processor (veri işleyen) processes personal data based on authority given by the data controller. Data controllers and data processors may be individuals or legal entities.

There may be a variety of reasons to process personal data; however whatever the purpose, processing must comply with the general principles set forth by the Law. Accordingly, personal data must be processed lawfully, fairly and accurately and, where necessary, kept up to date. Data collected must be for a specific, explicit and legitimate purpose, be relevant and not disproportionate to the purpose for which it is being processed and must not be held for longer than is required for such purpose.

Processing may only be made with the express consent of the data subject. The Law provides for certain exceptions depending on whether the information collected can be classified as special personal data. Regular, non-special, personal data may be processed without the owner’s consent if:

• Processing of such data is explicitly required by law;
• Processing is required to protect the life of the owner or a third party if the owner of the data is physically or legally incapable of providing consent;
• Processing is directly related to the execution or performance of a contract in which case only the personal data of the parties may be processed;
• Processing is required for the data controller to fulfill its own legal obligations;
• Such personal data was previously made public by the owner;
• Processing is necessary to establish, use or protect a right;
• To the extent that processing does not harm the rights of the data owner, processing is required for the legitimate benefit of the data controller.

Special personal data, except for data related to health conditions or sexual life of the owner, may be processed without the express consent of the owner if such processing is required by law. Data related to health conditions and sexual life may be processed without the express consent under certain circumstances stipulated in the Law (e.g. processing is required for protecting public health, for medical diagnosis, etc.) but may only be processed by persons under a statutory confidentiality obligation.

Transfer of Data

Transfer of data is subject to the same rules and exceptions as the processing: In general, no transfer may be made without the express consent of the subject but under certain circumstances data may be transferred without consent. The same set of exceptions to the consent requirement applies to transfer of data.

Transfer of personal data without consent is subject to further restrictions if the data is transferred outside of Turkey. Transfer of data to foreign countries is particularly important for companies with headquarters or offices outside of Turkey and for companies that keep personal data off-site as part of their general data management scheme or disaster recovery plans.

To transfer data outside of Turkey, either the data subject’s consent must be obtained directly or one of the following two conditions must be met: (i) the country to where the data is transferred must also offer an adequate level of protection or
(ii) the data controller in Turkey must conclude an agreement with the data importer to impose an adequate level of protection for the personal data. This agreement must be submitted to and approved by the Board. In relation to condition (i) above, the Board will issue a list of countries deemed to have an adequate level of protection.

Deleting personal data, data anonymization

Duly processed data must be deleted or anonymized if and when the processing is no longer needed. Anonymization is the process of taking out all personally identifiable data so that the data cannot be associated with any specific or identifiable person. Data is deleted or anonymized by the data controller ex officio or upon request by the data subject. The Law does not provide the details of  the request process.

Obligations of Data Controllers

A data controller or its representative has disclosure obligations against the data subjects which include the identity of the data controller or its representative, reasons for processing, to whom the data may be disclosed (recipient) and for what purpose.

Data controllers must take any required administrative and technical precaution to maintain the necessary level of data security. If data is processed by another individual or legal entity on behalf of the data controller, the data controller is jointly responsible with the processor individual or legal entity for taking such precautions.

Data controllers and processors may neither disclose personal data if not required by law nor use such data for a purpose other than the defined collection purpose.

Data controllers must carry out necessary monitoring and audits to ensure compliance.

Data Subject’s Rights

The data subject has the right to know if their personal data has been processed and, if so, to request any information related to the processing, usage or storage of the personal data, or persons or entities (in Turkey or abroad) to whom the personal data has been disclosed. The data subject may demand correction of their data or, if there is no longer a need to process such data, its deletion. The data subject may ask for damages due to the illegal or irregular processing of personal data. Data subject information requests from a data controller must be processed within 30 days of the request. If the data controller fails to respond, rejects the application or provides an unsatisfactory response, the data subject may submit a complaint to the Board.

Data Controllers’ Registry

The Data Controllers’ Registry is to be a publicly available database to be kept by the Board. Unless exempt from the requirement, data controllers must be recorded with the Registry prior to processing any personal data. Application for registration must include, among other things, the identity and contact information of the data controller or its representative, the purpose of processing, the reason for transfer of data abroad, precautions taken to protect personal data and the maximum period for processing.

Breach of Obligations Under the Law

Administrative fines of up to 1,000,000 Turkish Lira (approximately US$280,000) and/or imprisonment for one to four years may be imposed for breaches of the Law.

Depending on the controller and type of personal data processed, e.g., breach of secret banking information by banks, other sanctions may be applicable.

Exceptions to the Scope of Law

The Law stipulates that it excludes the processing of data under certain circumstances, including processing by an individual for purely personal activities, the processing of data for the purposes of research and statistics after anonymizing it and the processing of data in relation to legal investigations, prosecution, adjudication or execution of a sentence or for intelligence gathering purposes.

What should companies do?

The Law has been the subject of criticism for two main reasons. First is the fact that it is not fully based on the EU Directive and provides wider protection exceptions compared to the EU Directive. The second is the fact that although the Board is supposed to be independent it is attached to the Prime Ministry raises doubts about the intended nature of the Data Protection Authority.  As of the date of publication of this article, secondary legislation has not been set to clarify which technical and administrative measures must be in place in data processing companies.

In today’s world, companies record the personal data of a variety of different data subjects for a variety of different reasons. Data processed includes that of business partners, shareholders, employees, job applicants, clients, customers and vendors. Companies must evaluate the mechanisms employed to gather such data, the methods used for protection of such data and understand where the data is transferred within and outside of the company. It is advisable for companies to develop an internal data protection policy. Such a policy should designate personnel responsible for compliance with the policy, as well as applicable national and international laws. Companies must comply with the obligation to inform the data subjects of their rights and the purposes of data processing and obtain their consent to process their personal data.  Companies should put in place cross-functional control measures, such as limiting access to data by employees, using encrypted flash drives to transfer data, etc. Self-assessment checklists providing the basic principles of data processing also help data controllers and data processors with compliance. An external data collection and processing statement capturing both the internal policies and compliance measures should be provided to customers or business partners upon request.

The Law provides for a multiphase compliance process. The most critical provisions and obligations will arise when the Registry is established. Data controllers have a two-year transition period to ensure compliance in regard to data obtained prior to enactment of the Law.

Timeline for compliance

The Law provides for a multiphase compliance process.  Please see below for further details.