lighted bridge over water at night time

Sensitive data under Turkish data protection law

March 02, 2020

What is sensitive data?

Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, clothing and appearance, membership in associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, biometric and genetic data are defined as sensitive data in Turkish data protection legislation.

Processing of sensitive data

As with regular (non-sensitive) personal data, sensitive data may be processed upon explicit consent of the data subject. It may also be processed without an explicit consent under the following conditions:

  • Sensitive data, excluding those relating to health and sexual life, may only be processed if provided for under applicable legislation. For example, labor legislation requires information on union membership to be included in employee files.
  • Sensitive data relating to health and sexual life may only be processed by persons under a duty of confidentiality or by authorized institutions and organizations for the purposes of protection of public health, protective medicine, medical diagnosis, treatment and nursing services, planning and management and financing of health-care services.

Transfer of sensitive data

Sensitive data may be transferred outside of Turkey upon receipt of explicit consent from the data subject. In the absence of an explicit consent, if one of the exceptions (see above) to the consent requirement exists and

(i). if the country to which the data will be transferred is one of the “white list” countries, deemed to have an adequate protection and approved by the Turkish Data Protection Authority (the “DPA”)


(ii). if the data controller in Turkey and the data controller/processor in the recipient country guarantee in writing an adequate level of protection and such undertaking is approved by the DPA, then sensitive data may be transferred abroad without explicit consent.

The DPA has still not released the list of “white list” countries. Therefore, in the absence of explicit consent, in order to transfer sensitive data outside of Turkey not only must one of the exceptions to the consent requirement must exist but there must also be an approved undertaking between the data controller in Turkey and data controller/processor in the recipient country.

Required measures

The DPA published a set of measures to be taken by data controllers who process sensitive data. This is not an exhaustive list and data controllers must proactively take any other measures, technical or administrative, as may be required by their operations.

Some of the measures to protect sensitive data listed by the DPA are as follows:

  • Separate compliance policy including rules and procedures to protect sensitive data.
  • Measures for employees who work in data processing operations, including regular trainings, confidentiality agreements, having periodical access authority controls.
  • Data processed through electronic means attracts specific measures, including using cryptographic methods, regular security updates, security tests, two-tiered authorization for remote access.
  • Depending on the environment and means of transfer, if data is transferred additional security measures must be taken, for example, using an encrypted corporate address if data is transferred by email, encrypting and storing separately memory sticks, CDs or DVDs if these are used to transfer data.