The Data Protection Law provides the guidelines, in line with the constitutional principles protecting privacy and confidentiality of personal life, applicable to the processing of personal data. The Data Protection Law, modelled after European Union practices, is applicable to any entity that processes, for any reason, any kind of personal data of real persons. 

For the purposes of the Data Protection Law, “processing of personal data” means obtaining, recording, storing, retaining, changing, re-arranging, disclosing, conveying, acquiring, making available or categorizing personal data as well as blocking its usage. Personal data must be processed for specific, clear and legitimate purposes. Processed personal data must be accurate and must be updated when necessary. Furthermore, such data must be relevant to and limited/proportionate to the purpose for which it is being processed. Personal data must be maintained only for the time required by the relevant legislation or for the purpose for which it is processed. 

Subject to certain exceptions, the personal data of real persons may not be processed without the data subject’s explicit consent. Where such legitimate purpose ceases to exist and the processing of the data is no longer required, data controllers must either ex officio or upon request erase, destroy or anonymize the stored data. Data controllers must also ensure compliance with such requirements by any data processors to which the data was transmitted.

The Data Protection Board (KVKK), the ultimate authority responsible for enforcing the Data Protection Law and resolving complaints against data controllers arising out of alleged breaches of the Data Protection Law, has clarified that an explicit consent request must be sufficiently informative in nature. It may not, for example, be obscured in a lengthy text on the data processor’s confidentiality notice. Furthermore, the Data Protection Board has clarified in its decisions that “opt-out” modes of obtaining consent, whereby the data subject is automatically and by default presumed to have consented to data processing, violate the Data Protection Law and that an “opt-in” mode of obtaining consent must be adopted.

There are certain limited exceptions to the consent requirement, for example if:

  • Processing of such data is explicitly required by law;
  • Processing is required to protect the life of the owner or a third party, for example, if the owner of the data is physically or legally incapable of providing consent;
  • Processing is directly related to the execution or performance of a contract, in which case only the personal data of the parties may be processed;
  • Processing is required for the data controller to fulfill its own legal obligations;
  • Such personal data was previously made public by the owner;
  • Processing is necessary to establish, use or protect a right;
  • To the extent that processing does not harm the fundamental rights and liberties of the data owner, processing is required for the legitimate benefit of the data controller.

The Data Protection Law classifies certain data as “sensitive.” These are data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect and other beliefs, attire, membership in associations, foundations or trade unions, health-related information, criminal record and biometric and genetic features. These types of data must be processed based on the data subject’s explicit consent or if allowed by law. 

Within the category of sensitive data, the Data Protection Law provides further protections for special data relating to health and sexual activity. This data may only be processed if the data subject provides explicit consent or for a limited set of purposes, including safeguarding public health and carrying out healthcare activities and only by those who are under a statutory duty of confidentiality or by authorized agencies.

The transfer of data is subject to the same rules and exceptions as the processing of data; however, further restrictions apply if data will be transferred abroad. To transfer data outside of Türkiye, either the data subject’s explicit consent must be obtained or one of the exceptions to the consent requirement must exist and in addition to the existence of such exceptions, (i) the country to where the data will be transferred must offer an adequate level of protection, or (ii) the transferring data controller in Türkiye must conclude an agreement with the data importer to impose an adequate level of protection for the personal data. This agreement must contain the minimum required content announced by the Data Protection Board and must be submitted to, and approved by, the Data Protection Board. In relation to condition (i) above, the Data Protection Board is expected to announce the whitelisted countries approved as having an adequate level of protection.

Under the applicable rules, the data controller must provide, among others, the following information to data subjects whose personal data is processed:

  • The identity of the data controller and its representative, if any;
  • The purpose of processing;
  • To whom and for what purpose the data will be transferred; and
  • The method of collection of personal data and the legal reason for collection and rights of the data subject.

In the case of an unlawful access to personal data (that is, data breach), data controllers must notify the Data Protection Board within 72 hours of the incident, using the breach notification form published by the Data Protection Board. Affected data subjects must be notified as soon as reasonably possible. 

Data subjects have the right to know if their personal data has been processed and, if so, to request any information related to the processing, usage or storage of the personal data, or persons or entities (in Türkiye or abroad) to whom the personal data has been disclosed. The data subject may demand correction of their data or, if there is no longer a need to process such data, its deletion. The data subject may ask for damages due to the illegal or irregular processing of personal data. Data subject information requests from a data controller must be processed within 30 days of the request. As discussed in more detail below, if the data controller fails to respond, rejects the application or provides an unsatisfactory response, the data subject may submit a complaint to the Data Protection Board.

Because data processing is a regulated activity, certain data processors are required to register with the Data Controllers Registry Information System (VERBİS), a publicly available database kept by the Data Protection Board. Unless exempt from the requirement, all data controllers (individuals, as well as domestic or foreign legal entities) that process personal data pursuant to the Data Protection Law must be recorded with VERBİS prior to processing any personal data. It is important to note that there are certain exceptions to the registration requirements for real person data controllers (for example, lawyers, accountants) and certain legal entities such as associations or foundations.

Turkish legal entities, unless exempt, must register with VERBİS if they employ 50 employees on an annual basis or if their total assets or liabilities stated in the annual balance sheet exceed Turkish Lira 100m. Legal entities that do not fulfill the above requirements but whose main business is processing sensitive personal data must also register with VERBİS. This is a one-time registration to be updated as necessary.

When assessing the registration obligation of foreign data controllers, the Data Protection Board has not taken into consideration any criteria such as the number of employees, annual financial statements or the scope of activities. The Data Protection Board has stated that it is required and sufficient that a foreign data controller processes personal data of data subjects resident/located in Türkiye and there seems to exist no de minimis threshold for registration. 

If a data controller becomes subject to the registration requirement (if it fulfils the criteria), then it must register with VERBİS within 30 days upon fulfilment of the criteria. 

Exemption from the registration requirement does not relieve data controllers of other duties and obligations under the Data Protection Law. Regardless of whether they are obliged to be registered with VERBİS, data controllers should prepare an inventory of all personal data processed in Türkiye. The inventory should include information on (i) categories of personal data collected, (ii) purpose of processing, (iii) maximum retention period, (iv) information on whether the personal data is being transferred abroad and to where and (iv) security measures taken by the data controller to safe guard the data.

As the ultimate enforcer of the Data Protection Law, the Data Protection Board may investigate allegations of non-compliance either through a complaint lodged by a data subject before it or ex officio. To lodge a complaint before the Data Protection Board, a data subject alleging a violation must first petition the data controller requesting information or seeking a remedy to the alleged violation. The data controller must adequately respond to the data subject’s request within 30 days. Upon receipt of the response, the data subject has the right to lodge a complaint before the Data Protection Board within 30 days. Data subjects must therefore contact their data controllers before petitioning the Data Protection Board. 

The Data Protection Board has a diverse array of powers in its arsenal to ensure compliance with the Data Protection Law. These range from issuing administrative fines to non-compliant data controllers (except for public institutions) to making requests that data controllers revise their relevant texts and notifications relating to data processing. If the Data Protection Board considers that the facts of the case trigger criminal responsibility, it will also inform relevant government bodies (for example, prosecutors and other investigative authorities as the case may be). Below is a table summarizing the most commonly issued administrative fines by the Data Protection Board with the corresponding offenses applicable for the year 2023.

 
Offense Administrative fine
Failure to comply with information obligations Up to ₺597,191
Failure to take measures to safeguard data Up to ₺5,971,989             
Failure to comply with the Data Protection Board's decisions Up to ₺5,971,989
Failure to register with VERBİS

Up to ₺5,971,989

 

Despite these extensive powers, the Data Protection Board has ruled on numerous occasions that it is not in a position to, nor authorized to, award damages to data subjects. It therefore refers the aggrieved party to general courts for damage claims. 

Since non-compliance with the Data Protection Law may simultaneously violate rights of personhood protected by the Civil Code, data subjects who allege a violation of such rights may pursue damages or other restitution requests provided in the Civil Code through general courts, independent of any complaint they may or may not have lodged before the Data Protection Board.

Also, as per the Criminal Code, any person

  1. Who illegally records personal data will be sentenced to imprisonment for a period of one to three years (this penalty shall be increased by half in case sensitive data will be the subject of the recording); 
  2. Who illegally delivers, circulates or transfers personal data to any third person or illegally obtains personal data will be sentenced to imprisonment for a period of two to four years;
  3. Who fails to destroy data from the system (who is authorized to do so), even though the retention period set forth in the relevant law has expired, will be sentenced to imprisonment for a period of one to two years.

Right to be forgotten

The Data Protection Board has ruled that the right to be forgotten is a general concept which may, based on the case at hand, be exercised by requesting the use of various tools such as “erasure,” “destruction,” “anonymization” or “exclusion from the index.” Because the Data Protection Board has ruled that search engines qualify as data controllers and that indexing activities conducted by search engines to sort and show search results qualify as data processing activities under the Data Protection Law, requests for exclusion from the index should be based on the right to be forgotten. 
 
Individuals seeking exclusion from the index should first file a request with the search engine as data controller. Should the search engine fail to respond, reject the application or respond insufficiently, the data subject may then file a complaint with the Data Protection Board. 
 
For the purpose of clarifying issues relating to exercising the right to be forgotten, the Personal Data Protection Authority in 2021 introduced guidelines on the right to be forgotten as applied to search engines. The guidelines seek to promote a balance between public interest in obtaining information and a data subject’s fundamental rights and freedoms. The Data Protection Board has deemed that certain criteria should be taken into consideration when evaluating an exclusion request. These criteria include, but are not limited to, whether the information (i) relates to a public figure or a minor, (ii) is inaccurate, insulting or degrading or relates to sensitive data, (iii) relates to the professional life of the individual, (iv) constitutes prejudice toward or puts the data subject at risk, (v) was published by the data subject themselves, (vi) includes content originally processed within journalistic activities, (vii) must be published out of legal obligation or (viii) relates to a penal offence.
 
lighted bridge over water at night time

Inside Türkiye

Read our blog


Contact

Ayşe Yüksel Mahfoud
Ayşe Yüksel Mahfoud
Global Head of Corporate, M&A and Securities
Email
ayse.yuksel@nortonrosefulbright.com
T: +1 212 408 1047

Practice area:

Subscribe and stay up to date with the latest legal news, information and events . . .

Register now