As our readers will recall from our article dated 11 April 2016, the Law on the Protection of Personal Data (“Data Protection Law”) was published in the Official Gazette on 7 April 2016 and stipulated a gradual entry into force, providing for a six-month period before the articles relating to (i) transfer of personal data, (ii) rights of the data subject, (iii) data controllers’ registry, (iv) administrative fines, and (v) criminal penalties become effective.
As of 7 October 2016, the Data Protection Law shall be fully effective. Although the supervisory data protection authority (“Data Protection Board”) is yet to be established, we strongly recommend that our clients take the necessary steps towards full compliance with the Data Protection Law, considering both the heavy administrative fines of up to TRY 1,000,000 and the criminal penalties that may lead to imprisonment.
We have summarized the relevant articles that will enter into force below. Please see our abovementioned article and our firm’s contribution to ICLG to Data Protection 2016 Turkey Chapter for detailed information in this regard.
Transfer of Personal Data
The Data Protection Law sets forth that personal data shall only be transferred abroad or to third parties in Turkey by obtaining the explicit consent of the data subject. The exception is that both non-sensitive and sensitive personal data can be transferred to third parties or abroad without the explicit consent of the data subject if one of the exceptional cases set forth under the processing of respective data is present. However, there are certain additional safeguards stipulated for transfers in these exceptional cases.
Rights of the Data Subject
Data controllers must respect the following rights of data subjects and reply to their applications within 30 days:
(1) Learn whether or not her/his personal data has been processed;
(2) Request information as to the processing of her/his personal data;
(3) Learn the purpose of the processing of the personal data and whether they are used in accordance with/relevant to its purpose;
(4) Know the third parties to whom personal data has been transferred within Turkey or abroad;
(5) Request rectification in case personal data is processed incompletely or inaccurately;
(6) Request deletion or destruction of personal data within the framework of the conditions set forth under the Data Protection Law;
(7) Request notification of the operations made as per items (5) and (6) above to third parties to whom personal data has been transferred;
(8) Object to the occurrence of any result that is to the detriment of the person by means of analysis of personal data exclusively through automatic systems;
(9) Request compensation for damages in case the person incurs damages due to unlawful processing of personal data.
In case the controller does not reply to the requests in due time, the data subject will have the right to file a complaint with the Data Protection Board.
Data Controllers’ Registry
The Data Protection Law sets forth a general obligation for data controllers to register with the publicly available data controllers’ registry prior to commencing processing. However, on the condition it is in accordance with and proportionate to the purpose and general principles of the Data Protection Law, this obligation does not apply in certain cases listed in Article 28 (2). Moreover, the Data Protection Board is also authorised to set forth exemptions to this obligation as per the objective criteria it may so determine.
The Data Protection Law imposes serious obligations on data controllers, some of which are, in summary, the following:
- To inform data subjects with regard to the data controller’s identity, purpose, method, and legal ground of the processing, transfer of data to third parties, and the rights of the data subject (this might mean mandatory privacy policies for internet services), non-compliance of which results in an administrative fine of approx. €1,500 to €30,000;
- To ensure the security of the collected data, and to notify the Data Protection Board and the data subject of data breaches, non-compliance of which results in an administrative fine of approx. €5,000 to €310,000;
- To register with a publicly available data controllers’ registry, non-compliance of which results in an administrative fine of €6,000 to €310,000;
- To comply with the decisions of the Data Protection Board, non-compliance of which results in an administrative fine of €8,000 to €310,000.
Articles of Turkish Criminal Code pertaining to (i) unlawful recording, acquisition or dissemination of personal data, (ii) failing to delete or anonymize outdated personal data, (iii) unlawful surveillance of the transmission of data between information systems, and (iv) unlawful deletion or altering of data are currently in force. However, the relevant article of the Data Protection Law which refers the crimes in connection with personal data to the Turkish Criminal Code shall enter into force on 7 October 2016.