ErsoyBilgehan has contributed to the Turkey chapter of International Comparative Legal Guides (“ICLG”) to Data Protection prepared by the Global Legal Group. The ICLG series provides current and practical comparative legal information on a range of practice areas and it follows a question and answer format which ensures thorough coverage of each topic within different legal systems worldwide.
The ICLG to Data Protection 2017 - Turkey Chapter provides practical insight for general counsel, government agencies, private practice lawyers, and corporations, keeping them abreast of law and policy developments in 2017.
1 Competent Authorities
1.1 What is the principal data protection legislation?
The principal data protection legislation is the Law on the Protection of Personal Data no. 6698 (the “Data Protection Law”), which was inspired by the European Union Data Protection Directive 95/46/EC (the “EU Directive”).
1.2 Is there any other general legislation that impacts data protection?
The general provisions that are applicable in terms of data protection are primarily the following:
- The Constitution of the Republic of Turkey: Right to privacy and data protection as per Article 20; and freedom of communication as per Article 22.
- Turkish Civil Code: Protection of personality against violations as per Article 24.
- Turkish Criminal Code: Unlawful recording, acquisition or dissemination of personal data as per Articles 135–138; unlawful surveillance of the transmission of data between information systems as per Article 243; and unlawful deletion or altering of data as per Article 244.
1.3 Is there any sector specific legislation that impacts data protection?
The sector-specific laws and regulations that are relevant in terms of data protection are primarily the following:
- the Law on the Regulation of Broadcasts via Internet and Combating Crimes Committed by Means of Such Publications;
- the Electronic Communication Law and its secondary legislation;
- the Law on the Regulation of Electronic Commerce (“E-Commerce Law”) and its secondary legislation;
- the Bank Cards and Credit Cards Law and its secondary legislation;
- the Regulation on Patient Rights;
- the Regulation on Processing and Privacy of Personal Health Data; and
- the Regulation on Distance Contracts.
1.4 What is the relevant data protection regulatory authority(ies)?
The Data Protection Law stipulates the establishment of a “Data Protection Authority” whose decision-making body shall be the “Data Protection Board”. Although the Data Protection Authority is not fully operational at the time of writing, all members of the Data Protection Board have been appointed and the Chairperson of the Data Protection Authority has been elected.
2 Definitions
2.1 Please provide the key definitions used in the relevant legislation:
• “Personal Data”
Personal data is defined as “any information relating to an identified or identifiable natural person”.
• “Sensitive Personal Data”
The Data Protection Law refers to this type of information as “special categories of personal data”, which is defined as “data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics”.
• “Processing”
Processing is defined as “any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorisation or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system”.
• “Data Controller”
Data controller is defined as “any natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the filing system”.
• “Data Processor”
Data processor is defined as “any natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller”.
• “Data Subject”
Data subject is defined as “any natural person whose personal data are processed”.
Other key definitions – please specify (e.g., “Pseudonymous Data”, “Direct Personal Data”, “Indirect Personal Data”)
• Anonymisation is defined as “rendering personal data by no means identified or identifiable with a natural person, even by linking with other data”.
• Explicit consent is defined as “freely given specific and informed consent”.
• Filing system is defined as “any recording system through which personal data are processed by structuring the same according to specific criteria”.
3 Key Principles
3.1 What are the key principles that apply to the processing of personal data?
• Transparency
The Data Protection Law provides for certain obligations to ensure transparency when data are processed. Accordingly, while collecting personal data, the data controller is obligated to inform the data subject of the following information:
- the identity of the data controller, or, if available, its representative;
- the purposes for which personal data will be processed;
- the persons to whom personal data might be transferred and the purposes for such transfer;
- the method and legal cause of collection of personal data; and
- the rights of the data subject.
The data controllers are also required to register with a publicly available Data Controllers Registry before they start processing personal data.
• Lawful basis for processing
The Data Protection Law adopts a rule and exception model, where it provides a general rule for processing and then sets forth exceptions thereto. Accordingly, the primary principle is that personal data shall only be processed with the explicit consent of the data subject. Nevertheless, personal data may also be processed without obtaining the explicit consent of the data subject if one of the following conditions exists:
- processing is expressly permitted by any law;
- processing is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
- it is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;
- processing is necessary for compliance with a legal obligation which the controller is subject to;
- the relevant information is revealed to the public by the data subject herself/himself;
- processing is necessary for the institution, usage, or protection of a right; and
- processing is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
In terms of sensitive personal data, although the explicit consent rule is applicable, exceptions are rather limited in this case:
- sensitive data, except for data concerning health and sexual life, can be processed if it is permitted by any law; and
- data concerning health or sexual life can only be processed for the purposes of protection of public health, and planning or sustaining health-care services by an authorised body or persons who are under the obligation of confidentiality.
Additionally, data controllers are required to take adequate measures designated by the Data Protection Board when processing sensitive personal data.
Finally, the Data Protection Law stipulates general principles (“General Principles”) to be complied with when data are processed. These principles require that personal data should be:
- in conformity with the law and good faith;
- accurate and, if necessary, up to date;
- processed for specified, explicit, and legitimate purposes;
- relevant, limited, and proportionate to the purposes for which data are processed; and
- stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.
• Purpose limitation
The General Principles indicated above cover purpose limitation as well.
• Data minimisation
The General Principles indicated above cover data minimisation as well.
• Proportionality
The General Principles indicated above cover proportionality as well.
• Retention
As per the General Principles, personal data must be stored only for the time designated by relevant legislation or necessitated by the purpose for which they are collected. Further, the Data Protection Law requires that personal data shall be deleted ex officio or upon data subject’s request in case the reasons necessitating their processing ceases to exist.
• Other key principles – please specify
• Data accuracy: As per the General Principles, personal data must be accurate and if necessary, up to date.
4 Individual Rights
4.1 What are the key rights that individuals have in relation to the processing of their personal data?
• Access to data
Data subjects have the right to: (i) learn whether or not their personal data have been processed; (ii) request further information as to the processing; (iii) learn the purpose of processing and whether data are processed in accordance with these purposes; and (iv) learn the third parties in Turkey or abroad to whom personal data have been transferred.
• Correction and deletion
The Data Protection Law entitles data subjects to: (i) request rectification of their personal data in case such data are incomplete or inaccurate; and (ii) request deletion of their personal data in case the reasons necessitating the processing cease to exist.
• Objection to processing
A right to object in the meaning of the EU Directive is not explicitly included in the Data Protection Law.
• Objection to marketing
A specific right to object to marketing is not regulated in the data protection legislation of Turkey. However, the E-Commerce Law (please refer to our answer to question 8.1), as well as the general provisions of the Data Protection Law, provide for a similar, if not the same, right.
• Complaint to relevant data protection authority(ies)
The data subject is first required to apply to the data controller and indicate her/his request. Afterwards, the data controller must reply to the request as soon as possible, considering the nature of the request, and within 30 days at the latest.
In the event that the data subject’s application is rejected, replied insufficiently, or not replied in due time, he/she is entitled to file a complaint with the Data Protection Board and request enforcement of her/his rights.
• Other key rights – please specify
• Notification to third parties: Data subjects have the right to request notification of the operations made within the scope of their correction or deletion request to the persons to whom data subjects’ personal data have been transferred.
• Automated decision-making: Data subjects have the right to object to the occurrence of any result that is to their detriment by means of analysis of personal data exclusively through automated systems.
• Right to compensation: Data subjects have the right to request compensation for the damages they incurred due to unlawful processing of their personal data.
5 Registration Formalities and Prior Approval
5.1 In what circumstances is registration or notification required to the relevant data protection regulatory authority(ies)? (E.g., general notification requirement, notification required for specific processing activities.)
The Data Protection Law sets forth a general obligation for data controllers to register with the publicly available Data Controllers Registry (“Registry”) prior to commencing processing. However, on the condition of being in accordance with and proportionate to the purpose and general principles of the Data Protection Law, this obligation does not apply in certain cases listed in Article 28 (2). Moreover, the Data Protection Board is also authorised to set forth exemptions to this obligation as per the objective criteria it may so determine.
5.2 On what basis are registrations/notifications made? (E.g., per legal entity, per processing purpose, per data category, per system or database.)
The Data Protection Law does not indicate the basis on which registration to the Registry shall be made and refers to the secondary legislation to be issued later by the Data Protection Authority.
5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation.)
Save for the exceptions provided by the Data Protection Law, all natural or legal persons who process personal data wholly or partly by automatic means, or otherwise than by automatic means which form part of a filing system, are obligated to register with the Registry.
5.4 What information must be included in the registration/notification? (E.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes.)
The application to the Registry shall be made with a notification including the following:
- identity and address information of the data controller and the representative thereof, if any;
- purposes for which personal data will be processed;
- a description of the categories of data subjects and the data categories;
- recipients or categories of recipients to whom personal data may be transferred;
- personal data which is to be transferred abroad;
- measures taken for the security of personal data; and
- a maximum period of time necessitated by the purposes for which personal data are processed.
5.5 What are the sanctions for failure to register/notify where required?
Failure to comply with the registration obligations is subject to an administrative fine ranging from approximately €5,000 to €250,000.
5.6 What is the fee per registration (if applicable)?
As the Registry is yet to be established, the registration fees, if any, are currently unknown.
5.7 How frequently must registrations/notifications be renewed (if applicable)?
The Data Protection Law does not indicate if and when registrations must be renewed; however, the Data Protection Board must be notified of any changes affecting the information provided in the registration notification.
5.8 For what types of processing activities is prior approval required from the data protection regulator?
The Data Protection Law does not explicitly refer to a prior approval requirement for any processing activity. However, as explained above in detail, data controllers’ obligation to register with the Registry before they start processing covers all types of processing activities.
Additionally, although not clear, prior approval may be required for the transfer of personal data abroad. In this regard, please see our answer to question 8.1.
5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe.
Please refer to our answer above in question 5.8.
6 Appointment of a Data Protection Officer
6.1 Is the appointment of a Data Protection Officer mandatory or optional?
The appointment of a Data Protection Officer is optional as there are no provisions relating to this in the Turkish legislation.
6.2 What are the sanctions for failing to appoint a mandatory Data Protection Officer where required?
This is not applicable.
6.3 What are the advantages of voluntarily appointing a Data Protection Officer (if applicable)?
This is not applicable.
6.4 Please describe any specific qualifications for the Data Protection Officer required by law.
This is not applicable.
6.5 What are the responsibilities of the Data Protection Officer, as required by law or typical in practice?
This is not applicable.
6.6 Must the appointment of a Data Protection Officer be registered/notified to the relevant data protection authority(ies)?
This is not applicable.
7 Marketing and Cookies
7.1 Please describe any legislative restrictions on the sending of marketing communications by post, telephone, e-mail, or SMS text message. (E.g., requirement to obtain prior opt-in consent or to provide a simple and free means of opt-out.)
Marketing communications are not directly regulated by the data protection legislation in Turkey but are instead subject to the E-Commerce Law and its secondary legislation. Accordingly, commercial electronic messages including telephone calls, SMS and fax messages, and emails shall be sent to persons other than merchants and artisans upon prior opt-in consent. Further, an easy and free means of opting-out of receiving marketing communications shall be provided in the commercial electronic message and the recipient shall be able to use such right at any time without indicating any reason.
Marketing communications sent through physical means are not regulated by the E-Commerce Law. In this regard, general provisions of Turkish law as well as the Data Protection Law shall apply.
7.2 Is the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions?
The governmental agency responsible for the enforcement of the E-Commerce Law is the Ministry of Customs and Trade (“Ministry”). According to data obtained from the Ministry by a news reporter, the sum of the administrative fines issued in the first one-and-a-half years of the E-Commerce Law, since its entry into force on 1 May 2015, amounts to approximately €500,000.
7.3 Are companies required to screen against any “do not contact” list or registry?
Turkey does not have a “do not contact” registry, and the Data Protection Law does not require companies to screen against any such list or registry.
7.4 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?
As per the E-commerce Law, sending unsolicited marketing communications is subject to an administrative fine ranging from approximately €250 to €1,250, which can be multiplied by up to 10 at the discretion of the Ministry if the commercial electronic message is sent to multiple recipients at once. Further, failure to provide an easy and free means of opting-out and/or to cease sending commercial electronic messages, within three business days as of the date the opt-out demand was received, are subject to an administrative fine ranging from approximately €500 to €3,700.
7.5 What types of cookies require explicit opt-in consent, as mandated by law or binding guidance issued by the relevant data protection authority(ies)?
Cookies are not explicitly regulated in the Data Protection Law; however, depending on the characteristics of the respective cookie, explicit opt-in consent may be required as per the general rules governing the processing of personal data. The Data Protection Board has not issued any guidance on this matter yet.
7.6 For what types of cookies is implied consent acceptable, under relevant national legislation or binding guidance issued by the relevant data protection authority(ies)?
Please refer to our answer above in question 7.5.
7.7 To date, has the relevant data protection authority(ies) taken any enforcement action in relation to cookies?
The Data Protection Authority has not yet taken any enforcement action in relation to cookies at the time of writing.
7.8 What are the maximum penalties for breaches of applicable cookie restrictions?
Please refer to our answer above in question 7.5.
8 Restrictions on International Data Transfers
8.1 Please describe any restrictions on the transfer of personal data abroad.
The primary rule is that the explicit consent of the data subject must be obtained for the transfer of personal data abroad. In this case, an adequate level of protection in the destination country will not be required.
Personal data can also be transferred abroad without obtaining the explicit consent of the data subject if one of the exceptional cases set forth under its processing is present (please refer to “lawful basis for processing” under question 3.1). However, in this case, it is additionally required that:
- the destination country must have an adequate level of protection (such countries will be declared by the Data Protection Board); or
- both sides of the transfer must commit, in writing, to provide an adequate level of protection, and the approval of the Data Protection Board must be obtained.
Furthermore, the Data Protection Law sets forth that, save for the provisions of international agreements, “in cases where the interests of Turkey or the data subject will be seriously harmed”, personal data may only be transferred abroad upon approval of the Data Protection Board. The preamble of this provision does not offer much explanation, and at this point, it is uncertain as to how it will be enforced.
8.2 Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions.
As the Data Protection Board has not issued the list of the countries that are deemed to be providing an adequate level of protection, explicit consent of the data subject is usually the ground on which personal data are transferred abroad.
8.3 Do transfers of personal data abroad require registration/notification or prior approval from the relevant data protection authority(ies)? Describe which mechanisms require approval or notification, what those steps involve, and how long they take.
For prior approval requirements, please refer to our answer above in question 8.1. It is also worth noting here that data controllers who transfer personal data abroad must be registered with the Registry; however, this does not require a separate registration from the one explained in detail in question 5.1.
9 Whistle-blower Hotlines
9.1 What is the permitted scope of corporate whistle-blower hotlines under applicable law or binding guidance issued by the relevant data protection authority(ies)? (E.g., restrictions on the scope of issues that may be reported, the persons who may submit a report, the persons whom a report may concern.)
The Data Protection Law, as well as other Turkish laws, do not explicitly deal with whistle-blower hotlines and there is no guidance from the Data Protection Board on this matter. Nevertheless, it is plausible that employers who establish such hotlines will be deemed data controllers and therefore will be subject to the obligations thereof. As the provisions of the Data Protection Law are similar to those of the EU Directive, Opinion 1/2006 of the Article 29 Working Party may be considered relevant in this regard as well.
9.2 Is anonymous reporting strictly prohibited, or strongly discouraged, under applicable law or binding guidance issued by the relevant data protection authority(ies)? If so, how do companies typically address this issue?
Please refer to the answer above in question 9.1.
9.3 Do corporate whistle-blower hotlines require separate registration/notification or prior approval from the relevant data protection authority(ies)? Please explain the process, how long it typically takes, and any available exemptions.
Please refer to the answer above in question 9.1.
9.4 Do corporate whistle-blower hotlines require a separate privacy notice?
Please refer to the answer above in question 9.1.
9.5 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?
This is not applicable.
10 CCTV and Employee Monitoring
10.1 Does the use of CCTV require separate registration/notification or prior approval from the relevant data protection authority(ies)?
Turkish laws do not specifically address the use of CCTV; however, CCTV operators are likely to be deemed as data controllers under the Data Protection Law and be subject to the abovementioned registration obligations.
10.2 What types of employee monitoring are permitted (if any), and in what circumstances?
Although employee monitoring is not specifically regulated in Turkish legislation, according to the jurisprudence of the high courts and the doctrine, employers may monitor their employees’ use of company emails and internet during working hours, provided that such monitoring is based on legitimate reasons and proportionate thereto.
Continuous CCTV monitoring specific to an employee can be deemed to be in violation of the essence of the right to privacy and therefore not permitted. However, CCTV monitoring is permitted if there are legitimate reasons (e.g. security of the workplace), provided that the monitoring is proportionate to such reasons.
10.3 Is consent or notice required? Describe how employers typically obtain consent or provide notice.
In principle, employees should be informed of any monitoring in the workplace. This is typically done via a provision of the original employment agreement or a specific monitoring policy or similar.
10.4 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?
This is not applicable.
10.5 Does employee monitoring require separate registration/notification or prior approval from the relevant data protection authority(ies)?
Employers who monitor their employees are likely to be deemed data controllers as per the Data Protection Law and therefore may be subject to the registration obligations thereof. However, whether this will require separate registration will be clear when secondary legislation of the Data Protection Law is drafted.
11 Processing Data in the Cloud
11.1 Is it permitted to process personal data in the cloud? If so, what specific due diligence must be performed, under applicable law or binding guidance issued by the relevant data protection authority(ies)?
Processing data in the cloud is not forbidden, nor is it specifically regulated. In this regard, the Data Protection Law, particularly its provisions relating to the rights of the data subject, transfers abroad, and data security, shall apply in general.
11.2 What specific contractual obligations must be imposed on a processor providing cloud-based services, under applicable law or binding guidance issued by the relevant data protection authority(ies)?
The Data Protection Law does not explicitly stipulate any contractual obligations to be imposed on processors providing cloud-based services and the Data Protection Board has not published any guidance in this regard.
12 Big Data and Analytics
12.1 Is the utilisation of big data and analytics permitted? If so, what due diligence is required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?
Controllers may utilise big data and analytics, provided that the processing involved in the analysis of personal data is covered by a legal basis and the remaining provisions of the Data Protection Law are complied with.
Further, the Data Protection Law contains certain exceptions in this regard where its provisions shall not be applied. Accordingly, the processing of personal data for the purposes of research, planning, statistics and similar is outside the scope of the Data Protection Law, provided that the relevant data are anonymised. It is worth noting here that these exceptions do not provide a ground for lawfulness for such processing but merely exclude it from the scope of the Data Protection Law.
13 Data Security and Data Breach
13.1 What data security standards (e.g., encryption) are required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?
Data controllers and processors are jointly responsible for implementing technical and organisational measures for providing an appropriate level of security in order to protect personal data from unlawful access and processing. Although the Data Protection Law does not stipulate any security standards, there are certain requirements in this regard in sector-specific regulations (e.g. telecommunications).
13.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.
The Data Protection Law requires that the data controller must notify the data subject and the Data Protection Board of data breaches as soon as possible. The details of such notification are not clear as the Data Protection Board has not published any guidance on this matter and the secondary legislation is not drafted yet.
13.3 Is there a legal requirement to report data breaches to individuals? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.
Yes, data controllers must report data breaches to data subjects. Please refer to our answer above in question 13.2.
13.4 What are the maximum penalties for security breaches?
Failure to comply with the data security obligations is subject to an administrative fine ranging from approximately €3,700 to €250,000.
14 Enforcement and Sanctions
14.1 Describe the enforcement powers of the data protection authority(ies):
Investigatory Power Civil/administrative
The Data Protection Board has the power to investigate possible violations of the Data Protection Law, at its own initiative or upon complaints from data subjects.
Civil/administrative Sanction
- Administrative fines up to €25,000 for non-compliance with the obligation to inform.
- Administrative fines up to €250,000 for non-compliance with (i) the decisions of the Data Protection Board, (ii) obligations relating to the Registry, or (iii) obligations relating to data security.
- In certain cases, the Data Protection Board may also take interim measures to cease the processing (including transfers abroad).
Criminal Sanction
The Data Protection Board may refer the case to the public prosecutor or a data subject may raise a criminal complaint and a judge may impose a criminal sanction, which may lead to imprisonment.
14.2 Describe the data protection authority’s approach to exercising those powers, with examples of recent cases.
There is no precedent in this regard, as the Data Protection Authority has not yet exercised its enforcement powers at the time of writing.
15 E-discovery / Disclosure to Foreign Law Enforcement Agencies
15.1 How do companies within your jurisdiction respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?
Foreign e-discovery requests are handled within the framework of mutual legal assistance treaties. On the other hand, voluntary sharing of personal data shall be subject to the provisions of the Data Protection Law; please refer to our answers in sections 3 and 8.
15.2 What guidance has the data protection authority(ies) issued?
The Data Protection Board has not issued any guidance on this matter yet.
16 Trends and Developments
16.1 What enforcement trends have emerged during the previous 12 months? Describe any relevant case law.
a) Legislative Activity
The long-awaited Data Protection Law has been enacted by Parliament and became fully effective on 7 October 2016. The Turkish Parliament also ratified the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data no. 108 and its additional protocol no. 181 regarding supervisory authorities and transborder data flows.
b) Case Law
Right to be Forgotten
Right to be forgotten is not explicitly established in Turkish legislation, including the Data Protection Law. However, it may be inferred from the general provisions of Turkish law. In this regard, for the first time, the Supreme Court, in its decision dated 17 June 2015, used the term “right to be forgotten” and explicitly cited the Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González decision of the European Court of Justice. The Court defined the right to be forgotten as a right to request negative events experienced in the past that exist in the digital memory to be forgotten after a period of time, provided that there is no superior public interest. It then ruled that including a person’s full name in a criminal law textbook without pseudonymisation is in violation of the person’s right to be forgotten.
The Constitutional Court, in its decision dated 3 March 2016, has also ruled on a landmark case regarding right to be forgotten. Similar to González’s case, a Turkish citizen filed an application requesting removal of the news dated back to 1998 and 1999 relating to his criminal records from the internet-based archive of a newspaper. When the case elevated to the Constitutional Court, it was decided that the individual’s right to be forgotten must be protected. This decision was based on the reasoning that the news subject to the application does not have any value of being up-to-date, does not serve any scientific or statistical purposes, and the individual is neither a political nor a social figure.
The above decisions were prior to the entry into force of the Data Protection Law and in that regard, it is reasonable to infer that recognition of right to be forgotten will be even stronger in Turkish law with the Data Protection Law in force.
Employee Monitoring
In a case involving the monitoring of employees’ company email accounts, the Constitutional Court, in its decision dated 24 March 2016, ruled that such monitoring does not violate the right to respect for private life and freedom of communication of the employees, provided that the employees are informed of such monitoring and the monitoring is based on legitimate reasons and proportionate thereto.
16.2 What “hot topics” are currently a focus for the data protection regulator?
The Data Protection Law has been recently enacted and the Data Protection Board is yet to start enforcing its powers. In this regard, the protection of personal data is a “hot topic” in general at the moment and will continue to be, especially in the following months when the Data Protection Board becomes fully operational and starts enforcing its powers.