The protection of personal data is recognised as a fundamental right under Article 20(3) of the Constitution of the Republic of Turkey2 as of its amendment in 2010. Since the aforementioned Article requires that the principles and procedures regarding the protection of personal data shall be laid down in law; the constitutional guarantee for the protection of personal data is intended to manage the processing of personal data on a regulatory level. In this respect, Law on the Protection of Personal Data No. 6698 (the DP Law), which constitutes the main legislative instrument that specifies the principles and procedures concerning the processing and protection of personal data, has been published in the Official Gazette on 7 April 2016 and is in effect as of this date.

The data protection authority established by the DP Law, the Personal Data Protection Board (the Board), is currently active and has been regularly publishing secondary legislation of the DP Law as well as principle decisions and guidance documents concerning the application of the DP Law. Additionally, certain sector-specific data protection rules are scattered under sector-specific laws. For example, there are certain additional data protection related provisions provided under the Banking Law for financial services and these are enforced by the Turkish banking authority, the Banking Regulation and Supervision Agency.

Because Turkey is currently not an EU country, in principle, EU's General Data Protection Regulation3 (GDPR) is not directly applicable in Turkey. However, since the territorial scope of the GDPR applies where the personal data processing activities are related to the offering of goods or services to data subjects that are in the Union by a controller or processor not established in the Union, data controllers located in Turkey might be required to comply with the GDPR.

'Data protection' as a concept is becoming more and more topical in the country. The Board is continuing its work to create public awareness on the issue. On this endeavour, the Board is organising seminars, sharing educational videos and publishing guidance documents with regards to the implementation of the principles and procedures set forth under the DP Law.

With regard to cybersecurity, the relevant legislation is still evolving. Cybersecurity rules are not consolidated under one legislative instrument but rather scattered under different sector-specific regulations. Entities practising in critical sectors such as telecommunications, energy, banking and finance, and insurance are generally subjected to cybersecurity or information-security requirements. However, recently enacted legislation demonstrates the sensitivity that is being shown by the government regarding cybersecurity, which we expect to become an even more important topic for Turkey in the near future.


Data protection has been an active legal area since the enactment of the DP Law. From the Board's perspective, 2019 has been the year of enforcement decisions and guidance for data controllers. The Board has been continuously publishing enforcement decisions concerning unlawful collection and processing of personal data by both private companies and government entities alike. And for the first time since its establishment, Board decisions are more detailed and the identities of the relevant data controllers and the amounts of the fines issued are disclosed. This transparency approach adopted by the Board and concerns regarding reputational risks have forced the data controllers processing personal data in Turkey to be more diligent about being compliant with the DP Law.

The most important decisions published by the Board since November 2018 are those regarding unsolicited commercial communications and data breach notifications. According to the decision published on 1 November 2018, the Board has received numerous complaints from data subjects concerning the fact that their communications addresses are being used to send unsolicited marketing calls and messages without their consent. In its decision, the Board explicitly stated that prior consent of the data subject is required to process personal communication data for the purpose of sending commercial messages. In its decision of 15 February 2019, the Board announced the principles and procedures to be followed when submitting personal data breach notifications to the Board in accordance with Article 12 of the DP Law. According to the decision, data controllers are expected to notify the Board as soon as possible and no later than 72 hours4 after they become aware of the breach; the notifications are to be made via a template notification form and the data controllers are expected to prepare a 'data breach response plan' that will cover issues such as steps to be followed within the organisation to handle breaches and responsibilities regarding such incidents.

Based on the enforcement decisions published by the Board, the heaviest fines were issued in response to data breaches of an international nature that involved the personal data of Turkish citizens. For example, the Board issued its highest fines in its decisions concerning data breaches that involved global companies such as Marriott International Inc,5 Cathay Pacific Airway Limited6 and Facebook,7 with fines of 1.45 million, 550,000 and 1.65 million Turkish lira respectively.


i Privacy and data protection legislation and standards

The main legislative instrument protecting the personal data of data subjects is the DP Law. Article 2 of the DP Law states that its provisions will be applicable to 'natural persons whose personal data are processed and natural or legal persons who process such data wholly or partly by automatic means or by non-automated means which form part of a filing system'. Therefore, it can be said that the DP Law does not distinguish between the scope or type of data processing activities or the sector under which the data controller is operating; it applies to all.

Definitions of both 'personal data' and 'processing of personal data' are similar to their counterparts under the GDPR. 'Personal data' is defined as 'any information relating to an identified or identifiable natural person' and definition of 'processing of personal data' covers any operation performed upon personal data. The definition of 'special categories of personal data' includes data relating to race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and data relating to biometrics and genetics. Notably, data relating to appearance and dress is not considered as a special category of personal data under the GDPR but is considered as such under the DP Law.

There is multiple secondary legislation of the DP Law that provides further specification on certain provisions of the DP Law. The secondary legislation that is most relevant to data controllers is as follows.

Regulation on the Deletion, Destruction or Anonymisation of Personal Data8

The DP Law states that personal data shall be deleted, destroyed or anonymised either ex officio or upon the request of the data subject if the reasons necessitating their process cease to exist. This regulation provides further details on deletion, destruction and anonymisation of personal data.

Regulation on the Registry of Data Controllers9

Under Article 16 of the DP Law, data controllers are required to register with the data controller registry. This regulation provides further details concerning the principles and procedures to be followed when fulfilling this obligation. Furthermore, the regulation brings two new titles: 'data controller representative' and 'contact person'. People filling these positions will have significant duties with regards to conveying communication between data controllers and the Board.

Communiqué on the Procedures and Principles to be Complied When Fulfilling the Obligation to Inform

The communiqué provides further details concerning how data controllers will fulfil their obligation to notify the data subjects about the processing of their personal data. These details include which information must be given to data subjects and the means and methods of these notifications.

Communiqué on Procedures and Principles for Data Controller Applications

The Communiqué provides further details concerning how data subjects will direct their requests concerning their rights stated under the DP Law to data controllers and how data controllers will handle these requests.

ii General obligations for data handlers

The DP Law sets forth an array of obligations for data controllers. Some of these obligations can be listed as follows.

Processing personal data in accordance with principles and conditions stated under the DP Law

The most fundamental of data controller obligations is to comply with general principles stated under Article 4 for the processing of personal data and process personal data only when one of the conditions under Article 5 is met.

Principles to be followed when processing personal data include:

  1. conforming to the law and good faith principles;
  2. being accurate and, if necessary, up to date;
  3. processing for specified, explicit and legitimate purposes;
  4. processing that is relevant, limited and proportionate to the stated purposes; and
  5. storing data only for the time designated by the relevant legislation or necessitated by the purpose for which data is collected.

The conditions for lawful data processing stated under Article 5 are:

  1. if none of the following conditions can be met, explicit consent10 of the data subject,
  2. if processing is expressly permitted by any law;
  3. if processing is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
  4. if it is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;
  5. if processing is necessary for compliance with a legal obligation which the controller is subject to;
  6. if the relevant information is publicised by the data subject herself or himself;
  7. if processing is necessary for the institution, usage, or protection of a right; and
  8. if processing is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

Conditions for processing 'special categories of personal data' are provided under Article 6 and are more restricted.

It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject; however, special categories of personal data other than those relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject if processing is permitted by any law.

Personal data relating to health and sexual life can only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorised institutions and organisations.

iii Obligation to inform

According to Article 10 of the DP Law, data controllers are obliged to inform the data subjects about the following, at the point of collecting their personal data:

  1. the identity of the data controller and, if any, its representative;
  2. the purposes for which personal data will be processed;
  3. the persons to whom processed personal data might be transferred and the purposes for the same;
  4. the method and legal cause of collection of personal data; and
  5. the rights set forth under Article 11 of the DP Law.

Principles and procedures that must be followed when fulfilling this obligation are provided in detail under the Communiqué on the procedures and principles to be complied with when fulfilling obligation to inform (the Communiqué on the obligation to inform). For example, the Communiqué on the obligation to inform requires data controllers to inform data subjects and obtain their consent separately, and states that, when informing data subjects, a clear, simple and understandable wording must be used.

iv Registering with the data controller registry

Article 16 of the DP Law states that the data controllers are required to register with the Data Controller Registry (the Registry) before processing personal data. The Registry is currently active and accepting registrations.

The following information shall be provided to the Registry:

  1. identity and address information of the data controller and, if any, of its representative;
  2. the purposes for which personal data will be processed;
  3. the group or subject groups of persons of the data and explanations regarding data categories belonging to these persons;
  4. recipient or recipient groups to whom personal data may be transferred;
  5. personal data which is expected to be transferred abroad;
  6. measures taken for the security of personal data; and
  7. the maximum retention period for the purposes for which personal data are processed.

Principles and procedures regarding the obligation to register with the Registry are provided in detail under the Regulation on the Data Controller Registry. On an additional note, the Regulation requires data controllers resident in Turkey to appoint a contact person and register it with the Registry. The contact person shall be the 'middleman' that will carry out the communication with the data subjects and the data controller. Similarly, data controllers that are not resident in Turkey are expected to appoint a 'data controller representative', which can be either a real person who is a Turkish citizen, or a legal entity located in Turkey. This person shall be notified to the Registry during registration. The deadline for registering is 30 September 2019 for local and foreign private data controllers.

v Ensuring the security of personal data

Under Article 12 of the DP Law, data controllers are obliged to take all necessary technical and organisational measures to provide an appropriate level of security to:

  1. prevent unlawful processing of personal data;
  2. prevent unlawful access to personal data; and
  3. safeguard personal data.

What the phrase 'all necessary technical and organisational measures' actually means is not explicitly defined under the data protection legislation; however, the 'Guidebook on Personal Data Security' published by the Board11 provides guidance on what measures are expected from the data controllers to be taken.

What is more, the DP Law expects additional protective measures to be taken when handling special categories of personal data; these measures are specified under a principle decision taken by the Board12 and include using cryptographic encryption measures, signing NDA agreements with the personnel and setting two-stage authentication systems over the information systems that contain personal data.

Additionally, data controllers are required to notify the relevant data subjects and the Board if personal data is obtained by others through unlawful means (e.g., a cyberattack or data leakage) as soon as possible.

vi Data subjects' rights

As stipulated by Article 11 of the DP Law, every data subject has the following rights in relation to their personal data, which they may use by applying to the data controller. He or she may:

  1. learn whether their personal data have been processed;
  2. request information as to processing if their data have been processed;
  3. learn the purpose of processing of their personal data and whether data are used in accordance with their purpose;
  4. learn the third parties those which their personal data have been transferred;
  5. request rectification in case personal data are processed incompletely or inaccurately;
  6. request deletion or destruction of their personal data within the framework of the conditions set forth under Article 7;
  7. request notification of the operations made as per indents (e) and (f) to third parties to whom personal data have been transferred;
  8. object to the occurrence of any result that is to their detriment by means of analysis of their personal data exclusively through automated systems; and
  9. request compensation for the damages in case the they incur damages owing to unlawful processing of their personal data.

vii Specific regulatory areas

Electronic marketing

In addition to the general provisions of the DP Law, electronic marketing communications are regulated under a separate regulation, the Regulation on Commercial Communications and Electronic Commercial Communications.13 Commercial emails, text messages and outbound calls fall within the scope of the regulation and these electronic commercial messages are required to meet certain strict criteria to be regarded as lawful.

First, sending electronic commercial messages requires prior consent of the recipient. However, there are certain exceptions to the prior consent requirements such as if the message is sent to merchants and craftsman or the message relates to collection matters, debt reminders, information update, purchases, delivery and similar actions with respect to an ongoing subscription, membership or partnership, or contains information required by legislation to be sent to the recipient. The consent cannot be actively requested by sending an electronic communication to the recipient or deemed obtained through disclaimers or general terms and conditions. Also, if the consent is obtained through electronic tick-boxes, the consent box shall not be presented as pre-checked.

Secondly, electronic commercial message must contain the following information: the sender's trade name, central registration system number in the title or content of the message, at least one contact detail and an easy way for the recipient to opt out. Recipients may refuse at any time to receive further electronic commercial messages without having to give a reason.

Lastly, service providers and intermediary service providers must keep records of consent for one year after consent is terminated and records of message delivery for one year after the message is delivered.

Sector-specific legislation

Although the DP Law is the main data protection instrument, there is sector-specific legislation that governs the protection of personal data under their respective sectors and areas such as the Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector,14 Article 73 of the Banking Law15 about banking secrecy and 'customer secrets', and the Regulation on Personal Health Data that mainly concerns the healthcare sector.16

ix Technological innovation

Use of cookies and similar technologies

Cookies and similar online tracking technologies are not regulated under a specific law; therefore, general rules under the DP Law apply. Processing of personal data for the purposes of targeted and behavioural advertising or profiling, generally, can only be carried out with the explicit consent of the data subject. Consequently, Turkish online media organisations are continuously switching to opt-in schemes for their tracking activities and adding cookie banners to their websites.

Facial recognition and biometric data

Biometric data (e.g., fingerprints, facial scans, palm vein data) is categorised as a special category of personal data under the DP Law and can only be processed with the explicit consent of the data subject, unless it is expressly allowed by law. In addition, the use of biometric data is considered to be problematic from a constitutional rights perspective. In a recent decision issued by the Council of State,17 use of facial recognition technologies for shift tracking in a public workplace has been found unconstitutional. In its ruling, the Council stated that use of such technologies even under public settings do fall under the scope of 'the right to private life' and that the use of the technology in employee tracking was not envisioned by law.

Right of erasure or right to be forgotten

The 'right to be forgotten' is not explicitly recognised as a right under the Turkish Constitution. However, recent case law of both Turkish Court of Cassation18 and Supreme Court19 have ruled that the individuals have a 'right to be forgotten' under 'the right to protection of honour and reputation' and 'the right to protection of personal data'. In both decisions, the courts made a reference to the ground-breaking Google Spain judgment of the ECHR. Consequently, it can be said that a right to be forgotten is emerging by way of case law in Turkey. Moreover, the DP Law recognises that individuals have the right to request deletion or destruction of their personal data under Article 11. Thus, data subjects may request their data to be deleted if the reasons for processing no longer exist.


International transfer of personal data is regulated under Article 9 of the DP Law. The Article prohibits transfer of personal data without obtaining the explicit consent of the data subject. Nevertheless, the second paragraph of the Article permits the transfer of personal data abroad without the data subject's explicit consent where the following cumulative conditions are met. If one of the conditions set forth in the second paragraph of Article 5 or third paragraph of Article 6 is present and the foreign country to which the personal data will be transferred has an adequate level of protection. If there is not an adequate level of protection, if the data controllers in Turkey and abroad undertake to provide an adequate level of protection in writing and the Data Protection Board has given its permission.

On 17 May 2018, the Board announced the minimum undertakings that must be given by the data controller residing in Turkey and the data processor or controller to which the personal data will be transferred that is residing in an 'unsafe country'.20 However, as of August 2019, the Board has not yet published the list of 'safe countries'.


i Data processing notifications

Data controllers are required to fulfil their obligation to inform data subjects about the processing operations that they will carry out over their personal data. However, the DP Law or secondary legislation does not force data controllers to use any specific methods when informing the data subjects. Aside from the written notices, data controllers may use videos, infographics or other creative methods for informing data controllers as long as they include the minimum information that must be given to the data subjects to fulfil their obligation to inform.

ii Data processing inventory

Data controllers who are obliged to register with the Registry under the Regulation on the Registry of Data Controllers are expected to create a 'data processing inventory' and a personal data retention and destruction policy that is compliant with the inventory. The data processing inventory is where data controllers explain and detail their data processing operations in accordance with their business processes. The inventory shall contain the following:

  1. purposes for processing personal data;
  2. data categories;
  3. recipient groups to which data is transferred;
  4. subject groups of the data;
  5. maximum retention period required by the processing purpose;
  6. personal data to be transferred abroad; and
  7. measures taken regarding data security.

Furthermore, the data processing inventory shall be the basis for the notifications to be made to the Registry during registration, and Article 5 of the Communiqué on the obligation to inform states that the information provided during the fulfilment of the obligation to inform must be compliant with the information disclosed to the Registry. Therefore, the information within the inventory is fundamental for lawfully fulfilling the obligation to register with the registry and the obligation to inform the data subjects.

iii Data security practices

With regards to the security obligations, the DP law obliges data controllers to take 'all technical and organisational measures to ensure adequate level of data security'. Therefore, the type of data security measures to be taken by the data controllers are not determined by law. The Board has published a guidebook on data security to highlight certain measures that can be taken by the data controllers. The measures suggested by the Board include conducting data protection risk analyses, preparing internal data protection policies (incident response plans, data access policies etc.), signing NDAs with employees, using firewalls and conducting penetration tests. Measures included in the guidebook are not mandatory for each and every data controller. Data controllers must decide themselves which measures are adequate for their data processing operations. However, measures included in the guidebook are explanatory on the interpretation on what type of measures the Board expects data controllers to take to ensure 'adequate data security'.


According to Article 332 of the Turkish Criminal Procedure Law, criminal courts and prosecutors may request information, including those containing personal data, during criminal proceedings. Similarly, civil courts may request information that relates to the case at hand from the parties of the case or even third parties. The DP Law expressly states that provisions of the law shall not be applied when personal data is processed by judicial authorities with regards to investigation, prosecution, trial or execution procedures.

In addition to the judicial authorities, a number of onsite auditing rights are granted to multiple public bodies over entities that are active in their respective sectors. To exemplify, by the rights granted in their founding laws, the Energy Market Regulatory Authority, the Banking Regulation and Supervision Authority, and the Information Technologies and Communication Agency may request information from relevant players of their corresponding sectors and may conduct on site auditing activities. During the audits, supervisory authorities may access records which include personal data.

Lastly, Turkey is a party to the Convention of 1 March 1954 on civil procedure and multiple bilateral treaties on legal assistance. Therefore, data may be disclosed in response to lawful requests made by foreign governments complying with due process under the Convention.


i Enforcement agencies

The Board is the main authority with regards to protection of personal data. The Board is established by the DP Law and the law grants extensive investigatory and sanctioning power to the authority. Pursuant to Article 15 of the DP Law, the Board may conduct necessary investigations ex officio or upon notification about breaches of the DP Law. Data controllers are obliged to comply with the information requests made by the Board and allow them to conduct onsite audits. If a breach is found, the Board notifies the relevant data controller to correct the unlawful situation. The data controller must comply with the notification without delay and within 30 days of the notification at the latest.

Article 18 of the DP Law lists several misdemeanours concerning data protection and the range of the administrative fines tied to them. Breach of the obligation to inform or to ensure the security of personal data, and failure to fulfil the obligation to register with the data controller registry or to comply with the decision given by the Board are considered misdemeanours and are subject to separate administrative fines ranging from 5,000 to 1 million Turkish lira.

During its investigations, if the Board finds out that a particular breach is widespread, it may issue a principle decision and publish it. It is mandatory for data controllers to comply with principle decisions. The Board has published multiple principle decisions to date including some concerning phonebook applications, the implementation of privacy measures on counters and booths, and data breaches caused by data controllers' personnel, data breach notifications and unsolicited marketing communications. In addition to the principle decisions, the Board is periodically publishing guidelines and videos and arranges seminars to inform the public and data controllers about data protection issues.

In addition to the mentioned administrative sanctions, Turkish Criminal Code lists certain crimes that are related to unlawful processing of personal data. For example, unlawful recording, distribution or obtaining of personal data are crimes that are punished by imprisonment of the perpetrator between one to four years.

ii Recent enforcement cases

The Board have recently published summaries of numerous enforcement decisions on its website.21 Previously, the summaries did not include the identities of the data controllers or the amount of fines; however, the Board has been more transparent in its more recent decisions and has published names and amounts. The majority of fines were due to a breach of data security obligations, even when the breach was caused by a violation of data processing principles. For example, the Board sanctioned a bank because it violated the principle of 'data minimisation' when it provided a six-month account statement of its customer to a civil court when the court only asked for the statement of the last three months. In another example, the Board found a breach of data security obligations where the data controller had made the explicit consent of the data subject a precondition for the provision of certain goods or services.

iii Private litigation

Under Article 11 of the DP Law, data subjects have the right to request compensation for the damages if they incur any losses due to unlawful processing of personal data. Accordingly, data subjects may request for pecuniary or non-pecuniary damages from the data controllers in case of unlawful processing of personal data.


The DP Law applies to domestic and foreign data controllers alike. Although the DP Law does not provide a territorial scope for its application, it is generally regarded as applicable if the processing takes place within the borders of Turkey (and has been demonstrated by the enforcement decisions concerning foreign data controllers).22 Consequently, foreign data controllers are expected to comply with the obligations listed in the DP Law if they carry out personal data processing activities that affect individuals located in Turkey.

The notable obligations foreign data controllers are required to comply with are to register with the data controller registry and to assign a 'data controller representative'. According to Article 11 of the Regulation on Data Controller Registry, data controllers who are not resident in Turkey are expected to appoint a data controller representative who will carry out communications by data subjects and the Board with the foreign data controller.

One misconception that is common in practice is mistaking the data controller representative with the data protection officer (DPO) regulated under the GDPR. There is no obligation to appoint a DPO under the DP Law. Additionally, data controller representatives are positioned more as a contact point and they do not have extensive data-protection-related responsibilities as significant as those a DPO would hold under the GDPR.

The data controller representative must represent its associated data controller on at least the following issues (though the list can be expanded in the appointment decision):

  1. accepting the notifications or correspondence made by the Board on behalf of the data controller and responding to the requests directed to the data controller in the name of the data controller; and
  2. collecting and forwarding the data subject applications to the data controller;
  3. transmit the responses given by data controllers in relation to data subject applications; and
  4. carrying out actions and operations related to the Registry on behalf of the data controller.


i Cybersecurity

There is no catch-all cybersecurity legislation that is applicable to every entity. However, the recently enacted Circular Note on Information and Communication Security Measures numbered 2019/1223 (the Circular) establishes extensive cybersecurity-related obligations that are mainly applicable to public authorities and institutions. The most notable measures contained within the Circular are (1) significantly limiting the use of cloud systems; and (2) seriously restricting social media use in the public sector.

There are multiple sector-specific regulations that require organisations from critical sectors to employ cybersecurity measures to safeguard their information systems. For example, their sector-specific legislation requires organisations related to capital markets (including on-stock companies)24 and entities from sectors such as insurance,25 banking26 and payment services27 to employ certain measures related to cybersecurity.

On the state level, the National Computer Emergency Response Center (CERT) has been established within the Information and Communication Technologies Authority.28 Missions of the CERT include thwarting cybersecurity risks in Turkey, taking measures to minimise the impact of cyberattacks, and sharing information about cybersecurity with public and private entities.

ii Data breaches

The most important data breach notification obligation under Turkish law is the personal data breach notification stipulated under the DP Law. Data controllers are required to notify the data subject and the Board 'in case personal data is acquired by others through unlawful means'. Data breaches that fall under this notification obligation are not categorised by their scope, seriousness or its possible adverse effects. Thus, all data breaches where personal data is obtained unlawfully by third parties must be notified to the data subject and the Board. The Board has clarified that data controllers must notify the Board within 72 hours of becoming aware of the breach, by making use of the data breach notification form published by the Board.29


Data protection is a relatively new regulatory area for Turkey. Yet the developments that we have observed in the area in the last three years have been fast and are not expected to slow down in the following years. For the near term, two of the most significant developments that are expected are the activation of the data controller registry and the publishing of the list of countries that have an 'adequate level of personal data protection' by the Board. It is advisable for the foreign entities to be on the watch for these two legal developments as these will have significant effects for their businesses in Turkey.

The GDPR has had an impact on the Turkish entities owing to its extended territorial scope and high level of monetary fines. Turkish businesses that are active in the European market are mindful of the requirements brought by it. The DP Law was prepared by taking note of the EU Data Protection Directive of 1995 and it is known that the Board is paying close attention to the data protection developments in Europe. If the 'Europeanisation' trend continues for data protection in Turkey, in the long term amendments to the DP Law that are in line with the provisions of the GDPR should not come as a surprise.


1 Batu Kınıkoğlu is a partner, and Selen Zengin and Kaan Can Akdere are attorneys at BTS&Partners.

2 Published in the Official Gazette No. 17844 and dated 20 October 1982. Available in English: https://global.tbmm.gov.tr/docs/constitution_en.pdf.

3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal L 119, 4 May 2016.

4 Notably, the Board have made a reference to the 72 hour period provided under the GDPR as a basis for this rule.

8 Published in the Official Gazette No. 30224 and dated 28 October 2017.

9 Published in the Official Gazette No. 30286 and dated 30 December 2017.

10 'Explicit consent' is defined as 'Freely given, specific and informed consent'. Consent must be free (for example, consent must not be made conditional for the provision of a service), informed, limited to the relevant act of processing and have been given unambiguously by data subject acting in a way which leaves no doubt that the data subject agrees to the processing of his or her data.

11 Guidebook on Personal Data Security (Technical and Organisational Security Measures): https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf .

12 'Personal Data Protection Board's Decision No. 2018/10 dated 31/01/2018 on Adequate Security Measures to be Taken by Data Controllers When Processing Special Categories of Personal Data' published on 7 March 2018: https://kvkk.gov.tr/Icerik/4110/2018-10 .

13 Published in the Official Gazette No. 29417 and dated 15 July 2015.

14 Published in the Official Gazette No. 28363 and dated 24 July 2012.

15 Published in the Official Gazette No. 25983 and dated 1 November 2005.

16 Published in the Official Gazette No. 30808 and dated 21 June 2019.

17 Council of State, 11th Chamber, Decision No. 2017/4906 dated 13 June 2017.

18 Court of Cassation, 19th Criminal Chamber, Decision number 2017/5325 dated 5 June 2017.

19 Supreme Court, application number 2013/5653. Published in the Official Gazette No. 29811 and dated 24 August 2016.

20 Essential Contractual Clauses Required in the Undertaking to be Prepared by Data Controllers When Transferring Personal Data Abroad, Published on 16 May 2018: https://www.kvkk.gov.tr/Icerik/4236/Yurtdisina-Veri-Aktariminda-Veri-Sorumlularinca-Hazirlanacak-Taahhutnamede-Yer-Alacak-Asgari-Unsurlar .

21 Personal Data Protection Board, Decision Summaries: https://www.kvkk.gov.tr/Icerik/5406/Kurul-Karar-Ozetleri .

22 See the footnotes 9, 10 and 11.

23 Published in the Official Gazette No. 30823 and dated 6 July 2019.

24 See Communiqué on Information System Management, published in the Official Gazette No. 30292 and dated 5 January 2018.

25 See Regulation on Supervision and Auditing of Insurance and Individual Annuity Insurance Sectors, published in the Official Gazette No. 28054 and dated 14 September 2011.

26 See Regulation on Internal Systems of Banks and Evaluation Process for Efficiency of Internal Capital, published in the Official Gazette No. 29057 and dated 11 July 2014.

27 See Regulation on the Activities of the Payment and Security Settlement Systems, published in the Official Gazette No. 29044 and dated 28 June 2014.

28 CERT Website available in English: https://www.usom.gov.tr/.

29 See the data breach notification form published by the Board, available in Turkish at: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/617f166c-24e1-42b5-a9cb-d756d6443af9.pdf.