The Privacy, Data Protection and Cybersecurity Law Review: Turkey
The protection of personal data is recognised as a fundamental right under Article 20(3) of the Constitution of the Republic of Turkey[2] as of its amendment in 2010. Because that Article requires that the principles and procedures regarding the protection of personal data be laid down in law, the constitutional guarantee is intended to govern the processing of personal data at a regulatory level. In this respect, the Law on the Protection of Personal Data No. 6698 (the DP Law), the main legislative instrument specifying the principles and procedures concerning the processing and protection of personal data, was published in the Official Gazette on 7 April 2016 and has been in force since that date.
The data protection authority established by the DP Law, the Personal Data Protection Board (the Board), is currently active and has been publishing secondary legislation of the DP Law as well as principle decisions and guidance documents concerning the application of the DP Law. Additionally, certain sector-specific data protection rules are scattered under sector-specific laws. For example, there are certain additional data protection related provisions provided under the Banking Law for financial services and these are enforced by the Turkish banking authority, the Banking Regulation and Supervision Agency.
Because Turkey is not an EU Member State, in principle the EU's General Data Protection Regulation (GDPR)[3] does not apply directly in Turkey (nevertheless, as discussed below, further harmonisation with European privacy standards is one of the government's medium-term goals). However, because the GDPR's territorial scope extends to controllers and processors not established in the Union where their processing relates to the offering of goods or services to data subjects in the Union, or to the monitoring of their behaviour within the Union, data controllers located in Turkey may still be required to comply with the GDPR.
'Data protection' as a concept is becoming more and more topical in the country. The Board is continuing its work to create public awareness on the issue. On this endeavour, the Board is organising seminars, sharing educational videos and publishing guidance documents with regard to the implementation of the principles and procedures set out under the DP Law.
With regard to cybersecurity, the relevant legislation is still evolving. Cybersecurity rules are not consolidated under one legislative instrument but rather scattered across different sector-specific regulations. Entities operating in critical sectors such as telecommunications, energy, banking and finance, and insurance are generally subject to cybersecurity or information-security requirements. However, recently enacted legislation demonstrates the attention the government is paying to cybersecurity, which we expect to become an even more important topic for Turkey in the near future.
The year in review
Similar to 2020, 2021 has seen the Board continuing its work on public awareness, data controllers' accountability issues and developing data protection legislation. Along with the 28 data breach notifications and 62 decisions published (the Board does not publish all of its decisions and breach notifications), the highlights of the first half of 2021 are as follows.
i Potential legislation on cookies
Although there is no current specific provision or legislation regulating cookies or similar technologies (unlike the EU's ePrivacy Directive), the Board clarified in 2020 that the processing of personal data via cookies or similar technologies falls within the scope of the DP Law. In the meantime, no tracking-technology-specific guidance or regulation has been published and, therefore, general principles of the DP Law apply to these processing activities. Recently, the president of the Personal Data Protection Authority stated that certain rules regarding applications and websites processing personal data via cookies in Turkey will be regulated and that the Board will be publishing a cookie report. While it is anticipated that the Board will adopt similar privacy principles on tracking technologies as the EU's ePrivacy Directive, no clear declaration in this regard has yet been made.
ii Amendment of the DP Law
The Human Rights Action Plan 2021 was announced on 2 March 2021, with one of its aims being the harmonisation of the DP Law with EU standards. On 12 March 2021, the Turkish Presidency presented its Improvement of the Investment Climate package. Within the scope of the economic improvements, the cross-border personal data transfer regime has been evaluated as a barrier to investments and an amendment to the DP Law's provisions regarding cross-border data transfers in line with the GDPR has been made to the action plan. The deadline for the execution of the action plan is foreseen as 31 March 2022.
iii Decisions on general principles
The Board's recent decisions illustrate the paramount role played by the general principles introduced under Article 4 of the DP Law. Similar to those of the GDPR, the DP Law sets out the following principles: conforming to the law and good faith; being accurate and, if necessary, up to date; processing for specified, explicit and legitimate purposes; processing that is relevant, limited and proportionate to the stated purposes; and storing data only for the required period. Recently, the Board introduced an active diligence obligation on data controllers to ensure that personal data is accurate and, when necessary, up to date, especially regarding the processing of documents containing personal data such as invoices, payment statements or order confirmations sent via SMS or email to data subjects.[4] Similarly, the data minimisation and proportionality principles are frequently in the Board's spotlight.
i Privacy and data protection legislation and standards
The main legislative instrument governing data privacy practices in Turkey is the DP Law. Article 2 of the DP Law states that its provisions shall be applicable to 'natural persons whose personal data are processed and natural or legal persons who process such data wholly or partly by automatic means or by non-automated means which form part of a filing system'. It could therefore be concluded that the DP Law does not distinguish between the scope or type of data processing activities or the sector within which the data controller operates; it applies to all.
Definitions of both 'personal data' and 'processing of personal data' are similar to their counterparts under the GDPR. 'Personal data' is defined as 'any information relating to an identified or identifiable natural person', and the definition of 'processing of personal data' covers any operation performed upon personal data. The definition of 'special categories of personal data' includes data relating to race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and data relating to biometrics and genetics. Notably, data relating to appearance and dress is not considered as a special category of personal data under the GDPR but is considered as such under the DP Law.
Several pieces of secondary legislation under the DP Law provide further specification on certain of its provisions. The secondary legislation most relevant to data controllers is as follows.
Regulation on the Deletion, Destruction or Anonymisation of Personal Data
The DP Law states that personal data shall be deleted, destroyed or anonymised either ex officio or upon the request of the data subject if the reasons necessitating their processing cease to exist. This Regulation[5] provides further details on the deletion, destruction and anonymisation of personal data.
Regulation on the Registry of Data Controllers
Under Article 16 of the DP Law, data controllers are required to register with the data controller registry. This Regulation[6] provides further details concerning the principles and procedures to be followed when fulfilling this obligation. Furthermore, the Regulation introduces two new roles: 'data controller representative' and 'contact person'. The persons filling these positions have significant duties with regard to communication between data controllers and the Board.
Communiqué on the Procedures and Principles to be Complied with When Fulfilling the Obligation to Inform
The Communiqué provides further details concerning how data controllers will fulfil their obligation to notify data subjects about the processing of their personal data. These details include which information must be given to data subjects and the means and methods of these notifications.
Communiqué on Procedures and Principles for Data Controller Applications
The Communiqué provides further details concerning how data subjects will direct their requests concerning their rights stated under the DP Law to data controllers and how data controllers will handle these requests.
ii General obligations for data handlers
The DP Law sets out an array of obligations for data controllers. Some of these obligations can be listed as follows.
Processing personal data in accordance with principles and conditions stated under the DP Law
The most fundamental of the data controller obligations is to comply with general principles stated under Article 4 for the processing of personal data and process personal data only when one of the conditions under Article 5 is met.
Principles to be followed when processing personal data include:
- conforming to the law and good faith principles;
- being accurate and, if necessary, up to date;
- processing for specified, explicit and legitimate purposes;
- processing that is relevant, limited and proportionate to the stated purposes; and
- storing data only for the time designated by the relevant legislation or necessitated by the purpose for which data is collected.
The conditions for lawful data processing stated under Article 5 are:
- if none of the following conditions can be met, explicit consent[7] of the data subject;
- if processing is expressly permitted by any law;
- if processing is necessary to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
- if it is necessary to process the personal data of parties to a contract, provided that the processing is directly related to the execution or performance of the contract;
- if processing is necessary for compliance with a legal obligation that the controller is subject to;
- if the relevant information is publicised by the data subject himself or herself;
- if processing is necessary for the institution, usage or protection of a right; and
- if processing is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
Conditions for processing 'special categories of personal data' are provided under Article 6 and are more restricted.
It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject; however, special categories of personal data other than those relating to health and sexual life may be processed without obtaining the explicit consent of the data subject if processing is permitted by any law.
Personal data relating to health and sexual life can only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorised institutions and organisations.
iii Obligation to inform
According to Article 10 of the DP Law, data controllers are obliged to inform the data subjects about the following, at the point of collecting their personal data:
- the identity of the data controller and, if any, its representative;
- the purposes for which personal data will be processed;
- the persons to whom processed personal data might be transferred and the purposes for the same;
- the method and legal cause of collection of personal data; and
- the rights set out under Article 11 of the DP Law.
Principles and procedures that must be followed when fulfilling this obligation are provided in detail under the Communiqué on the Procedures and Principles to be Complied with When Fulfilling the Obligation to Inform (the Communiqué on the Obligation to Inform). For example, the Communiqué on the Obligation to Inform requires data controllers to inform data subjects and obtain their consent separately, and states that, when informing data subjects, clear, simple and understandable wording must be used.
iv Registering with the data controller registry
Article 16 of the DP Law states that data controllers are required to register with the Data Controller Registry (the Registry) before processing personal data. The Registry is currently active and accepting registrations.
The following information shall be provided to the Registry:
- identity and address information of the data controller and, if any, of its representative;
- the purposes for which personal data will be processed;
- the data subject group or groups and an explanation of the categories of data relating to them;
- recipient or recipient groups to whom personal data may be transferred;
- personal data that is expected to be transferred abroad;
- measures taken for the security of personal data; and
- the maximum retention period for the purposes for which personal data are processed.
Principles and procedures regarding the obligation to register with the Registry are provided in detail under the Regulation on the Data Controller Registry. On an additional note, the Regulation requires resident data controllers to appoint a contact person to submit requested information to the Registry. The contact person shall be the 'point of contact' that will carry out the communication with the Board and with the data subjects. Similarly, non-resident data controllers are expected to appoint a 'data controller representative', which can either be a natural person who is a Turkish citizen, or a legal entity established and operating in Turkey. This person shall be notified to the Registry during registration.
The registration deadline has been extended to 31 December 2021 for resident and non-resident data controllers.
v Ensuring the security of personal data
Under Article 12 of the DP Law, data controllers are obliged to take all necessary technical and organisational measures to provide an appropriate level of security to:
- prevent unlawful processing of personal data;
- prevent unlawful access to personal data; and
- safeguard personal data.
What the phrase 'all necessary technical and organisational measures' actually means is not explicitly defined under the data protection legislation; however, the 'Guidebook on Personal Data Security' published by the Board[8] provides guidance on what measures data controllers are expected to take.
What is more, the DP Law expects additional protective measures to be taken when handling special categories of personal data; these measures are specified under a principle decision taken by the Board[9] and include using cryptographic methods, signing non-disclosure agreements (NDAs) with personnel and setting up two-stage (two-factor) authentication on the information systems that contain such data.
Additionally, data controllers are required to notify the relevant data subjects and the Board if personal data is obtained by others through unlawful means (e.g., a cyberattack or data leakage) as soon as possible.
In its decision of 15 February 2019, the Board announced the principles and procedures to be followed when submitting personal data breach notifications to it in accordance with Article 12 of the DP Law. According to the decision, data controllers are expected to notify the Board as soon as possible and no later than 72 hours[10] after they become aware of the breach. Notifications are to be made via a template notification form and data controllers are expected to prepare a 'data breach response plan' that covers issues such as the steps to be followed within the organisation to handle breaches and responsibilities regarding such incidents.
Additionally, the Board has issued a Board Decision specifying the minimum content of notifications to be made to data subjects in the event of a breach. Accordingly, data subject notifications must include information on the following:
- when the breach occurred;
- categories of data affected by the breach (in a manner differentiating between categories of personal data and special categories of personal data);
- potential impacts of the breach;
- measures taken or recommended to be taken to eliminate the adverse effects of the breach; and
- contact details of persons to be communicated with to obtain further information on the incident or other methods of communication, including the website and call centre of the data controller.
Finally, the Board has also introduced an active diligence obligation to ensure that personal data is accurate and, when necessary, up to date. Within this scope, necessary measures, including sufficient mechanisms to verify the contact information obtained from data subjects (the primary example being use of one-time-password confirmations), should be taken by data controllers to ensure that the processed personal data are accurate and up to date.
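As an added illustration (not code from the original page, the Board or any named vendor) of the one-time-password confirmation mechanism the paragraph above gives as the primary example, the following Python sketch issues a six-digit code to a phone number or e-mail address, accepts it only within a time-to-live and attempt budget, and lets a document such as an invoice be sent only to a contact the data subject has actually confirmed. The TTL and attempt limit, the `send` and `now` callbacks and the `deliver_document` gate are assumptions chosen for the example; the Board's decision does not prescribe them.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values chosen for this example, not taken from the Board's decision.
OTP_TTL_SECONDS = 300   # a code is valid for five minutes after issue
MAX_ATTEMPTS = 5        # after this many guesses the code is discarded


@dataclass
class _Pending:
    code: str
    issued_at: float
    attempts: int = 0


class ContactVerifier:
    """Issues a one-time code to a contact channel (phone number or e-mail
    address) and records the channel as verified only once the data subject
    echoes the code back within the TTL.

    `send(contact, code)` delivers the code (an SMS or e-mail gateway in
    production); `now()` returns the current time and is injectable for tests.
    """

    def __init__(self, send, now=time.time):
        self._send = send
        self._now = now
        self._pending = {}    # contact -> _Pending
        self._verified = {}   # contact -> time of successful confirmation

    def issue(self, contact):
        # Six decimal digits from a CSPRNG; a fresh issue supersedes any
        # earlier pending code for the same contact.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[contact] = _Pending(code, self._now())
        self._send(contact, code)

    def confirm(self, contact, submitted):
        pending = self._pending.get(contact)
        if pending is None:
            return False
        if self._now() - pending.issued_at > OTP_TTL_SECONDS:
            del self._pending[contact]          # expired: require a new issue
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[contact]          # brute-force budget exhausted
            return False
        # Constant-time comparison on bytes so non-ASCII input cannot raise.
        if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
            return False
        del self._pending[contact]              # consumed: no replay
        self._verified[contact] = self._now()
        return True

    def is_verified(self, contact):
        return contact in self._verified


def deliver_document(verifier, contact, document):
    """Gate for sending an invoice, statement or order confirmation: refuse
    any contact the data subject has not confirmed. Returns True when the
    document may be handed to the messaging gateway."""
    if not verifier.is_verified(contact):
        return False
    # In production the document would be passed to the SMS/e-mail gateway here.
    return True
```

The verifier never exposes the code to the calling application except through `send`, the comparison is constant-time, a used code cannot be replayed, and a code that has expired or exhausted its attempt budget is discarded rather than left guessable. Rate-limiting how often `issue` may be called per contact, and re-confirming a contact after it has been changed, are left to the surrounding application.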
vi Data subject rights
As stipulated by Article 11 of the DP Law, every data subject has the following rights in relation to their personal data, which they may use by applying to the data controller. He or she may:
- learn whether his or her personal data have been processed;
- request information on the processing, if his or her data have been processed;
- learn the purpose of processing of his or her personal data and whether data are used in accordance with their purpose;
- learn details of the third parties to which his or her personal data have been transferred;
- request rectification if personal data are processed incompletely or inaccurately;
- request deletion or destruction of his or her personal data within the framework of the conditions set out under Article 7;
- request that the rectification, deletion or destruction operations referred to in the two preceding points be notified to third parties to whom personal data have been transferred;
- object to the occurrence of any result that is to his or her detriment by means of analysis of his or her personal data exclusively through automated systems; and
- request compensation for the damages if damages occur owing to unlawful processing of his or her personal data.
vii Specific regulatory areas
In addition to the general provisions of the DP Law, electronic marketing communications are regulated under a separate regulation, the Regulation on Commercial Communications and Electronic Commercial Communications (the Commercial Communications Regulation).[11] Commercial emails, text messages and outbound calls fall within the scope of the regulation and these electronic commercial messages are required to meet certain strict criteria to be regarded as lawful.
First, sending electronic commercial messages requires prior consent of the recipient. However, there are certain exceptions to the prior consent requirements such as if the message is sent to merchants and craftspeople or the message relates to collection matters, debt reminders, information update, purchases, delivery and similar actions with respect to an ongoing subscription, membership or partnership, or contains information required by legislation to be sent to the recipient. The consent cannot be actively requested by sending an electronic communication to the recipient or deemed obtained through disclaimers or general terms and conditions. Also, if the consent is obtained through electronic tick-boxes, the consent box shall not be presented as pre-checked.
Second, an electronic commercial message must contain the following information: the sender's trade name and central registration system number in the title or content of the message, at least one contact detail and an easy way for the recipient to opt out. Recipients may refuse at any time to receive further electronic commercial messages without having to give a reason.
Service providers and intermediary service providers must keep records of consent for one year after consent is terminated and records of message delivery for one year after the message is delivered.
In parallel, the Turkish Commercial Electronic Message Management System (CMMS) – a centralised system that manages the opt-ins and opt-outs – brings certain additional obligations on service providers.
Accordingly, service providers and intermediary service providers (initiating the transmission of commercial electronic messages at the service provider's instruction) are required to register with the CMMS and upload and integrate their electronic message data and system.
Service providers are under the following obligations:
- to register with the CMMS;
- to upload consents and rejections within three business days; and
- to control the recipient's status via the CMMS before sending commercial electronic messages (as the recipient may also use the CMMS to withdraw his or her consent).
Although the Commercial Communications Regulation does not explicitly provide for a registration requirement for non-resident service providers, the respective regulatory authority extended the CMMS registration obligation to non-resident entities. Thus, the legal position of non-resident service providers in respect of the CMMS obligations is the same as that of resident service providers, as no distinction is made in this regard. However, further clarification is required as to how registration with and use of the CMMS are to be handled by non-resident service providers. Currently, the CMMS is in Turkish and non-resident service providers require a Turkish citizen as representative to register with and use the CMMS.
Although the DP Law is the main data protection instrument, there is sector-specific legislation that governs the protection of personal data in its respective sector or area, such as the Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector,[12] Article 73 of the Banking Law[13] on banking secrecy and 'customer secrets', and the Regulation on Personal Health Data, which mainly concerns the healthcare sector.[14]
viii Technological innovation
Cookies and similar online tracking technologies are not regulated under a specific law; therefore, general rules under the DP Law apply. Processing of personal data for the purposes of targeted and behavioural advertising or profiling, generally, can only be carried out with the explicit consent of the data subject. Consequently, Turkish online media organisations are continually switching to opt-in schemes for their tracking activities and adding cookie banners to their websites.
Facial recognition and biometric data
Biometric data (e.g., fingerprints, facial scans, palm vein data) is categorised as a special category of personal data under the DP Law and can only be processed with the explicit consent of the data subject, unless it is expressly allowed by law. In addition, the use of biometric data is considered problematic from a constitutional rights perspective. In a recent decision issued by the Council of State,[15] the use of facial recognition technologies for shift tracking in a public workplace was found to be unconstitutional. In its ruling, the Council stated that the use of such technologies, even in public settings, falls within the scope of 'the right to private life' and that the use of the technology for employee tracking was not envisioned by law.
Right of erasure or right to be forgotten
The 'right to be forgotten' is not explicitly recognised as a right under the Turkish Constitution. However, recent case law of both the Turkish Court of Cassation[16] and the Supreme Court[17] has held that individuals have a 'right to be forgotten' under 'the right to protection of honour and reputation' and 'the right to protection of personal data'. In both decisions, the courts made reference to the ground-breaking Google Spain judgment of the Court of Justice of the European Union. Consequently, it can be said that a right to be forgotten is emerging by way of case law in Turkey.
Moreover, the Board has recently published a Board Decision[18] that provides further regulation on the right to be forgotten, as well as specific criteria to be followed by search engines when concluding data subject requests in this regard. It is essential to underline that although the data subject rights envisaged under the DP Law do not specifically refer to the right to be forgotten, data subjects are entitled to request erasure of their personal data. While explicitly determining that search engines shall be construed as data controllers, the Board also decided that the data subjects' right to request removal of results (containing personal data) from the search index shall be construed as falling within the scope of the data subject rights envisaged under the DP Law.
Recent amendments to the Law on the Regulation of Broadcasts over the Internet and Prevention of Crimes Committed Through Such Broadcasts No. 5651 (the Internet Law)[19] also included a provision specifically addressing the right to be forgotten. This newly introduced provision of the Internet Law now allows:
- individuals whose personal rights are violated due to content broadcast over the internet to request disassociation of their name with URLs that are subject to a content removal or access blocking decision; and
- the Access Providers' Union to notify search engines regarding such name and URL disassociation. Prior to this amendment, individuals or requesting parties were instructed to directly submit a request to the related search engines for the removal of violating content from the cache memories of search engines, as such violating content would still be listed under the inquiry even when removed.
International data transfer and data localisation
International transfer of personal data is regulated under Article 9 of the DP Law. Article 9 of the DP Law provides for a general rule that prohibits the cross-border transfer of personal data without obtaining explicit consent from the data subject. The Article further provides for a derogation from this general rule and allows for the cross-border transfer of personal data without obtaining explicit consent on the following conditions:
- in the event that the conditions specified under Articles 5 and 6 of the DP Law are deemed applicable, and the recipient country ensures an adequate level of personal data protection, the related transfer operation is permitted to be performed; and
- in the absence of an adequate level of personal data protection within the recipient country, the related transfer operation shall be permitted provided that the data controllers in Turkey and in the recipient country undertake to ensure an adequate level of protection in writing, and the approval of the Board is obtained.
The list of countries ensuring an adequate level of protection is yet to be announced by the Board. Accordingly, a strict interpretation of the DP Law, along with the Board's current position, leaves two permitted cross-border data transfer mechanisms for full compliance in the absence of further regulation: either obtaining explicit consent from the data subjects for the respective transfer, or concluding a written undertaking between the parties to the transfer (either in the form of an agreement or a binding corporate rule (BCR)) and obtaining the Board's approval.
With respect to written undertakings to be concluded between the parties to the cross-border transfer, the Board has published two public announcements:
- the Board initially published the Board Announcement on Minimum Content of Undertakings[20] to be concluded between the parties, categorised under two main sub-fields: (1) data controller to data controller transfers and (2) data controller to data processor transfers. Within the scope thereof, the Board explicitly determined that the published minimum content shall be incorporated into cross-border data transfer agreements; and
- the Board then published the Board Announcement on Principles and Procedures to be Followed Concerning the Preparation of Undertakings,[21] which focuses on procedural as well as content requirements for submitting a written undertaking for the Board's approval. Within the scope thereof, the Board essentially requires the incorporation of the published minimum content into cross-border data transfer agreements and introduces a comprehensive set of information and documentation requirements.
On the other hand, the Board published a public announcement[22] on 10 April 2020 concerning local BCR. Within the scope thereof, the local BCR regime has been introduced as an alternative tool for resident data controllers transferring personal data to their non-resident group companies. Despite being an adaptation of the Binding Corporate Rules mechanism acknowledged as a similar tool under the GDPR, the local BCR regime substantially diverges from it in scope.
In July 2019, the Presidency of the Republic of Turkey issued the Presidential Circular on Information and Communication Security Measures, which specifically restricts the use of public cloud systems to store data by public sector entities. Among other things, with a particular emphasis on data localisation, the Circular provides for the following:
- data of public institutions and organisations is not to be stored in cloud storing services, except for the private systems of public institutions or local service providers under the control of public institutions;
- critical information and data, such as civil registration, health and communication information as well as genetic and biometric data, shall be stored domestically in a safe environment; and
- enterprises authorised to provide communication services are obliged to establish an internet exchange point within Turkey. Furthermore, measures shall be taken and implemented to ensure that the domestic communication traffic shall not be taken outside of the country.
As for sector-specific data localisation requirements, a categorisation as to whether (1) there is a data or information system localisation requirement (on-soil requirement) or (2) there is a power vested in the competent regulatory and supervisory authority to conduct on-site audits can be made. An on-soil requirement is considered to directly pose a barrier to the transfer of data outside of Turkey, whereas the latter solely obliges regulated entities to provide access to data upon being lawfully requested by the related authority.
Company policies and practices
i Data processing notifications
Data controllers are required to fulfil their obligation to inform data subjects about the processing operations that they will carry out on their personal data. However, neither the DP Law nor the secondary legislation forces data controllers to use any specific method when informing data subjects. Aside from written notices, data controllers may use videos, infographics or other creative methods for informing data subjects, as long as these include the minimum information that must be given to the data subjects to fulfil the obligation to inform.
While GDPR-compliant privacy notices often cover most of the information to be given to data subjects required by the DP Law, they are not automatically sufficient to meet its requirements and need to be amended to be presented to Turkish data subjects.
ii Data processing inventory
Data controllers who are obliged to register with the Registry under the Regulation on the Registry of Data Controllers are expected to create a 'data processing inventory' and a personal data retention and destruction policy that is compliant with the inventory. The data processing inventory is where data controllers explain and detail their data processing operations in accordance with their business processes. The inventory shall contain the following:
- purposes for processing personal data;
- data categories;
- recipient groups to which data is transferred;
- subject groups of the data;
- maximum retention period required by the processing purpose;
- personal data to be transferred abroad; and
- measures taken regarding data security.
Furthermore, the data processing inventory shall be the basis for the notifications to be made to the Registry during registration, and Article 5 of the Communiqué on the Obligation to Inform states that the information provided during the fulfilment of the obligation to inform must be compliant with the information disclosed to the Registry. Therefore, the information within the inventory is fundamental for lawfully fulfilling the obligation to register with the registry and the obligation to inform the data subjects.
iii Data security practices
With regard to the security obligations, the DP Law obliges data controllers to take 'all technical and organisational measures to ensure adequate level of data security'. The specific data security measures to be taken by data controllers are therefore not determined by law. The Board has published a guidebook on data security to highlight certain measures that data controllers can take. The measures suggested by the Board include conducting data protection risk analyses, preparing internal data protection policies (incident response plans, data access policies, etc.), signing NDAs with employees, using firewalls and conducting penetration tests. The measures included in the guidebook are not mandatory for each and every data controller; data controllers must decide for themselves which measures are adequate for their data processing operations. However, the guidebook indicates what type of measures the Board expects data controllers to take to ensure 'adequate data security'.
Discovery and disclosure
According to Article 332 of the Turkish Criminal Procedure Law, criminal courts and prosecutors may request information, including that containing personal data, during criminal proceedings. Similarly, civil courts may request information that relates to the case at hand from the parties of the case or even third parties. The DP Law expressly states that provisions of the law shall not be applied when personal data is processed by judicial authorities with regard to investigation, prosecution, trial or execution procedures.
In addition to the judicial authorities, a number of on-site auditing rights are granted to multiple public bodies over entities that are active in their respective sectors. To exemplify, by the rights granted in their founding laws, the Energy Market Regulatory Authority, the Banking Regulation and Supervision Authority, and the Information Technologies and Communication Agency may request information from relevant players of their corresponding sectors and may conduct on-site auditing activities. During the audits, supervisory authorities may access records that include personal data.
Finally, Turkey is a party to the Convention of 1 March 1954 on civil procedure and multiple bilateral treaties on legal assistance. Therefore, data may be disclosed in response to lawful requests made by foreign governments complying with due process under the Convention.
Public and private enforcement
i Enforcement agencies
The Board is the main authority with regard to the protection of personal data. The Board is established by the DP Law, which grants it extensive investigatory and sanctioning powers. Pursuant to Article 15 of the DP Law, the Board may conduct necessary investigations ex officio or upon notification of breaches of the DP Law. Data controllers are obliged to comply with information requests made by the Board and to allow it to conduct on-site audits. If a breach is found, the Board notifies the relevant data controller to correct the unlawful situation. The data controller must comply with the notification without delay and within 30 days of the notification at the latest.
Article 18 of the DP Law lists several misdemeanours concerning data protection and the range of the administrative fines tied to them. Breach of the obligation to inform or to ensure the security of personal data, and failure to fulfil the obligation to register with the data controller registry or to comply with the decision given by the Board are considered misdemeanours and are subject to separate administrative fines ranging from 5,000 to 1 million Turkish lira.
During its investigations, if the Board finds that a particular breach is widespread, it may issue and publish a principle decision. It is mandatory for data controllers to comply with principle decisions. The Board has published multiple principle decisions to date, concerning, among other things, phonebook applications, the implementation of privacy measures at counters and booths, data breaches caused by data controllers' personnel, data breach notifications and unsolicited marketing communications. In addition to the principle decisions, the Board periodically publishes guidelines and videos and arranges seminars to inform the public and data controllers about data protection issues.
In addition to the administrative sanctions mentioned above, the Turkish Criminal Code lists certain crimes related to the unlawful processing of personal data. For example, the unlawful recording, distribution or obtaining of personal data are crimes punishable by imprisonment of between one and four years.
ii Recent enforcement cases
The Board routinely publishes summaries of its enforcement decisions on its website.23 The summary decisions and the reasons provided by the Board therein are instrumental in understanding the interpretation of the DP Law by the Personal Data Protection Authority. The Board also publishes yearly activity reports providing important statistics on enforcement decisions from previous years. The 2020 activity report provides the following:
- the Board handled a total of 2,918 notices and complaints in 2020, 1,818 of which have been decided on;
- among the 1,818 decided cases, 91 resulted in administrative fines, and in 79 cases, the Board provided specific instructions to data controllers to reconcile their data processing activity with the DP Law;
- the total amount of administrative fines issued in 2020 was 21.39 million lira; and
- the primary reason for complaints received by the Board was 'unlawful sharing of personal data with third parties by data controllers', amounting to almost half of the total complaints received.24
iii Private litigation
Under Article 11 of the DP Law, data subjects have the right to request compensation for damage if they incur any losses due to unlawful processing of personal data. Accordingly, data subjects may request pecuniary or non-pecuniary damages from the data controllers in the case of unlawful processing of personal data.
Considerations for foreign organisations
The DP Law applies to domestic and foreign data controllers alike. Although the DP Law does not define a territorial scope for its application, it is generally regarded as applicable if the processing takes place within the borders of Turkey (as demonstrated by enforcement decisions concerning foreign data controllers). Consequently, foreign data controllers are expected to comply with the obligations listed in the DP Law if they carry out personal data processing activities that affect individuals located in Turkey.
The notable obligations that foreign data controllers are required to comply with are registering with the data controller registry and appointing a 'data controller representative'. According to Article 11 of the Regulation on Data Controller Registry, data controllers that are not resident in Turkey are expected to appoint a data controller representative who will handle communications between data subjects, the Board and the foreign data controller.
One common misconception in practice is to mistake the data controller representative for the data protection officer (DPO) regulated under the GDPR. There is no obligation to appoint a DPO under the DP Law. Additionally, data controller representatives are positioned more as a contact point and do not carry data protection responsibilities as extensive as those a DPO would hold under the GDPR.
The data controller representative must represent its associated data controller on at least the following issues (though the list can be expanded in the appointment decision):
- accepting the notifications or correspondence made by the Board on behalf of the data controller and responding to the requests directed to the data controller in the name of the data controller;
- collecting and forwarding the data subject applications to the data controller;
- transmitting the responses given by data controllers in relation to data subject applications; and
- carrying out actions and operations related to the Registry on behalf of the data controller.
Cybersecurity and data breaches
i Cybersecurity
There is no catch-all cybersecurity legislation that is applicable to every entity. However, the recently enacted Circular Note on Information and Communication Security Measures numbered 2019/1225 establishes extensive cybersecurity-related obligations that are mainly applicable to public authorities and institutions. The most notable measures contained within the Circular are: (1) significantly limiting the use of cloud systems; and (2) seriously restricting social media use in the public sector.
In the absence of a generally applicable cybersecurity legislation, Electronic Communications Law No. 5809 (Law No. 5809) allocates duties and responsibilities concerning national cybersecurity to both the Ministry of Transport and Infrastructure (the Ministry) and to the Information and Communication Technologies Authority (the Authority). Responsibilities allocated to the Ministry include determining principles and procedures, preparing action plans and coordinating operations to ensure cybersecurity for public institutions and organisations, as well as natural or legal persons. Likewise, the Authority is responsible for performing duties delegated by the Presidency, the Ministry and the Cyber Security Board.
Pursuant to Law No. 5809, the Authority shall take all necessary measures to protect public institutions and organisations, as well as natural and legal persons, against cyberattacks and to ensure deterrence against cyberattacks. The Authority is further empowered to obtain and assess information, documentation, data and records from related parties as part of its duties. Additionally, the Authority may utilise and establish communication with archives, electronic information processing centres and communications infrastructures, and implement other necessary measures or ensure that such measures are implemented.
Within the purposes of the Communiqué, cybersecurity incident response teams (CIRTs) are established as teams specialised in detecting causes and effects of cybercrime and protecting information systems and data that are located therein against cybersecurity attacks. In this regard, CIRTs directly operate in cooperation with the National Cybersecurity Incident Response Centre (USOM or TR-CERT),26 which has been established under the Authority (further to the National Cybersecurity Strategy and Action Plan 2013–2014, updated by Action Plan 2016–2019 of the Ministry).
Multiple sector-specific regulations require organisations in critical sectors to employ cybersecurity measures to safeguard their information systems. For example, sector-specific legislation requires organisations related to capital markets (including listed companies)27 and entities from sectors such as insurance,28 banking29 and payment services30 to employ certain cybersecurity measures.
ii Data breaches
The most important data breach notification obligation under Turkish law is the personal data breach notification stipulated under the DP Law. Data controllers are required to notify the data subject and the Board 'in case personal data is acquired by others through unlawful means'. Data breaches that fall under this notification obligation are not categorised by their scope, seriousness or possible adverse effects. Thus, all data breaches in which personal data is obtained unlawfully by third parties must be notified to the data subject and the Board. The Board has clarified that data controllers must notify the Board within 72 hours of becoming aware of the breach, using the data breach notification form published by the Board.31
Data protection is a relatively new regulatory area for Turkey. Yet the developments that we have observed in the area in recent years have been fast-moving and are not expected to slow down in the coming years. In the near term, the two most significant expected developments are the harmonisation (at least in part) of the cross-border data transfer provisions of the local privacy laws with those stipulated under the GDPR and, later, the harmonisation of the DP Law with European standards in general. The timeline foreseen for both legislative endeavours is March 2022 (which is optimistic, based on the authors' experience). Nevertheless, the work of the public authorities is under way, and it is therefore advisable for foreign entities to watch for these two legal developments, as they will have significant consequences for their businesses in Turkey.
1 Susen Aklan is a senior associate and Kaan Can Akdere and Melis Mert are attorneys at BTS & Partners.
2 Published in the Official Gazette No. 17844 and dated 20 October 1982. Available in English: https://global.tbmm.gov.tr/docs/constitution_en.pdf.
3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal L 119, 4 May 2016.
4 Published in the Official Gazette No. 31365 and dated 15 January 2021.
5 Published in the Official Gazette No. 30224 and dated 28 October 2017.
6 Published in the Official Gazette No. 30286 and dated 30 December 2017.
7 'Explicit consent' is defined as 'Freely given, specific and informed consent'. Consent must be free (for example, consent must not be made conditional on the provision of a service), informed, limited to the relevant act of processing and have been given unambiguously by the data subject acting in a way that leaves no doubt that the data subject agrees to the processing of his or her data.
8 Guidebook on Personal Data Security (Technical and Organisational Security Measures): https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf.
9 'Personal Data Protection Board's Decision No. 2018/10 dated 31/01/2018 on Adequate Security Measures to be Taken by Data Controllers When Processing Special Categories of Personal Data' published on 7 March 2018: https://kvkk.gov.tr/Icerik/4110/2018-10.
10 Notably, the Board has made a reference to the 72-hour period provided under the GDPR as a basis for this rule.
11 Published in the Official Gazette No. 29417 and dated 15 July 2015.
12 Published in the Official Gazette No. 31324 and dated 4 December 2020.
13 Published in the Official Gazette No. 25983 and dated 1 November 2005.
14 Published in the Official Gazette No. 30808 and dated 21 June 2019.
15 Council of State, 11th Chamber, Decision No. 2017/4906 dated 13 June 2017.
16 Court of Cassation, 19th Criminal Chamber, Decision No. 2017/5325 dated 5 June 2017.
17 Supreme Court, Application No. 2013/5653. Published in the Official Gazette No. 29811 and dated 24 August 2016.
18 'Personal Data Protection Board's Decision No. 2020/481 dated 23/06/2020 on Requests Regarding the Removal of Results re. Queries of Persons' Names from the Indexes of Search Engines', published on 17 July 2020: https://kvkk.gov.tr/Icerik/6776/2020-481.
19 Published in the Official Gazette No. 31202 and dated 31 July 2020.
20 Minimum Content of Undertaking to be Prepared by Data Controllers When Transferring Personal Data Abroad, published on 16 May 2018: https://www.kvkk.gov.tr/Icerik/4236/Yurtdisina-Veri-Aktariminda-Veri-Sorumlularinca-Hazirlanacak-Taahhutnamede-Yer-Alacak-Asgari-Unsurlar.
21 Board Announcement on Principles and Procedures to be Followed Concerning the Preparation of Undertakings, published on 7 May 2020: https://kvkk.gov.tr/Icerik/6741/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-HAZIRLANACAK-TAAHHUTNAMELERDE-DIKKAT-EDILMESI-GEREKEN-HUSUSLARA-ILISKIN-DUYURU.
23 Personal Data Protection Board, Decision Summaries: https://www.kvkk.gov.tr/Icerik/5406/Kurul-Karar-Ozetleri.
24 Personal Data Protection Board, Activity Report of 2020: https://www.kvkk.gov.tr/Icerik/2094/Faaliyet-Raporu.
25 Published in the Official Gazette No. 30823 and dated 6 July 2019.
27 See Communiqué on Information System Management, published in the Official Gazette No. 30292 and dated 5 January 2018.
28 See Regulation on Supervision and Auditing of Insurance and Individual Annuity Insurance Sectors, published in the Official Gazette No. 28054 and dated 14 September 2011.
29 See Regulation on Internal Systems of Banks and Evaluation Process for Efficiency of Internal Capital, published in the Official Gazette No. 29057 and dated 11 July 2014.
30 See Regulation on the Activities of the Payment and Security Settlement Systems, published in the Official Gazette No. 29044 and dated 28 June 2014.
31 See the data breach notification form published by the Board, available in Turkish at: www.kvkk.gov.tr/SharedFolderServer/CMSFiles/617f166c-24e1-42b5-a9cb-d756d6443af9.pdf.