The Privacy, Data Protection and Cybersecurity Law Review: Turkey
The protection of personal data is recognised as a fundamental right under Article 20(3) of the Constitution of the Republic of Turkey2 as of its amendment in 2010. Since the aforementioned Article requires that the principles and procedures regarding the protection of personal data shall be laid down in law; the constitutional guarantee for the protection of personal data is intended to manage the processing of personal data on a regulatory level. In this respect, Law on the Protection of Personal Data No. 6698 (the DP Law), which constitutes the main legislative instrument that specifies the principles and procedures concerning the processing and protection of personal data, has been published in the Official Gazette on 7 April 2016 and is in effect as of this date.
The data protection authority established by the DP Law, the Personal Data Protection Board (the Board), is currently active and has been regularly publishing secondary legislation of the DP Law as well as principle decisions and guidance documents concerning the application of the DP Law. Additionally, certain sector-specific data protection rules are scattered under sector-specific laws. For example, there are certain additional data protection related provisions provided under the Banking Law for financial services and these are enforced by the Turkish banking authority, the Banking Regulation and Supervision Agency.
Because Turkey is currently not an EU country, in principle, EU's General Data Protection Regulation3 (GDPR) is not directly applicable in Turkey. However, since the territorial scope of the GDPR applies where the personal data processing activities are related to the offering of goods or services to data subjects that are in the Union by a controller or processor not established in the Union, data controllers located in Turkey might be required to comply with the GDPR.
'Data protection' as a concept is becoming more and more topical in the country. The Board is continuing its work to create public awareness on the issue. On this endeavour, the Board is organising seminars, sharing educational videos and publishing guidance documents with regards to the implementation of the principles and procedures set forth under the DP Law.
With regard to cybersecurity, the relevant legislation is still evolving. Cybersecurity rules are not consolidated under one legislative instrument but rather scattered under different sector-specific regulations. Entities practising in critical sectors such as telecommunications, energy, banking and finance, and insurance are generally subjected to cybersecurity or information-security requirements. However, recently enacted legislation demonstrates the sensitivity that is being shown by the government regarding cybersecurity, which we expect to become an even more important topic for Turkey in the near future.
The year in review
Data protection has been an active legal area since the enactment of the DP Law, and 2020 has not been an exception. From the Board's perspective, 2020 has been the year of influential enforcement decisions and guidance for data controllers. The Board has been continuously publishing enforcement decisions concerning unlawful collection and processing of personal data by both private companies and government entities alike.
The three most influential decisions published by the Board within the first half of 2020 are as follows.
i Amazon.com.tr decision
One of the most important decisions given by the Board within the first half of 2020 was the Amazon decision. In its decision summary, published on 7 May 2020, the Board announced that it has fined Amazon's Turkish subsidiary with an administrative fine of 1.2 million lira in total. In its summary, the Board mentioned that it has spotted various shortcomings of Amazon's Turkish marketplace (amazon.com.tr) in its compliance with the DP Law, such as (1) failure to collect prior consent from users for direct marketing activities;4 (2) invalidity of certain consent practices;5 and (3) Amazon's failure to comply with cross-border data transfer requirements of the DP Law. It was the first enforcement decision of the Board where non-compliance with cross-border data transfer rules have been explicitly stated as a reason for finding a breach. The enforcement decision was given upon an inspection done over amazon.com.tr and privacy documentation present on the website; which compelled many companies to take a second look on their own e-commerce websites.
ii Binding corporate rules
The Board recognised Binding Corporate Rules (BCR) as a viable mechanism for group companies to be able to transfer personal data from Turkey to abroad. The mandatory content expected and procedure for application have been shared with the public, but the main limitation preventing data transfer agreements from being a practical solution for personal data transfers still remains: the bureaucracy heavy and lengthy Board application process (in the case of BCR, the current application procedure can take up to one and a half years).
iii Decisions on transparency
A pattern of special focus on privacy and consent notices (in terms of both wording and how they are presented) can be identified in the recent decisions of the Board. Our takeaway from the recent judgements is that; in the eyes of the Board, spending minimal efforts to comply with the basic information requirements of the DP Law is not sufficient to meet the transparency requirements. Based on its decisions, the Board expects to see a genuine attempt by the controller to inform data subjects about the data processing activities in a simple and clear manner.
i Privacy and data protection legislation and standards
The main legislative instrument governing data privacy practices in Turkey is the DP Law. Article 2 of the DP Law states that its provisions shall be applicable to 'natural persons whose personal data are processed and natural or legal persons who process such data wholly or partly by automatic means or by non-automated means which form part of a filing system'. It could therefore be concluded that the DP Law does not distinguish between the scope or type of data processing activities or the sector within which the data controller operates; it applies to all.
Definitions of both 'personal data' and 'processing of personal data' are similar to their counterparts under the GDPR. 'Personal data' is defined as 'any information relating to an identified or identifiable natural person' and definition of 'processing of personal data' covers any operation performed upon personal data. The definition of 'special categories of personal data' includes data relating to race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and data relating to biometrics and genetics. Notably, data relating to appearance and dress is not considered as a special category of personal data under the GDPR but is considered as such under the DP Law.
There is multiple secondary legislation of the DP Law that provides further specification on certain provisions of the DP Law. The secondary legislation that is most relevant to data controllers is as follows.
Regulation on the Deletion, Destruction or Anonymisation of Personal Data6
The DP Law states that personal data shall be deleted, destroyed or anonymised either ex officio or upon the request of the data subject if the reasons necessitating their process cease to exist. This regulation provides further details on deletion, destruction and anonymisation of personal data.
Regulation on the Registry of Data Controllers7
Under Article 16 of the DP Law, data controllers are required to register with the data controller registry. This regulation provides further details concerning the principles and procedures to be followed when fulfilling this obligation. Furthermore, the regulation brings two new titles: 'data controller representative' and 'contact person'. People filling these positions will have significant duties with regards to conveying communication between data controllers and the Board.
Communiqué on the Procedures and Principles to be Complied When Fulfilling the Obligation to Inform
The communiqué provides further details concerning how data controllers will fulfil their obligation to notify the data subjects about the processing of their personal data. These details include which information must be given to data subjects and the means and methods of these notifications.
Communiqué on Procedures and Principles for Data Controller Applications
The Communiqué provides further details concerning how data subjects will direct their requests concerning their rights stated under the DP Law to data controllers and how data controllers will handle these requests.
ii General obligations for data handlers
The DP Law sets forth an array of obligations for data controllers. Some of these obligations can be listed as follows.
Processing personal data in accordance with principles and conditions stated under the DP Law
The most fundamental of data controller obligations is to comply with general principles stated under Article 4 for the processing of personal data and process personal data only when one of the conditions under Article 5 is met.
Principles to be followed when processing personal data include:
- conforming to the law and good faith principles;
- being accurate and, if necessary, up to date;
- processing for specified, explicit and legitimate purposes;
- processing that is relevant, limited and proportionate to the stated purposes; and
- storing data only for the time designated by the relevant legislation or necessitated by the purpose for which data is collected.
The conditions for lawful data processing stated under Article 5 are:
- if none of the following conditions can be met, explicit consent8 of the data subject,
- if processing is expressly permitted by any law;
- if processing is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
- if it is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;
- if processing is necessary for compliance with a legal obligation which the controller is subject to;
- if the relevant information is publicised by the data subject himself or herself;
- if processing is necessary for the institution, usage, or protection of a right; and
- if processing is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
Conditions for processing 'special categories of personal data' are provided under Article 6 and are more restricted.
It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject; however, special categories of personal data other than those relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject if processing is permitted by any law.
Personal data relating to health and sexual life can only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorised institutions and organisations.
iii Obligation to inform
According to Article 10 of the DP Law, data controllers are obliged to inform the data subjects about the following, at the point of collecting their personal data:
- the identity of the data controller and, if any, its representative;
- the purposes for which personal data will be processed;
- the persons to whom processed personal data might be transferred and the purposes for the same;
- the method and legal cause of collection of personal data; and
- the rights set forth under Article 11 of the DP Law.
Principles and procedures that must be followed when fulfilling this obligation are provided in detail under the Communiqué on the procedures and principles to be complied with when fulfilling obligation to inform (the Communiqué on the obligation to inform). For example, the Communiqué on the obligation to inform requires data controllers to inform data subjects and obtain their consent separately, and states that, when informing data subjects, a clear, simple and understandable wording must be used.
iv Registering with the data controller registry
Article 16 of the DP Law states that the data controllers are required to register with the Data Controller Registry (the Registry) before processing personal data. The Registry is currently active and accepting registrations.
The following information shall be provided to the Registry:
- identity and address information of the data controller and, if any, of its representative;
- the purposes for which personal data will be processed;
- the group or subject groups of persons of the data and explanations regarding data categories belonging to these persons;
- recipient or recipient groups to whom personal data may be transferred;
- personal data which is expected to be transferred abroad;
- measures taken for the security of personal data; and
- the maximum retention period for the purposes for which personal data are processed.
Principles and procedures regarding the obligation to register with the Registry are provided in detail under the Regulation on the Data Controller Registry. On an additional note, the Regulation requires resident data controllers to appoint a contact person to submit requested information to the Registry. The contact person shall be the 'point of contact' that will carry out the communication with the Board and with the data subjects . Similarly, non-resident data controllers are expected to appoint a 'data controller representative', which can either be a natural person who is a Turkish citizen, or a legal entity established and operating in Turkey. This person shall be notified to the Registry during registration.
The registration deadline has been extended to 30 September 2020 for resident and non-resident data controllers. Having said that, for resident data controllers that have an annual turnover less than 25 million lira and employ less than 50 employees, but whose main area of activity is processing special categories of personal data, the registration deadline has been extended to 31 May 2021.
v Ensuring the security of personal data
Under Article 12 of the DP Law, data controllers are obliged to take all necessary technical and organisational measures to provide an appropriate level of security to:
- prevent unlawful processing of personal data;
- prevent unlawful access to personal data; and
- safeguard personal data.
What the phrase 'all necessary technical and organisational measures' actually means is not explicitly defined under the data protection legislation; however, the 'Guidebook on Personal Data Security' published by the Board9 provides guidance on what measures are expected to be taken by the data controllers.
What is more, the DP Law expects additional protective measures to be taken when handling special categories of personal data; these measures are specified under a principle decision taken by the Board10 and include using cryptographic encryption measures, signing NDA agreements with the personnel and setting two-stage authentication systems over the information systems that contain personal data.
Additionally, data controllers are required to notify the relevant data subjects and the Board if personal data is obtained by others through unlawful means (e.g., a cyberattack or data leakage) as soon as possible.
In its decision of 15 February 2019, the Board announced the principles and procedures to be followed when submitting personal data breach notifications to the Board in accordance with Article 12 of the DP Law. According to the decision, data controllers are expected to notify the Board as soon as possible and no later than 72 hours11 after they become aware of the breach. Notifications are to be made via a template notification form and data controllers are expected to prepare a 'data breach response plan' that will cover issues such as steps to be followed within the organisation to handle breaches and responsibilities regarding such incidents.
Additionally, the Board has issued a Board Decision specifying the minimum content of notifications to be made to data subjects in the event of a breach incident. Accordingly, data subject notifications must include information on the following:
- when the breach has occurred;
- categories of data affected by the breach (in a manner differentiating between categories of personal data and special categories of personal data);
- potential impacts of the breach;
- measures taken or recommended to be taken to eliminate the adverse effects of the breach; and
- contact details of persons to be communicated in order to obtain further information on the incident or other methods of communication, including the website and call centre of the data controller.
vi Data subjects' rights
As stipulated by Article 11 of the DP Law, every data subject has the following rights in relation to their personal data, which they may use by applying to the data controller. He or she may:
- learn whether their personal data have been processed;
- request information as to processing if their data have been processed;
- learn the purpose of processing of their personal data and whether data are used in accordance with their purpose;
- learn the third parties those which their personal data have been transferred;
- request rectification in case personal data are processed incompletely or inaccurately;
- request deletion or destruction of their personal data within the framework of the conditions set forth under Article 7;
- request notification of the operations made as per indents (e) and (f) to third parties to whom personal data have been transferred;
- object to the occurrence of any result that is to their detriment by means of analysis of their personal data exclusively through automated systems; and
- request compensation for the damages in case the they incur damages owing to unlawful processing of their personal data.
vii Specific regulatory areas
In addition to the general provisions of the DP Law, electronic marketing communications are regulated under a separate regulation, the Regulation on Commercial Communications and Electronic Commercial Communications (the Commercial Communications Regulation).12 Commercial emails, text messages and outbound calls fall within the scope of the regulation and these electronic commercial messages are required to meet certain strict criteria to be regarded as lawful.
First, sending electronic commercial messages requires prior consent of the recipient. However, there are certain exceptions to the prior consent requirements such as if the message is sent to merchants and craftsman or the message relates to collection matters, debt reminders, information update, purchases, delivery and similar actions with respect to an ongoing subscription, membership or partnership, or contains information required by legislation to be sent to the recipient. The consent cannot be actively requested by sending an electronic communication to the recipient or deemed obtained through disclaimers or general terms and conditions. Also, if the consent is obtained through electronic tick-boxes, the consent box shall not be presented as pre-checked.
Secondly, electronic commercial message must contain the following information: the sender's trade name, central registration system number in the title or content of the message, at least one contact detail and an easy way for the recipient to opt out. Recipients may refuse at any time to receive further electronic commercial messages without having to give a reason.
Service providers and intermediary service providers must keep records of consent for one year after consent is terminated and records of message delivery for one year after the message is delivered.
As recently amended, the Commercial Communications Regulation introduces the Turkish Commercial Electronic Message Management System (CMMS), the main functions of which are:
- obtaining commercial electronic message permissions;
- using the right to opt-out by recipients; and
- managing recipients' complaints regarding unsolicited commercial electronic messages.
Accordingly, service providers and intermediary service providers (initiating the transmission of commercial electronic messages at the service provider's instruction) are now required to register to the CMMS and upload and integrate their electronic message data and system.
Service providers are under the obligation to register to the CMMS and must upload their permissioned database until 1 September 2020. Although the Commercial Communications Regulation does not explicitly provide for a registration requirement for non-resident service providers, the respective regulatory authority extended the CMMS registration obligation to also cover non-resident entities. Thus, the legal position of non-resident service providers in respect of the obligations for CMMS is same as that of the resident service providers, as no distinction is made in this regard. However, further clarification is required with respect to non-resident service providers, as to how processes concerning registration to and use of CMMS is to be handled.
Although the DP Law is the main data protection instrument, there is sector-specific legislation that governs the protection of personal data under their respective sectors and areas such as the Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector,13 Article 73 of the Banking Law14 about banking secrecy and 'customer secrets', and the Regulation on Personal Health Data that mainly concerns the healthcare sector.15
viii Technological innovation
Cookies and similar online tracking technologies are not regulated under a specific law; therefore, general rules under the DP Law apply. Processing of personal data for the purposes of targeted and behavioural advertising or profiling, generally, can only be carried out with the explicit consent of the data subject. Consequently, Turkish online media organisations are continuously switching to opt-in schemes for their tracking activities and adding cookie banners to their websites.
Facial recognition and biometric data
Biometric data (e.g., fingerprints, facial scans, palm vein data) is categorised as a special category of personal data under the DP Law and can only be processed with the explicit consent of the data subject, unless it is expressly allowed by law. In addition, the use of biometric data is considered to be problematic from a constitutional rights perspective. In a recent decision issued by the Council of State,16 use of facial recognition technologies for shift tracking in a public workplace has been found unconstitutional. In its ruling, the Council stated that use of such technologies even under public settings do fall under the scope of 'the right to private life' and that the use of the technology in employee tracking was not envisioned by law.
Right of erasure or right to be forgotten
The 'right to be forgotten' is not explicitly recognised as a right under the Turkish Constitution. However, recent case law of both Turkish Court of Cassation17 and Supreme Court18 have ruled that the individuals have a 'right to be forgotten' under 'the right to protection of honour and reputation' and 'the right to protection of personal data'. In both decisions, the courts made a reference to the ground-breaking Google Spain judgment of the ECHR. Consequently, it can be said that a right to be forgotten is emerging by way of case law in Turkey.
Moreover, the Board has recently published a Board Decision19 that provides further regulation on the right to be forgotten, as well as specific criteria to be followed by search engines when concluding data subject requests in this regard. It is essential to underline that although the data subject rights envisaged under the DP Law do not specifically refer to the right to be forgotten, data subjects are entitled to request erasure of their personal data. While explicitly determining that search engines shall be construed as data controllers, the Board also decided that the data subjects' right to request removal of results (containing personal data) from the search index shall be construed as falling within the scope of data subject rights envisaged under the DP Law.
Recent amendments to the Law on the Regulation of Broadcasts over the Internet and Prevention of Crimes Committed Through Such Broadcasts No. 565120 (the Internet Law) also included a provision specifically addressing the right to be forgotten. This newly introduced provision of the Internet Law now allows:
- individuals whose personal rights are violated due to content broadcasted over the internet to request disassociation of their name with URLs that are subject to a content removal or access blocking decision; and
- the Access Providers' Union to notify search engines regarding such name and URL disassociation. Prior to this amendment, individuals or requesting parties were instructed to directly submit a request to the related search engines for the removal of violating content from the cache memories of search engines, as such violating content would still be listed under the inquiry even when removed.
International data transfer and data localisation
International transfer of personal data is regulated under Article 9 of the DP Law. The respective Article 9 of the DP Law provides for a general rule that prohibits the cross-border transfer of personal data without obtaining explicit consent from the data subject. The respective article further provides for a derogation from this general rule and allows for the cross-border transfer of personal data without obtaining explicit consent on the following conditions:
- in the event that the conditions specified under Article 5 and Article 6 of the DP Law are deemed applicable, and the recipient country ensures an adequate level of personal data protection, the related transfer operation is permitted to be performed; and
- in the absence of an adequate level of personal data protection within the recipient country, the related transfer operation shall be permitted provided that the data controllers in Turkey and in the recipient country undertake to ensure an adequate level of protection in writing, and the approval of the Board is obtained.
The list of countries ensuring an adequate level of protection is yet to be announced by the Board. Accordingly, a strict interpretation of the DP Law, along with the Board's current position, concludes the implementation of two permitted cross-border data transfer mechanisms to ensure full compliance in the absence of further regulation: either obtaining explicit consent from the data subjects for the respective transfer, or concluding a written undertaking with the between the parties to the transfer (either in the form of an agreement or a BCR) and obtaining the Board's approval.
With respect to written undertakings to be concluded between the parties to the cross-border transfer, the Board has published two public announcements:
- the Board initially published the Board Announcement on Minimum Content of Undertakings21 to be concluded between the parties, in a manner categorised under two main sub-fields: (1) data controller to data controller transfers and (2) data controller to data processor transfers. Within the scope thereof, the Board explicitly determined that the published minimum content shall be incorporated into cross-border data transfer agreements; and
- the Board then published the Board Announcement on Principles and Procedures to be Followed Concerning the Preparation of Undertakings,22 which focuses on procedural as well as content requirements for submitting a written undertaking for the Board's approval. Within the scope thereof, the Board essentially requires the incorporation of the published minimum content into cross-border data transfer agreements and introduces a comprehensive set of information and documentation requirements.
On the other hand, the Board published a public announcement23 on 10 April 2020, concerning local BCR. Within the scope thereof, the local BCR regime has been introduced as an alternative tool for resident data controllers transferring personal data to their non-resident group companies. Despite being an adaptation of the Binding Corporate Rules mechanism acknowledged as a similar tool under the GDPR, the local BCR regime substantially diverges from the scope thereof.
In July 2019, the Presidency of Republic of Turkey issued the Presidential Circular on Information and Communication Security Measures (the Circular), which specifically restricts the use of public cloud systems to store data by public sector entities. Among other things, with a particular emphasis on data localisation, the Circular provides for the following:
- data of public institutions and organisations is not to be stored in cloud storing services, except for the private systems of public institutions or local service providers under the control of public institutions;
- critical information and data, such as civil registration, health and communication information as well as genetic and biometric data, shall be stored domestically in a safe environment; and
- enterprises authorised to provide communication services are obliged to establish an internet exchange point within Turkey. Furthermore, measures shall be taken and implemented in order to ensure that the domestic communication traffic shall not be taken outside of the country.
As for sector-specific data localisation requirements, a categorisation as to whether (1) there is a data or information system localisation requirement (on-soil requirement) or (2) there is a power vested in the competent regulatory and supervisory authority to conduct on-site audits can be made. An on-soil requirement is considered to directly pose a barrier to the transfer of data outside of Turkey, whereas the latter solely obliges regulated entities to provide access to data upon being lawfully requested by the related authority.
Company policies and practices
i Data processing notifications
Data controllers are required to fulfil their obligation to inform data subjects about the processing operations that they will carry out over their personal data. However, the DP Law or secondary legislation does not force data controllers to use any specific methods when informing the data subjects. Aside from the written notices, data controllers may use videos, infographics or other creative methods for informing data controllers as long as they include the minimum information that must be given to the data subjects to fulfil their obligation to inform.
While GDPR compliant privacy notices often cover most of the information to be given to data subjects required by DP Law, they are not automatically sufficient to meet its requirements and need to be amended to be presented to Turkish data subjects.
ii Data processing inventory
Data controllers who are obliged to register with the Registry under the Regulation on the Registry of Data Controllers are expected to create a 'data processing inventory' and a personal data retention and destruction policy that is compliant with the inventory. The data processing inventory is where data controllers explain and detail their data processing operations in accordance with their business processes. The inventory shall contain the following:
- purposes for processing personal data;
- data categories;
- recipient groups to which data is transferred;
- subject groups of the data;
- maximum retention period required by the processing purpose;
- personal data to be transferred abroad; and
- measures taken regarding data security.
Furthermore, the data processing inventory shall be the basis for the notifications to be made to the Registry during registration, and Article 5 of the Communiqué on the obligation to inform states that the information provided during the fulfilment of the obligation to inform must be compliant with the information disclosed to the Registry. Therefore, the information within the inventory is fundamental for lawfully fulfilling the obligation to register with the registry and the obligation to inform the data subjects.
iii Data security practices
With regards to the security obligations, the DP law obliges data controllers to take 'all technical and organisational measures to ensure adequate level of data security'. Therefore, the type of data security measures to be taken by the data controllers are not determined by law. The Board has published a guidebook on data security to highlight certain measures that can be taken by the data controllers. The measures suggested by the Board include conducting data protection risk analyses, preparing internal data protection policies (incident response plans, data access policies etc.), signing NDAs with employees, using firewalls and conducting penetration tests. Measures included in the guidebook are not mandatory for each and every data controller. Data controllers must decide themselves which measures are adequate for their data processing operations. However, measures included in the guidebook are explanatory on the interpretation on what type of measures the Board expects data controllers to take to ensure 'adequate data security'.
Discovery and disclosure
According to Article 332 of the Turkish Criminal Procedure Law, criminal courts and prosecutors may request information, including those containing personal data, during criminal proceedings. Similarly, civil courts may request information that relates to the case at hand from the parties of the case or even third parties. The DP Law expressly states that provisions of the law shall not be applied when personal data is processed by judicial authorities with regards to investigation, prosecution, trial or execution procedures.
In addition to the judicial authorities, a number of onsite auditing rights are granted to multiple public bodies over entities that are active in their respective sectors. To exemplify, by the rights granted in their founding laws, the Energy Market Regulatory Authority, the Banking Regulation and Supervision Authority, and the Information Technologies and Communication Agency may request information from relevant players of their corresponding sectors and may conduct on site auditing activities. During the audits, supervisory authorities may access records which include personal data.
Lastly, Turkey is a party to the Convention of 1 March 1954 on civil procedure and multiple bilateral treaties on legal assistance. Therefore, data may be disclosed in response to lawful requests made by foreign governments complying with due process under the Convention.
Public and private enforcement
i Enforcement agencies
The Board is the main authority with regards to protection of personal data. The Board is established by the DP Law and the law grants extensive investigatory and sanctioning power to the authority. Pursuant to Article 15 of the DP Law, the Board may conduct necessary investigations ex officio or upon notification about breaches of the DP Law. Data controllers are obliged to comply with the information requests made by the Board and allow them to conduct onsite audits. If a breach is found, the Board notifies the relevant data controller to correct the unlawful situation. The data controller must comply with the notification without delay and within 30 days of the notification at the latest.
Article 18 of the DP Law lists several misdemeanours concerning data protection and the range of the administrative fines tied to them. Breach of the obligation to inform or to ensure the security of personal data, and failure to fulfil the obligation to register with the data controller registry or to comply with the decision given by the Board are considered misdemeanours and are subject to separate administrative fines ranging from 5,000 to 1 million Turkish lira.
During its investigations, if the Board finds out that a particular breach is widespread, it may issue a principle decision and publish it. It is mandatory for data controllers to comply with principle decisions. The Board has published multiple principle decisions to date including some concerning phonebook applications, the implementation of privacy measures on counters and booths, and data breaches caused by data controllers' personnel, data breach notifications and unsolicited marketing communications. In addition to the principle decisions, the Board is periodically publishing guidelines and videos and arranges seminars to inform the public and data controllers about data protection issues.
In addition to the mentioned administrative sanctions, Turkish Criminal Code lists certain crimes that are related to unlawful processing of personal data. For example, unlawful recording, distribution or obtaining of personal data are crimes that are punished by imprisonment of the perpetrator between one to four years.
ii Recent enforcement cases
The Board have recently published summaries of numerous enforcement decisions on its website.24 Previously, the summaries did not include the identities of the data controllers or the amount of fines; however, the Board has been more transparent in its more recent decisions and has published names and amounts. The majority of fines were due to a breach of data security obligations, even when the breach was caused by a violation of data processing principles. For example, the Board sanctioned a bank because it violated the principle of 'data minimisation' when it provided a six-month account statement of its customer to a civil court when the court only asked for the statement of the last three months. In another example, the Board found a breach of data security obligations where the data controller had made the explicit consent of the data subject a precondition for the provision of certain goods or services.
iii Private litigation
Under Article 11 of the DP Law, data subjects have the right to request compensation for the damages if they incur any losses due to unlawful processing of personal data. Accordingly, data subjects may request for pecuniary or non-pecuniary damages from the data controllers in case of unlawful processing of personal data.
Considerations for foreign organisations
The DP Law applies to domestic and foreign data controllers alike. Although the DP Law does not provide a territorial scope for its application, it is generally regarded as applicable if the processing takes place within the borders of Turkey (and has been demonstrated by the enforcement decisions concerning foreign data controllers).25 Consequently, foreign data controllers are expected to comply with the obligations listed in the DP Law if they carry out personal data processing activities that affect individuals located in Turkey.
The notable obligations foreign data controllers are required to comply with are to register with the data controller registry and to assign a 'data controller representative'. According to Article 11 of the Regulation on Data Controller Registry, data controllers who are not resident in Turkey are expected to appoint a data controller representative who will carry out communications by data subjects and the Board with the foreign data controller.
One misconception that is common in practice is mistaking the data controller representative with the data protection officer (DPO) regulated under the GDPR. There is no obligation to appoint a DPO under the DP Law. Additionally, data controller representatives are positioned more as a contact point and they do not have extensive data-protection-related responsibilities as significant as those a DPO would hold under the GDPR.
The data controller representative must represent its associated data controller on at least the following issues (though the list can be expanded in the appointment decision):
- accepting the notifications or correspondence made by the Board on behalf of the data controller and responding to the requests directed to the data controller in the name of the data controller; and
- collecting and forwarding the data subject applications to the data controller;
- transmit the responses given by data controllers in relation to data subject applications; and
- carrying out actions and operations related to the Registry on behalf of the data controller.
Cybersecurity and data breaches
There is no catch-all cybersecurity legislation that is applicable to every entity. However, the recently enacted Circular Note on Information and Communication Security Measures numbered 2019/1226 (the Circular) establishes extensive cybersecurity-related obligations that are mainly applicable to public authorities and institutions. The most notable measures contained within the Circular are (1) significantly limiting the use of cloud systems; and (2) seriously restricting social media use in the public sector.
In the absence of a generally applicable cybersecurity legislation, Electronic Communications Law No. 5809 (Law No. 5809) allocates duties and responsibilities concerning national cybersecurity to both the Ministry of Transport and Infrastructure (the Ministry) and to the Information and Communication Technologies Authority (the Authority). Responsibilities allocated to the Ministry include determining principles and procedures, preparing action plans and coordinating operations to ensure cybersecurity for public institutions and organisations, as well as natural or legal persons. Likewise, the Authority is responsible for performing duties delegated by the Presidency, the Ministry and the Cyber Security Board.
Pursuant to Law No. 5809, the Authority shall take all necessary measures to prevent public institutions and organisations, as well as natural and legal persons, against cyberattacks and to ensure deterrence against cyberattacks. The Authority is further empowered to obtain and assess information, documentation, data, and records from related parties as part of its duties. Additionally, the Authority may utilise and establish communication with archives, electronic information processing centres and communications infrastructures; and implement other necessary measures or ensure that such measures are implemented.
Within the purposes of the Communiqué, Cybersecurity Incident Response Teams (CIRTs) are established as teams specialised in detecting causes and effects of cybercrimes and protecting information systems and data that are located therein against cybersecurity attacks. In this regard, CIRTs directly operate in cooperation with the National Cybersecurity Incident Response Centre (USOM or TR CERT),27 which has been established under the Authority (further to the National Cybersecurity Strategy and Action Plan 2013–2014, updated by Action Plan 2016–2019 of the Ministry).
There are multiple sector-specific regulations that require organisations from critical sectors to employ cybersecurity measures to safeguard their information systems. For example, their sector-specific legislation requires organisations related to capital markets (including on-stock companies)28 and entities from sectors such as insurance,29 banking30 and payment services31 to employ certain measures related to cybersecurity.
ii Data breaches
The most important data breach notification obligation under Turkish law is the personal data breach notification stipulated under the DP Law. Data controllers are required to notify the data subject and the Board 'in case personal data is acquired by others through unlawful means'. Data breaches that fall under this notification obligation are not categorised by their scope, seriousness or its possible adverse effects. Thus, all data breaches where personal data is obtained unlawfully by third parties must be notified to the data subject and the Board. The Board has clarified that data controllers must notify the Board within 72 hours of becoming aware of the breach, by making use of the data breach notification form published by the Board.32
Data protection is a relatively new regulatory area for Turkey. Yet the developments that we have observed in the area in the last three years have been fast and are not expected to slow down in the following years. For the near term, two of the most significant developments that are expected are the activation of the data controller registry and the publishing of the list of countries that have an 'adequate level of personal data protection' by the Board. It is advisable for the foreign entities to be on the watch for these two legal developments as these will have significant effects for their businesses in Turkey.
The GDPR has had an impact on the Turkish entities owing to its extended territorial scope and high level of monetary fines. Turkish businesses that are active in the European market are mindful of the requirements brought by it. The DP Law was prepared by taking note of the EU Data Protection Directive of 1995 and it is known that the Board is paying close attention to the data protection developments in Europe. If the 'Europeanisation' trend continues for data protection in Turkey, in the long term amendments to the DP Law that are in line with the provisions of the GDPR should not come as a surprise.
1 Batu Kınıkoğlu is a partner, and Selen Zengin and Kaan Can Akdere are attorneys at BTS&Partners.
2 Published in the Official Gazette No. 17844 and dated 20 October 1982. Available in English: https://global.tbmm.gov.tr/docs/constitution_en.pdf.
3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal L 119, 4 May 2016.
4 The complainant pointed out that Amazon Turkey currently considers all who use the Amazon service or who browse the website as having given their consent by default to receive electronic communications from Amazon Turkey.
6 Published in the Official Gazette No. 30224 and dated 28 October 2017.
7 Published in the Official Gazette No. 30286 and dated 30 December 2017.
8 'Explicit consent' is defined as 'Freely given, specific and informed consent'. Consent must be free (for example, consent must not be made conditional for the provision of a service), informed, limited to the relevant act of processing and have been given unambiguously by data subject acting in a way that leaves no doubt that the data subject agrees to the processing of his or her data.
9 Guidebook on Personal Data Security (Technical and Organisational Security Measures): https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf.
10 'Personal Data Protection Board's Decision No. 2018/10 dated 31/01/2018 on Adequate Security Measures to be Taken by Data Controllers When Processing Special Categories of Personal Data' published on 7 March 2018: https://kvkk.gov.tr/Icerik/4110/2018-10.
11 Notably, the Board have made a reference to the 72-hour period provided under the GDPR as a basis for this rule.
12 Published in the Official Gazette No. 29417 and dated 15 July 2015.
13 Published in the Official Gazette No. 28363 and dated 24 July 2012.
14 Published in the Official Gazette No. 25983 and dated 1 November 2005.
15 Published in the Official Gazette No. 30808 and dated 21 June 2019.
16 Council of State, 11th Chamber, Decision No. 2017/4906 dated 13 June 2017.
17 Court of Cassation, 19th Criminal Chamber, Decision number 2017/5325 dated 5 June 2017.
18 Supreme Court, application number 2013/5653. Published in the Official Gazette No. 29811 and dated 24 August 2016.
19 'Personal Data Protection Board's Decision No. 2020/481 dated 23/06/2020 on Requests Regarding the Removal of Results re. Queries of Persons' Names from the Indexes of Search Engines' published on 17 July 2020: https://kvkk.gov.tr/Icerik/6776/2020-481.
20 Published in the Official Gazette No. 31202 and dated 31 July 2020.
21 Minimum Content of Undertaking to be Prepared by Data Controllers When Transferring Personal Data Abroad, Published on 16 May 2018: https://www.kvkk.gov.tr/Icerik/4236/Yurtdisina-Veri-Aktariminda-
22 Board Announcement on Principles and Procedures to be Followed Concerning the Preparation of Undertakings, Published on 7 May 2020: https://kvkk.gov.tr/Icerik/6741/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-HAZIRLANACAK-TAAHHUTNAMELERDE-DIKKAT-
23 Announcement on Binding Corporate Rules, Published on 10 April 2020: https://kvkk.gov.tr/Icerik/6728/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-BAGLAYICI-
24 Personal Data Protection Board, Decision Summaries: https://www.kvkk.gov.tr/Icerik/5406/Kurul-Karar-Ozetleri.
25 See footnotes 9, 10 and 11.
26 Published in the Official Gazette No. 30823 and dated 6 July 2019.
28 See Communiqué on Information System Management, published in the Official Gazette No. 30292 and dated 5 January 2018.
29 See Regulation on Supervision and Auditing of Insurance and Individual Annuity Insurance Sectors, published in the Official Gazette No. 28054 and dated 14 September 2011.
30 See Regulation on Internal Systems of Banks and Evaluation Process for Efficiency of Internal Capital, published in the Official Gazette No. 29057 and dated 11 July 2014.
31 See Regulation on the Activities of the Payment and Security Settlement Systems, published in the Official Gazette No. 29044 and dated 28 June 2014.
32 See the data breach notification form published by the Board, available in Turkish at: www.kvkk.gov.tr/SharedFolderServer/CMSFiles/617f166c-24e1-42b5-a9cb-d756d6443af9.pdf.