İrem Cansu Atikcan
Currently, there is no specific law in Turkey regarding personal data protection. Data protection is governed by the general provisions of a number of laws and regulations.
There has been a Draft Law on the Protection of Individuals with regard to Processing of Personal Data (“Draft Law”) pending before the Turkish Parliament, which was reformulated over the last months of 2012. The Draft Law regulates rules and procedures relating to protection and processing of personal data and has been prepared in light of European Union Directive 95/46/EC and the Commission’s Decision 2001/497/EC.
On 12 September 2010, a referendum was held on a reform package which introduced amendments to the last Turkish Republic Constitution adopted in 1980. As a result of the amendment, the right to protection of personal rights and privacy set forth in Article 20 of the Constitution has been bolstered, increasing the scope of accountability and introducing more stringent requirements for protection of personal data. It is anticipated that the Draft Law shall be enacted in the very near future to reflect changes made to the Turkish Constitution.
Most recently, on 24 July 2012, the Regulation on Protection of Personal Data in Electronic Communications Sector was published. This Regulation stipulates sector-specific requirements for operators.
Definition of Personal Data
In the absence of a specific law on data protection there is no exact definition for “personal data”; however, some regulations and laws have defined personal data within their specific context.
The most relevant source is the Regulation on Protection of Personal Data in Electronic Communications Sector, which deals with personal data processed in hard copy and automated fashion. This Regulation defines personal data as any information regarding a known or identifiable natural or legal person.
Definition of Sensitive Personal Data
Although there is no explicit definition of sensitive data, the Turkish Criminal Code No. 5237 imposes penalties on any person who records the political, philosophical or religious concepts of individuals, or without legitimate reason personal information relating to their racial origins, ethical tendencies, health conditions or connections with syndicates.
Definition of Personal Data
The Draft Law defines personal data as any information relating to an identified or identifiable natural and legal person.
Definition of Sensitive Personal Data
The Draft Law defines sensitive personal data as personal data revealing race, political opinions, philosophical beliefs, religion, sect or other beliefs, foundation or union membership, and the processing of data concerning health or private life and all kinds of convictions.
National Data Protection Authority
Currently there is no independent body governing data protection in Turkey.
In accordance with the Draft Law an independent authority will be established to monitor data processing and ensure compliance, namely, the Personal Data Authority (“Authority”). The Authority shall enforce application of the law, monitor data processing and ensure compliance.
Currently there is no requirement for registration.
The Draft Law stipulates that the Authority shall keep a Personal Data Registry; natural and legal persons will be required to register prior to commencing any data processing activities unless an exemption applies.
Data Protection Officers
There is no requirement in Turkey to appoint a data protection officer.
Nor is there any requirement under the Draft Law to appoint a data protection officer.
Collection and Processing
Article 20 of the Constitution states that everyone has the right to ask for protection of his/her personal information; such right includes the right to be informed of personal data pertaining to such person, the right to access, delete and/or correct such data and the right to find out whether the data is being used in accordance with the purpose for which it was collected.
The provision also stipulates that personal data can only be processed for reasons stated in the law or with explicit consent of the data subject.
Data protection is enforced through general provisions laid down in a number of laws and regulations. In this regard, each situation needs to be evaluated individually as it may be subject to provisions of an applicable specific law, if any.
In general terms, the Turkish Criminal Code No. 5237 contains provisions regulating collecting and processing of personal data and imposes penalties for acquiring and unlawful recording of personal data.
Furthermore, the Turkish Criminal Code No. 5237 stipulates that upon expiry of the time period specified by law to retain data, such data must be deleted or destroyed.
The Draft Law stipulates that personal data can only be processed in accordance with the Draft Law and other laws, and sets forth that personal data may be collected and processed if:
- processed fairly and lawfully;
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- adequate, relevant and not excessive in relation to the purposes for which they are collected and/or processed;
- accurate and, where necessary, kept up to date; or
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
Personal data may be processed only if:
- the data subject has given his explicit consent;
- processing is necessary for compliance with a legal obligation to which the controller is
- processing is necessary in order to protect the life or physical integrity of the data subject or another where the data subject is incapable of giving his consent;
- processing is necessary for the execution or performance of a contract to which the data subject is party;
- processing of data that has been disclosed/published by the data subject or is available in the public domain; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.
As part of the collection of data from the data subject the controller is obliged to provide the data subject with the following information:
- the identity of the controller and of his representative, if any;
- the purposes of the processing for which the data is intended;
- the recipients of the data;
- the process of collecting data, the legal grounds and probable effects;
- the existence of the right of access to data collected; and
- the right to rectify the data concerning the data subject.
Where the data has not been obtained from the data subject, the controller shall provide the data subject with the above stated information as well as details of the categories of data concerned.
Processing of sensitive personal data revealing race, political opinions, philosophical beliefs, religion, sect or other beliefs, foundation or union membership, and the processing of data concerning health or private life and all kinds of convictions is forbidden.
Sensitive personal data may be processed under a number of circumstances defined under the Draft Law provided precautions/safeguards are taken to protect the family and private life.
Broadly speaking, the Turkish Criminal Code No. 5237, contains provisions regarding unlawful transmission or obtaining of personal data. Nonetheless, each situation should be evaluated as it may be subject to provisions of an applicable specific law.
In accordance with the Draft Law, approval of the Authority is required for transfer of personal data, and personal data may only be transferred to a third country if the recipient country ensures an adequate level of protection. If there is no such protection in the recipient foreign country, the data transfer may be permitted in a number of situations listed under the Draft Law.
Consistent with the principles of good faith those entrusted with personal data are expected to ensure protection of such data. There are a number of specific laws which require data to be kept safely and ensure protection of any data collected and/or processed.
Under the Draft Law, the controller is required to ensure that appropriate technical and organizational measures are taken to prevent all illegal processing and to ensure the data is not destroyed, lost, amended, disclosed or transferred without authority. Such measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected.
In the event the controller carries out processing by way of a processor, such relationship must be governed by a contract or legal act binding the processor to the controller and such instrument shall stipulate that the processor has adequate technological and administrative precautionary measures in place.
There is no breach notification requirement; nonetheless, in the event that data is inadvertently or erroneously lost, transferred, destroyed etc., notification should be made to the data subjects in accordance with the principles of good faith. Furthermore, each situation should be evaluated in accordance with provisions of the applicable specific law, if any, as stricter procedures may apply.
The Draft Law does not currently stipulate any breach notification requirement; however, this may change before the law is enacted.
In general terms, the Turkish Criminal Code No. 5237 imposes custodial sentences for unlawful processing of data; the Turkish Civil Law No. 4721 affords the right to claim compensation for the unjust use of data and a number of other laws impose administrative fines.
The Draft Law also introduces imprisonment, penalties and administrative fines for collecting and processing personal data in breach of the law and disclosing it illegally to third parties. Acts that breach the Draft Law can result in administrative fines in the amount of 5,000 TL (approximately EUR 2,500) to 10,000 TL (approximately EUR 5,000) to be imposed by the Authority.
There is another Draft Law on E-Commerce pending before the Parliament which would require service providers to provide protection for personal data.
Online Privacy (Including Cookies and Location Data)
There is no specific law on online privacy with specific provisions on Cookies and Location Data. However, Law No. 5651 on Regulating Broadcasting in the Internet and Fighting Against Crimes Committed through Internet Broadcasting enables internet users to initiate prosecution in case of infringements of their personal rights.