August 10, 2022

Legislation and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?

The Turkish Constitution has specifically protected PI since 2010.

The protection of PI has also been regulated by specific laws, particularly the Personal Data Protection Law (PDPL), Law No. 6698, which came into force in October 2016. Directive 95/46/EC is the starting point for the PDPL. Even though there are several differences between the PDPL and the EU General Data Protection Regulation (GDPR), the PDPL is generally based on, and follows, the GDPR.

Turkey is a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981 of the Council of Europe. The Convention was published in the Turkish Official Gazette in March 2016 and became domestic law.

Crimes against data protection and related sanctions are also regulated by the Turkish Criminal Code.

Data protection authority

Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?

The authority responsible for overseeing the implementation of the PDPL is the Personal Data Protection Authority (the Authority). The Authority is responsible, among other things, for monitoring the latest developments in legislation and practice, making evaluations and recommendations, conducting research and analyses, and cooperating with public institutions and organisations, international organisations, non-governmental organisations, professional associations and universities.

The Data Protection Board (the Board) is formed within the Authority and has the following duties, among others:

  • ensuring that personal data are processed in compliance with the PDPL, and fundamental rights and freedoms
  • promulgating rules and regulations under the PDPL
  • determining administrative sanctions under the PDPL
  • reviewing complaints of PDPL violations
  • taking necessary measures against PDPL violations at its discretion
  • setting a strategic plan for the Authority
  • determining the purpose, targets, service quality standards and performance criteria of the Authority
  • determining additional measures for the processing of sensitive personal data
  • determining specific procedures regarding data security, and the duties, powers and responsibilities of data controllers
  • providing comments on laws and rules drafted by other institutions and organisations that contain personal data provisions and
  • approving and publishing periodic reports on the performance, financial situation, annual activities and other matters related to the Authority.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

The Authority is the solely authorised institution under the PDPL. The PDPL tasks the Authority with monitoring and assessing international developments on personal data issues, and cooperating with international organisations and foreign counterparts.

Despite the limited number of decisions the Board has issued since its formation, the apparent trend is that the Board normally takes decisions of the European Data Protection Board (EDPB) into account when investigating cases. However, there is no mechanism to prevent the Board from taking decisions diverging from those of the EDPB.

Breaches of data protection law

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would these breaches be handled?

Breaches of the PDPL can lead to both administrative fines and criminal penalties. The Board is responsible for ensuring that personal data is processed in compliance with fundamental rights and freedoms, and reviewing complaints of data subjects. The Board can take temporary measures and other adequate measures, such as monetary sanctions, against violations.

In addition, criminal acts such as the illegal acquisition or registration of personal data, and non-destruction of personal data when required, may be subject to criminal penalties under the Turkish Criminal Code.


Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Personal Data Protection Law (PDPL) applies to all natural persons whose personal data is processed. It also applies to all natural and legal persons who process such data using wholly or partly automated means or, provided that they are part of a data registry system (the ‘filing system’ under the EU General Data Protection Regulation), by non-automated means. There is no distinction foreseen between private sector institutions and state institutions. As such, the PDPL applies to all types of entities and persons.

However, the PDPL does not apply in the following cases:

  • processing by natural persons in the scope of activities relating to either themselves or their family members living in the same household, on the condition that the data is safeguarded and not provided to third parties
  • anonymised processing for statistical, research, planning and similar purposes
  • processing for the purposes of art, history, literature and science, or as part of the exercise of freedom of speech, provided the processing does not prejudice national defence, national security, public order, public safety, economic security, privacy and other personal rights, or constitute a crime
  • processing within the scope of preventive, protective and intelligence activities by state institutions carrying out national defence, national security, public order, public safety or economic security functions and
  • processing by judicial authorities or execution authorities in relation to investigations, prosecutions, court cases, legal proceedings, and execution and enforcement proceedings.

Interception of communications and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?

No, the PDPL does not directly cover interception of communications, electronic marketing or monitoring and surveillance of individuals. However, the Data Protection Board (Board) has issued a decision regarding the regulation of contacting individuals via email, SMS or phone calls for advertising purposes, in which it held that these communications are subject to the same principles under the PDPL as apply to other data processing. Accordingly, these types of communications can be made only based on consent or in reliance on an exemption.

Turkey has specific legislation that covers the interception of communications, electronic marketing, and monitoring and surveillance of individuals. For example, the Law on Electronic Communication regulates all electronic communication systems while the Law on Electronic Trade regulates electronic marketing and trade. The Regulation on Erasure, Destruction and Anonymisation of Personal Data and the Communiqué on Rules and Procedures for the Fulfilment of the Obligation to Notify determine the rules and procedures to be applied to interception of communications, electronic marketing, and monitoring and surveillance of individuals. The Board has also published guidance regarding electronic communications bearing personal information and deemed it necessary for data controllers to take reasonable measures to verify the contact information declared by the relevant data subjects (eg, sending a verification code or link to the person’s registered phone number or email address). Per the Board’s approach, keeping personal data accurate and up to date is both in the interest of the data controller and necessary to protect the fundamental rights and freedoms of the data subject. In addition, channels must be made available at all times for data subjects to update their personal data. The Criminal Code and Criminal Procedural Law regulate the sanctions in case of breach of the relevant legislation.

Other laws

Are there any further laws or regulations that provide specific data protection rules for related areas?

There are specific regulations that set out data protection rules for different areas. For instance, Turkish Labour Law holds that employers are obliged to use the personal data of employees in good faith and in accordance with applicable law, and not to disclose any personal data in which an employee has a legitimate interest and has requested to be kept private.

Another example is the Regulation on Processing and Maintaining Privacy of Personal Health Data, regulating the rules and procedures to be applied when processing data involving health information.

Turkish Banking Law, the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions and the Law on Bank Cards and Credit Cards regulate the processing and transfer of financial data in Turkey and abroad.

Turkish telecommunications legislation also has provisions regarding data processing and transfers.

PI formats

What categories and types of PI are covered by the law?

The PDPL does not limit the scope of protection by categories or types. All information relating to an identified or identifiable natural person maintained and stored in any format is protected by the PDPL and secondary legislation promulgated thereunder. Nevertheless, there are specific provisions in the PDPL that regulate sensitive personal data as ‘special categories of personal data’.


Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?

The PDPL makes no differentiation between data subjects who are nationals or not. The PDPL applies to all natural persons whose personal data are processed.

Nonetheless, there are specific rules that apply to the transfer of personal data outside of Turkey. As a general rule, personal data cannot be transferred abroad without the explicit consent of the data subject. However, personal data may be transferred abroad without the explicit consent of the data subject provided that one of the conditions specified in the PDPL is met, and that:

  • adequate protection is provided in the foreign country where the data are to be transferred (the Board has the authority to determine the countries where an adequate level of protection is deemed to be provided, although it has not done so yet) or
  • where adequate protection is not provided, the controllers in Turkey and the relevant foreign country guarantee adequate protection in writing, and the Board authorises such transfer (although data requiring the data subject’s explicit consent in Turkey will continue to require such consent and will not be automatically covered by the approved undertaking) or
  • approved binding corporate rules are adopted (although data requiring the data subject’s explicit consent in Turkey will continue to require such consent and will not be automatically covered by such rules).


Consequently, the applicability of the PDPL is not limited to Turkey.

Covered uses of PI

Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?

The PDPL covers all processing and use of personal data. Certain distinctions are made between the owners, controllers and processors regarding their duties and liabilities.

Law stated date

Correct on

Give the date on which the information above is accurate.

27 May 2022.