Turkey’s new “Law on the Protection of Personal Data” has entered into effect following passage by the Turkish Parliament in late March and official publication last week. The Data Protection Law adopts a broadly European model for data protection and helps clarify key aspects of the regulation of personal data under Turkish law. This blog post examines the law and highlights certain important provisions.
The Data Protection Law applies to the “personal data” of natural persons where that personal data is processed “wholly or partly by automatic means,” and to non-automatic processing of personal data “which form part of a filing system.” “Personal data” means “any information relating to an identified or identifiable natural person.” The concept of a “filing system” is not expressly defined in the law, which may pose difficulties for companies in determining whether their paper records are within scope.
Under the Data Protection Law, personal data should be:
a) Processed fairly and lawfully,
b) Accurate and up-to-date where necessary,
c) Processed for specific, explicit and legitimate purposes,
d) Relevant, limited and proportional to the purposes for which they are processed, and
e) Kept for duration necessary for the purposes for which the data are processed or duration foreseen under the relevant legislation.
By default, the processing of personal data requires “explicit consent” from the data subject. Explicit consent is defined as freely given, specific, informed consent. Data may be processed without explicit consent subject to limited conditions, including where necessary to perform a contract to which the data subject is a party, to comply with a legal obligation of the data controller, or for the purposes of the “legitimate interests” of the controller.
“Special categories of data” may only be processed “if envisaged under the law” or if the “explicit consent of the data subject has been obtained.” Special categories of data include data relating to an individual’s racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs; membership in any association, foundation, or trade union; health or sex life; criminal convictions and security measures; biometric data; and, notably, “dress and appearance.” Unless a data subject has provided explicit consent, personal data relating to health and sex life may “only be processed for the purposes of protection of public health, preventive medicine, medical diagnosis, conducting of nursing services, planning of the health services and financing by persons who are under the obligation of confidentiality or authorized institutions and organizations.”
Erasure, Destruction, or Anonymization of Personal Data
The Data Protection Law includes provisions expressly requiring the erasure, destruction, or anonymization of personal data once the purpose for its collection has expired. Infringements are specifically punishable as criminal offenses. The law provides for the adoption of secondary legislation regarding these requirements.
Transfers of Personal Data
By default, transfers of personal data to third parties or outside of Turkey require the explicit consent of the data subject. Alternatively, personal data may be transferred to third parties or transferred abroad under the same exceptions to consent that apply to legitimate processing (discussed above). However, for transfers of data abroad without explicit consent, additional conditions apply: (i) the country in question must provide “sufficient protection” as determined and announced by the Board of the Personal Data Protection Authority (“DPA”), or (ii) the transfer may be authorized by the Board where the data controllers involved “undertake to provide sufficient protection in writing.” Finally, the law further provides that where “the interests of Turkey or the data subject may be seriously harmed,” personal data may only be transferred abroad with the Board’s permission. The DPA and its Board are provided for in the Data Protection Law but have not yet been put in place. However, the data transfer provisions of the Data Protection Law will not enter into force until six months after publication of the law.
Other significant provisions of the Data Protection Law include the following:
– Notice. The data controller must provide notice to data subjects regarding the collection, use, and transfer of personal data.
– Data subject rights. Data subjects have the right to access and correct information, and to demand further information from the data controller, including “the third party recipients to whom the data are disclosed within the country or abroad.”
– Liability for damages. Data subjects may “demand compensation” for damages suffered as a result of unlawful processing.
– Information security. Data controllers must take security measures to prevent unlawful processing or access to data, including “necessary audits” to ensure compliance.
– Breach notification. If personal data is obtained by third parties “in an illegal manner” notification must be provided to the data subject and the DPA “as soon as possible.”
– Registration. Subject to exemptions that may be adopted by the Board, companies that process data must make an official registration before processing data. The registration requirement enters into force six months after publication of the law.
The Data Protection Law provides for fines of up to 1 million Turkish Lira (approx. € 300,000) as well as imprisonment for violations. The law generally entered into force upon its publication, although entry into force and enforcement of certain articles (including, as noted, registration and transfers) is provided for six months after publication. In addition, the law includes transitional provisions for processing already under way.