Turkey - Data Protection Overview

July 2021

1. Governing Texts

In April 2016, Turkey completed the final step in a long-running process to enact the Law on Protection of Personal Data No. 6698 ('the Data Protection Law'). The Data Protection Law received Presidential approval and its final text was published in the Official Gazette, Number 29677 on 7 April 2016. Prior to this date, Turkey did not have specific legislation addressing personal data protection.

From 7 April 2016 onward, a general prohibition applied in Turkey on the processing or storing of personal data without explicit consent from the data subject, subject to certain limited exceptions where such consent is not required. Companies which held personal data prior to 7 April 2016 received a two-year grace period to ensure the data met the new legislative requirements.

The enactment process for a domestic data protection law had been ongoing for more than 35 years, starting with the signing of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ('Convention 108'). Turkey signed Convention 108 together with other Member States on 28 January 1981, but delayed its ratification into national law until 2 May 2016; the Convention entered into force for Turkey on 1 September 2016.

1.1. Key acts, regulations, directives, bills

The Data Protection Law outlines a similar framework to the European data protection system within the framework of:

In addition, secondary legislation in the form of regulations and communications further outline how Turkey's data protection regime operates in practice.

Key regulations include:

  • Regulation on Deletion, Destruction, or Anonymisation of Personal Data 2017 (only available in Turkish here) ('the DDA Regulation');
  • Regulation on the Data Controller Registry 2017 (only available in Turkish here) ('the Data Controller Regulation');
  • Regulation on Working Procedures and Principles of the Personal Data Protection Board 2017 (only available in Turkish here);
  • Regulation on Organisation of the Personal Data Protection Authority 2018 (only available in Turkish here);
  • Regulation on Promoting and Change of Title of the Data Protection Authority Personnel 2018 (only available in Turkish here);
  • Regulation on Personal Data Protection Expertise 2018 (only available in Turkish here);
  • Regulation on Disciplinary Supervisors of Personal Data Protection Authority 2019 (only available in Turkish here); and
  • Regulation on Personal Health Data 2019 (only available in Turkish here).

Key communiqués include:

  • Communiqué on Principles and Procedures for Application to Data Controller 2018 (only available in Turkish here) ('Application Communiqué'); and
  • Communiqué on Procedures and Principles Regarding the Data Controller's Obligation to Inform Data Subjects 2018 ('Obligation to inform Communiqué') (only available in Turkish here).

Furthermore, the Personal Data Protection Authority ('KVKK') has explained the minimum elements to be included in the undertaking for cross-border transfers, executed between the data exporter and data importer abroad (only available in Turkish here).

Constitutional measures

Before the Data Protection Law was enacted, data protection was governed by the Constitution of the Republic of Turkey ('the Constitution'), as well as general and sectoral laws and regulations. These other pieces of legislation continue to be effective in parallel to the Data Protection Law's provisions, as outlined below.

The Constitution does not contain a dedicated data protection chapter. However, the right to protection of personal rights and privacy is set out in Article 20 of the Constitution, under the section on Privacy of Private Life. Accordingly, everyone has the constitutional right to:

  • ask for protection of his/her personal information;
  • be informed of what personal data is held about them;
  • access, delete, and/or correct such data; and
  • be informed about whether the data is being used in accordance with the purpose for which consent was given.

General laws

Criminal law

Articles 134-140 of the Criminal Code No. 5237 ('the Criminal Code') outline provisions regarding the protection of privacy. The Articles in the Criminal Code establish a framework for privacy violations and the unlawful recording of personal data, as well as unlawful delivery, acquisition, and destruction of data. In addition, the Criminal Code provides the basis for sanctions and penalties under the Data Protection Law.

Turkish law clearly states that criminal responsibility is personal and, therefore, cannot attach to legal entities. Nevertheless, the board members of a company can still be held personally liable for their actions in respect of privacy violations. The criminal sanctions envisaged in this respect range from six months' to four years' imprisonment. In addition, legal entities may be subject to safety measures where stipulated by law. Accordingly, the Criminal Code envisages safety measures for:

  • privacy violations (Article 134);
  • recording personal data (Article 135); and
  • unlawful delivery or acquisition of data (Article 136).

Possible measures imposed on legal entities include:

  • licence cancellation if a crime is committed in favour of the legal entity by the legal entity's organs or representatives, via an abuse of the authorisation provided by the licence; and
  • government seizure of:
    • pecuniary benefits obtained by legal entities from the commissioned crime; and/or
    • goods used for or gained as a result of the commissioned crime.

Civil law

Articles 23 and 24 of Turkish Civil Law No. 4721 (only available in Turkish here) ('the Civil Law') outline individual personality rights. Pursuant to the Civil Law, no person can waive his/her rights and capacity to act freely, even in the smallest degree. Neither can a person waive his/her freedom, nor have anyone impose restrictions on a person which are contrary to laws and ethics.

Tort law

Infringement of personal rights may constitute a tortious violation of privacy rights under the Turkish Code of Obligations No. 6098 (only available in Turkish here).

Sectoral laws

Electronic communications

A general framework exists for using personal data in the electronic communications field, with particular reference to traffic and individuals' location data. Accordingly, except to the extent required for providing electronic communication service, operators cannot store or access information in the terminals of their users/subscribers without giving comprehensive and clear information about the data processing, as well as obtaining explicit consent.

Traffic data may be processed for:

  • traffic management;
  • interconnection;
  • billing;
  • fraud detection;
  • customer enquiries; and
  • settling disputes, particularly interconnection and billing disputes; such data must be retained in full and kept confidential until the dispute is settled.

Traffic data or location data used for marketing electronic communication services, or for providing value-added electronic communications services, may be processed only to the extent and for the duration necessary for such services (or similar services), and either:

  • with explicit consent from users/subscribers; or
  • after anonymisation.

Traffic and location data may only be transferred outside Turkey with explicit consent from the data subjects. Operators must also allow users/subscribers to object to their location data being processed.

Internet crimes

Turkish legislation does not directly address the protection of personal data on the Internet. However, it does define the actors within the internet environment and regulates an access-blocking scheme for cases where breaches of personal rights or criminal offences occur (Law No. 5651 Regulating Internet Broadcasting and Combatting Crimes Committed through Internet Broadcasting (only available in Turkish here)).

Electronic commerce

Personal data collected from a consumer may only be used and shared with third parties with the consumer's consent (Electronic Commerce Law No. 6563 (only available in Turkish here)). Consumer consent must therefore be obtained before personal data is used for marketing purposes, such as online mailing, online behavioural advertising, or other electronic commercial communication. Service providers and intermediary service providers are responsible for establishing and maintaining security systems for personal data. The details of electronic commercial communication are set out in the Regulation on Commercial Electronic Communication, published in the Official Gazette numbered 29417 on 15 July 2015 (only available in Turkish here).

The Regulation Amending the Regulation on Commercial Communication and Electronic Commercial Messages, which provides for a central, single platform for obtaining the prior consent of recipients to electronic commercial messages, for recipients' exercise of their right to opt out, and for complaint procedures, entered into effect on publication in the Official Gazette numbered 30998 on 4 January 2020 (only available in Turkish here).

The Commercial Electronic Messages Management System ('MMS') was established to handle these transactions: obtaining prior consent from recipients before electronic commercial messages are sent, recipients' exercise of the right to opt out, and the complaint procedures introduced by the amending Regulation (only available in Turkish here). Registration with the system became mandatory for natural or legal persons wishing to send commercial electronic messages, and such messages may not be sent to recipients whose consent is not recorded in the MMS. The provisions governing active use of the MMS, such as registration with the MMS, obtaining electronic communication permissions through the MMS, and offering an opt-out through the MMS, were scheduled to enter into force on 1 September 2020.

1.2. Guidelines

The KVKK regularly publishes guidelines to clarify grey areas in practice, as well as guidance on data protection matters in Turkey. The KVKK has issued an English-language guideline on data protection in Turkey to raise awareness among non-Turkish entities. In addition, various other guidelines on specific data protection matters have been published by the KVKK on its website (only available in Turkish here and here).

1.3. Case law

Since the Data Protection Law was only recently enacted, there is only limited case law available in this area.

Judicial cases

Some notable judicial consideration of the area is outlined below:

  • The Constitutional Court dismissed an application (decision numbered 2016/125) seeking to suspend and strike out certain clauses of the Data Protection Law on the basis that the clauses were vague, broad, subjective, open to interpretation, and disproportionate. The court considered international legislation, EU legislation, and Turkey's Constitution, ultimately deciding that the clauses were not unconstitutional (only available in Turkish here).
  • The Izmir Regional Court of Justice considered an appeal where the execution office refused to fulfil a creditor's request to acquire family records from the civil registry, in order to question whether the debtor may have any inheritance. The court indicated that while it may be beneficial for the creditor to acquire such knowledge for debt collection purposes, having easy access to personal data may be more detrimental than beneficial, if the possible benefits and damages are compared.
  • The Assembly of the Civil Chambers, the highest body within Turkey's civil court system, accepted the existence of the right to be forgotten for the first time (2014/4-56 E. and 2015/1679 K., dated 17 June 2015). It held that the right to be forgotten covers digital data as well as non-digital personal data kept in publicly accessible media. The digital aspect of this decision adopts and applies a scope similar to that granted by the Court of Justice of the European Union in its decision concerning Google. However, unlike the Google decision, the Assembly also held that the right to be forgotten applies to non-digital personal data stored in media that are easily accessible to the public.
  • The Constitutional Court considered a claim that Article 136(1) of the Criminal Code is unconstitutional because there is no clear definition or limitation of the phrase 'personal data', in violation of Article 20 (right to privacy) and Article 38 (principle of legality) of the Constitution (decision number 2015/32, 12 November 2015, only available in Turkish here). Article 136 of the Criminal Code states that persons who unlawfully give out, release, or acquire personal data belonging to other people are subject to imprisonment of between two and four years. In seeking to have the provision struck out, the referring Criminal Court argued that the article is ambiguous because there is no definite definition or limitation of the phrase 'personal data'. The Constitutional Court rejected the claim, ruling that technological developments make it impossible for legislators to specify every type of 'personal data'.
  • Penal Department No 12 of the Supreme Court ruled that even though data which is shared on Facebook or by using any other social media tools is considered to be personal data, if data is shared via a non-confidential social media account, use of the data is not unlawful (2014/4081 E and 2014/19490 K dated 13 October 2014) (only available in Turkish here).
  • Penal Department No 4 of the Supreme Court ruled in favour of the plaintiff regarding request for non-pecuniary damages due to the fact that the plaintiff's identification information had been used without his/her consent (only available in Turkish here).
  • The Supreme Court Assembly of Criminal Chambers ruled that creating memberships on internet sites using someone else's information violates Article 136 of the Criminal Code, which governs the unlawful delivery or acquisition of data (only available in Turkish here).

The Constitutional Court held that an employer who monitored an employee's email acted lawfully where the right to monitor was set out in the employment contract (decision number 2018/31036, 12 January 2021, only available in Turkish here). In that case, the employer (as the data controller) terminated the employment contract after discovering that the employee (as the data subject) was using company email for non-company commercial matters. The court considered that the inspection of the corporate emails fell within the limits of the data controller's legitimate interest, and that, since the data controller had a legitimate interest, the explicit consent of the data subject was not required. Moreover, the data controller had fulfilled its obligation to inform the employee by setting out the right to inspect corporate emails in the employment agreement, which the employee accepted by signing the employment contract.

2. Scope of Application

2.1. Personal scope

Article 2 of the Data Protection Law sets out the scope of the law. Accordingly, the Data Protection Law applies to:

  • natural persons whose personal data are processed; and
  • natural or legal persons who process such data wholly or partly by automatic means, or by non-automatic means provided that the processing is part of a data registry system.

In this regard, the Data Protection Law protects data relating to natural persons only; data relating to legal persons falls outside its scope.

There is no distinction between private corporations and public authorities before the law. Therefore, rules and procedures determined by the Data Protection Law apply to all institutions and organisations.

2.2. Territorial scope

Unlike the GDPR, the Data Protection Law does not contain an express territorial scope provision. That being said, in line with the principle of territoriality applicable under Turkish law, the Data Protection Law applies to all natural and legal persons who process data originating from Turkey, regardless of whether they are located in Turkey or abroad.

2.3. Material scope

Processing of personal data is defined as any operation carried out on personal data, such as collection, recording, storage, retention, alteration, re-organisation, disclosure, transfer, taking over, making retrievable, classification, or preventing the use thereof, wholly or partly by automatic means, or by non-automatic means provided that the processing is part of a data registry system. Accordingly, any system structured according to specific criteria to facilitate access to personal data falls within the scope of the Data Protection Law.

Article 28(1) of the Data Protection Law sets out several exceptions under which the Data Protection Law does not apply:

  • processing of personal data by natural persons within the scope of activities related to themselves or family members living together in the same dwelling, provided that it is not to be disclosed to third parties and the data security obligations are to be complied with;
  • processing of personal data for official statistics and research, planning, and statistical purposes after having been anonymised;
  • processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that national defence, national security, public security, public order, economic security, privacy, or personal rights are not violated or the processing shall not constitute a criminal offence;
  • processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organisations duly authorised and assigned to maintain national defence, national security, public security, public order, or economic security; and
  • processing of personal data by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings, or execution proceedings.

In addition to the above exemptions, the Data Protection Law also grants partial exemptions in specific circumstances. As per Article 28(2) of the Data Protection Law, Article 10 (the data controller's obligation to inform), Article 11 (the rights of the data subject, excluding the right to demand compensation), and Article 16 (the requirement to register with the data controller registry system) do not apply where the processing of personal data:

  • is required for the prevention of a crime or crime investigation;
  • is carried out on the data which is made public by the data subject himself/herself;
  • is required for the conduct of supervisory or regulatory duties, for disciplinary investigation, or prosecution by the public institutions, organisations, and professional associations having the status of public institutions assigned and authorised for such actions, in accordance with the power granted them by law; and
  • is required for the protection of State's economic and financial interests with regard to budgetary, tax-related, and financial issues.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Data Protection Law establishes regulatory bodies to oversee its provisions; that is, the KVKK and the Data Protection Board ('the Board'). The KVKK serves a mostly administrative and government-relations role, whereas the Board is the decision-making organ within the Authority.

The Board began operating in January 2017, once all appointments were made. The Board comprises nine members, elected as follows:

3.2. Main powers, duties and responsibilities

The KVKK was established as an independent regulatory authority with institutional and financial autonomy. It is responsible for ensuring personal data protection and raising awareness in this respect.

It is stipulated that the Board shall perform and use the duties and powers assigned by the Data Protection Law and other legislation independently under its responsibility. In addition, no organ, authority, office, or person may issue orders or instructions to the Board concerning the matters falling within its scope of duties and powers.

The duties and responsibilities of the Board are regulated mainly under the Article 22 of the Data Protection Law, yet some are also included in other articles. The main duties of the Board are as follows:

  • to take necessary and adequate measures for the processing of the special personal data categories (Article 6(4) of the Data Protection Law);
  • to allow the transfer of personal data abroad if the controllers in Turkey and in the related country guarantee an adequate protection in writing, where sufficient protection is not provided (Article 9(2) of the Data Protection Law);
  • to determine and announce the countries where adequate level of protection is provided (Article 9(3) of the Data Protection Law);
  • (if necessary) to announce data breaches on its official website or through other methods it deems appropriate (Article 12(5) of the Data Protection Law);
  • to examine and conclude the complaints made in cases where:
    • the application is declined by the data controller;
    • the response given by the data controller is found unsatisfactory; or
    • the response is not given in due time (Article 14 of the Data Protection Law);
  • following an examination made upon complaint or ex officio, where an infringement is found to exist, to decide that the identified infringement be remedied by the relevant controller and, where the infringement is widespread, to adopt and publish resolutions in this regard (Articles 15(5) and 15(6) of the Data Protection Law);
  • to decide that the processing of data or transfer of data abroad is to be stopped, in the event that such operation may lead to damages that are difficult or impossible to recover and if it is clearly unlawful (Article 15(7) of the Data Protection Law);
  • to ensure that the data registry system is maintained and, in cases of necessity, to make exceptions to the obligation to register with the data registry system (Articles 16(1) and 16(2) of the Data Protection Law);
  • to notify relevant institutions in order to conduct disciplinary investigations against civil servants who violate the prescribed obligations regarding the protection of personal data (Article 18(3) of the Data Protection Law);
  • to ensure that the personal data is processed in compliance with fundamental rights and freedoms (Article 22(1)(a) of the Data Protection Law);
  • to carry out regulatory procedures:
    • in order to lay out the liabilities concerning data security;
    • regarding the matters concerning the Board's field of duty and the KVKK's operation; and
    • regarding the data controller and his/her representative duties, powers, and responsibilities (Articles 22(1)(e), 22(1)(f), and 22(1)(g) of the Data Protection Law);
  • to deliver its opinion on draft legislation prepared by other institutions and organisations that contain provisions on personal data (Article 22(1)(h) of the Data Protection Law);
  • to decide on the administrative sanctions foreseen under the Data Protection Law (Article 22(1)(ğ) of the Data Protection Law);
  • to finalise the KVKK's strategic plan, which sets out the KVKK's purpose, targets, service quality standards, and performance criteria, and to discuss and decide on the strategic plans and the budget proposal prepared in line with those purposes and targets (Article 22(1)(i) of the Data Protection Law);
  • to approve and publish the draft reports prepared on KVKK's performance, financial situation, annual activities, and required issues (Article 22(1)(j) of the Data Protection Law); and
  • to negotiate and decide proposals on the purchase, sale, and lease of immovable property (Article 22(1)(k) of the Data Protection Law); and
  • to fulfil duties assigned by any other law (Article 22(1)(l) of the Data Protection Law).

4. Key Definitions

Data controller: means a real person or entity who determines the intended purposes and means of processing personal data. Data controllers are responsible for establishing and administering data registry systems.

Data processor: means a real person or entity processing data with the authorisation of the data controller.

Personal data: includes any information relating to an identified or identifiable natural person that can be used to identify that individual. For example, a customer's name and address, IP address, e-mail address, or a database of customer email addresses.

Sensitive data: 'special categories of personal data' receive extra protection. This includes information which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, appearance, memberships of unions, associations, or foundations, as well as information about health, sexual life, criminal records, or punitive measures, as well as biometric and genetic data.

Health data: means the health-related personal data (physical or mental) which constitute special categories of personal data, such as, information about medical conditions.

Biometric data: means personal data derived from the technical processing of a natural person's physical, physiological, or behavioural traits that uniquely identifies that person, for instance a photograph, fingerprint, DNA, or genetic characteristics.

Pseudonymisation: is a technical and organisational measure by which personal data can no longer be attributed to a specific data subject without the use of additional information. That additional information (for example, the key or lookup table that links a pseudonym back to a person) is kept separately and protected by technical and organisational measures so that the data cannot be attributed to the data subject using the pseudonymised data alone.
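The following added example (not code from the original page or from the KVKK) illustrates the separation the definition describes: a dataset is pseudonymised with a keyed HMAC, the key and the pseudonym-to-identifier map are held in a separate "vault" object that would be deployed apart from the analytics data, and a dictionary attack shows why an unkeyed hash is not adequate pseudonymisation. The records, class names and e-mail addresses are constructed for illustration.

```python
"""Keyed pseudonymisation with the re-identification secret held apart."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample records (hypothetical customers, not real data).
RECORDS = [
    {"email": "ayse@example.com", "city": "Izmir", "spend": 120},
    {"email": "mehmet@example.com", "city": "Ankara", "spend": 80},
    {"email": "ayse@example.com", "city": "Izmir", "spend": 40},
]


class PseudonymVault:
    """Holds the only two things that link a pseudonym back to a person:
    the HMAC key and the pseudonym -> identifier map. In a real deployment
    this lives on a separate system with its own access control, never
    beside the pseudonymised dataset (hypothetical design, not a KVKK
    prescription)."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key an attacker
        # cannot regenerate the pseudonym from a list of guessed e-mails.
        tag = hmac.new(self._key, identifier.lower().encode(),
                       hashlib.sha256).hexdigest()
        pseudonym = "p_" + tag[:32]
        self._reverse[pseudonym] = identifier   # the "additional information"
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the vault holder can go back from pseudonym to person."""
        return self._reverse.get(pseudonym)


def pseudonymise_records(records: List[dict], vault: PseudonymVault) -> List[dict]:
    """Replace the direct identifier with a pseudonym; keep analytic fields."""
    return [
        {"subject": vault.pseudonymise(r["email"]),
         "city": r["city"], "spend": r["spend"]}
        for r in records
    ]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed hash: looks anonymous, but is reversible by hashing guesses."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def guess_identity(pseudonym: str, candidates: List[str],
                   derive: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: re-derive pseudonyms for guessed identifiers
    and compare. Succeeds against weak_pseudonym, fails against the vault
    because the attacker lacks the key."""
    for candidate in candidates:
        if derive(candidate) == pseudonym:
            return candidate
    return None


if __name__ == "__main__":
    vault = PseudonymVault()
    dataset = pseudonymise_records(RECORDS, vault)
    print(dataset)  # same person -> same pseudonym, no e-mail present
    guesses = ["ali@example.com", "ayse@example.com"]
    print(guess_identity(weak_pseudonym("ayse@example.com"), guesses, weak_pseudonym))
    print(guess_identity(dataset[0]["subject"], guesses, weak_pseudonym))
```

Two properties matter for the legal definition: the pseudonymised dataset on its own does not reveal who "p_…" is (the dictionary attack fails without the key), while the controller, holding the vault, can still re-identify a subject to honour access or deletion requests. A fresh vault with a different key yields different pseudonyms for the same person, so datasets pseudonymised under different keys cannot be linked.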

Data subject: (natural person concerned) means the natural person whose personal data are processed. Under the Data Protection Law, natural persons are the only beneficiaries of the Data Protection Law.

Explicit consent: means consent that is based on information and given with free will by the data subject. The Data Protection Law introduces a general prohibition on processing personal data or special categories of personal data without explicit consent. However, it does not prescribe a specific method for obtaining explicit consent. In light of this, companies would be prudent to both record and retain consents, either in writing or electronically.

Processing activities: means any operation performed on personal data such as collection, recording, storage, retention, alteration, reorganisation, disclosure, transferring, taking over, making retrievable, classification, or preventing the use thereof, fully, or partially through automatic means, or, provided that the process is part of a data registry system, through non-automatic means.

Data registry system: means the registry system which the personal data is registered into through being structured according to certain criteria.

5. Legal Bases

5.1. Consent

Personal data cannot be processed without the explicit consent of the data subject where other legal bases are not applicable (Article 5(1) of the Data Protection Law). Explicit consent should be freely given, specific, and informed (Article 3 of the Data Protection Law).

5.2. Contract with the data subject

Personal data of each party to a contract may be processed by the other party provided that it is strictly necessary to execute or perform the contract, for example, processing personal information of an employee by an employer in order to execute an employment agreement (Article 5(2)(c) of the Data Protection Law).

5.3. Legal obligations

If explicitly provided for by law, or if necessary for compliance with a legal obligation to which the data controller is subject, personal data may be processed without the data subject's explicit consent. Examples include the preparation and keeping of personnel files by employers, the collection and reporting of certain information by banks and financial institutions, and the reporting of a new employee's personal information to law enforcement agencies by employers.

5.4. Interests of the data subject

Personal data can be processed in protection of life or physical integrity of a person, or of any other person who is bodily incapable of giving its consent, or whose consent would otherwise be deemed not legally valid. For example, location data of a mobile device carried by a missing person, or CCTV records can be processed for locating a missing person.

5.5. Public interest

As per the Data Protection Law, public interest is not a legal basis for processing a data subject's personal data without obtaining his/her explicit consent. However, the Board considers public interest as a criterion when evaluating the limits of the independent press and the balance between the right to privacy and the right to freedom of expression.

5.6. Legitimate interests of the data controller

Personal data may be processed without the data subject's explicit consent if such processing is necessary for the data controller's legitimate interests, provided that the processing does not harm the data subject's fundamental rights and freedoms (Article 5(2)(f) of the Data Protection Law). For example, the preamble of the Data Protection Law states that the owner of a company may process employee personal data to arrange job promotions or social rights, or to determine employees' roles in a restructuring of the company, each of which constitutes a legitimate interest of the company.

5.7. Legal bases in other instances

As per Article 5 of the Data Protection Law, personal data may also be processed without the explicit consent of the data subject under the following conditions:

  • if the personal data is publicised by the data subjects themselves; and
  • if it is mandatory for the establishment, exercise, or protection of certain rights.

6. Principles

Principles for processing personal data

All data processing activities should be carried out in compliance with the principles for processing personal data (Article 4 of the Data Protection Law). The following key principles need to be adhered to for all personal data processing activities. Personal data must be:

  • processed lawfully and fairly;
  • accurate and where necessary, kept up to date;
  • processed for specified, explicit, and legitimate purposes;
  • relevant, limited, and proportionate to the purposes for which they are processed; and
  • retained for the period of time determined by the relevant legislation or the period deemed necessary for the purpose of the processing.

Personal data processing conditions

Data controllers are obliged to comply with data processing conditions while processing personal data. Personal data can be processed in cases where:

  • the data subject has given his/her explicit consent;
  • it is explicitly permitted by the laws;
  • it is mandatory for the protection of life or to prevent the physical injury of a person, where such person is physically or legally incapable of providing his/her consent;
  • processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the execution or performance of that contract;
  • it is mandatory for the data controller to fulfil its legal obligations;
  • the personal data is publicised by the data subjects themselves;
  • it is mandatory for the establishment, exercise, or protection of certain rights; or
  • it is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not compromised.

7. Controller and Processor Obligations

Data security measures

Data controllers are obliged to (Article 12 of the Data Protection Law):

  • prevent unlawful processing of personal data;
  • prevent unlawful access to personal data; and
  • ensure the safekeeping of personal data.

Data controllers must take all necessary technical and organisational measures to ensure an appropriate level of data security. The Personal Data Security Guide on technical and administrative measures published by the Board in January 2018, and the guideline on technical and administrative measures to be taken by public authorities and critical infrastructure organisations published by the Digital Transformation Office in July 2020, can be used as references when complying with this obligation.

In addition to these sources, the Board's decision numbered 2018/10 must be taken into account with regard to the processing of special categories of personal data. In that decision the Board held that data controllers must prepare a separate policy and procedure for protecting special categories of personal data, and stressed the importance of implementing the measures previously set out in the Personal Data Security Guide. Data controllers processing special categories of personal data must therefore ensure that these additional measures are in place.

Beyond the Board decisions and security guides mentioned above, the Board's decision dated 9 October 2020 and numbered 2020/787 illustrates how the Board treats certain aspects of security breaches. The decision was issued on a data breach notification submitted, within the statutory notification period, by a data controller operating in the health sector. Following its investigation, the Board concluded that the breach was not caused by a lack of precautions on the part of the data controller but by a widely used application, a situation the data controller could not influence. The data controller detected the breach quickly and promptly took all necessary technical and administrative measures in line with the Data Protection Law. The Board therefore imposed no sanction on the data controller (only available in Turkish here).

Unlike the GDPR, the Data Protection Law does not specifically regulate the rights and obligations of data processors, although processors are jointly responsible with data controllers for ensuring data security. Within this framework, data processors must follow the data controller's instructions when processing personal data transferred to them, must not disclose the personal data they learn of, and must not use such data for purposes other than the processing purpose determined by the data controller. These obligations continue after the processor's engagement ends.

Other obligations:

  • data controllers are obliged to carry out (or have third parties carry out) necessary audits to ensure compliance with the Data Protection Law within their own organisation; and
  • data controllers are obliged to comply with the data transfer conditions for transfers within Turkey and cross-border transfers (see section 13 for further information).

7.1. Data processing notification

The Board established the Registry, which became operational on 1 October 2018. This is an online database, which only accepts online registration applications from data controllers through the Data Controllers Information System ('VERBIS'). Real or legal persons processing personal data must register prior to commencing their data processing activities.

Data controllers must prepare a data inventory for all personal data processed in Turkey, which must include at least the following information:

  • identifying information (including the address of the data controller or its representative);
  • data categories;
  • purpose of the data processing;
  • data subject groups;
  • recipient or recipient groups to which the data may be transferred;
  • information on whether the relevant data category is transferred abroad;
  • data security measures taken; and
  • the maximum time period for processing personal data.

The data inventory must be kept up-to-date, accurate and lawful. The registration process should be carried out in line with the data inventory and the changes in data inventory must be updated on the Data Registry System via VERBIS within seven days.

Data controllers must appoint a contact person who is in charge of submitting the data inventory and completing the registration process. Please note that the contact person must be a natural person and a Turkish citizen residing in Turkey. Where the data controller is located abroad, it must appoint a 'data controller representative' in addition to a contact person.

In its decision numbered 2020/542 of 16 July 2020, the Board set out its view on a contact person acting for multiple data controllers. Accordingly, a single person may be the contact person for only one data controller located in Turkey, but may be appointed as the contact person for multiple data controllers located abroad at the same time (only available in Turkish here).

In its decision numbered 2019/225 (only available in Turkish here), the Board ruled on the VERBIS registration obligation of data controllers located outside Turkey. Such data controllers may be obliged to register with VERBIS if they carry out personal data processing activities in Turkey, whether directly or through their branches or liaison offices.

The Board announced that the registration obligation applies in line with the periods set under decision numbered 2018/88, and that failure to register by these dates risks a fine of between TRY 20,000 (approx. €2,630) and TRY 1 million (approx. €86,101) (only available in Turkish here).

The Board has extended the registration periods several times, most recently by its decision numbered 2021/238, adopted after evaluating requests from sector representatives, certain public institutions and public professional organisations. The registration periods set for the Registry are as follows:

  • 1 October 2018 to 30 June 2020:
    • data controllers with 50 or more employees;
    • data controllers with an annual balance sheet total of TRY 25 million (approx. €2,152,538) or more; and
    • data controllers located abroad (regardless of employee number or balance sheet total);
  • 1 January 2019 to 30 September 2020: data controllers with fewer than 50 employees and an annual balance sheet total below TRY 25 million (approx. €2,152,538) whose main business activity is the processing of special categories of personal data; and
  • 1 April 2019 to 31 December 2020: public authorities which are data controllers.

Exemptions from registration with the Registry

In addition, the Board held that the following categories of data controllers are exempt from having to register with the Registry:

  • data controllers with fewer than 50 employees and an annual balance sheet total below TRY 25 million (approx. €2,152,538), unless their main business activity is the processing of special categories of personal data;
  • data controllers processing personal data through non-automatic means, provided the processing is part of a data filing system;
  • public notaries;
  • associations (only for the personal data, processed in accordance with their area of activity);
  • foundations;
  • unions;
  • political parties;
  • lawyers;
  • public accountants and sworn-in public accountants;
  • customs brokers and authorised customs brokers; and
  • mediators.

7.2. Data transfers

The Data Protection Law addresses the transfer of personal data to third parties, as well as transfers outside of Turkey. This is particularly relevant for multinational companies and local companies which have operations crossing Turkey's national borders. Companies should review their operations to ensure that they are aware where personal data is stored and whether the new legislative rules will apply.

Sectoral obligations

Banking Law No. 5411 (only available in Turkish here) ('the Banking Law') sets out specific rules for cross-border transfers of customer data. Under Article 73 of the Banking Law, data of real and legal persons that is generated after a customer relationship with a bank is established, specifically for banking activities, becomes customer data and is subject to the rules of the Banking Law. The conditions for cross-border transfers of customer data under the Banking Law therefore take precedence over those of the Data Protection Law: for customer data within the scope of Article 73, the Banking Law applies as the special law and the Data Protection Law applies only secondarily.

The Banking Law provides that, even where the customer's explicit consent has been obtained under the Data Protection Law, customer data may not be shared with or transferred to third parties located in Turkey or abroad without the customer's instruction or request.

Furthermore, under the Banking Law the Banking Regulation and Supervision Authority ('BDDK') is authorised to prohibit the sharing or transfer of customer data or bank secrets with third parties located outside Turkey, as well as to make decisions regarding keeping information systems used by banks and their backups locally due to evaluations regarding economic security.

Transfers to third parties

The Data Protection Law requires explicit consent from data subjects for the transfer of personal data to third parties. However, consent is not required if the transfer is carried out in the following circumstances:

  • expressly permitted under laws;
  • necessary to protect the life or physical integrity of the data subject (or another person) where the data subject is physically or legally incapable of providing their consent;
  • necessary to process data of the parties to a contract, if such processing is directly related to the execution or performance of the contract;
  • necessary for the data controller to fulfil its legal obligations;
  • already publicised by the individuals themselves;
  • necessary to establish, use or protect a right; or
  • necessary for the legitimate interests of the data controller, provided that such processing does not violate fundamental rights and freedoms.

In addition, the Data Protection Law stipulates that personal data on health and sexual life may only be transferred without explicit consent by persons under a confidentiality obligation, or by competent authorities, for the purposes of:

  • protecting public health;
  • operating preventive medicine;
  • medical diagnosis;
  • treatment and care services; or
  • planning and managing health services and financing.

Transfers outside of Turkey

Consent is not required for a transfer of personal data outside Turkey where one of the exceptions above applies and, in addition, either adequate protection exists in the recipient country, or, where it does not, the data controllers in Turkey and in the recipient country have given a written undertaking of adequate protection and the Board has granted permission. The Board is to announce the countries it deems to provide adequate protection; until it does so, data controllers should assume that no country has been recognised as adequate.

The Board specified the criteria to determine the countries with an adequate level of protection on its decision Number 2019/125 (only available in Turkish here). The decision includes a form, to be used in determining the countries with adequate level of protection. Matters to be taken into account are as follows:

  • reciprocity condition;
  • legislation of the relevant country regarding the processing of personal data and its implementation;
  • existence of an independent data protection authority;
  • party status to international agreements on the protection of personal data;
  • membership status to international organisations;
  • membership status to global and regional organisations that Turkey is a party to; and
  • the volume of trade with the relevant country.

Since the enactment of the Data Protection Law in 2016, the Board has approved only two undertakings. It announced its first approval, concerning a fleet leasing company, on 9 February 2021, and its second, concerning an e-commerce company and a web services company (subsidiaries of Amazon), on 4 March 2021.

The Board has announced minimum contractual clauses for transferring personal data outside Turkey. These are the essential clauses which must be included in contracts for transfers to countries which Turkey does not deem to provide adequate protection. The minimum clauses contain separate provisions for transfers to data controllers and for transfers to data processors (a controller-to-controller template and a controller-to-processor template). The Board reviews applications from both a procedural and a substantive perspective. On the substantive side, the most critical point is to determine whether the transfer is controller-to-controller or controller-to-processor, so applicants must analyse the transfer carefully. To determine whether a party acts as a data controller or a data processor, the Board's decision dated 30 January 2020 and numbered 2020/71 can be used as a reference (only available in Turkish here).

When granting permissions, the Board must evaluate international treaties, reciprocity of countries, measures taken by the data controller, as well as the period and purpose of the data processing. This requirement is particularly relevant for multinational companies and local companies, having cross-border operations or keeping data servers outside Turkey.

The Board can limit data transfers to third countries if it considers that a violation of public interest or personal interests exists. It is not clear how the Board will determine the criteria for such violation yet.

Binding corporate rules

On 10 April 2020, the KVKK announced Binding Corporate Rules ('BCRs') allowing intra-group data transfers by multinational companies. BCRs are defined as data protection rules for cross-border transfers which allow members of a multinational group operating in countries without adequate protection to achieve an adequate level of data protection for their intra-group transfers.

Due to the difficulties in the implementation of cross-border data transfer rules determined under the Data Protection Law, the KVKK was expected to issue new rules set for intra-group cross-border data transfers in parallel with the approach to BCRs accepted under the GDPR. Considering sector-specific needs, the KVKK introduced an alternative cross-border data transfer method specific to group companies, which is modelled after EU's BCR approach.

BCRs, introduced by the KVKK, would allow multinational companies to transfer personal data from Turkey to a member of the same corporate group, located in a country with an inadequate level of data protection. BCRs are to be considered as a commitment to adequate data protection for intra-group cross-border data transfer in such circumstances.

BCRs must include all general data protection principles and adequate safeguards for protecting personal data within the corporate group. The KVKK has published a guideline on the required content of BCRs, as well as a standard application form, on its official website (only available in Turkish here and here).

7.3. Data processing records

The concept of 'data processing records' is not defined under the Data Protection Law. It is expected to be adopted in forthcoming amendments as part of the GDPR harmonisation process.

7.4. Data protection impact assessment

Data protection impact assessment ('DPIA') is not mandatory under the Data Protection Law.

7.5. Data protection officer appointment

The Data Protection Law itself does not require the appointment of a data protection officer. That said, the Data Controller Regulation, which sets out the details of the registration process, requires data controllers located outside Turkey to appoint a data controller representative in Turkey in order to create an account in the Registry. The representative may be either a legal entity located in Turkey or a Turkish individual. The appointment must be made by a resolution of the data controller, which must be notarised and apostilled (or otherwise legalised).

7.6. Data breach notification

Where processed personal data is obtained by others through unlawful means, data controllers are obliged to notify the data subjects and the Board as soon as possible. Where necessary, the Board may announce the breach on its official website or through other means it deems appropriate.

The KVKK has published the Board decision dated 24 January 2019 and numbered 2019/10 on the procedures and principles for personal data breach notifications. According to this decision:

  • the data controller must notify the Board without delay and at the latest within 72 hours of learning of the breach; once it has identified the persons affected, it must promptly notify them by appropriate means;
  • if the data controller cannot notify the Board within 72 hours for good cause, it must explain the reasons for the delay together with the notification; and
  • data controllers are obliged to use the document attached to such decision (only available in Turkish here).

The Board has held that the purpose of breach notification is to give data subjects the opportunity to swiftly avoid or minimise the negative consequences the breach may have for them. Accordingly, in its decision numbered 2019/271 the Board determined the minimum content of a data breach notification to data subjects (only available in Turkish here). Such notifications must be in clear and plain language and must include at least:

  • the time and date of breach;
  • the categories of data (personal data, special categories of personal data) affected by the breach;
  • possible consequences of the breach;
  • measures that have since been taken, or will be taken by the data controller to address the breach and mitigate its consequences; and
  • the name and contact details of the contact person(s) from whom data subjects may obtain more information about the breach, or another means of communication such as the data controller's website or call centre.

On 23 March 2020 the Board published an announcement regarding COVID-19 ('Coronavirus') (only available in Turkish here). It stated that the Board will take account of the extraordinary conditions facing data controllers when considering the periods applicable to complaints, notices and data breach notifications submitted to the KVKK. In other words, the periods that data controllers are obliged to comply with may be evaluated in light of the pandemic.

7.7. Data retention

Erasure, destruction, and anonymisation of personal data

In line with the principle of purpose limitation, personal data may be retained only for the purpose for which it is processed. To this end, the data controller is obliged to take the following administrative and technical measures:

  • establishing personal data retention and erasure policy and principles;
  • determining storage periods as well as technical and administrative measures to be applied in the storage; and
  • ensuring the storage of personal data in accordance with these principles.

Data controllers must comply with the retention periods prescribed by legislation for the relevant personal data. Where legislation prescribes no period, the data may be retained only for as long as is necessary for the purpose for which it was processed.

7.8. Children's data

The Data Protection Law does not distinguish between the personal data of adults and that of minors. Both are protected equally by the Data Protection Law, which contains no specific definition of a child. However, the KVKK has published a set of guidelines on the matters to be considered in order to protect children's data. These guidelines are intended to raise awareness of the concept of personal data and do not impose any legal requirement on the processing of children's data. Amendments introducing specific provisions on the protection of children's data are expected.

7.9. Special categories of personal data

The Data Protection Law sets out specific rules for the processing of special categories of personal data, which are defined as data relating to:

  • race;
  • ethnic origin;
  • political beliefs;
  • philosophical beliefs;
  • religion, denomination, or other faiths;
  • clothing and attire;
  • membership of an association, charity or union;
  • health;
  • sexual life;
  • criminal convictions and security measures; and
  • biometric and genetic data.

As a rule, special categories of personal data may only be processed with the data subject's explicit consent (Article 6 of the Data Protection Law). As regards additional legal bases for processing, the Data Protection Law divides special categories of personal data into two groups:

  • personal data related to health or sexual life; and
  • other special categories of personal data.

While other special categories of personal data may be processed without explicit consent where the processing is expressly permitted by law, personal data relating to health or sexual life is protected more strictly, as the legal grounds for processing it are very limited. Apart from explicit consent, personal data relating to health or sexual life may only be processed by persons under an obligation of confidentiality, or by authorised institutions and organisations, for the purposes of:

  • protection of public health;
  • preventive medicine;
  • medical diagnosis;
  • provision of health care services and treatment; and
  • planning and management of health care services and their financing.

7.10. Controller and processor contracts

Data processor agreements are not a concept introduced by the Data Protection Law. However, as the obligations of data processors are not regulated in detail under the Data Protection Law, where a data processor is involved in the processing, the data controller and the data processor are jointly responsible for data security (Article 12 of the Data Protection Law).

Data controllers need to execute data processing agreements to ensure the data processors' compliance with the data protection legislation. Furthermore, the authorisation granted to the data processors and the limits of the authorisation, the technical details of the processing activity, and the principles and rules to be complied by the data processors should be contractually regulated between the data controller and the data processor to ensure the proper flow of the personal data processing.

8. Data Subject Rights

Data subjects are entitled to request the following from the data controller (Article 11 of the Data Protection Law):

  • information about whether their personal data has been processed;
  • if personal data has been processed, the information about such data and processing;
  • information about the purpose for the data processing and whether the data was used for this purpose;
  • information about the identities of natural or legal persons whom the data is transferred to;
  • correction, erasure, or removal of the personal data;
  • if data is transferred, that the data controller advise the recipient about correction, erasure, and removal of the personal data;
  • objection to any negative consequence of their data being analysed exclusively through automated systems; and
  • compensation where a data subject suffers any damage due to the illegal processing of their data.

In its decision numbered 2019/9 (only available in Turkish here), the Board clarified the procedure for applying to data controllers and the periods for filing complaints with the Board. Accordingly, the following principles apply when calculating the periods:

  • if the data controller fails to respond within 30 days, the data subject has 60 days from the date of its application to the data controller to apply to the Board;
  • if the data controller responds within 30 days, the data subject may file a complaint with the Board no later than 30 days after the response; and
  • if the data controller responds after the 30-day period has lapsed, the data subject may file a complaint with the Board no later than 60 days from the date of application to the data controller; the complaint may be submitted as soon as the 30-day period expires, whether or not a response has been received.
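The three rules above branch on whether, and when, the controller responded, and the late-response case is easy to get wrong in a complaints-handling or privacy-ops tool. The following is an added example, not part of the original overview or of any KVKK publication, that encodes the periods as described. It assumes plain calendar-day counting from the date of application and treats a response arriving on the 30th day as timely; actual day-counting rules under Turkish procedural law are not addressed here.

```python
from datetime import date, timedelta
from typing import Optional

# Periods as described in Board decision 2019/9 (calendar days, an assumption of this example).
RESPONSE_PERIOD = timedelta(days=30)               # controller must respond within 30 days
COMPLAINT_AFTER_RESPONSE = timedelta(days=30)      # complaint window after a timely response
COMPLAINT_AFTER_APPLICATION = timedelta(days=60)   # window when there is no, or a late, response


def response_was_timely(application: date, response: Optional[date]) -> bool:
    """A response is timely if it arrived within 30 days of the application (30th day inclusive)."""
    return response is not None and response <= application + RESPONSE_PERIOD


def complaint_opens(application: date, response: Optional[date] = None) -> date:
    """Earliest date on which the data subject may take the matter to the Board."""
    if response_was_timely(application, response):
        # An unsatisfactory timely answer can be complained about as soon as it arrives.
        return response
    # No response, or a late one: the subject may file once the 30-day period has lapsed.
    return application + RESPONSE_PERIOD


def complaint_deadline(application: date, response: Optional[date] = None) -> date:
    """Last date on which the complaint may be filed with the Board."""
    if response_was_timely(application, response):
        return response + COMPLAINT_AFTER_RESPONSE
    # Both the no-response and the late-response rules run 60 days from the application.
    return application + COMPLAINT_AFTER_APPLICATION


def complaint_status(application: date, response: Optional[date], today: date) -> str:
    """Classify a complaint filed 'today' as 'too early', 'open' or 'time-barred'."""
    if today < complaint_opens(application, response):
        return "too early"
    if today > complaint_deadline(application, response):
        return "time-barred"
    return "open"


if __name__ == "__main__":
    # Constructed sample dates for illustration.
    applied = date(2021, 3, 1)
    for label, resp in (("no response", None),
                        ("timely response", date(2021, 3, 6)),
                        ("late response", date(2021, 4, 10))):
        print(f"{label}: Board complaint window "
              f"{complaint_opens(applied, resp)} to {complaint_deadline(applied, resp)}")
```

Note that a timely response can shorten the overall window: a reply on day 5 closes the Board complaint window on day 35, well before the 60-day limit that applies when the controller stays silent.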

8.1. Right to be informed

Regardless of the legal basis of data processing, data controllers are obliged to inform the data subjects when collecting personal data in respect of the minimum mandatory content outlined below (Article 10 of the Data Protection Law):

  • the identity of the data controller and its representative, if any;
  • the purpose of personal data processing;
  • the recipients to whom the personal data can be transferred, and the purpose of the transfer;
  • the methods and legal reasons of collection of personal data; and
  • the data subject's rights under Article 11 of the Data Protection Law.

8.2. Right to access

The right of access forms part of the data subject rights listed in section 8 above (Article 11 of the Data Protection Law): data subjects may learn whether their personal data has been processed and, if so, request information about the data and the processing, its purpose and whether the data was used for that purpose, and the identities of the natural or legal persons to whom the data has been transferred.

The KVKK has issued the Application Communiqué, which regulates the methods and procedures for lodging a request with a data controller. Data controllers must respond to duly lodged requests within 30 days. The Application Communiqué also allows a processing fee of TRY 1 (approx. €0.1) per page for responses exceeding ten pages, or the cost of the data recording medium where the response is provided on such a medium.

8.3. Right to rectification

Under the principles of lawful processing, personal data may only be processed if it is accurate and, where necessary, kept up to date. In line with this principle, data subjects are entitled to request rectification from the data controller where this is not the case.

8.4. Right to erasure

Data controllers are obliged to erase, destroy, or anonymise personal data, either on their own initiative or at the request of the data subject, once the reasons for which it was processed no longer apply (Article 7 of the Data Protection Law).

The details of the erasure, destruction, and anonymisation process are governed by the DDA Regulation. In addition, the Board has prepared a Guide on Erasure, Destruction, or Anonymisation of Personal Data (only available in Turkish here) to clarify implementation. Data controllers required to register with the Registry must also draft a personal data retention and destruction policy; the mandatory content of the policy is set out in the aforementioned regulation, and data controllers are obliged to publish their retention and destruction policy and procedures.

8.5. Right to object/opt-out

The Data Protection Law does not grant data subjects a general right to object. Where a legal basis for the processing exists, an objection alone is not sufficient to stop the processing. However, where the processing goes beyond the purpose covered by the legal basis relied on (for example, beyond the legitimate interest invoked), the data subject may object in order to stop the processing that exceeds that purpose. In addition, where processing is based on explicit consent, the data subject may withdraw that consent at any time and thereby stop the processing.

In addition to above stated perspective of the Data Protection Law, there is an alternative legislation regulating the right to object/opt-out of the data subjects within electronic commerce practice. The Electronic Commerce Law No. 6563 states that personal data collected from a consumer can only be used and shared with third parties with the consumer's consent. Therefore, the consent of the data subject, that is in consumers position, must be obtained in order to use their personal data for marketing purposes.

The same legislation gives consumers, as data subjects, a right to object/opt out. Data controllers acting as service providers must include accessible contact details in their commercial electronic communications so that recipients can exercise their opt-out right. Whatever channel was used to send the commercial electronic message, opting out must also be possible through that same channel, easily and free of charge. Under the Regulation on Commercial Electronic Communication (as amended), a national, centralised commercial electronic communication management system has been established, through which consumers may exercise their right to object/opt out (or through the system provided by the relevant service provider).

8.6. Right to data portability

Unlike the GDPR, the Data Protection Law does not provide data subjects with a right to data portability. Under the Data Protection Law, data subjects are not entitled to have their personal data transmitted directly from one controller to another.

8.7. Right not to be subject to automated decision-making

The Data Protection Law does not grant a general right not to be subject to automated decision-making. The limits of such processing and the rights of the data subjects are evaluated against the other requirements of the Data Protection Law, such as the purpose of the legal basis. However, under Article 11(1)(g) of the Data Protection Law, data subjects have the right to object to any negative consequence of their data being analysed exclusively through automated systems. Please note that this right can be exercised only where a negative consequence exists: the mere existence of an automated decision-making system is not enough, and the system must have produced negative consequences for the data subject.

8.8. Other rights

The Data Protection Law does not provide any other rights.

9. Penalties

Certain breaches of data protection law can result in imprisonment under Turkish law:

  • prison sentences (ranging from six months to four years) or judicial fines can apply for unlawful collection, processing and transfer of personal data under the Criminal Code;
  • safety measures may be imposed on legal entities, such as cancellation of licences or seizure of the goods used for or gained as a result of the crime committed, or of the benefits gained from that crime, as determined under Article 60 of the Criminal Code;
  • administrative fines ranging between TRY 5,000 (approx. €497) and TRY 1 million (approx. €99,401) will apply for breaches of the Data Protection Law;
  • individuals can claim compensation for unlawful collection or processing of personal data under the Civil Code, Law No. 4721 (as amended) (only available in Turkish here); and
  • sector-specific regulations also contemplate administrative fines; see, for example, the Regulation on Administrative Sanctions of the Information and Communications Authority (only available in Turkish here), which imposes fines on authorised operators (service providers, network providers, infrastructure operators) of up to 3% of the preceding calendar year's net sales for violating personal data and security obligations.

9.1 Enforcement decisions

The Board has published six principle decisions setting out the main principles which data controllers must take into consideration. The details of these principle decisions are given below under Board decisions. The principle decisions underline the following criteria:

  • all data processing activities must comply with the conditions under Articles 5 and 6 of the Data Protection Law for processing personal data, and persons processing personal data must also comply with the other requirements under the Law;
  • the entities providing services at service counters, box-offices and desks must ensure that only authorised persons are in these locations, as well as take necessary measures to prevent people receiving services at these locations from seeing or hearing each other's personal data;
  • data controllers must take all necessary technical and organisational measures to provide appropriate data security in order to stop and prevent unauthorised access and misuse of authorisations;
  • advertising using data subjects' contact details unlawfully must cease;
  • the use by individuals and organisations of software programs that allow querying personal data obtained through various means is unlawful, and such use is subject to procedural actions under Turkish criminal law; and
  • reasonable measures should be taken to verify the contact information declared by the data subjects via sending a verification code and/or link to the phone number and/or e-mail address, etc.

In addition to the principle decisions mentioned above, some notable Board decisions are as follows:

  • the Board imposed, in its decision numbered 2020/559, an administrative fine of TRY 900,000 (approx. €88,390) on a data controller for transferring personal data abroad without a valid legal basis. The data controller's claim that Convention 108 is sufficient per se for data transfers abroad among its parties was rejected by the Board: being a party to Convention 108 is not sufficient for a country to be accepted as a safe country, and a data controller that relies on Convention 108 for transfers abroad does not meet the requirements of the Data Protection Law (only available in Turkish here);
  • the Board stated under its decision numbered 2019/157 that usage of e-mail services from service providers having their servers/data centres outside of Turkey, shall be deemed as a data transfer abroad; therefore, storage services obtained through data controllers/data processors whose servers are located abroad shall also be required to comply with Article 9 of the Data Protection Law (only available in Turkish here);
  • the Board stated under its decision numbered 2020/746 that the right to be informed covers the right to access, and that a data subject's request to receive their personal data is lawful. However, if the related personal data record includes personal data of anyone other than the related data subject, the data processor shall have the option to mask the third parties' personal data and/or to provide the record in an alternative format (such as a transcript of the record) (only available in Turkish here);
  • the Board found under its decision numbered 2020/494 that it is lawful for the employer to present the camera recordings as evidence in the reemployment lawsuit filed by the employee whose employment contract was terminated (only available in Turkish here);
  • the Board decided in its decision numbered 2021/115 to impose an administrative fine of TRY 175,000 (approx. €15,067) on the data controller for registering the phone number of a debtor's brother as an alternative phone number, on the grounds that the bank had previously made contact through this number (only available in Turkish here);
  • the Board decided in its decision numbered 2020/755 that a real estate property manager-data controller did not violate Personal Data Protection Law by sharing with data subject's landlord certain personal data requested, including an accounting of delinquent property dues and mobile phone number, since processing was necessary to landlord’s exercise of rights granted by Article 22 of the Property Ownership Law number 634 (only available in Turkish here);
  • the Board decided in its decision numbered 2021/111, concerning contact with the relatives of a debtor about the debt, to impose administrative fines of TRY 50,000 (approx. €4,913) on the first law firm, which processed personal data without any ground for processing, TRY 115,000 (approx. €11,300) on the company that transferred this data to another law firm without checking its accuracy, and TRY 100,000 (approx. €9,826) on the law firm that contacted the relatives despite knowing that the data in question belonged to the debtor himself (only available in Turkish here);
  • the Board decided in its decision numbered 2020/407 to impose an administrative fine of TRY 100,000 (approx. €8,610) on the data controller hospital, which transmitted the health data of the relevant person to a third person along with the relevant person via e-mail (only available in Turkish here);
  • the Board decided in its decision numbered 2020/404 to impose a total administrative fine of TRY 250,000 (approx. €24,565) on the data controller who did not provide proper disclosure, processed sensitive personal data (biometric data such as fingerprints during entrances and exits to workplace) without a valid consent and transferred the personal data abroad (only available in Turkish here); and
  • the Board imposed, in its decision numbered 2020/335, an administrative fine of TRY 50,000 (approx. €4,912) on a data controller which made express consent a condition of its car rental services and refused service to a customer who did not give his express consent (available in Turkish here).

Board decisions

In addition, the Board issues decisions to clarify areas within the Data Protection Law, regulations, and practice. Key decisions include:

  • Decision Number 2018/10 on the adequate measures to be implemented when processing special categories of personal data (only available in Turkish here): the Board declared that data controllers must prepare a separate policy and procedure for protecting special categories of personal data and emphasised the importance of implementing measures which had previously been determined in the Personal Data Security Guide.
  • Decision Number 2017/62 on data security in service areas (only available in Turkish here): the Board declared that entities providing services at service counters, box-offices, and desks must ensure that only authorised persons are in these locations, as well as take necessary measures to prevent people receiving services at these locations from seeing or hearing each other's personal data. The Board specifically referred to banks and healthcare organisations in this context.
  • Decision Number 2017/61 on phone directory services (only available in Turkish here): the Board found that websites and applications which offer phone directory services (searchable via phone number or name) and share personal data without any justifiable reason determined under the Data Protection Law and relevant legislation must immediately cease their activities or face either administrative or criminal sanctions. The decision underlines that all data processing activities must comply with the conditions under Articles 5 and 6 of the Data Protection Law for processing personal data, and persons processing personal data must also comply with the other requirements under the Data Protection Law.

Principle decisions published by the Board include:

  • Decision Number 2018/63 on unauthorised access to and use of data (only available in Turkish here): the Board announced that data controllers must take all necessary technical and organisational measures to provide appropriate data security in order to stop and prevent unauthorised access and misuse of authorisations.
  • Decision Number 2018/119 on advertising using data subjects contact addresses unlawfully (only available in Turkish here): the Board announced that advertising using data subjects' contact details unlawfully should cease. The Board stated that those advertising via e-mail, SMS, and calls should also cease such activities and the Board will impose sanctions for failures to do so.
  • Decision Number 2019/308 on individuals and institutions using various software programs that allow querying personal data (only available in Turkish here): the Board determined that individuals and organisations use software programs that allow them to query personal data obtained through various means. The Board specifically referred to attorneys, law firms, and individuals and organisations operating in the finance, real estate, and insurance sectors. The Board announced that the use of such software programs is not in compliance with Article 12 of the Data Protection Law and that data processors using such programs shall be subject to procedural actions under Turkish criminal law.
  • Decision Number 2020/966 on the technical and administrative measures to be taken by data controllers in order to verify the contact addresses provided by data subjects (only available in Turkish here): In order to ensure that personal data are kept accurate and up-to-date when necessary, the Board decided that reasonable measures should be taken to verify the contact information declared by the data subjects via sending a verification code and/or link to the phone number and/or e-mail address, etc.
  • Decision Number 2019/125 on specifying the criteria to determine the countries with an adequate level of protection (only available in Turkish here): within the scope of Article 9 of the Data Protection Law;
  • Decision Number 2019/10 on notification procedures and principles related to the personal data breach (only available in Turkish here);
  • Decision Number 2019/9 on application procedures to the data controller and determination of complaint periods to the Board (only available in Turkish here);
  • Decision Number 2019/225 on the Data Controller Registry ('the Registry') registration obligation of data controllers located outside Turkey (only available in Turkish here): data controllers located outside Turkey may be obliged to register with VERBIS if they carry out personal data processing activities in Turkey directly or through their branches or liaison offices.

Decisions on the exemptions from registration to the data controller's registry include:

  • decision Number 2018/32 (only available in Turkish here);
  • decision Number 2018/68 (only available in Turkish here);
  • decision Number 2018/75 (only available in Turkish here);
  • decision Number 2018/87 (only available in Turkish here);
  • decision Number 2019/353 (only available in Turkish here);
  • decision Number 2020/315 (only available in Turkish here); and
  • decision Number 2018/88 on registration deadlines (only available in Turkish here).

Decisions on the registration deadlines include:

  • decision Number 2019/265 (only available in Turkish here);
  • decision Number 2019/387 (only available in Turkish here);
  • decision Number 2020/482 (only available in Turkish here); and
  • decision Number 2021/238 (only available in Turkish here).

The KVKK has also published the Board's summarised and anonymised decisions, which help to clarify legislation and practice in this developing area and give some insight into how the Board will treat certain aspects of data processing, transfers, and security breaches. Notable points from the decisions include:

  • Decision Number 2020/481 on the right to be forgotten (only available in Turkish here): the Board stated that search engines, which operate on data collected from third-party websites, are data controllers carrying out data processing activities. The Board evaluated data subjects' requests to be delisted from search engines as a sub-category of the right to be forgotten. To consider such requests, a balancing test between the data subject's fundamental rights and freedoms and the public's interest in obtaining the information is required. The Board published a list of 13 criteria which may be used when carrying out this balancing test;
  • the Board ruled that notifying data subjects about a breach of personal data security 17 months after the breach exceeds the reasonable period, constituting a breach of data security (only available in Turkish here);
  • if other grounds for processing personal data exist, seeking the explicit consent of data subjects constitutes an abuse of right by the data controller, and explicit consent cannot be requested as a pre-condition for the services (only available in Turkish here);
  • the Board ruled that transferring personal data to courts which exceeds the requested amount violates the principle of data minimisation (only available in Turkish here);
  • the Board warned data controllers which do not respond to data subjects who wish to exercise their rights within 30 days (only available in Turkish here);
  • the Board warned a company for processing personal data for purposes other than its legal obligations where the company kept personal data for ten years on the basis of its legal obligations (only available in Turkish here);
  • the Board sanctioned a data controller which sent a customer's personal data to another customer with the same name on the basis that the error indicates a lack of technical and administrative measures (only available in Turkish here);
  • the Board ruled that adding an employee's residential address to sample contracts which were sent to third parties without any legal basis is a violation (only available in Turkish here);
  • the Board refused a data subject's request to remove his/her name from a column in a journal, on the basis that freedom of press overrides their right to privacy (only available in Turkish here);
  • the Board sanctioned a data controller which obtained additional documents including personal data that are not necessary for the execution of the related transaction (only available in Turkish here);
  • the Board decided with its decision numbered 2019/122 to apply disciplinary procedures against a bank's employees who did not respond to the application made by the relevant person, and ruled that the bank should change the privacy notice available on its official website in accordance with the Obligation to Inform Communiqué (only available in Turkish here);
  • the Board ruled with its decision numbered 2019/82 that a company's loyalty card is designed as a marketing tool and consequently seeking consent for processing of special categories personal data is not related, limited nor proportionate to the scope of the activities of data controller (only available in Turkish here);
  • the Board noted in its decision numbered 2018/90  that the data controller's obligation to inform and seek the data subject's explicit consent should be carried out separately (only available in Turkish here);
  • the Board noted in its decision numbered 2019/106 that unidentified person(s) shall not be determined as data controllers (only available in Turkish here);
  • the Board ruled with its decision numbered 2018/156 that applications made to the KVKK regarding issues falling under the jurisdiction of the judicial authorities shall not be considered within the scope of the Data Protection Law (only available in Turkish here);
  • the Board announced that Microsoft notified the Board on 8 May 2019 of a data breach that occurred in the company's systems. Microsoft reported that the login credentials of a customer support manager working for one of its service providers had been obtained by third parties without authorisation. The company reported that this manager had violated Microsoft's policy and shared his/her account login information with 13 support representatives. As a result, third parties were able to partially access Microsoft users' e-mail accounts between 1 January 2019 and 28 March 2019 (only available in Turkish here);
  • the Board announced that Microsoft notified the Board on 29 January 2020 of a misconfiguration in its security systems that led to a breach resulting in the unlawful disclosure of Microsoft customer records;
  • the Board has issued two recent decisions, numbered 2019/81 and 2019/165, on biometric data. In these, the Board imposed administrative sanctions on two different data controllers, both operating fitness centres, for processing biometric data at the entrances and exits of their members. The Board found that the explicit consent obtained from members had been presented as a pre-condition for receiving the services; therefore, the explicit consent could not be considered freely given and was invalid. In addition, the Board decided that the data controllers' practice of requiring their members to use fingerprints as the obligatory and only way of entering the fitness centres does not comply with the principle of proportionality, which requires the data collected to be minimised to the extent possible. The Board also explicitly stated that obtaining explicit consent does not legalise the collection of excessive personal data, and that the collection must be proportionate to and limited by the purpose of processing (only available in Turkish here);
  • the Board ruled, with its decision Number 2019/296, that rejecting a data subject's access request because the application was not sent through a notary public or via an electronically signed e-mail imposes a pecuniary burden that is not foreseen in the Data Protection Law or the Application Communiqué. As a result, the data subject is prevented from making a proper application, and this constitutes a breach of the law and of the rules of honesty stipulated under Article 6 of the Application Communiqué (only available in Turkish here);
  • the Board ruled with its decision Number 2020/173 that explicit consent cannot be incorporated into a general privacy notice and must be obtained before the transfer of personal data. Obtaining the consent of the data subject through an opt-in section is not enough to comply with the explicit consent requirements, and transfers carried out on the basis of such approval are unlawful (only available in Turkish here);
  • the Board highlighted the difference between wet-ink signatures and biometric signatures in its decision numbered 2020/649. Biometric signature solutions are not defined within the framework of a specific standard, have differing features, and are not considered equivalent to a wet-ink signature. The provisions regarding signatures in the Turkish Code of Obligations number 6098 regulate classical and electronic signatures and do not cover biometric signatures. As a biometric signature falls within a special category of personal data, it can only be processed with the explicit consent of the data subject or if clearly prescribed by law. However, the provisions of the Turkish Code of Obligations number 6098 do not fulfil the requirement of being 'clearly prescribed by law' (only available in Turkish here);
  • the Board issued a decision numbered 2020/927 on a data subject's request to be excluded from the results of search engine queries. The Board decided that the request is subject to evaluation by the trial court and is not related to the scope of the Data Protection Law (only available in Turkish here);
  • the Board decided with its decision numbered 2020/93 that there is no ground for deleting or modifying health data (including mental health data), since the data were processed by the Ministry, which fulfils the 'authorised institutions and establishments' requirement, for the purpose of 'protection of public health, preventive medicine, medical diagnosis, provision of health care services and treatment, planning, and management of health care services and their financing' (only available in Turkish here);
  • the Board ruled with its decision numbered 2020/508 that processing personal data which was made public for a specific purpose, for that same purpose, does not breach the Data Protection Law. Since the personal data posted on attorney search websites are processed for the same purpose as by the Turkish Bar Association, the processing of that personal data is not unlawful (only available in Turkish here);
  • the Board decided with its decision numbered 2020/667 that, since obtaining special category personal data is necessary for the renewal of an insurance policy, the insurance company's request for explicit consent from its client in order to process their special category personal data is lawful (only available in Turkish here);
  • the Board issued a decision, numbered 2020/710 on the process of personal data during enforcement proceedings. As the Article 89 of Enforcement and Bankruptcy Law (only available in Turkish here) allows a secured creditor in an enforcement proceeding to pursue recovery against non-debtor third parties who may be in possession of debtor assets, to process the data of non-debtor third parties in this regard does not violate the Data Protection Law (only available in Turkish here);
  • the Board issued a decision, numbered 2020/212 on CCTV camera with audio video recording practice. The Board highlighted that each audio video recording practice of data controllers shall be considered based on the principle of proportionality (only available in Turkish here);
  • the Board evaluated the practice of the trade registry offices and the principle of publicity of trade registry records with its decision number 2020/307. The documents recorded by the trade registry offices include personal data pertaining to natural-person representatives. Therefore, the trade registry offices must provide the requested documents and/or information to third parties provided that the sections including personal data are redacted. The Board noted that the trade registry offices are under a confidentiality obligation with regard to the personal data in their possession and are not the body authorised to provide civil registry information as per the Civil Registry Services Law numbered 5490 (only available in Turkish here);
  • the Board ruled with its decision numbered 2020/507 that the legal inheritors of the deceased persons are entitled to obtain records including personal data related to health (only available in Turkish here);
  • the Board issued a decision numbered 2020/504 regarding the request of an airline company's customer to obtain the audio records of conversations between the customer and the call centre. Since the audio records included personal data belonging to third parties in addition to the customer's own data, the airline company provided its customer with a redacted transcript of the related conversation. The Board noted that the right to be informed involves the right to obtain the related data, unless providing that data would violate third parties' rights. Where it would, providing the content of the data, including all details pertaining to the data subject, in an alternative form such as a transcript is an acceptable way to satisfy the data subject's request (only available in Turkish here);
  • the Board ruled that the purpose of a data breach notification is to create an opportunity to swiftly avoid or minimise the negative outcomes of the breach that might be borne by the data subjects. Accordingly, in its decision numbered 2019/271, the Board determined the minimum requirements that a data breach notification should include (only available in Turkish here); and
  • the Board has put forward its opinion on the implementation of the right to access with its decision Number 2020/13 (only available in Turkish here).

The Board imposed fines on:

  • a hospital which could not provide an adequate level of protection for patients' personal data (only available in Turkish here);
  • a career platform which shared an applicant's personal data with other applicants without any legal basis (only available in Turkish here);
  • a company which shared an applicant's CV with the other group companies through a mutual electronic platform, without the applicant’s consent (only available in Turkish here);
  • a technical service provider company which did not take the necessary technical and administrative measures to protect its customers. The Board subsequently imposed a second fine on this company for not complying with the Board's previous decision (decision numbered 2019/52 is only available in Turkish here);
  • a social media platform (Facebook) which failed to prevent unlawful access to users' visual data. This data breach was caused by an 'API bug', as a result of which third-party applications were able to access user photos for 12 days. The total fine was TRY 1.65 million (approx. €164,012), in two parts: the Board first imposed TRY 1.1 million on Facebook for failing to take the necessary technical and administrative measures in time, and secondly imposed TRY 550,000 (approx. €54,670) for not notifying the Board as soon as possible after detecting the API bug (decision numbered 2019/104 is only available in Turkish here);
  • three different companies in the transportation and lodging sectors: the Board imposed TRY 550,000 (approx. €54,670) on each of the transportation companies and TRY 1.45 million on a hotel for failing to take the necessary administrative and technical measures and failing to inform the Board and the data subjects of the data breach as soon as possible (decision numbered 2019/144 is only available in Turkish here);
  • an asset management company that sent text messages to data subject on multiple times regarding the same issue without obtaining data subject's explicit consent (decision numbered 2019/159 is only available in Turkish here);
  • a data controller that sent commercial electronic communication without obtaining data subject's explicit consent. The Board decided that sending commercial electronic communication to data subject is a data processing activity and it should be compliant to data processing conditions stipulated under Article 5 of the Data Protection Law (decision numbered 2019/162 is only available in Turkish here);
  • a data controller, with an administrative fine of TRY 50,000 (approx. €4,970), for failing to fulfil its obligation to prevent unlawful processing of personal data (decision numbered 2019/166 is only available in Turkish here);
  • a social media platform (Facebook) which failed to prevent unlawful access to the user’s data. This data breach was caused by the complex interaction of multiple bugs related to three different Facebook features. However, the breach in question was not duly notified by Facebook to the Board as envisaged under the Personal Data Protection Law. In this respect, the Board started an ex-officio investigation on Facebook in accordance with Article 15(1) of the Data Protection Law. As a result of the investigation, the Board fined Facebook TRY 1.6 million (approx. €159,042) due to the facts that Facebook did not take the necessary technical and administrative measures to prevent possible data breaches and failed to notify the Board of the breach (decision numbered 2019/269 is only available in Turkish here);
  • a data controller that failed to ensure an adequate level of administrative and technical measures to protect personal data, together with a second administrative fine for violating the obligation to inform the Board and the data subjects of the data breach as soon as possible (decision numbered 2019/122 is only available in Turkish here);
  • an airline company that requested a copy of both sides of the data subject's identity card in response to the data subject's request to change the username and password of his loyalty membership, thereby processing the data subject's health and religion data (sensitive personal data) shown on the ID card without obtaining his explicit consent. The Board also decided that the data controller had processed personal data in breach of the principle of being relevant to, limited to, and proportionate to the purposes for which they are processed (decision numbered 2019/294 is only available in Turkish here);
  • a data controller that processes personal data that is made public by the data subject inconsistently with its purpose. (decision numbered 2019/331 is only available in Turkish here);
  • a newspaper that has disclosed a special kind of personal data of the data subject in a column without obtaining his explicit consent. The Board decided that the special kind of personal data was disclosed against the personal data processing conditions and imposed administrative fine on the newspaper that failed to prevent unlawful processing of personal data (decision numbered 2020/32 is only available in Turkish here);
  • a bank which did not take adequate administrative and technical measures, in line with its obligations, to ensure the protection of personal data during the delivery of a credit card, and did not make sufficient and reasonable efforts to keep the data subject's data up to date. The Board decided that the courier does not act as data controller for the data contained in the envelope, but does act as data controller for data such as the sender's and receiver's name and surname that it uses to provide its service (only available in Turkish here);
  • a gaming company which failed to ensure an adequate level of administrative and technical measures, including sufficient vulnerability testing. The unauthorised access was identifiable from the company's log records; however, the company did not detect the potential breach risk through those records. Preventative technical measures were taken only after the users' data had been breached, and no notification was made to the Board (decision numbered 2020/286 is only available in Turkish here);
  • a media company which published a legal notice concerning a rectification request without masking the sections containing personal data (decision numbered 2020/145 is only available in Turkish here);
  • a car rental company which used credit card information, obtained during a previous rental transaction, to take payment for another rental transaction. The provisions of the customer agreements allowing the use of credit card information for any potential future transactions were deemed an unfair condition, and such provisions are not sufficient to satisfy the explicit consent requirements (decision numbered 2020/166 is only available in Turkish here);
  • a private school which administered the CAS Test (Cognitive Assessment System) to assess the planning skills and attention processes of its students without obtaining explicit consent from the data subjects' custodians. Since the results of the CAS Test include information on the students' mental assessment, which falls within the scope of special categories of personal data, the data controller must fulfil its obligation to inform and obtain the explicit consent of the data subject's custodian (decision numbered 2020/255 is only available in Turkish here);
  • a car rental company which obtained its customers' explicit consent as a pre-condition for its services (decision numbered 2020/335 is only available in Turkish here);
  • a company which implemented a fingerprint practice at its workplace. The Board decided that special categories of personal data were processed in breach of the personal data processing conditions and imposed an administrative fine on the company for failing to fulfil its obligation to inform and its obligation to obtain explicit consent (decision numbered 2020/404 is only available in Turkish here); and
  • a bank which contacted the sibling of its debtor regarding its receivables. The Board decided that personal data was processed in breach of the personal data processing conditions and imposed an administrative fine on the bank for failure to obtain explicit consent. The Board did not, however, impose an administrative fine on the bank's attorney, who had contacted the debtor's sibling on behalf of the bank to collect its receivables, since the attorney made the phone call based on the contact details provided by the bank and ended the conversation after recognising that the contact person was not the bank's debtor (decision numbered 2021/115 is only available in Turkish here).

The Board imposed disciplinary action on:

  • a public university that made students' exam results accessible to third parties by publishing them on the internet. The Board stated that the examination results of students who took the examination years ago cannot remain accessible to third parties without any time limitation, and the Board further decided that the data controller did not respond in a timely manner to the Board's request for information and documents (decision numbered 2019/188 is only available in Turkish here).