Turkey - Data Protection Overview

September 2023

1. Governing Texts

In April 2016, Turkey completed the final step in a long-running process to enact the Law on Protection of Personal Data No. 6698 ('the Data Protection Law'). The Data Protection Law received Presidential approval and its final text was published in the Official Gazette, Number 29677 on April 7, 2016. Prior to this date, Turkey did not have specific legislation addressing personal data protection.

From April 7, 2016, onward, a general prohibition applied in Turkey on the processing or storing of personal data without explicit consent from the data subject, subject to certain limited exceptions where such consent is not required. Companies which held personal data prior to April 7, 2016, received a two-year grace period to ensure the data met the new legislative requirements.

The enactment process for a domestic data protection law had been ongoing for more than 35 years, starting with the signing of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ('Convention 108'). Turkey signed Convention 108, together with other Council of Europe member states, on January 28, 1981, but delayed ratifying it into national law until May 2, 2016; it entered into force on September 1, 2016.

1.1. Key acts, regulations, directives, bills

The Data Protection Law outlines a similar framework to the European data protection system within the framework of the:

In addition, secondary legislation in the form of regulations and communications further outlines how Turkey's data protection regime operates in practice.

Key regulations include:

  • Regulation on Deletion, Destruction, or Anonymization of Personal Data 2017 (only available in Turkish) ('the DDA Regulation');
  • Regulation on the Establishment of the Registry of Controllers No. 30286 ('the Data Controller Regulation');
  • Regulation on Working Procedures and Principles of the Personal Data Protection Board 2017 (only available in Turkish);
  • Regulation on Organization of the Personal Data Protection Authority 2018 (only available in Turkish);
  • Regulation on Promoting and Change of Title of the Data Protection Authority Personnel 2018 (only available in Turkish);
  • Regulation on Personal Data Protection Expertise 2018 (only available in Turkish);
  • Regulation on Disciplinary Supervisors of Personal Data Protection Authority 2019 (only available in Turkish); and
  • Regulation on Personal Health Data 2019 (only available in Turkish).

Key communiqués include:

  • Communiqué on Principles and Procedures for Application to Data Controller 2018 (only available in Turkish) ('Application Communiqué');
  • Communiqué on Procedures and Principles Regarding the Data Controller's Obligation to Inform Data Subjects 2018 (only available in Turkish) ('Obligation to Inform Communiqué');
  • Communiqué on Procedures and Principles Regarding Personnel Certification Mechanism (only available in Turkish); and
  • Data Protection Officer Certification Program (only available in Turkish) ('the Program').

Furthermore, the Personal Data Protection Authority ('KVKK') has set out the minimum elements to be included in the undertaking for cross-border transfers executed between the data exporter and the data importer abroad (only available in Turkish). The KVKK has also published the additional documentation required for Binding Corporate Rules ('BCRs'), which allow data controllers to regulate intragroup transfers (only available in Turkish).

Constitutional measures

Before the Data Protection Law was enacted, data protection was governed by the Constitution of the Republic of Turkey ('the Constitution'), as well as general and sectoral laws and regulations. These other pieces of legislation continue to be effective in parallel to the Data Protection Law's provisions, as outlined below.

The Constitution does not contain a standalone data protection article. However, the right to the protection of personal data is found in Article 20 of the Constitution, in the section on the Privacy of Private Life. Accordingly, everyone has the constitutional right to:

  • ask for protection of their personal information;
  • be informed of what personal data is held about them;
  • access, delete, and/or correct such data; and
  • be informed about whether the data is being used in accordance with the purpose for which consent was given.

General laws

Criminal law

Articles 134 to 140 of the Criminal Code No. 5237 ('the Criminal Code') outline provisions regarding the protection of privacy. The Articles in the Criminal Code establish a framework for privacy violations and the unlawful recording of personal data, as well as unlawful delivery, acquisition, and destruction of data. In addition, the Criminal Code provides the basis for sanctions and penalties under the Data Protection Law.

Turkish law clearly states that criminal responsibility is personal and, therefore, cannot be attached to legal entities. Nevertheless, the board members of a company can still be held liable for their own actions with respect to privacy violations. The criminal sanctions envisaged in this respect range from six months to four years of imprisonment. In addition, legal entities may be subject to security measures where stipulated by law. Accordingly, the Criminal Code envisages security measures against legal entities in respect of:

  • privacy violations (Article 134);
  • recording personal data (Article 135); and
  • unlawful delivery or acquisition of data (Article 136).

Possible measures imposed on legal entities include:

  • cancellation of a license, if a crime is committed for the benefit of the legal entity by its organs or representatives through abuse of the authorization granted by that license; and
  • government seizure of:
    • pecuniary benefits obtained by the legal entity from the crime committed; and/or
    • goods used for, or gained as a result of, the crime committed.

Civil law

Articles 23 and 24 of Turkish Civil Law No. 4721 (only available in Turkish) ('the Civil Law') set out individual personality rights. Pursuant to the Civil Law, no person can waive, even to the smallest degree, their legal capacity or their capacity to act. Nor can a person waive their freedom, or accept restrictions on it that are contrary to law or morality.

Tort law

Infringement of personal rights may constitute a tortious violation of privacy rights under the Turkish Code of Obligations No. 6098 (only available in Turkish).

Sectoral laws

Electronic communications

A general framework exists for using personal data in the electronic communications field, with particular reference to traffic and individuals' location data. Accordingly, except to the extent required for providing electronic communication service, operators cannot store or access information in the terminals of their users/subscribers without giving comprehensive and clear information about the data processing, as well as obtaining explicit consent.

Traffic data may be processed for:

  • traffic management;
  • interconnection;
  • billing;
  • fraud detection;
  • customer enquiries; and
  • settling disputes (in particular, interconnection and billing disputes; such data must be kept complete and confidential until the dispute is settled).

Traffic data or location data used for marketing electronic communication services, or for providing value added electronic communications services, can be processed only to the extent and for the duration necessary for such services (or similar services); and either:

  • with explicit consent from users/subscribers; or
  • after anonymization.

Traffic and location data may only be transferred outside Turkey with the explicit consent of the data subjects. Operators must also allow users/subscribers to object to the processing of their location data.

Internet crimes

Turkish legislation does not directly address the protection of personal data on the Internet. However, it does define the actors in the internet environment and regulates access-blocking schemes where breaches of personal rights and criminal offenses occur (Law No. 5651 Regulating Internet Broadcasting and Combatting Crimes Committed through Internet Broadcasting (only available in Turkish)).

Electronic commerce

Personal data collected from a consumer can only be used and shared with third parties with the consumer's consent (Electronic Commerce Law No. 6563 (only available in Turkish) ('the Electronic Commerce Law')). Therefore, customer consent must be obtained to use personal data for marketing purposes, such as online mailing or online behavioral advertising, as well as for other electronic commercial communications. Service providers and intermediary service providers are responsible for establishing and maintaining security systems for personal data. The details of electronic commercial communications are set out in the Regulation on Commercial Electronic Communication, published in the Official Gazette numbered 29417 on July 15, 2015 (only available in Turkish).

The Regulation Amending the Regulation on Commercial Communication and Electronic Commercial Messages (only available in Turkish), published in the Official Gazette numbered 30998 on January 4, 2020, provides for the establishment of a central and single platform for obtaining prior consent from recipients of electronic commercial messages, for recipients to exercise their right of rejection, and for handling complaints.

The Commercial Electronic Message Management System ('MMS') was established for these purposes: obtaining prior consent from recipients before electronic commercial messages are sent, allowing recipients to exercise their right of rejection, and handling the complaint procedures introduced by the amending regulation. Registration with the system is mandatory for natural or legal persons wishing to send commercial electronic messages, and such messages cannot be sent to recipients whose consent is not recorded on the MMS. Service providers wishing to send commercial electronic messages must either obtain consent through the MMS or upload consent obtained by other means to the MMS within three business days of obtaining it.

1.2. Guidelines

The KVKK regularly publishes guidelines to clarify grey areas in practice and to give guidance on data protection matters in Turkey. Various other guidelines on specific data protection matters have also been published by the KVKK on its website (only available in Turkish).

Guidelines Published by the KVKK in 2021:

Guide to Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence ('AI')

On September 15, 2021, the Data Protection Board ('the Board') published on its official website the Recommendations on the Protection of Personal Data in the Field of AI (only available in Turkish) ('AI Guide'), which contains recommendations, in the context of the Data Protection Law, for developers, manufacturers, service providers, and decision makers operating in the field of AI. During the preparation of the AI Guide, previous work of the European Commission and the Organization for Economic Co-operation and Development ('OECD') was taken into consideration. In addition, the Board published the following:

Guideline on Considerations in the Processing of Biometric Data

On September 16, 2021, the Board published on its official website the Guidance Regarding the Considerations in the Processing of Biometric Data (only available in Turkish) ('Biometric Data Guide'), to provide guidance on the principles to be observed by data controllers when processing biometric data and on biometric data security.

Guidelines on the Right to be Forgotten

On October 20, 2021, the Board published the Guideline on the Right to Be Forgotten (only available in Turkish) ('RBF Guideline'), which addresses data subjects' requests to be forgotten, specifically in relation to search engines. The RBF Guideline, published with the aim of settling the discussion on whether a right to be forgotten exists in practice and how it can be exercised, confirmed once again that this right can be exercised by data subjects.

As stated in the RBF Guideline, although there is no specific regulation regarding the right to be forgotten within the framework of Data Protection Law, there are already different provisions providing this right. Namely, Article 4 of the Data Protection Law regulating the general principles regarding the processing of personal data, Article 7 of the Data Protection Law regulating the right to request the deletion, destruction, or anonymization of personal data, and Article 11 of the Data Protection Law regulating the rights of the data subjects, including the right to request the deletion or destruction of personal data are the basis of the right to be forgotten.

Under the Data Protection Law, the right to be forgotten does not need to be defined as a separate right in order to exist, and requests by data subjects based on it must be fulfilled by data controllers. The RBF Guideline refers to the Board's decision dated June 23, 2020 and numbered 2020/481 (only available in Turkish) ('Decision No. 2020/481'), in which the Board decided that a data subject may request the removal of search engine results displayed for a search of their own name and surname, and that, if the request is rejected by the search engine as data controller or left unanswered, the data subject may apply to the Board and may also seek judicial remedies.

The right to be forgotten is not an absolute right that data subjects can assert in all circumstances; each case requires a specific evaluation under the balancing test set out by the Board in Decision No. 2020/481.

Guideline on Cookies Applications

The Board published on its official website a guideline intended as an advisory and guiding document for data controllers who process personal data through cookies (only available in Turkish).

The guideline first defines cookies and describes the types of cookies, then evaluates the relationship between Electronic Communication Law No. 5809 (only available in Turkish) ('the Electronic Communication Law') and the Data Protection Law. It goes on to explain which types of cookies require explicit consent and which do not. In this context, explicit consent is required for cookie applications that cannot rely on one of the other legal bases in Article 5 of the Data Protection Law. In any case, the use of cookies must comply with the general principles in Article 4 of the Data Protection Law.

The following are examples of cookie applications that do not require explicit consent:

  • cookies with user input, such as cookies used to create the user's shopping basket;
  • authentication cookies used to identify the user when logging into a website;
  • user-centered security cookies used to increase security within the scope of a service expressly requested by the user;
  • multimedia player session cookies used to store technical data needed for playing back video or audio content;
  • load balancing cookies that allow web server requests to be distributed over a pool of machines rather than a single machine;
  • user interface customization cookies used to store the user's preferences for a service on the website;
  • social add-on content sharing (like, share, comment) cookies;
  • cookies used by consent management platforms; and
  • first-party analytics cookies.

1.3. Case law

Judicial cases

Some notable judicial consideration of the area is outlined below:

  • In its decision numbered 2016/125, the Constitutional Court ('Constitutional Court') dismissed an application seeking to suspend and strike out certain provisions of the Data Protection Law on the basis that they were vague, broad, subjective, open to interpretation, and disproportionate. The Constitutional Court considered international law, EU legislation, and the Constitution, and ultimately decided that the provisions were not unconstitutional (only available in Turkish).
  • In application numbered 2018/3454, the Constitutional Court decided that an employer's access to the content of private messages in the WhatsApp application that the applicant had downloaded onto their computer, and the termination of the applicant's employment contract based on that content, violated the right to respect for private life guaranteed in Article 20 of the Constitution and the freedom of communication guaranteed in Article 22 of the Constitution.
  • The Izmir Regional Court of Justice considered an appeal where the execution office had refused a creditor's request to obtain family records from the civil registry in order to establish whether the debtor might have any inheritance. The Court indicated that, while it might be beneficial for the creditor to obtain such information for debt collection purposes, easy access to personal data may be more detrimental than beneficial when the possible benefits and harms are weighed against each other.
  • The Assembly of the Civil Chambers, the highest body within Turkey's civil court system, accepted the existence of the right to be forgotten for the first time (2014/4-56 E. and 2015/1679 K., dated June 17, 2015). It held that the right to be forgotten covers digital data as well as non-digital personal data kept in publicly accessible media. The digital aspect of this decision adopts a scope similar to that granted by the Court of Justice of the European Union in Google LLC v. CNIL, Case C-507/17 (September 24, 2019) ('Google LLC v. CNIL Case'). However, unlike the Google LLC v. CNIL Case, the Assembly also held that the right to be forgotten applies to non-digital personal data stored in media that are easily accessible to the public.
  • The Constitutional Court considered a claim that Article 136(1) of the Criminal Code is unconstitutional because there is no clear definition or limitation of the phrase 'personal data', in violation of Article 20 (right to privacy) and Article 38 (principle of legality) of the Constitution (decision number 2015/32, November 12, 2015) (only available in Turkish). Article 136 of the Criminal Code provides that persons who unlawfully give out, disseminate, or acquire personal data belonging to other people are subject to imprisonment for between two and four years. In seeking to have the provision struck out, the referring criminal court argued that the article is ambiguous because there is no definite definition or limitation of the phrase 'personal data'. The Constitutional Court rejected the claim, ruling that technological developments make it impossible for legislators to specify every type of 'personal data'.
  • Penal Department No. 12 of the Supreme Court ruled that, even though data shared on Facebook or through any other social media tool is considered personal data, if the data is shared via a non-confidential social media account, use of that data is not unlawful (2014/4081 E. and 2014/19490 K., dated October 13, 2014) (only available in Turkish).
  • Penal Department No. 4 of the Supreme Court ruled in favor of the plaintiff on a claim for non-pecuniary damages arising from the use of the plaintiff's identification information without their consent (only available in Turkish).
  • The Supreme Court Assembly of Criminal Chambers ruled that creating memberships on internet sites using someone else's information violates Article 136 of the Criminal Code, which governs the unlawful delivery or acquisition of data (only available in Turkish).

The Constitutional Court held that an employer who monitored an employee's email acted lawfully where the right of inspection was set out in the employment contract (Decision Number 2018/31036, January 12, 2021) (only available in Turkish). In this case, the employer (as data controller) terminated the employment contract after discovering that the employee (as data subject) was using their corporate email for non-company commercial matters. The Constitutional Court considered that the inspection of the corporate emails was within the limits of the data controller's legitimate interest and that, given that legitimate interest, the explicit consent of the data subject was not required. Moreover, the data controller had fulfilled its obligation to inform the employee by setting out the right to inspect corporate emails in the employment agreement, which the employee had accepted by signing the contract.

2. Scope of Application

2.1. Personal scope

Article 2 of the Data Protection Law sets out the scope of the law. Accordingly, the Data Protection Law applies to:

  • natural persons whose personal data are processed; and
  • natural or legal persons who process such data wholly or partly by automatic means, or by non-automatic means provided that the processing is part of a data registry system.

In this regard, the Data Protection Law protects data relating to natural persons; data relating to legal persons does not fall within the scope of the Data Protection Law.

There is no distinction between private corporations and public authorities before the law. Therefore, the rules and procedures set out in the Data Protection Law apply to all institutions and organizations.

2.2. Territorial scope

Unlike the GDPR, the Data Protection Law contains no express provision on territorial scope. That said, in line with the principle of territoriality applicable under Turkish law, the Data Protection Law applies to all natural and legal persons who process data originating from Turkey, regardless of whether they are located in Turkey or abroad.

2.3. Material scope

Processing of personal data is defined as any operation performed on personal data, such as collection, recording, storage, retention, alteration, re-organization, disclosure, transfer, taking over, making retrievable, classification, or preventing the use thereof, wholly or partly by automatic means or, provided that the processing is part of a data registry system, by non-automatic means. Accordingly, any system in which personal data is structured according to specific criteria in order to facilitate access falls within the scope of the Data Protection Law.

The Data Protection Law foresees several exceptions under Article 28(1) which provides that the Data Protection Law shall not apply in the following circumstances:

  • processing of personal data by natural persons within the scope of activities related to themselves or family members living together in the same dwelling, provided that it is not to be disclosed to third parties and the data security obligations are to be complied with;
  • processing of personal data for official statistics and research, planning, and statistical purposes after having been anonymized;
  • processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that national defense, national security, public security, public order, economic security, privacy, or personal rights are not violated and the processing shall not constitute a criminal offense;
  • processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations duly authorized and assigned to maintain national defense, national security, public security, public order, or economic security; and
  • processing of personal data by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings, or execution proceedings.

In addition to the above exemptions, the Data Protection Law also grants partial exemptions in specific circumstances. As per Article 28(2) of the Data Protection Law, Article 10 of the Data Protection Law regarding the data controller's obligation to inform, Article 11 of the Data Protection Law regarding the rights of the data subject, excluding the right to demand compensation, and Article 16 of the Data Protection Law regulating the requirement to register with the data controller registry system shall not apply to the circumstances where personal data processing:

  • is required for the prevention of a crime or crime investigation;
  • is carried out on the data which is made public by the data subject themselves;
  • is required for the conduct of supervisory or regulatory duties, or for disciplinary investigation or prosecution, by public institutions and organizations or professional associations having the status of public institutions that are assigned and authorized for such actions in accordance with the powers granted to them by law; and
  • is required for the protection of the state's economic and financial interests with regard to budgetary, tax-related, and financial issues.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Data Protection Law establishes regulatory bodies to oversee its provisions; that is, the KVKK and the Board. The KVKK serves a mostly administrative and government-relations role, whereas the Board is the decision-making organ within the authority.

The Board began operating in January 2017, once all appointments were made. The Board comprises nine members, elected as follows:

3.2. Main powers, duties and responsibilities

The KVKK was established as an independent regulatory authority with institutional and financial autonomy. It is responsible for ensuring personal data protection and raising awareness in this respect.

It is stipulated that the Board shall perform the duties and exercise the powers assigned to it by the Data Protection Law and other legislation independently and under its own responsibility. In addition, no organ, authority, office, or person may issue orders or instructions to the Board concerning matters falling within its scope of duties and powers.

The duties and responsibilities of the Board are regulated mainly under Article 22 of the Data Protection Law, yet some are also included in other articles. The main duties of the Board are as follows:

  • to take necessary and adequate measures for the processing of the special personal data categories (Article 6(4) of the Data Protection Law);
  • to allow the transfer of personal data abroad if the controllers in Turkey and in the related country guarantee an adequate protection in writing, where sufficient protection is not provided (Article 9(2) of the Data Protection Law);
  • to determine and announce the countries where an adequate level of protection is provided (Article 9(3) of the Data Protection Law);
  • (if necessary) to announce data breaches on its official website or through other methods it deems appropriate (Article 12(5) of the Data Protection Law);
  • to examine and conclude the complaints made in cases where (Article 14 of the Data Protection Law):
    • the application is declined by the data controller;
    • the response given by the data controller is found unsatisfactory; or
    • the response is not given in due time;
  • following the examination made upon complaint or ex officio, in cases where it is understood that an infringement exists, the Board shall decide that the identified infringements shall be remedied by the relevant controller and, in cases where the infringement is widespread, the Board shall adopt and publish resolutions in this regard (Articles 15(5) and 15(6) of the Data Protection Law);
  • to decide that the processing of data or transfer of data abroad is to be stopped, in the event that such operation may lead to damages that are difficult or impossible to recover and if it is clearly unlawful (Article 15(7) of the Data Protection Law);
  • to ensure that the data registry system is maintained and, in cases of necessity, to make exceptions to the obligation to register with the data registry system (Articles 16(1) and 16(2) of the Data Protection Law);
  • to notify relevant institutions in order to conduct disciplinary investigations against civil servants who violate the prescribed obligations regarding the protection of personal data (Article 18(3) of the Data Protection Law);
  • to ensure that the personal data is processed in compliance with fundamental rights and freedoms (Article 22(1)(a) of the Data Protection Law);
  • to carry out regulatory procedures:
    • in order to lay out the liabilities concerning data security;
    • regarding the matters concerning the Board's field of duty and the KVKK's operation; and
    • regarding the data controller and their representative duties, powers, and responsibilities (Articles 22(1)(e), 22(1)(f), and 22(1)(g) of the Data Protection Law);
  • to deliver its opinion on draft legislation prepared by other institutions and organizations that contain provisions on personal data (Article 22(1)(h) of the Data Protection Law);
  • to decide on the administrative sanctions foreseen under the Data Protection Law (Article 22(1)(g) of the Data Protection Law);
  • to conclude the KVKK's strategic plan in order to determine the KVKK's purpose, targets, service quality standards, and performance criteria, and to discuss and decide on the strategic plans and budget proposal prepared in compliance with those purposes and targets (Article 22(1)(i) of the Data Protection Law);
  • to approve and publish the draft reports prepared on the KVKK's performance, financial situation, annual activities, and other required matters (Article 22(1)(j) of the Data Protection Law);
  • to negotiate and decide on proposals for the purchase, sale, and lease of immovable property (Article 22(1)(k) of the Data Protection Law); and
  • to fulfil duties assigned by any other law (Article 22(1)(l) of the Data Protection Law).

4. Key Definitions

Data controller: means a real person or entity who determines the intended purposes and means of processing personal data. Data controllers are responsible for establishing and administering data registry systems.

Data processor: means a real person or entity processing data with the authorisation of the data controller.

Personal data: means any information relating to an identified or identifiable natural person. For example, a customer's name and address, IP address, or e-mail address, or a database of customer email addresses.

Special categories of personal data: 'special categories of personal data' receive extra protection. This includes data revealing racial or ethnic origin, political opinions, religious, sectarian or other beliefs, philosophical beliefs, clothing and attire, and membership of associations, foundations, or unions, as well as data concerning health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Health data: means the health-related personal data (physical or mental) which constitute special categories of personal data, such as information about medical conditions.

Biometric data: means personal data resulting from specific technical processing of a real person's physical, physiological, or behavioural characteristics which uniquely identify that person, for instance a photo, fingerprint, DNA, or genetic characteristics.

Pseudonymisation: is a technical and organisational measure by which personal data can no longer be attributed to a specific data subject without the use of additional information. That additional information (for example, the key or lookup table needed to re-identify the data subject) is kept separately, under measures that ensure the pseudonymised data cannot be re-linked to the data subject by using it.
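The definition above describes pseudonymisation in the abstract. The following added example (written for this page, not code from the Data Protection Law, the KVKK or the original article) shows what "kept separately" means in practice: a keyed pseudonym that only a separately held key holder can reverse, contrasted with an unkeyed hash that a dictionary attack reverses. The class and function names (`KeyHolder`, `naive_pseudonym`, `pseudonymise_dataset`, `dictionary_attack`) and the sample records are assumptions made for the illustration.

```python
"""Keyed pseudonymisation with the re-identification secret held separately.

Added illustration, not code from the Data Protection Law, the KVKK or the
DataGuidance page. KeyHolder, naive_pseudonym, pseudonymise_dataset and
dictionary_attack are names chosen for this example; the records are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample dataset (fictional e-mail addresses and order totals).
SAMPLE_RECORDS = [
    {"email": "ayse@example.com", "order_total": 120},
    {"email": "mehmet@example.com", "order_total": 45},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash. Looks pseudonymous, but anyone holding a list of candidate
    identifiers can recompute the hashes and re-identify the data subject."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


class KeyHolder:
    """Holds the 'additional information' the definition refers to: a secret
    HMAC key and the reverse lookup table. In practice this object lives with a
    separate function or system from the one that uses the pseudonymised data."""

    def __init__(self, key: bytes | None = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._reverse: dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        # HMAC-SHA256 truncated to 16 hex characters; deterministic for one key,
        # so the same data subject maps to the same pseudonym within a dataset.
        token = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._reverse[token] = identifier
        return token

    def reidentify(self, token: str) -> str | None:
        """Only the key holder can attribute a pseudonym back to a data subject."""
        return self._reverse.get(token)


def pseudonymise_dataset(records: list[dict], holder: KeyHolder) -> list[dict]:
    """Return a copy of the records with the direct identifier replaced by a
    keyed pseudonym; non-identifying attributes are kept for analysis."""
    return [
        {"subject": holder.pseudonymise(r["email"]), "order_total": r["order_total"]}
        for r in records
    ]


def dictionary_attack(token: str, candidates: list[str], pseudonymiser) -> str | None:
    """Attacker model: knows (or guesses) the candidate identifiers and the
    pseudonymisation function, but not the key holder's secret."""
    for candidate in candidates:
        if pseudonymiser(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    holder = KeyHolder()
    dataset = pseudonymise_dataset(SAMPLE_RECORDS, holder)
    candidates = [r["email"] for r in SAMPLE_RECORDS]
    print("pseudonymised:", dataset)
    print("key holder re-identifies:", holder.reidentify(dataset[0]["subject"]))
    print("unkeyed hash reversed by dictionary:",
          dictionary_attack(naive_pseudonym(candidates[0]), candidates, naive_pseudonym))
    print("keyed pseudonym reversed without key:",
          dictionary_attack(dataset[0]["subject"], candidates, KeyHolder().pseudonymise))
```

The design point is the separation: the dataset that analysts work on never contains the key or the reverse table, so a compromise of that dataset alone does not let the attacker attribute records to people, whereas the unkeyed hash is broken by anyone who can enumerate plausible identifiers.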

Data subject: (natural person concerned) means the natural person whose personal data is processed. Under the Data Protection Law, only real (natural) persons benefit from its protection.

Explicit consent: means consent on a specific matter, based on information and given with free will by the data subject. The Data Protection Law introduces a general prohibition on processing personal data or special categories of personal data without explicit consent, but it does not prescribe a specific method for obtaining that explicit consent. Companies would therefore be prudent both to record and to retain consents, in writing or electronically.

Processing activities: means any operation performed on personal data such as collection, recording, storage, retention, alteration, reorganization, disclosure, transferring, taking over, making retrievable, classification, or preventing the use thereof, fully, or partially through automatic means, or, provided that the process is part of a data registry system, through non-automatic means.

Data registry system: means any system in which personal data is recorded and structured according to specific criteria.

5. Legal Bases

5.1. Consent

Personal data cannot be processed without the explicit consent of the data subject where other legal bases are not applicable (Article 5(1) of the Data Protection Law). Explicit consent should be freely given, specific, and informed (Article 3 of the Data Protection Law).

5.2. Contract with the data subject

Personal data of each party to a contract may be processed by the other party provided that it is strictly necessary to execute or perform the contract, for example, processing personal information of an employee by an employer in order to execute an employment agreement (Article 5(2)(c) of the Data Protection Law).

5.3. Legal obligations

Where processing is explicitly provided for by law, or is necessary for compliance with a legal obligation to which the data controller is subject, personal data may be processed without the data subject's explicit consent. Examples include employers preparing and keeping personnel files, banks and financial institutions collecting and reporting certain information, and employers reporting the personal data of a new employee to law enforcement agencies.

5.4. Interests of the data subject

Personal data can be processed in the protection of the life or physical integrity of a person, or of any other person who is incapable of giving their consent, or whose consent would otherwise be deemed not legally valid. For example, location data of a mobile device carried by a missing person, or CCTV records processed for locating a missing person.

5.5. Public interest

As per the Data Protection Law, public interest is not a legal basis to process personal data of a data subject without obtaining their explicit consent. However, the Board considers public interest as a criterion while evaluating limits of independent press and the balance between the right to privacy and right to freedom of expression.

5.6. Legitimate interests of the data controller

Personal data may be processed without a data subject's explicit consent if such processing is necessary for the data controller's legitimate interests, provided that the processing does not harm the data subject's fundamental rights and freedoms (Article 5(2)(f) of the Data Protection Law). For example, the preamble of the Data Protection Law states that the owner of a company may process employee personal data to arrange job promotions or social rights, or to determine employees' roles in a restructuring of the company, each of which constitutes a legitimate interest of the company.

5.7. Legal bases in other instances

As per Article 5 of the Data Protection Law, under the following conditions personal data can be processed without obtaining the explicit consent of the data subject:

  • if the personal data is publicized by the data subjects themselves; and
  • if it is mandatory for the establishment, exercise, or protection of certain rights.

6. Principles

Principles for processing personal data

All data processing activities should be carried out in compliance with the principles for processing personal data (Article 4 of the Data Protection Law). The following key principles need to be adhered to for all personal data processing activities. Personal data must be:

  • processed lawfully and fairly;
  • accurate and where necessary, kept up to date;
  • processed for specified, explicit, and legitimate purposes;
  • relevant, limited, and proportionate to the purposes for which they are processed; and
  • retained for the period of time determined by the relevant legislation or the period deemed necessary for the purpose of the processing.

Personal data processing conditions

Data controllers are obliged to comply with data processing conditions while processing personal data. Personal data can be processed in cases where:

  • the data subject has given their explicit consent;
  • it is explicitly permitted by the laws;
  • it is mandatory for the protection of life or to prevent the physical injury of a person, where such person is physically or legally incapable of providing their consent;
  • processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the execution or performance of that contract;
  • it is mandatory for the data controller to fulfill its legal obligations;
  • the personal data is publicized by the data subjects themselves;
  • it is mandatory for the establishment, exercise, or protection of certain rights; or
  • it is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not compromised.

7. Controller and Processor Obligations

Data security measures

Data controllers are obliged to (Article 12 of the Data Protection Law):

  • prevent unlawful processing of personal data;
  • prevent unlawful access to personal data; and
  • ensure the preservation (safe keeping) of personal data.

The data controllers must take all necessary technical and organizational measures to provide appropriate data security. The Personal Data Security Guide (only available in Turkish) regarding technical and administrative measures, published by the Board in January 2018, and the guideline for technical and administrative measures to be taken by public authorities and key infrastructure organizations, published by the Digital Transformation Office in July 2020, can be taken as references when complying with the obligation on data security measures.

In addition to these sources, Board Decision 2018/10 must be taken into account with regard to the processing of special categories of personal data. With this decision the Board declared that data controllers must prepare a separate policy and procedure for protecting special categories of personal data, and emphasized the importance of implementing the measures previously set out in the Personal Data Security Guide. Data controllers must therefore ensure that adequate measures are in place when processing special categories of personal data.

In addition to the Board decisions and security guides mentioned above, the Board's decision dated October 9, 2020 and numbered 2020/787 (only available in Turkish) illustrates how the Board treats certain aspects of security breaches. The decision followed a data breach notification submitted within the statutory notification period by the data processor concerned, which operates in the health sector. On investigation, the Board concluded that the breach was caused not by a lack of precautions on the part of the data controller but by a widely used application, a situation the data controller was in no position to influence. The data controller detected the breach quickly and promptly took all necessary technical and administrative measures in line with the Data Protection Law. The Board therefore imposed no sanction on the data controller.

Unlike the GDPR, the rights and obligations of the data processor are not specifically regulated under the Data Protection Law, although there is still an obligation to ensure data security jointly with the data controllers. Within this framework, data processors shall comply with the instructions of the data controller while processing personal data transferred to themselves, and shall not disclose the personal data that they have obtained. In addition, they shall not use such data for purposes other than the processing purpose determined by the data controller. This obligation shall continue even after the end of their term as the data processor.

Other obligations:

  • data controllers are obliged to carry out (or have third parties carry out) necessary audits to ensure compliance with the Data Protection Law within their own organization; and
  • data controllers are obliged to comply with data transfer conditions for data transfers within Turkey and cross-border transfers. (Please see Section 13 of the Data Protection Law for further information).

7.1. Data processing notification

The Board established the Registry, which became operational on October 1, 2018. It is an online database that accepts registration applications from data controllers only through the Data Controllers Information System ('VERBIS'). Real or legal persons processing personal data must register before commencing their data processing activities. The Board extended the registration periods with its Decision No. 2020/482 on the Extension of Data Controllers Information System ('VERBIS') Registration Periods (only available in Turkish).

Data controllers must prepare a data inventory for all data processed in Turkey, which must include at least the following:

  • identifying information (including the address of the data controller or its representative);
  • data categories;
  • purpose of the data processing;
  • data subject groups;
  • recipient or recipient groups to which the data may be transferred;
  • information on whether the relevant data category is transferred abroad;
  • data security measures taken; and
  • the maximum time period for processing personal data.

The data inventory must be kept up-to-date, accurate, and lawful. The registration process should be carried out in line with the data inventory and the changes in data inventory must be updated on the data registry system via VERBIS within seven days.

The data controllers must appoint a contact person who will be in charge of submitting data inventories and completing the registration process. Please note that the contact person must be a real person and a Turkish citizen residing in Turkey. In case the data controller is located abroad, the data controller must appoint a 'data controller representative' in addition to a contact person.

With its decision numbered 2020/542 dated July 16, 2020 (only available in Turkish), the Board set out its opinion on the appointment of one contact person for multiple data controllers. Accordingly, a single person may be the contact person for only one data controller located in Turkey, but may simultaneously be the contact person for multiple data controllers located abroad.

The Board ruled with its decision number 2019/225 (only available in Turkish) on the VERBIS registration obligation of data controllers located outside Turkey. Data controllers located outside Turkey may be obliged to register with VERBIS if they carry out personal data processing activities in Turkey, directly or through their branches or liaison offices.

The Board announced that the registration obligation applies in line with the periods set out in decision number 2018/88 (only available in Turkish); failure to register by the applicable date risks a fine of between TRY 53,576 (approx. $1,981) and TRY 2,678,870 (approx. $99,100).

The deadline for registration with VERBIS expired on December 31, 2021. Data controllers with fewer than 50 employees and an annual financial balance sheet total below TRY 25 million (approx. $924,820) are exempt from VERBIS registration, unless their main business activity is the processing of special categories of personal data. If either threshold is exceeded, VERBIS registration is required and the above penalty may apply. Where the registration obligation arises after December 31, 2021, registration must be completed within 30 days of the date on which it arises.

Data controllers that are required to enroll in the registration have to prepare a personal data processing inventory and a policy regarding the retention and destruction of personal data (Articles 9(2) and 9(5) of the Regulation).

Any changes to the information provided to the registration must be reported via VERBIS within seven days (Article 13 of the Regulation).

Exemptions from registration with VERBIS

In addition, the Board held that the following categories of data controllers are exempt from having to register with VERBIS:

  • data controllers employing less than 50 employees and with an annual balance of less than TRY 25 million (approx. $924,820) (unless the data controller's main business activity is processing special categories of personal data);
  • data controllers processing personal data through non-automatic means, provided the processing is part of a data filing system;
  • public notaries;
  • associations (only for personal data processed in accordance with their area of activity);
  • foundations;
  • unions;
  • political parties;
  • lawyers;
  • public accountants and sworn-in public accountants;
  • customs brokers and authorized customs brokers; and
  • mediators.

In addition, a data controller is exempt from the registration obligation where (Article 15 of the Regulation):

  • processing of personal data is necessary for the prevention of crime or criminal investigation;
  • processing is carried out on personal data that is made public by the data subject;
  • processing is necessary for the performance of monitoring and regulating duties of the authorized public authorities and professional organizations with public institution status and for the disciplinary investigation and prosecution; or
  • processing is necessary to protect the economic and financial interests of the State in relation to budget, tax, and financial matters.

Furthermore, data controllers which process personal data through non-automatic means are also exempt from registration, provided the processing is part of a data filing system (see the Guide on VERBIS).

Finally, pursuant to Article 16 of the Regulation, the Board may also provide derogation from the registration obligation by considering, among other things, the nature and quantity of personal data, the purpose of processing, the field of activity in which personal data is processed, and the financial information of the data controller.

7.2. Data transfers

The Data Protection Law addresses the transfer of personal data to third parties, as well as transfers outside of Turkey. This is particularly relevant for multinational companies and local companies which have operations crossing Turkey's national borders. Companies should review their operations to ensure that they are aware where personal data is stored and whether the new legislative rules will apply.

Sectoral obligations

Banking Law No. 5411 of 2005 (only available in Turkish) ('the Banking Law') foresees specific rules for cross-border transfers of customer data. According to Article 73 of the Banking Law, data belonging to real and legal persons generated after the establishment of a customer relationship with a bank, specifically for banking activities, becomes customer data and is subject to the rules stipulated under the Banking Law. Therefore, the conditions on cross-border transfer of customer data set forth under the Banking Law take precedence over the conditions set forth under the Data Protection Law. Consequently, for customer data within the scope of Article 73 of the Banking Law, the provisions of the Banking Law should be considered as special legal provisions applying ahead of the Data Protection Law.

The Banking Law stipulates that even if the explicit consent of the customer is obtained pursuant to the Data Protection Law for cross-border transfers or transfers of customer data to third parties located in Turkey, the customer data should not be shared with and transferred to third parties located in Turkey or outside Turkey without the customers' instructions or requests.

Furthermore, under the Banking Law, the Banking Regulation and Supervision Authority ('BDDK') is authorized to prohibit the sharing or transfer of customer data or bank secrets with third parties located outside Turkey, as well as to make decisions regarding keeping information systems used by banks and their backups locally due to evaluations regarding economic security.

Transfers to third parties

The Data Protection Law requires explicit consent from data subjects for the transfer of personal data to third parties. However, consent is not required if the transfer is carried out in the following circumstances:

  • expressly permitted under laws;
  • necessary to protect the life or physical integrity of the data subject (or another person) where the data subject is physically or legally incapable of providing their consent;
  • necessary to process data of the parties to a contract, if such processing is directly related to the execution or performance of the contract;
  • necessary for the data controller to fulfil its legal obligations;
  • already publicized by the individuals themselves;
  • necessary to establish, use, or protect a right; or
  • necessary for the legitimate interests of the data controller, provided that such processing does not violate fundamental rights and freedoms.

In addition, the Data Protection Law stipulates that personal data on health and sexual life may only be transferred without explicit consent by persons under a confidentiality obligation, or by competent authorities, for the purposes of:

  • protecting public health;
  • operating preventive medicine;
  • medical diagnosis;
  • treatment and care services; or
  • planning and managing health services and financing.

Transfers outside of Turkey

Consent will not be required for data transfers outside of Turkey where any of the exceptions above apply, and either adequate protection exists in the transferee country (the Board will announce the countries which it deems to have adequate protection, however until then, data controllers should consider that no country has such protection) or, where no adequate protection exists in the transferee country, the data controller has given a written security undertaking and the Board grants permission.

The Board specified the criteria for determining the countries with an adequate level of protection in its decision Number 2019/125 (only available in Turkish). The decision includes a form to be used in determining the countries with an adequate level of protection. The matters to be taken into account are as follows:

  • reciprocity condition;
  • legislation of the relevant country regarding the processing of personal data and its implementation;
  • existence of an independent data protection authority;
  • party status to international agreements on the protection of personal data;
  • membership status to international organizations;
  • membership status to global and regional organizations that Turkey is a party to; and
  • the volume of trade with the relevant country.

Since the enactment of the Data Protection Law in 2016 and up to March 2021, the Board had approved only two undertakings. The Board announced its first approval, pertaining to a fleet leasing company, on February 9, 2021, and its second approval, pertaining to an e-commerce company and a web services company (Amazon's subsidiaries), on March 4, 2021. The Board has announced that minimum contractual clauses are required for transferring personal data outside Turkey. These are the essential clauses which must be included in contracts for transferring personal data to countries which Turkey deems not to provide adequate protection. The minimum clauses include separate provisions for transfers to data controllers and for transfers to data processors (only available in Turkish). The Board reviews applications from both a procedural and a material perspective. On the material side, the most critical point is to determine whether the transfer is from data controller to data controller or from data controller to data processor, so applicants must analyse the transfer process carefully. To determine the relationship between a data controller and a data processor, the Board's decision dated January 30, 2020 and numbered 2020/71 (only available in Turkish) can be taken as a reference.

When granting permissions, the Board must evaluate international treaties, reciprocity of countries, measures taken by the data controller, as well as the period and purpose of the data processing. This requirement is particularly relevant for multinational companies and local companies, having cross-border operations or keeping data servers outside Turkey.

The Board can limit data transfers to third countries if it considers that a violation of public interest or personal interests exists. It is not clear how the Board will determine the criteria for such violation yet.

Data Transfer Abroad via Undertaking

The KVKK stated in its public announcement dated February 9, 2021 (only available in Turkish) that it had approved an application for data transfer abroad. Thus, as of 2021, the process of transferring personal data abroad by means of an undertaking has begun in Turkey.

The number of undertakings announced to be accepted by the Board in 2021 was limited to four.

Binding corporate rules

On April 10, 2020, the KVKK announced binding corporate rules ('BCRs'), allowing intra-group data transfers among multinational companies. BCRs are data protection rules for cross-border transfers that allow the companies of a multinational group, including those operating in countries without an adequate level of data protection, to achieve an adequate level of protection for intra-group data transfers.

Due to the difficulties in the implementation of cross-border data transfer rules determined under the Data Protection Law, the KVKK was expected to issue new rules set for intra-group cross-border data transfers in parallel with the approach to BCRs accepted under the GDPR. Considering sector-specific needs, the KVKK introduced an alternative cross-border data transfer method specific to group companies, which is modeled after the EU's BCR approach.

BCRs, introduced by the KVKK, would allow multinational companies to transfer personal data from Turkey to a member of the same corporate group, located in a country with an inadequate level of data protection. BCRs are to be considered as a commitment to adequate data protection for intra-group cross-border data transfer in such circumstances.

BCRs must include all general data protection principles and adequate safeguards for protecting personal data within the corporate group. The KVKK provides a guideline on the necessary content of BCRs, as well as a standard application form, on its official website (only available in Turkish).

7.3. Data processing records

The concept of 'data processing records' is not defined under the Data Protection Law. Such a concept is expected to be adopted in forthcoming amendments within the scope of the GDPR harmonization process.

7.4. Data protection impact assessment

Data Protection Impact Assessment ('DPIA') is not mandatory under the Data Protection Law.

7.5. Data protection officer appointment

The Data Protection Law itself does not require the appointment of a data protection officer ('DPO'). That said, the Data Controller Regulation, which sets out the details of the registration process, requires data controllers located outside Turkey to appoint a data controller representative in Turkey in order to open an account in the Registry. The representative may be either a legal entity located in Turkey or a Turkish individual. The appointment must be made by a resolution of the data controller, which must be notarised and apostilled (or otherwise legalized).

Professional qualifications

Article 6(1) of the Communiqué on Procedures and Principles Regarding Personnel Certification Mechanism emphasizes that those who are successful in the exam, will be entitled to use the title of DPO. In addition, Article 4(1)(ç) of the Communiqué on Procedures and Principles Regarding Personnel Certification Mechanism outlines that a certificate of participation will be given only to those who complete the training program, the procedures and principles of which are determined by the Board of the KVKK.

7.6. Data breach notification

Data controllers are obliged to notify the data subjects concerned and the Board as soon as possible where processed personal data is obtained by others through unlawful means. Where necessary, the Board may announce such a breach on its official website or by other means it deems appropriate.

The KVKK has published Board Decision No. 2019/10 dated January 24, 2019 on the procedures and principles for notification of personal data breaches. According to this decision:

  • a data controller shall notify the Board without delay and within 72 hours at the latest from the date they learn of such breach. After identifying the persons affected by the data breach, the data controller shall promptly notify the related persons by appropriate methods;
  • in the event that the data controller cannot notify the Board within 72 hours for a good cause, they should explain the reasons which caused the delay to the Board with the notification to be made; and
  • data controllers are obliged to use the notification form attached to the decision (only available in Turkish).

The Board ruled that the purpose of data breach notification is to create an opportunity to swiftly avoid or minimize the negative outcomes of the breach for the data subjects. Therefore, in its decision numbered 2019/271 (only available in Turkish), the Board determined the minimum requirements for a data breach notification to data subjects. The Board stated that data breach notifications to data subjects must be in clear, plain language and must include at least:

  • the time and date of breach;
  • categories of data (personal data, special categories of personal data) affected by the breach;
  • possible consequences of the breach;
  • measures that have since been taken, or will be taken by the data controller to address the breach and mitigate its consequences; and
  • the name and contact details of the contact person(s) from whom data subjects may obtain more information about the breach, or some other means of communication, such as the data controller's website, call center, etc.

On March 23, 2020, the Board published an announcement regarding COVID-19 ('Coronavirus') (only available in Turkish). It stated that the Board would take account of the extraordinary circumstances facing data controllers when assessing the periods that apply to complaints, notices, and data breach notifications submitted to the KVKK. In other words, the KVKK envisaged that the deadlines data controllers are required to meet could be evaluated in light of the pandemic.

7.7. Data retention

Erasure, destruction, and anonymization of personal data

Personal data may be retained only for as long as the purpose for which it is processed requires, as the principle of purpose limitation demands. In this regard, the data controller is obliged to take the following administrative and technical measures:

  • establishing personal data retention and erasure policy and principles;
  • determining storage periods as well as technical and administrative measures to be applied in the storage; and
  • ensuring the storage of personal data in accordance with these principles.

Data controllers shall comply with the retention periods prescribed by legislation for the relevant personal data. Where no such period is prescribed, the data shall be retained only for as long as is necessary for the purpose for which it was processed.

7.8. Children's data

The Data Protection Law does not distinguish between the personal data of adults and that of minors; both are protected equally, and the law contains no specific definition of a child. The KVKK has, however, published a set of guidelines on the matters to be considered in order to protect children's data. These guidelines are intended to raise awareness of personal data concepts and do not impose any legal requirement on the processing of children's data. Legislation including specific provisions on the protection of children's data is expected to be introduced.

7.9. Special categories of personal data

The Data Protection Law envisages specific rules for the processing of special categories of personal data that is defined as data relating to:

  • race;
  • ethnic origin;
  • political beliefs;
  • philosophical beliefs;
  • religion, denomination, or other faiths;
  • clothing and attire;
  • membership of an association, charity, or union;
  • health;
  • sexual life;
  • criminal convictions and security measures; and
  • biometric and genetic data.

Special categories of personal data can only be processed provided that the data subject has given their explicit consent (Article 6 of the Data Protection Law). In terms of additional legal bases for processing, the Data Protection Law divides special categories of personal data into two different categories:

  • personal data related to health or sexual life; and
  • other special categories of personal data.

Whereas other special categories of personal data may be processed without explicit consent where the law so provides, personal data relating to health or sexual life is protected more strictly, since the legal grounds for processing it are very limited. Absent the data subject's explicit consent, personal data relating to health or sexual life may be processed only by persons under an obligation of confidentiality or by authorized institutions and establishments, for the purposes of:

  • protection of public health;
  • preventive medicine;
  • medical diagnosis;
  • provision of healthcare services and treatment; and
  • planning and management of healthcare services and their financing.

7.10. Controller and processor contracts

Data processor agreements are not a concept introduced by the Data Protection Law. However, since the obligations of data processors are not regulated in detail under the Data Protection Law, where a data processor is involved in the processing, the data controller is jointly responsible with the data processor for data security (Article 12 of the Data Protection Law).

Data controllers therefore need to execute data processing agreements to ensure the data processors' compliance with the data protection legislation. The authorization granted to the data processor and its limits, the technical details of the processing activity, and the principles and rules the data processor must comply with should all be contractually regulated between the data controller and the data processor to ensure the proper handling of the personal data.

8. Data Subject Rights

Data subjects are entitled to request the following from the data controller (Article 11 of the Data Protection Law):

  • information about whether their personal data has been processed;
  • if personal data has been processed, the information about such data and processing;
  • information about the purpose for the data processing and whether the data was used for this purpose;
  • information about the identities of the natural or legal persons to whom the data is transferred;
  • correction, erasure, or removal of the personal data;
  • if data is transferred, that the data controller advise the recipient about the correction, erasure, and removal of the personal data;
  • objection to any negative consequence of their data being analyzed exclusively through automated systems; and
  • compensation where a data subject suffers any damage due to the illegal processing of their data.

The Board published decision numbered 2019/9 on application procedures to the data controller and the determination of complaint periods to the Board (only available in Turkish here), clarifying the periods for applying to data controllers and for filing complaints with the Board. Accordingly, the following rules apply when calculating application periods:

  • if the data controller fails to respond within 30 days, the data subject may file a complaint with the Board within 60 days from the date of the application to the data controller;
  • if the data controller responds within 30 days, the data subject may file a complaint with the Board no later than 30 days after receiving the response; and
  • if the data controller responds after the 30-day period has lapsed, the data subject may file a complaint with the Board no later than 60 days following the date of the application to the data controller; the complaint may be submitted as soon as the 30-day period expires, whether or not a response has been received.

8.1. Right to be informed

Regardless of the legal basis for processing, data controllers must inform data subjects when collecting their personal data, and the notice must cover at least the following (Article 10 of the Data Protection Law):

  • the identity of the data controller and of its representative, if any;
  • the purpose of the processing;
  • the recipients to whom the personal data may be transferred, and the purpose of the transfer;
  • the method of collection and the legal basis for it; and
  • the data subject's rights under Article 11 of the Data Protection Law.

8.2. Right to access

The right of access derives from the Article 11 rights listed under section 8 above: data subjects may learn whether their personal data has been processed and, if so, obtain information about the data and the processing, learn the purpose of the processing and whether the data has been used in line with that purpose, and learn the identities of the natural or legal persons to whom the data has been transferred.

The KVKK has issued the Application Communiqué, which regulates the methods and procedures for lodging a request with data controllers. Data controllers must respond to duly lodged requests within 30 days. The Application Communiqué also allows a fee of TRY 1 (approx. $0.1) per page for responses exceeding ten pages, or the cost of the recording medium where the answer is provided on one.

8.3. Right to rectification

Under the general principles of lawful processing, personal data must be accurate and, where necessary, kept up to date. In line with this principle, data subjects may request rectification from the data controller where their personal data is inaccurate or outdated.

8.4. Right to erasure

Data controllers must erase, destroy, or anonymize personal data, either ex officio or at the data subject's request, once the reasons for which it was processed no longer apply (Article 7 of the Data Protection Law).

The details of the erasure, destruction, and anonymization process are governed by the DDA Regulation. In addition, the Board has prepared a guide on the Erasure, Destruction, or Anonymisation of Personal Data (only available in Turkish here) to clarify its implementation. Data controllers that are required to register with the Registry must also draft a personal data retention and destruction policy; the mandatory content of the policy is set out in the DDA Regulation, and data controllers must publish their retention and destruction policy and procedures.

8.5. Right to object/opt-out

The Data Protection Law does not grant data subjects a general right to object. Where a valid legal basis for processing exists, an objection alone is not sufficient to stop the processing. However, where processing exceeds the purpose of its legal basis (for example, processing that goes beyond what the controller's legitimate interest covers), the data subject may object in order to stop the excess processing. In addition, data subjects may always withdraw their consent and thereby stop processing carried out on the basis of their explicit consent.

In addition to the Data Protection Law, separate legislation regulates the right to object/opt-out within electronic commerce. The Electronic Commerce Law No. 6563 provides that personal data collected from a consumer may only be used, and shared with third parties, with the consumer's consent. The consent of the data subjects (here, consumers) must therefore be obtained before their personal data is used for marketing purposes.

The same legislation grants consumers/data subjects a right to object/opt-out. Data controllers acting as service providers must include accessible contact details in their commercial electronic communications so that recipients can exercise their opt-out right. Whichever channel was used to send the commercial electronic message, the opt-out must also be available through that same channel, easily and free of charge. Under the Regulation on Commercial Electronic Communication (as amended), a national, centralized commercial electronic communication management system has been established, and consumers/data subjects may exercise their opt-out right through that system (or through the system provided by the relevant service provider).

8.6. Right to data portability

Unlike the GDPR, the Data Protection Law does not grant data subjects a right to data portability. Data subjects are not entitled to have their personal data transmitted directly from one controller to another.

8.7. Right not to be subject to automated decision-making

The Data Protection Law does not grant a general right not to be subject to automated decision-making. The limits on such processing and the data subject's rights are assessed under the Law's other requirements, such as the purpose limitation attached to the legal basis. However, under Article 11(1)(g) of the Data Protection Law, data subjects may object to any negative consequence arising from their data being analyzed exclusively through automated systems. This right can only be exercised where a negative consequence actually exists: the mere existence of an automated decision-making system is not enough, and the system must have produced a negative outcome for the data subject.

8.8. Other rights

The Data Protection Law does not provide any other rights.

9. Penalties

Certain breaches of data protection law can result in imprisonment under Turkish law:

  • prison sentences (ranging from six months to four years) or judicial fines may apply for the unlawful collection, processing, and transfer of personal data under the Criminal Code;
  • security measures may be imposed on legal entities, such as cancellation of licenses or seizure of the goods used for, or gained as a result of, the crime committed, or of the benefits derived from it, as determined under Article 60 of the Criminal Code;
  • administrative fines ranging between TRY 13,391 (approx. $500) and TRY 2,678,863 (approx. $99,100) apply for breaches of the Data Protection Law;
  • individuals can claim compensation for the unlawful collection or processing of their personal data under the Civil Code, Law No. 4721 (as amended) (only available in Turkish here); and
  • sector-specific regulations also provide for administrative fines; see, for example, the Regulation on Administrative Sanctions of the Information and Communication Technologies Authority (only available in Turkish here), which imposes fines of up to 3% of the preceding calendar year's net sales on authorized operators (service providers, network providers, infrastructure operators) for violating personal data and security obligations.

9.1 Enforcement decisions

The Board has published six principle decisions setting out the main principles data controllers must take into account. The details of these principle decisions are given under 'Board decisions' below. They underline the following:

  • all data processing activities must comply with the conditions for processing personal data under Articles 5 and 6 of the Data Protection Law, and persons processing personal data must also comply with the other requirements of the law;
  • entities providing services at service counters, box offices, and desks must ensure that only authorized persons are present in these locations and must take the necessary measures to prevent people receiving services there from seeing or hearing each other's personal data;
  • data controllers must take all necessary technical and organizational measures to provide appropriate data security, in order to stop and prevent unauthorized access and the misuse of access rights;
  • advertising using data subjects' contact details that were obtained unlawfully must cease;
  • the use by individuals and organizations of software programs that allow personal data to be queried, fed with data obtained by various means, is unlawful and is subject to proceedings under Turkish criminal law; and
  • reasonable measures should be taken to verify the contact details declared by data subjects, for example by sending a verification code and/or link to the declared phone number and/or email address.

In addition to the principle decisions above, the following sample decisions of the Board are notable:

  • in its decision numbered 2020/559 (only available in Turkish here), the Board imposed an administrative fine of TRY 900,000 (approx. $33,300) on a data controller for transferring personal data abroad without a valid legal basis. The Board rejected the data controller's argument that Convention 108 is in itself sufficient for data transfers among its parties: being a party to Convention 108 does not make a country a safe country, and relying on Convention 108 alone does not meet the requirements of the Data Protection Law for transfers abroad;
  • in its decision numbered 2019/157 (only available in Turkish here), the Board stated that using email services from providers whose servers/data centers are located outside Turkey is deemed a transfer of data abroad; storage services obtained from data controllers/data processors whose servers are located abroad must therefore also comply with Article 9 of the Data Protection Law;
  • in its decision numbered 2020/746 (only available in Turkish here), the Board stated that the right to be informed covers the right of access, and that a data subject's request to receive their personal data is lawful. However, where the relevant record also contains the personal data of persons other than the data subject, the data processor may mask the third parties' personal data and/or provide the record in an alternative format (for example, a transcript instead of the recording);
  • in its decision numbered 2020/494 (only available in Turkish here), the Board found it lawful for an employer to present camera recordings as evidence in a reinstatement lawsuit filed by an employee whose employment contract had been terminated;
  • in its decision numbered 2021/115 (only available in Turkish here), the Board imposed an administrative fine of TRY 175,000 (approx. $6,480) on a data controller bank for registering the phone number of a debtor's brother as an alternative contact number on the ground that the bank had previously reached the debtor on that number;
  • in its decision numbered 2020/755 (only available in Turkish here), the Board held that a property manager, as data controller, did not violate the Data Protection Law by sharing with the data subject's landlord certain requested personal data, including an account of unpaid property dues and the data subject's mobile phone number, since the processing was necessary for the landlord to exercise the rights granted by Article 22 of the Property Ownership Law No. 634 (only available in Turkish here);
  • in its decision numbered 2021/111 (only available in Turkish here), concerning contact with a debtor's relatives about the debt, the Board imposed administrative fines of TRY 50,000 (approx. $1,850) on the first law firm, which processed personal data without any processing condition; TRY 115,000 (approx. $4,260) on the company that transferred this data to another law firm without checking its accuracy; and TRY 100,000 (approx. $3,700) on the law firm that contacted the relatives despite knowing that the data in question belonged to the debtor themselves;
  • in its decision numbered 2020/407 (only available in Turkish here), the Board imposed an administrative fine of TRY 100,000 (approx. $3,700) on a data controller hospital that emailed the data subject's health data to a third party in the same message as to the data subject;
  • in its decision numbered 2020/404 (only available in Turkish here), the Board imposed total administrative fines of TRY 250,000 (approx. $9,250) on a data controller that failed to provide proper notice, processed special categories of personal data (fingerprint biometrics for workplace entry and exit) without valid consent, and transferred personal data abroad;
  • in its decision numbered 2020/335 (only available in Turkish here), the Board imposed an administrative fine of TRY 50,000 (approx. $1,850) on a data controller that made explicit consent a condition of its car rental services and refused service to a customer who did not give it; and
  • the highest penalty to date is the TRY 1,950,000 (approx. $72,100) fine imposed on WhatsApp in decision numbered 2021/891 of September 3, 2021 (only available in Turkish here); this is the largest fine imposed in a single decision since the Board began its activities.

Board decisions

In addition, the Board issues decisions to clarify areas within the Data Protection Law, regulations, and practice. Key decisions include:

  • Decision Number 2018/10 on the adequate measures to be implemented when processing special categories of personal data (only available in Turkish here) ('Decision 2018/10'): the Board declared that data controllers must prepare a separate policy and procedure for protecting special categories of personal data, and emphasized the importance of implementing the measures previously set out in the Personal Data Security Guide.
  • Decision Number 2017/62 on data security in service areas (only available in Turkish here): the Board declared that entities providing services at service counters, box offices, and desks must ensure that only authorized persons are present in these locations and must take the necessary measures to prevent people receiving services there from seeing or hearing each other's personal data. The Board specifically referred to banks and healthcare organizations in this context.
  • Decision Number 2017/61 on phone directory services (only available in Turkish here): the Board found that websites and applications offering phone directory services (searchable by phone number or name) and sharing personal data without a justifiable reason under the Data Protection Law and related legislation must immediately cease their activities or face administrative or criminal sanctions. The decision underlines that all data processing activities must comply with the conditions under Articles 5 and 6 of the Data Protection Law, and that persons processing personal data must also comply with the other requirements of the Data Protection Law.
  • Decision Number 2021/361 (only available in Turkish here) on push notifications to mobile phones: the Board found that a data controller bank's practice of sending push notifications through its two mobile applications, with the preference to receive electronic messages automatically set to 'approved' in the settings of the banking application installed on customers' Android devices and treated as valid unless the customer changed it, was not in accordance with the relevant legislation. Such push notifications, sent instantly to users by service providers through mobile applications, had been pre-approved in the applications' default settings. The Board held this to be unlawful and imposed an administrative fine on the data controller, on the grounds that it contradicts the rule in the Electronic Communication Law that electronic messages are subject to the recipient's consent and violates the requirement under Article 5 of the Data Protection Law to rely on explicit consent for the processing of personal data.
  • Decision Number 2020/763 (only available in Turkish here) on electronic commerce: in a data breach notification case, the Board decided not to impose a penalty. While sending a breach notification email to a group of 400 recipients, the employee sending it had placed all recipients in the BCC field to protect the confidentiality of their addresses, but mistakenly pasted the email addresses of 43 customers into the subject line, so those 43 addresses were disclosed to the 400 recipients as soon as the email was sent. The employee noticed the error immediately and contacted the technology department to take action, but the email could not be recalled. The breach affected the customers' email addresses and, since an email address may contain a person's name and surname, their identity and contact data. The 43 data subjects were contacted directly by email as soon as possible (within 48 hours) of the breach, which minimized their exposure, and the Board was notified on September 29, 2020.
  • Decision Number 2020/915 (only available in Turkish here) on the processing of fingerprints: the Board held that the data controller's processing of fingerprints, which are biometric data, for the purpose of overtime control breached the principle of being relevant, limited, and proportionate to the purpose under Article 4(ç) ('General Principles') of the Data Protection Law, and that the processing was also unlawful because it was not based on any processing condition. The Board found that the practice violated the Data Protection Law and ordered the data controller to promptly destroy all fingerprint data processed and retained to date in accordance with Article 7 of the Data Protection Law and the Regulation on the Deletion, Destruction or Anonymisation of Personal Data (only available in Turkish here); to promptly notify any third parties to whom the special category data had been transferred of the destruction procedures; to provide alternative means of recording workplace entry and exit, valid beyond the epidemic period as well; to end the practice of entry and exit with biometric data; and to remove the existing system.
  • Decision Number 2021/989 (only available in Turkish here) on explicit consent: the case concerned the use of the data subject's image, without explicit consent, in a website news story claiming that the data subject had been adopted by a celebrity. The Board found that the content of the story was not of public interest or benefit: the data subject had in fact been placed under the guardianship of a relative on the mother's side and had not been adopted by the celebrity. The Board imposed an administrative fine on the data controller, since the data subject's photograph had been published on the website, with inaccurate content unrelated to the data subject, by an editor working for the data controller, without the explicit consent of the data subject's guardian or any other processing condition under the Data Protection Law.

Principle decisions published by the Board include:

  • Decision Number 2018/63 on unauthorized access to and use of data (only available in Turkish here): the Board announced that data controllers must take all necessary technical and organizational measures to provide appropriate data security, in order to stop and prevent unauthorized access and the misuse of access rights.
  • Decision Number 2018/119 on advertising using data subjects' contact details obtained unlawfully (only available in Turkish here): the Board announced that such advertising must cease. Those advertising via email, SMS, and calls must also cease such activities, and the Board will impose sanctions on those who fail to do so.
  • Decision Number 2019/308 on individuals and institutions using software programs that allow personal data to be queried (only available in Turkish here): the Board determined that individuals and organizations use software programs that allow them to query personal data, fed with data obtained by various means. The Board specifically referred to attorneys, law firms, and individuals and organizations operating in the finance, real estate, and insurance sectors. It announced that the use of such programs does not comply with Article 12 of the Data Protection Law and that the data processors using them are subject to proceedings under Turkish criminal law.
  • Decision Number 2020/966 on the technical and administrative measures to be taken by data controllers to verify the contact details provided by data subjects (only available in Turkish here): to ensure that personal data is kept accurate and, where necessary, up to date, the Board decided that reasonable measures should be taken to verify the contact details declared by data subjects, for example by sending a verification code and/or link to the declared phone number and/or email address.
  • Decision Number 2019/125 on the criteria for determining the countries with an adequate level of protection (only available in Turkish here), within the scope of Article 9 of the Data Protection Law.
  • Decision Number 2019/10 on the procedures and principles for notifying personal data breaches (only available in Turkish here).
  • Decision Number 2019/9 on application procedures to the data controller and the determination of complaint periods to the Board (only available in Turkish here).
  • Decision Number 2019/225 on the Registry registration obligation of data controllers located outside Turkey (only available in Turkish here): data controllers located outside Turkey may be obliged to register with VERBIS if they carry out personal data processing activities in Turkey, directly or through branches or liaison offices.
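Decision 2020/966 leaves the form of the verification to the data controller. As an added illustration, not part of the original page and not code from the KVKK or any data controller, the Python below shows the two mechanisms the decision mentions implemented with the safeguards a practitioner would expect: an HMAC-signed, expiring link token for an email address, and a short one-time code for a phone number that is stored only as a keyed hash, compared in constant time, limited to a few attempts and burned after one successful use. `DEMO_KEY`, the `SmsChallenge` class and the sample addresses are all constructed for this example.

```python
"""Contact-detail verification by link token (email) and one-time code (SMS).
Added example; not the page's, the KVKK's or any controller's own code.
DEMO_KEY and every address below are constructed demo values."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo key (assumption): a real deployment loads this from a
# secrets manager and rotates it.
DEMO_KEY = b"demo-only-key-replace-with-a-managed-secret"


def _now(now):
    return time.time() if now is None else now


def make_link_token(contact, ttl=3600, now=None, key=DEMO_KEY):
    """Return a URL-safe token that binds `contact` to an expiry time.

    Layout is contact|expires|nonce|hmac, base64url-encoded, so the
    verification endpoint needs no server-side state and the token cannot be
    replayed against a different address."""
    if not contact or "|" in contact:
        raise ValueError("invalid contact")
    expires = int(_now(now)) + int(ttl)
    nonce = secrets.token_hex(8)          # makes every token unique
    msg = f"{contact}|{expires}|{nonce}"
    mac = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    raw = f"{msg}|{mac}".encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def verify_link_token(token, contact, now=None, key=DEMO_KEY):
    """Check the MAC first (constant time), then the binding, then the expiry."""
    try:
        padded = token + "=" * (-len(token) % 4)
        raw = base64.urlsafe_b64decode(padded).decode()
        claimed, expires, nonce, mac = raw.rsplit("|", 3)
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return False                      # malformed or truncated token
    msg = f"{claimed}|{expires}|{nonce}"
    expected = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False                      # forged or tampered
    if claimed != contact:
        return False                      # issued for a different address
    return _now(now) < expires


class SmsChallenge:
    """Server-side record for a 6-digit one-time code sent by SMS.

    Only a keyed hash of the code is kept, so a leaked record cannot be
    brute-forced offline; online guessing is capped by MAX_ATTEMPTS and a
    code works exactly once."""
    MAX_ATTEMPTS = 5

    def __init__(self, phone, code, ttl, now, key):
        self.phone = phone
        self.expires = _now(now) + ttl
        self.attempts = 0
        self._key = key
        self._code_hash = self._hash(code)

    def _hash(self, code):
        return hmac.new(self._key, f"{self.phone}|{code}".encode(),
                        hashlib.sha256).digest()

    @classmethod
    def issue(cls, phone, ttl=300, now=None, key=DEMO_KEY):
        """Create a challenge and return it with the plaintext code to send."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        return cls(phone, code, ttl, now, key), code

    def check(self, phone, code, now=None):
        if self.attempts >= self.MAX_ATTEMPTS or _now(now) >= self.expires:
            return False                  # locked out or expired
        self.attempts += 1
        ok = phone == self.phone and hmac.compare_digest(
            self._hash(code), self._code_hash)
        if ok:
            self.attempts = self.MAX_ATTEMPTS   # single use: burn the code
        return ok
```

The link token carries its own expiry and address binding, so the endpoint that receives the click only needs the server key; the SMS code, being short enough to guess online, needs the server-side attempt counter and expiry instead. Both comparisons go through `hmac.compare_digest` so response timing does not leak how many characters matched.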

Decisions on the exemptions from registration to the data controller's registry include:

  • decision Number 2018/32 (only available in Turkish here);
  • decision Number 2018/68 (only available in Turkish here);
  • decision Number 2018/75 (only available in Turkish here);
  • decision Number 2018/87 (only available in Turkish here);
  • decision Number 2019/353 (only available in Turkish here);
  • decision Number 2020/315 (only available in Turkish here) please see section 5 for further information on this decision; and
  • decision Number 2018/88 on registration deadlines (only available in Turkish here).

Decisions on the registration deadlines include:

  • decision Number 2019/265 (only available in Turkish here);
  • decision Number 2019/387 (only available in Turkish here);
  • decision Number 2020/482 (only available in Turkish here); and
  • decision Number 2021/238 (only available in Turkish here).

The KVKK has also published the Board's summarised and anonymized decisions help to clarify legislation and practices in this developing area, giving some insight on how the Board will treat certain aspects of data processing, transfers, and security breaches. Notable points from the decisions include:

  • Decision Number 2020/481 on the right to be forgotten (only available in Turkish here): The Board stated that the search engines, operating based on the data collected from third party websites are data controllers, carrying out data processing activities. The Board evaluated the delisting requests of the data subjects from search engines as a subtitle of right to be forgotten. To consider such requests, a balance test between the data subject's fundamental rights and freedoms and public's interest for obtaining the information is required. The Board published a list consisting of 13 criteria, which may be used while making such balance test.
  • the Board ruled that notifying data subjects about a breach of personal data security 17 months after the breach exceeds the reasonable period, constituting a breach of data security (only available in Turkish here);
  • if other grounds of processing personal data exist, granting explicit consent of data subjects constitutes abuse of right, by the data controller and the explicit consent cannot be requested as a pre-condition for the services (only available in Turkish here);
  • the Board ruled that transferring personal data to courts which exceeds the requested amount violates the principle of data minimization (only available in Turkish here);
  • the Board warned data controllers which do not respond to data subjects who wish to exercise their rights within 30 days (only available in Turkish here);
  • the Board warned a company for processing personal data for purposes other than its legal obligations where the company kept personal data for ten years on the basis of its legal obligations (only available in Turkish here);
  • the Board sanctioned a data controller which sent a customer's personal data to another customer with the same name on the basis that the error indicates a lack of technical and administrative measures (only available in Turkish here);
  • the Board ruled that adding an employee's residential address to sample contracts which were sent to third parties without any legal basis is a violation (only available in Turkish here);
  • the Board refused a data subject's request to remove their name from a column in a journal, on the basis that freedom of press overrides their right to privacy (only available in Turkish here);
  • the Board sanctioned a data controller which obtained additional documents including personal data that are not necessary for the execution of the related transaction (only available in Turkish here);
  • the Board decided with its decision numbered 2019/122 to apply disciplinary procedures against a bank's employees who did not respond to the application made by the relevant person and ruled that such bank should change its privacy notice available on its official website in accordance with the Obligation to Inform Communiqué (only available in Turkish here).
  • the Board ruled with its decision numbered 2019/82 that a company's loyalty card is designed as a marketing tool and consequently seeking consent for processing of special categories personal data is not related, limited nor proportionate to the scope of the activities of data controller (only available in Turkish here);
  • the Board noted in its decision numbered 2018/90 that the data controller's obligation to inform and seek the data subject's explicit consent should be carried out separately (only available in Turkish here);
  • the Board noted in its decision numbered 2019/106 that unidentified person(s) shall not be determined as data controllers (only available in Turkish here);
  • the Board ruled with its decision numbered 2018/156 that applications made to the KVKK regarding issues falling under the jurisdiction of the judicial authorities shall not be considered within the scope of the Data Protection Law (only available in Turkish here);
  • the Board announced that Microsoft notified the Board on 8 May 2019 of a data breach that occurred in the company's systems. Microsoft stated that the ID information of a customer support manager working for one of its service providers had been obtained by third parties without authorisation. The company reported that this manager violated Microsoft's policy by sharing their account login information with 13 support representatives. As a result, third parties were able to partly access Microsoft users' e-mail accounts between 1 January 2019 and 28 March 2019 (only available in Turkish here);
  • the Board announced that Microsoft notified the Board on 29 January 2020 of a misconfiguration in its security systems that led to a breach resulting in the illegal disclosure of Microsoft customer records;
  • the Board has put forward two recent decisions, numbered 2019/81 and 2019/165, on biometric data (only available in Turkish here). The Board imposed administrative sanctions on two different data controllers, both operating fitness centers, for processing biometric data at the entrances and exits of their members. The Board found that the explicit consent obtained from members had been presented as a pre-condition for receiving the services; therefore, the explicit consent cannot be considered freely given and is invalid. In addition, the Board decided that the data controllers' practice of requiring their members to use fingerprints as the obligatory and only way of entering the fitness centers does not comply with the principle of proportionality, which requires minimization of the data collected to the extent possible. The Board also explicitly stated that obtaining explicit consent does not legalize the collection of excessive personal data, and that the collection must be proportionate to and limited by the purpose of processing;
  • the Board ruled, with its decision numbered 2019/296 (only available in Turkish here), that rejecting a data subject's access request because the application was not sent via a notary public or an electronically signed email imposes a pecuniary burden that is not foreseen in the Data Protection Law or the Application Communiqué. This prevents the data subject from making an appropriate application and constitutes a breach of the law and of the rules of honesty stipulated under Article 6 of the Application Communiqué;
  • the Board has put forward its opinion on the implementation of the right to access with its decision Number 2020/13 (only available in Turkish here);
  • the Board ruled with its decision Number 2020/173 (only available in Turkish here), that explicit consent cannot be incorporated into a general privacy notice and must be obtained before the transfer of personal data. Obtaining the consent of the data subject through an opt-in section is not enough to comply with the explicit consent requirements. The transfers carried out based on this approval are unlawful;
  • the Board highlighted the difference between a wet-ink signature and a biometric signature in its decision numbered 2020/649 (only available in Turkish here). Biometric signature solutions are not defined within the framework of a specific standard, have different functional features, and are not considered equivalent to a wet-ink signature. The provisions regarding signatures in the Turkish Code of Obligations No. 6098 ('Turkish Code of Obligations') regulate the classical signature and the electronic signature and do not cover the biometric signature. As the biometric signature falls within the scope of special categories of personal data, it can only be processed with the explicit consent of the data subject or if clearly prescribed by law. However, the provisions of the Turkish Code of Obligations do not fulfil the requirement of being 'clearly prescribed by the law';
  • the Board issued a decision numbered 2020/927 (only available in Turkish here) on a data subject's request to be excluded from search engine query results. The Board decided that the request is subject to evaluation by the trial court and does not fall within the scope of the Data Protection Law;
  • the Board decided with its decision numbered 2020/93 (only available in Turkish here) that there is no ground for deleting or modifying health data (including mental health data), since the data were processed by the Ministry, which fulfils the 'authorized institutions and establishments' requirement, for the purpose of 'protection of public health, preventive medicine, medical diagnosis, provision of health care services and treatment, planning, and management of health care services and their financing';
  • the Board ruled with its decision numbered 2020/508 (only available in Turkish here) that processing personal data which became public for a specific purpose, for that same purpose, does not breach the Data Protection Law. Since the personal data posted on the attorney search websites are processed for the same purpose as by the Turkish Bar Association, the processing of the personal data is not unlawful;
  • the Board decided with its decision numbered 2020/667 (only available in Turkish here) that, since obtaining special category personal data is necessary for the renewal of an insurance policy, the insurance company's request for its client's explicit consent to process their special category personal data is lawful;
  • the Board issued a decision, numbered 2020/710 (only available in Turkish here), on the processing of personal data during enforcement proceedings. As Article 89 of the Enforcement and Bankruptcy Law No. 2128 ('Enforcement and Bankruptcy Law') (only available in Turkish here) allows a secured creditor in an enforcement proceeding to pursue recovery against non-debtor third parties who may be in possession of the debtor's assets, processing the data of such non-debtor third parties does not violate the Data Protection Law;
  • the Board issued a decision, numbered 2020/212 (only available in Turkish here), on the practice of CCTV cameras with audio and video recording. The Board highlighted that each audio and video recording practice of a data controller shall be assessed on the basis of the principle of proportionality;
  • the Board evaluated the practice of trade registry offices and the principle of publicity of trade registry records with its decision numbered 2020/307 (only available in Turkish here). The documents recorded by the trade registry offices include personal data pertaining to real-person representatives. Therefore, the trade registry offices must provide the requested documents and/or information to third parties, provided that the sections including personal data are redacted. The Board noted that the trade registry offices are under a confidentiality obligation with regard to the personal data in their possession and are not the body authorized to provide civil registry information under the Civil Registry Services Law No. 5490 (only available in Turkish here);
  • the Board ruled with its decision numbered 2020/507 (only available in Turkish here) that the legal heirs of a deceased person are entitled to obtain records including personal data related to health;
  • the Board issued a decision, numbered 2020/504 (only available in Turkish here), regarding the request of an airline company's customer to obtain the audio records of a conversation between the customer and the call center. Since the audio records included personal data belonging to third parties in addition to the customer's own data, the airline company provided its customer with a redacted transcript of the conversation. The Board noted that the right to information involves the right to obtain the related data, unless doing so would violate third parties' rights. Where the data would violate third parties' rights, providing the content of the data, including all details pertaining to the data subject, in an alternative form such as a transcript is an acceptable way to satisfy the data subject's request;
  • the Board ruled that the purpose of a data breach notification is to create an opportunity to swiftly avoid or minimize the negative outcomes of the breach that might be borne by the data subjects. Therefore, in its decision numbered 2019/271 (only available in Turkish here), the Board determined the minimum requirements that should be included in a data breach notification.

The Board imposed fines on:

  • a hospital which could not provide an adequate level of protection for patients' personal data (only available in Turkish here);
  • a career platform which shared an applicant's personal data with other applicants without any legal basis (only available in Turkish here);
  • a company which shared an applicant's CV with the other group companies through a mutual electronic platform, without the applicant’s consent (only available in Turkish here);
  • a technical service provider company which could not take the necessary technical and administrative measures to protect its customers. The Board subsequently imposed a second fine on this company for not complying with the Board's previous decision (decision numbered 2019/52 is only available in Turkish here);
  • a social media platform (Facebook) which failed to prevent unlawful access to users' visual data. This data breach was caused by an 'API bug'; as a result, third-party applications were able to access user photos for 12 days. The total amount of the fine was TRY 1.65 million (approx. $16,040), in two parts: the Board first imposed TRY 1.1 million (approx. $40,700) on Facebook for failing to take the necessary technical and administrative measures in time, and secondly imposed TRY 550,000 (approx. $20,350) for not notifying the Board as soon as possible after detecting the API bug (decision numbered 2019/104 is only available in Turkish here);
  • three different companies operating in the transportation and lodging sectors: the Board imposed TRY 550,000 (approx. $20,350) on each of the transportation companies and TRY 1.45 million (approx. $53,640) on a hotel for failing to take the necessary administrative and technical measures and to inform the Board and data subjects about the data breach as soon as possible (decision numbered 2019/144 is only available in Turkish here);
  • an asset management company that sent text messages to a data subject multiple times regarding the same issue without obtaining the data subject's explicit consent (decision numbered 2019/159 is only available in Turkish here);
  • a data controller that sent commercial electronic communications without obtaining the data subject's explicit consent. The Board decided that sending commercial electronic communications to a data subject is a data processing activity and must comply with the data processing conditions stipulated under Article 5 of the Data Protection Law (decision numbered 2019/162 is only available in Turkish here);
  • a data controller, which received an administrative fine of TRY 50,000 (approx. $2,035) for failing to fulfil its obligation to prevent the illegal processing of personal data (decision numbered 2019/166 is only available in Turkish here);
  • a social media platform (Facebook) which failed to prevent unlawful access to users' data. This data breach was caused by the complex interaction of multiple bugs related to three different Facebook features. However, Facebook did not duly notify the Board of the breach as envisaged under the Data Protection Law. In this respect, the Board started an ex officio investigation into Facebook in accordance with Article 15(1) of the Data Protection Law. As a result of the investigation, the Board fined Facebook TRY 1.6 million (approx. $59,190) on the grounds that Facebook did not take the necessary technical and administrative measures to prevent possible data breaches and failed to notify the Board of the breach (decision numbered 2019/269 is only available in Turkish here);
  • a data controller that failed to ensure an adequate level of administrative and technical measures to protect personal data; the Board also imposed a second administrative fine because the data controller violated the obligation to inform the Board and data subjects about the data breach as soon as possible (decision numbered 2019/122 is only available in Turkish here);
  • an airline company that requested a copy of both sides of the data subject's identification card in response to the data subject's request to change the username and password of their loyalty membership, thereby processing the data subject's health and religion data (sensitive personal data) shown on the ID card without obtaining the data subject's explicit consent. The Board also decided that the data controller processed personal data in a manner non-compliant with the principle of being relevant to, limited to and proportionate to the purposes for which they are processed (decision numbered 2019/294 is only available in Turkish here);
  • a data controller that processed personal data made public by the data subject in a manner inconsistent with the purpose for which it was made public (decision numbered 2019/331 is only available in Turkish here);
  • a newspaper that disclosed special category personal data of the data subject in a column without obtaining their explicit consent. The Board decided that the special category personal data was disclosed in breach of the personal data processing conditions and imposed an administrative fine on the newspaper for failing to prevent the unlawful processing of personal data (decision numbered 2020/32 is only available in Turkish here);
  • a bank which did not take adequate administrative and technical measures, in line with its obligation to ensure the protection of personal data, during the delivery of a credit card, and did not make sufficient and reasonable efforts to keep the data subject's data up to date. The Board decided that the courier does not act as a data controller for the data contained in the envelope but does act as a data controller for data such as the sender's and receiver's name and surname, which it uses to provide its service (only available in Turkish here);
  • a gaming company which failed to ensure an adequate level of administrative and technical measures to run sufficient vulnerability testing. The unauthorised access was recorded in the company's log records; however, the company did not detect the potential breach risk from those records. Preventive technical measures were taken only after the breach of users' data, and no notification was made to the Board (decision numbered 2020/286 is only available in Turkish here);
  • a media company which published the legal notification on a rectification request without masking the sections including personal data (decision numbered 2020/145 is only available in Turkish here);
  • a car rental company which used credit card information, obtained during a previous rental transaction, for the payment of another rental transaction. The provisions of the customer agreements allowing the use of credit card information for any potential future transactions are deemed an unfair condition, and such provisions are not sufficient to comply with the explicit consent requirements (decision numbered 2020/166 is only available in Turkish here);
  • a private school which implemented the CAS Test (Cognitive Assessment System) to assess the planning skills and attention processes of its students without obtaining explicit consent from the data subjects' custodians. Since the results of the CAS Test include information on the students' mental assessment, which falls within the scope of special categories of personal data, the data controller must fulfil its obligation to inform and obtain the explicit consent of the data subject's custodian (decision numbered 2020/255 is only available in Turkish here);
  • a car rental company which obtained its customers' explicit consent as a pre-condition for its services (decision numbered 2020/335 is only available in Turkish here);
  • a company which implemented a fingerprint practice at its workplace. The Board decided that special category personal data was processed in breach of the personal data processing conditions and imposed an administrative fine on the company for failing to fulfil its obligation to inform and its obligation to obtain explicit consent (decision numbered 2020/404 is only available in Turkish here); and
  • a bank which contacted the sibling of its debtor regarding its receivables. The Board decided that personal data was processed in breach of the personal data processing conditions and imposed an administrative fine on the bank for failing to obtain explicit consent. Additionally, the Board did not impose an administrative fine on the bank's attorney, who contacted the debtor's sibling on behalf of the bank to collect its receivables, since the attorney made the phone call based on the contact details provided by the bank and ended the conversation after recognising that the contact person was not the bank's debtor (decision numbered 2021/115 is only available in Turkish here).

The Board imposed disciplinary action on:

  • a public university that made students' exam results accessible to third parties by publishing them on the internet. The Board stated that the examination results of students who took the examination years ago cannot remain accessible to third parties with no time limitation, and decided that the data controller did not respond in a timely manner to the Board's request for information and documents (decision numbered 2019/188 is only available in Turkish here).

Public Announcement on the Processing of Personal Data by Sending a Verification Code to Data Subjects via SMS during Shopping in Stores

On December 17, 2021, the Board published a public announcement (only available in Turkish here) regarding allegations that a verification code was sent to data subjects via SMS during cash register transactions in shopping stores, and that the cashier requested the said code on the grounds that it was necessary for completing the payment or updating the data subject's information. After the said transaction, however, commercial electronic messages from the stores in question were sent to the data subjects.

In its examination of the complaints and notices, the Board determined that the data controllers misled data subjects into giving explicit consent for commercial electronic messages: they provided no information on the content of the SMS or on why the verification code was sent during the payment transaction, or before the SMS was sent, and/or the cashiers requested the code claiming that it was necessary for completing the payment transaction or updating the information.

In this respect, the importance of the following matters was emphasized:

  • as a requirement of the layered approach, the purpose of the SMS sent to the data subject's phone, and the consequences of providing the code to the cashier, must be explained in a clear and understandable manner to the data subjects by the persons authorized by the data controller in the stores at the first stage, and the necessary channels must also be provided in the content of the SMS in order to fulfill the obligation to inform;
  • ending the practice of carrying out different processing activities, such as the membership agreement, permission to process personal data and commercial electronic message approval, by a single action – sending a verification code to the data subjects via SMS during the payment – and instead obtaining explicit consent separately by offering an option for each different processing activity;
  • avoiding situations in which obtaining explicit consent and fulfilling the obligation to inform are merged into a single act; and
  • if a practice of sending an SMS verification code is carried out in order to obtain explicit consent for sending commercial electronic messages, it is essential that the explicit consent received in the said transaction covers all elements of explicit consent.