EU - Turkey: Comparing privacy laws - GDPR v. LPPD

In this report, OneTrust DataGuidance and Esin Attorney Partnership provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Law on Protection of Personal Data (LPPD). 

The report, which was last updated in April 2023, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the LPPD with the GDPR.

You can access the latest version of the report here.

What is the LPPD?

The LPPD became the first general data protection law in Turkey and is largely based on the former European Data Protection Directive. The LPPD received Presidential approval on April 7, 2016, and outlines a similar framework to that of the GDPR.

Key highlights

The LPPD and the GDPR share some similarities, particularly with regard to their personal and material scope. Both laws:

  • have comparable definitions for concepts such as 'personal data,' 'sensitive data,' and 'processing;'
  • apply to the processing of personal data by automated means or non-automated means if the data forms part of a filing system;
  • set out similar responsibilities for supervisory authorities;
  • set out similar responsibilities for data controllers and data processors, including obligations relating to data breach notifications and data security; and
  • provide a 72-hour timeframe for a breach notification to the supervisory authority.

However, despite their similarities, the LPPD and the GDPR sometimes differ in their approach, in areas such as:

  • requirements for Data Protection Impact Assessments;
  • their extraterritorial scope and mechanisms for cross-border data transfers;
  • data controller registry requirements;
  • the appointment of data protection officers; and
  • maintaining a record of processing activities.