On April 7, 2016 the long awaited Law on Protection of Personal Data (“New Law”) was published in the Official Gazette. With this event, a new era started for all entities and individuals in Turkey which deal with personal data on a daily basis.
The New Law is mainly based on the principles in EU Directive 95/46 EC, however the increased standards of the General Data Protection Regulation (“GDPR”), which will be enforced in the EU from May 2018, are not reflected in the New Law. In that sense, although the New Law will be behind the European rules and regulations on data protection, this is a very important step as this is Turkey’s first specific data protection law.
One of the first questions that comes to one’s mind when a change occurs, such as the enactment of the New Law, is whether he or she will be affected by the change. If you are a data subject or if you or your company collects, store or processes personal data, the answer is yes, you will be directly affected. Further, since Turkey is a country with an ever-increasing technology penetration and with a large population of more than 75 million people, the effects of the New Law will be critical for all those 75 million data subjects and more importantly for companies which collect, process and transfer personal data.
With the New Law, a Data Protection Board (an independent decision making body) and Data Protection Authority (a body operating under the Prime Ministry) will be established to watch over data processing and transfer activities. Further, entities which control the ways and purposes for which personal data is processed will be deemed data controllers and shall have specific obligations such as the obligation to register with the data protection registry, obligation to inform the public and other security obligations.
Under the New Law, the main rule to collect and process personal data is to obtain explicit consent of the person whose data will be collected/processed (“data subject”). However, personal data can also be collected and processed without data subject’s consent if any of the conditions stated below exists;
If collection and processing is permitted by any specific law provision,
If data subject is under a circumstance that prevents him/her from providing consent (due to an actual impossibility or lack of legal capacity) and processing is necessary for protection of data subjects’ or third parties’ life or physical integrity,
If processing is necessary for forming or performance of a contract to which the data subject will be/is party,
If processing is mandatory for data controller to perform his/her legal duties,
If personal data has been made available to public by data subject himself/herself,
If processing is mandatory for assigning, using or protecting a right.
Further, the conditions above are also applicable for the transfer of personal data to third parties within Turkey.
On the other hand, for the transfer personal data out of Turkey, in addition to the conditions above, a) the country to which personal data will be sent must have sufficient protection or b) data controllers in Turkey and the third country must guarantee protection of personal data in writing , in which case the Data Protection Board will allow the transfer.
As the changes are drastic and will have wide range of effects, the New Law provides for certain adjustment periods. In light of that, certain articles which stipulate the rules for transfer of personal data, obligation to register with data protection registry and security obligations will enter into force on October 7, 2016. In addition to that, the New Law stipulates that consents which were obtained legally until the enactment of the New Law shall be deemed valid unless data subjects revoke their consent. The New Law also provides a 2 year period for all personal data, processed or collected before the enactment of the New Law to be brought in conformity with the New Law.
These adjustment periods should be used as efficiently as possible by companies as being non-compliant with the rules in the New Law will have serious consequences such as possible imprisonment for terms of up to 4 years and administrative fines of up to TRY 1.000.000 (approx. USD 265.000 as of 28.02.2018).