Data Protection & Privacy 2022

Last Updated March 10, 2022

Turkey

Law and Practice

Authors



YAZICIOGLU Legal is an Istanbul-based boutique technology law firm. The firm has a strong focus on legal matters related to technology, media, telecommunications and data protection/cybersecurity. It also has solid expertise in cross-border transactions, corporate and commercial matters, intellectual property, regulatory compliance, e-commerce, consumer protection and dispute resolution. Yazıcıoğlu Attorneys at Law has a dedicated team of 12 lawyers working on data protection and cybersecurity. The majority of the firm's workload consists of data protection-related matters. In particular, the firm is known for its successful representation of its clients in investigations and data breaches before the Turkish Data Protection Authority. It recently advised Zoom, Discovery and Acer on their registration with the Turkish Data Controllers Registry. Yazıcıoğlu Attorneys at Law is ranked in several legal directories on TMT.

Constitution of the Turkish Republic

The right to protection of personal data has been regulated under the Constitution of the Turkish Republic (“Constitution”) as an individual right since its amendment in 2010.

According to Article 20(3) of the Constitution, the right to protection of personal data includes the right to:

  • be informed about the processing of the personal data;
  • have access to personal data;
  • request rectification or deletion of the personal data; and
  • be informed about whether or not personal data is used in accordance with the appropriate purposes.

According to the same article, personal data may be processed only if the processing is allowed by the laws or the data subject gives their explicit consent. The article finally states that the procedures and principles of processing personal data must be regulated by the laws.

The Turkish Data Protection Law

Pursuant to Article 20(3) of the Constitution, Turkish law-makers enacted the Turkish Data Protection Law No 6698 (TDPL) to regulate the procedures and principles of processing personal data. The TDPL entered into force on 7 April 2016.

The TDPL is the first general law that specifically regulates the procedures and principles of processing personal data in Turkey.

Although the TDPL came into force only one month before the European Union General Data Protection Regulation (GDPR), the TDPL was drafted by taking into account EU Directive 95/46/EC. Currently, there are efforts to revise the TDPL in line with the GDPR. (Please see 1.8 Significant Pending Changes, Hot Topics and Issues.)

Important secondary regulations issued by the Personal Data Protection Authority (PDPA) include:

  • the By-Law on the Deletion, Destruction or Anonymization of Personal Data;
  • the By-Law on the Registry of Data Controllers;
  • the Communique on Principles and Procedures to Be Followed in Fulfilment of the Obligation to Inform;
  • the Communique on Principles and Procedures for the Request to Data Controller;
  • the Communique on Principles and Procedures for the Personnel Certification Mechanism.

The PDPA has also published several guidelines and recommendations on different aspects of the TDPL. The main topics of these guidelines and recommendations include:

  • the right to be forgotten;
  • processing of biometric data;
  • artificial intelligence (AI);
  • inventory of personal data processing;
  • fulfilment of the obligation to inform;
  • technical and organisational measures;
  • deletion, destruction or anonymisation of personal data;
  • the concepts of data controller and data processor.

In addition to these, the Personal Data Protection Board (PDPB), the decision-making body of the PDPA, adopts resolutions, which are published on the PDPA’s official website and/or in the Official Gazette.

The Turkish Criminal Law

Certain actions that violate the protection of personal data are defined as crimes in the Turkish Criminal Code (TCrC) (please see 2.5 Enforcement and Litigation).

The Turkish Civil Law

Personal data is generally considered part of personality under Turkish law; hence it is protected under the personality rights provisions of the Turkish Civil Code (TCiC).

Other

In addition to the above, there is sector-specific legislation on the processing of personal data in sectors such as telecommunications, banking, electronic payment and health.

The primary supervisory and regulatory authority in Turkey is the PDPA. It is an independent administrative institution with administrative and financial autonomy.

The PDPA has the power to regulate the data protection activities and protect the rights of data subjects.

The decision-making body of the PDPA is the Personal Data Protection Board (PDPB). The main duties and powers of the PDPB are as follows:

  • ensuring that personal data is processed in compliance with fundamental rights and freedoms;
  • conducting investigations upon the complaints of the data subjects or ex officio if it becomes aware of the alleged violation, and taking temporary measures, where necessary;
  • concluding the complaints of those who claim that their rights concerning personal data protection have been violated;
  • determining the adequate measures which are necessary for the processing of special categories of personal data;
  • maintaining the Registry of Data Controllers (Veri Sorumluları Sicil Bilgi Sistemi, VERBIS);
  • carrying out regulatory acts on matters concerning the duties, powers, responsibilities and data security obligations of the data controllers and their representatives;
  • imposing administrative sanctions that are provided in the TDPL;
  • determining and announcing the countries with adequate levels of protection of personal data for the purpose of international data transfers;
  • approving the written undertaking of data controllers in Turkey and the relevant foreign country that undertakes to provide adequate protection, when adequate protection is not provided, for the purpose of international data transfers.

The Ministry of Trade is also authorised to oversee marketing communication.

Apart from the above, sector-specific administrative institutions such as the Banking Regulation and Supervision Agency (BRSA), the Capital Markets Board (CMB), the Turkish Republic Central Bank (TRCB) and the Information and Communication Technologies Authority (ICTA) are entitled to regulate the processing of personal data in their respective sectors.

The PDPB’s investigations may be initiated based on a data subject’s complaint received by the PDPB, or ex officio if it becomes aware of the alleged violation.

The Course of an Investigation

The PDPB may request information and/or documents from data controllers in the course of its investigations. Data controllers must provide this information and/or relevant documents within 15 days, except where the information and documents constitute a state secret. The PDPB may request further information and/or documents during the course of investigation.

A data controller must enable on-site inspections if the PDPB considers it necessary.

Administrative Fines

If the PDPB identifies a violation of the TDPL, it can impose administrative fines, which may vary between TRY13,393 and TRY2,678,866, depending on the violation.

As per the Misdemeanours Law No 5326, when determining the amount of a fine, the PDPB must take into account the severity of the breach, the fault of the breaching party and its economic condition.

Administrative Orders

The PDPB may also order the data controller to bring processing activities in compliance with the TDPL.

The PDPA is also entitled to decide to cease certain data processing activities or personal data transfers abroad, if it finds that such data processing activities result in damages which are difficult or impossible to compensate for and, at the same time, the act would be clearly unlawful.

If the PDPB orders the data controller to bring its processing activities into compliance with the TDPL, the decision must be implemented without delay and at the latest within 30 days of the data controller’s receipt of the notification.

Where the PDPB considers that a violation is widespread, it may adopt a resolution on the matter and decide to publish that resolution on the PDPA's website. Before adopting the resolution, the PDPB may also, if deemed necessary, obtain the opinions of the relevant institutions and organisations.

Appeal of a Sanction

The data controller has the right to appeal against the PDPB’s decisions.

If the PDPB’s decision includes only an administrative fine, the data controller may object to the PDPB's decision regarding the administrative fine before the Magistrate Criminal Court within 15 days from receipt of the decision. The decisions of the Magistrate Criminal Court can be appealed to another Magistrate Criminal Court in the same district.

Where the PDPB’s decision includes an administrative order, with or without an administrative fine, the data controller can object to the decision before the administrative courts, whose decisions can be appealed to the Council of State.

Even though Turkey does not belong to any multinational system such as the European Union or the European Economic Area, the European system has a highly noticeable effect on the TDPL practice.

Firstly, Turkey was one of the first countries to become a member of the Council of Europe and sign Convention No 108. Although Turkey signed the Convention on 28 January 1981, it did not ratify the Convention until 17 March 2016, shortly before Turkey’s adoption of the TDPL. On the other hand, Turkey has not yet signed the Modernized Convention (also known as Convention 108+).

As a candidate member state of the EU, Turkey aims to align its national legislation with the EU acquis and follows the European legislation regime regarding data protection. The TDPL is mostly influenced by the EU Directive 95/46/EC.

Currently, amending the TDPL to harmonise it with the GDPR is on Turkey’s agenda.

The PDPA has been one of the accredited members of the European Conference of Data Protection Authorities since May 2019.

Although their number is relatively small, there are associations that are established mainly by legal professionals to raise awareness about the TDPL among the public and to make data subjects more conscious about their rights.

Certain industry-specific organisations and chambers of commerce/industry have created working groups to assist their members to comply with the TDPL.

The PDPA has started to obtain opinions from these NGOs in the course of drafting legislation.

As the TDPL was enacted only six years ago, Turkey’s data protection practice can be considered as a developing practice. However, considering the level achieved nearly from scratch, it is fair to say that Turkey has made significant progress so far.

Turkey follows the EU omnibus model. The TDPL draws a framework for the PDPA and data controllers by providing a general perspective of the obligations and principles that must be observed in data processing activities. The PDPA steers data processing practice by issuing secondary legislation and publishing guidelines and/or the PDPB’s resolutions.

The PDPA seeks to take a proportionate approach to enforcement, prioritising cases where there is a significant risk of harm to individuals. Although the amounts of the administrative fines set forth in the TDPL are considerably lower than those set forth in the GDPR, the PDPA’s tendency for enforcement is relatively higher, in particular on data breaches, when compared to its European counterparts.

Key developments in Turkey in the past 12 months are as follows:

  • publication of the draft Guideline on Practices of Cookies for public consultation;
  • publication of the second Q&A publication of the PDPA on certain unclear issues or wrong practices;
  • publication of the Communique on Principles and Procedures of the Mechanism about Personnel Certification (see also 2.1 Omnibus Laws and General Requirements);
  • publication of the PDPA’s opinion on the right to be forgotten (consideration of the right to be forgotten in the context of search engines);
  • publication of the Guideline on Issues to Take into Account While Processing Biometric Data (“Guideline on Biometric Data”);
  • publication of the recommendations of PDPA on Personal Data Protection in the Area of Artificial Intelligence (“Recommendations on AI”);
  • expiration of the deadline for the obligation to register with VERBIS on 31 December 2021, after a number of time-extensions of the deadline had been previously announced by the PDPB;
  • announcement of the PDPB’s violation decision against WhatsApp (see also 5.3 Significant Privacy and Data Protection Regulatory Enforcement or Litigation);
  • announcements of the PDPA on issues related to the COVID-19 outbreak;
  • announcement of the PDPA regarding the procedure of complaints;
  • the PDPB’s recent resolution that defines the concept and criteria of joint controllership for the first time.

Personal Data Transfer Abroad and Amendments to the TDPL

Personal data transfer abroad has been the most problematic and controversial issue under the TDPL since its enactment (see also 4.2 Mechanisms or Derogations that Apply to International Data Transfers).

According to the Economic Reform Action Plan by the Ministry of Treasury and Finance of the Republic of Turkey ("Action Plan"), which was announced on 12 March 2021, the TDPL is under review to have its provision on data transfer abroad (Article 9) be amended in line with the GDPR. The targeted date for this amendment to enter into force is 31 March 2022.

However, the scope of the revisions may be broader as per the 2019–23 Development Plan, dated July 2019, and the Human Rights Action Plan, dated April 2021. According to the Human Rights Action Plan, the TDPL will be harmonised with the European Union standards in a year.

In line with the above, a comprehensive amendment to the TDPL, which will harmonise it with the GDPR, is expected to enter into force in 2022.

Cookies

The Draft Guideline on Practices of Cookies was published by the PDPA on 11 January 2022. In this guideline, the PDPA clarifies the definition of cookies, the scope of cookies, and the conditions for processing personal data by means of cookies within the scope of the TDPL. The draft guideline was open to public consultation until 11 February 2022.

Disinformation

There is no special regulation on disinformation, deepfakes, or other online harms, “dark patterns” or online manipulation, but disinformation on digital platforms seems to be on the agenda of the Turkish Parliament's Digital Platforms Commission. In any case, unlawful processing of personal data may be subject to the civil or criminal law regulations of Turkish law.

Territorial Applicability

Unlike the GDPR, the TDPL is silent on the subject of territorial scope. As a general rule on the territoriality principle, the TDPL applies to data controllers and data processors established in Turkey.

The PDPA has not yet set criteria for determining the TDPL’s extra-territorial scope. On the other hand, it can be understood from the PDPB’s decisions that it takes the view that the TDPL applies when the data processing activities concerned are carried out in, or have consequences in, Turkey.

Obligation to Register with VERBIS (Data Controllers Registry)

Data controllers who meet certain criteria set by the TDPL are obliged to register with VERBIS. Those who are obliged to register with VERBIS are as follows:

  • data controllers who are established in Turkey and have equal to or more than 50 employees, or whose total annual financial balance sheet is equal to or more than TRY25 million;
  • data controllers who are established in Turkey and have less than 50 employees and an annual financial balance of less than TRY25 million, but whose main activity is processing special categories of personal data; and
  • data controllers that are based outside of Turkey.

In order to register with VERBIS, data controllers based outside of Turkey are required to appoint a representative to represent them before the PDPA and data subjects. The representative may be either a Turkish citizen or a legal person in Turkey.

Those obliged to register with VERBIS should also appoint a “contact person”, who may only be a natural person in Turkey and is mainly responsible for submitting certain information to VERBIS and facilitating the communication between the PDPA and data controllers.

Data Protection Principles

The general principles which must be followed in all data processing activities are set out under Article 4 of the TDPL, and are as follows:

  • lawfulness and fairness;
  • being accurate and kept up to date where necessary;
  • being processed for specified, explicit and legitimate purposes (purpose limitation);
  • being relevant, limited and proportionate to the purposes for which they are processed (data minimisation);
  • being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed (storage limitation).

Lawful Basis for Processing of Personal Data

In order to ensure that the data processing is lawful, data controllers must satisfy one of the following legal bases (provided by Article 5 of the TDPL):

  • explicit consent of the data subject is obtained;
  • it is expressly provided for by the laws;
  • it is necessary for the protection of the life or physical integrity of the person themself, or of any other person who is unable to express their consent due to physical disability or whose consent is not deemed legally valid;
  • processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract;
  • it is necessary for compliance with a legal obligation to which the data controller is subject;
  • personal data have been made public by the data subject themself;
  • data processing is necessary for the establishment, exercise or protection of any right;
  • processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Lawful Basis for Processing of Special Categories of Personal Data

For this purpose, please see 2.2 Sectoral and Special Issues.

Privacy Impact Analyses

Data protection impact assessment is not specifically regulated in the TDPL, but it may be considered as a technical and organisational measure that the data controllers should take.

Application of “Privacy by Design” or “Privacy by Default” Concepts

The TDPL does not include the concepts of “privacy by design” or “privacy by default”. However, data controllers may be required to apply “privacy by design” and/or “privacy by default” concepts to be compliant with the TDPL, particularly the general principles and data processing conditions it sets forth.

Internal or External Privacy Policies

Data controllers must provide privacy notices to data subjects. Such privacy notice must at least include:

  • the identity of the data controller and its representative, if any;
  • the purpose(s) of the processing of personal data;
  • to whom, and for which purposes, the processed personal data may be transferred;
  • the method and legal basis of the collection of personal data;
  • the rights of data subjects.

Moreover, the PDPA expects that data categories, purposes and legal bases are matched in privacy notices.

Data controllers, who are obliged to register with VERBIS, are also obliged to:

  • maintain a data processing inventory; and
  • adopt a Personal Data Retention and Destruction Policy, the details of which are set forth under the By-Law on the Deletion, Destruction or Anonymization of Personal Data.

Further, as per the PDPB’s decisions, data controllers are also required to maintain:

  • procedures on responding to data breaches; and
  • a specific privacy policy for processing of special categories of data.

Apart from the above, data controllers are not directly obliged to adopt internal or external privacy policies. However, the PDPB considers having internal and external privacy policies on data protection and cybersecurity to be one of the technical and organisational measures that data controllers should take. Thus, it is recommended to adopt internal and external privacy policies.

Anonymisation, De-identification and Pseudonymisation

The TDPL obliges data controllers to erase, destroy or anonymise the personal data, ex officio or upon the request of the data subject(s), in the event that the purposes for the processing no longer exist.

The TDPL and the By-Law on the Deletion, Destruction or Anonymization of Personal Data define the concept of anonymisation as a technique that is used to ensure that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

A reference to de-identification is made only in the By-Law on Processing of Personal Health Data (“By-Law on Health Data”), which is issued by the Ministry of Health. This by-law requires data controllers who process health data to apply partial de-identification or masking measures to health data, such as medical diagnoses and examinations, in printed materials, as well as other measures that make it difficult to identify the data subject in the event of access by unauthorised persons.

Pseudonymisation is not specifically referred to in any of the legislation, but the PDPA regards pseudonymisation as one of the technical and organisational measures that data controllers must take.

Injury or Harm

There is no requirement under the TDPL to prove any “harm” or “injury” in order to be held responsible by the PDPA for non-compliance with the TDPL from an administrative law or criminal law perspective.

On the other hand, in order for a data subject to seek compensation from a data controller (or data processor) due to its non-compliance with the TDPL, the data subject must prove that they have been harmed or injured (please see 2.5 Enforcement and Litigation).

Data Breach Notification Process

Unlike the GDPR, pursuant to the TDPL, data controllers are obliged to notify the PDPB of all data breaches, regardless of whether or not there is a risk to the rights and freedoms of natural persons.

The notification must be made to the PDPA within 72 hours of the data controller becoming aware of the incident, and within the shortest time possible to the data subjects who are affected by the breach.

Rules on Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis, AI, Algorithms

According to the TDPL, “the data subject has the right to object to the occurrence of a result against themself by analysing the data processed solely through automated systems”. This right may be at stake in cases of big data analytics, automated decision-making, profiling or microtargeting, artificial intelligence (including machine learning) and autonomous decision-making (including autonomous vehicles). However, the scope of application of this provision has not yet been clarified by the PDPB.

Apart from the above provision, there are no specific regulations about profiling, automated decision-making, online monitoring or tracking, big data analysis, artificial intelligence or algorithms. Therefore, the general rules would apply.

Data Protection Officers (DPOs)

Unlike the GDPR, there is no requirement to appoint a DPO for any data controller, in the public or private sectors. Neither the representative nor the contact person may be considered to have the same role as the DPO in the GDPR.

The PDPA published the Communique on Principles and Procedures of the Mechanism About Personnel Certification on 6 December 2021. Even though the concept of DPO defined in this Communique seems similar to the concept of the GDPR’s DPO, the next day (7 December 2021) the PDPA published an announcement which emphasised that the DPO in the Communique has a different role. According to the PDPA’s announcement, the job description of a DPO has not been formalised yet.

Further to this, at the beginning of February 2022, the Union of Turkish Bar Associations and several other bars announced that they requested the annulment and a suspension of execution of the said Communique from the competent court on the ground that, according to the Attorneys Act, only lawyers can advise on Turkish law. The approach of the court remains to be seen. There has been no development announced to the public at the time of writing.

Special Categories of Personal Data

According to the TDPL, special categories of personal data are as follows:

  • racial or ethnic origin;
  • political opinions;
  • philosophical, religious, sect or other beliefs;
  • clothing and attire;
  • association, foundation or trade union membership;
  • health and sexual life;
  • criminal convictions and security measures on individuals; and
  • biometric and genetic data.

Special categories of personal data may be processed if the data subject's explicit consent is obtained.

Except for data on health and sexual life, special categories of personal data may only be processed without the data subject's explicit consent in the cases provided by laws.

Data on health and sexual life may be processed by persons subject to a confidentiality obligation (eg, doctors) or by competent public institutions and organisations (eg, hospitals, the social security institution) for the following purposes:

  • protection of public health;
  • operation of preventive medicine;
  • medical diagnosis;
  • treatment and care services;
  • planning and management of health services;
  • financing of healthcare services.

In 2018, the PDPB issued a resolution on the additional technical and organisational measures to be taken by data controllers to ensure that an adequate level of protection is provided while the special categories of data are being processed, such as adopting a separate processing policy and implementing two-factor authentication for remote access to data.

In 2021, the PDPB published a guideline on biometric data. The guideline provides a definition of biometric data, sets out the general principles that need to be respected, and lists technical and organisational measures in addition to those mentioned above.

Problems with Processing Health Data

The above-mentioned limited legal basis for the processing of health data causes data controllers to face some challenges, particularly in an employment context.

In certain situations, such as absence due to sickness, occupational sickness or workplace accidents, employers need to process the health data of employees in the course of the employment relationship. In fact, the Occupational Health and Safety Law No 6331 requires employers to do so. However, due to the limited legal bases for processing health data under the TDPL, employers can process health data only (i) via an occupational doctor, which is not always a viable option in practice, or (ii) by obtaining explicit consent from their employees. However, relying on employees' explicit consent creates a significant problem for a data processing activity that a data controller is required to carry out, considering that explicit consent must be freely given and can be withdrawn at any time.

Employment Data

There is no detailed legislation in Turkey except Article 419 of the Turkish Code of Obligations (TCO), Article 75 of the Turkish Labour Law and Article 15(5) of Occupational Health and Safety Law, which draw the framework for employers to process their employees’ personal data (see also 2.4 Workplace Privacy). Thus, the general rules apply to personal data processing in the employment context.

Children’s Data

Unlike the GDPR, there is no special provision in the TDPL on the collection and/or processing of minors’ personal data. Only the By-Law on Health Data sets forth the parents’ right of access to their child’s health data.

However, the PDPB stated in a recent resolution that personal data is strictly considered as an element of personal rights. In this decision it is stated that a minor who has a power of discernment, as well as the legal representative of the minor, should be able to exercise data protection rights according to the TCiC. However, apart from this decision, there is no established jurisprudence or application on this matter.

Due to the lack of concrete legislation, the question as to whether minors may give consent for the processing of personal data without obtaining their legal representative's approval – and, if so, which age group is considered to have the power to give consent by themselves from a data protection standpoint – is not clear under Turkish data protection practice.

Confidential Customer Data in the Banking Sector

Except as otherwise stipulated by the laws, personal data specific to banking relationships are also considered customer secrets under Article 73 of the Banking Law. This information cannot be disclosed or transferred to third parties, whether in Turkey or abroad, without a request or explicit instruction from the customer to do so, even if the customer’s explicit consent to transfer personal data to a third party has been obtained as per the TDPL. This provision is highly criticised in Turkish data protection practice.

Based on its assessment of economic security, the BRSA is authorised (i) to ban the disclosure or transfer abroad of any kind of data, including customer secrets or bank secrets, to third parties, and (ii) to order banks to keep the information systems and back-ups that are used in carrying out their activities in Turkey (obligation of data localisation).

Internet, Streaming and Video Issues

The Law on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication No 5651 (“Internet Law”) imposes certain obligations on hosting providers, content providers, social media providers and access providers, such as data retention requirements and the removal of unlawful content.

Voice Telephony and Text Messaging and Content of Electronic Communications

Personal data processed in the telecommunications sector is subject to the By-law on Processing of Personal Data and Protection of Confidentiality in the Electronic Communication Sector. The provisions of this by-law are in line with the TDPL; however, the by-law includes more specific provisions on traffic data and location data.

Voice communications and text messages are protected under the fundamental right to privacy (Article 20) and the freedom of communication (Article 22) of the Constitution. Certain types of crimes are defined in the TCrC to protect communication secrecy and private life. Intervention in private communication is allowed only under specific and very limited circumstances, and only by a judge's decision (or a public prosecutor's decision in cases of peril in delay) (see also 3.1 Laws and Standards for Access to Data for Serious Crimes).

Cookies and Other Similar Technologies

Electronic Communication Law No 5809 includes a provision on cookies. However, such provision is only applicable to electronic communication service providers.

There is no specific provision on cookies under the TDPL. The PDPA has drafted a guideline on cookies, which was open for public consultation until 11 February 2022 (see also 1.8 Significant Pending Changes, Hot Topics and Issues).

There is no specific regulation regarding browsing data, viewing data, beacons, tracking technology, behavioural or targeted advertising, social media, search engines, large online platforms and intermediary liability for user-generated content. Thus, the data processing activities that deal with this kind of data or technologies are subject to the general provisions of the TDPL.

Addressing Hate, Discrimination and Deepfake

According to the Constitution and TCrC, everyone – regardless of their language, race, nationality, skin colour, gender, political opinion, philosophical belief, religion or sect, etc – is equal before the law.

The TCrC criminalises and sets forth imprisonment for certain acts which aim to incite hate and/or discrimination between persons based on language, race, nationality, skin colour, gender, disability, political opinion, philosophical belief, religion or sect, etc.

Moreover, the TCrC criminalises and sets forth imprisonment for preventing someone from disposing property, receiving services, being recruited for a job, or undertaking an ordinary economic activity on the ground of hatred based on differences of language, race, nationality, colour, gender, etc.

There is no specific regulation regarding deepfakes. Where a deepfake is used to commit a crime, it is punishable according to the crime committed. In addition, the input data used to generate a deepfake, such as a person's voice or image, falls within personality rights and is classified as personal data. Hence, the general provisions covering personality rights and personal data also apply in these cases.

Data Subject’s Rights

According to Article 11 of the TDPL, data subjects’ rights are as follows:

  • learning whether their personal data is processed or not;
  • requesting information if their personal data has been processed;
  • learning the purpose(s) of the processing of their personal data and whether such personal data is used in compliance with that purpose or not;
  • finding out the third parties to whom their personal data is transferred, in-country or abroad;
  • requesting rectification of any incomplete or inaccurate data;
  • requesting erasure or destruction of their personal data under the conditions referred to in Article 7 of the TDPL;
  • requesting that such rectification, erasure or destruction be notified to the third parties to whom their personal data has been transferred;
  • objecting to the occurrence of a result against themselves produced by analysing the data processed solely through automated systems; and
  • claiming compensation for damage arising from the unlawful processing of their personal data.

Unlike the GDPR, a data portability right is not set forth in the TDPL.

Right to Be Forgotten

Currently, no specific legislation in Turkey regulates the “right to be forgotten”. However, the Turkish Constitutional Court has accepted in its decisions that data subjects have a right to be forgotten. The PDPA has also published an opinion on the right to be forgotten (see 1.1 Laws and 1.7 Key Developments) and a publicly announced decision setting out the criteria for exercising that right.

A 2020 amendment to the Internet Law includes a provision to ease the use of the right to be forgotten by specifically obliging search engines to delist the links from the search results upon a court order.

Online marketing is governed by the Law on Regulation of Electronic Commerce No 6563 (“E-Commerce Law”), the By-Law on Commercial Communication and Commercial Electronic Messages (“By-Law on Commercial Communication”) as well as the TDPL.

According to the E-Commerce Law and the By-law on Commercial Communication, the recipient's prior explicit consent must be obtained to make calls or send SMS or emails for marketing purposes (marketing communication).

However, it is permissible to make a marketing communication without prior consent in the business-to-business (B2B) model, unless the receiver opts out.

The contents of a marketing communication must include certain information, such as the title and Centralised Registration Number (Merkezi Sicil Kayıt Sistemi, MERSIS) of the sender, as well as an option to opt out.

The Ministry of Trade has authorised a joint stock company, incorporated by the Union of Turkish Chambers and Commodity Exchanges, to establish a centralised system called the Message Management System (MMS). The MMS was introduced by way of an amendment to the By-Law on Commercial Communication on 4 January 2020.

The MMS is an online platform where recipients can manage their consents to receiving marketing communications and their withdrawals of consent (ie, opt-outs). All senders of marketing communications must register with the MMS and upload the relevant consent and withdrawal information. Any consent or withdrawal received by the sender must be uploaded to the MMS within three business days of its receipt.

The Ministry of Trade has published an announcement that companies outside of Turkey must also register with the MMS to send marketing communications to receivers in Turkey, although this is not specifically regulated in the applicable legislation.

There are no specific provisions on behavioural and targeted advertising under Turkish law. Therefore, the relevant processing activities are subject to the general provisions of the TDPL. Based on the PDPB’s approach to this matter, it may be argued that the prior consent of the data subjects must be obtained in order to carry out behavioural or targeted advertising.

Privacy in the workplace is not specifically regulated in Turkish law, but workplace privacy can be considered within the scope of the TDPL.

On the other hand, there are provisions regarding this matter in various laws, for example:

  • pursuant to Article 419 of the TCO, an employer may use the personal data of an employee only to the extent necessary for assessing the employee's suitability for the job or for the performance of the employment contract;
  • pursuant to Article 75 of the Turkish Labour Law, an employer is obliged to use the information obtained about their employee in accordance with the rules of good faith and law, and not to disclose any information that the employee has a justified interest in keeping confidential;
  • pursuant to Article 15(5) of the Occupational Health and Safety Law No 6331, health data must be kept confidential in order to protect the private life and reputation of the employee who has undergone a medical examination.

Monitoring Workplace Communications

According to the decisions of the Constitutional Court, an employer is entitled to monitor the work computers, work mobile phones and other electronic devices, which it provides to its employees, provided that it fulfils the following conditions: 

  • employees should be informed in advance that their correspondence and activities on electronic devices may be monitored, with the purposes and legal basis of the monitoring clearly stated (eg, by way of a privacy notice addressed to the employees);
  • there should be a legitimate purpose for accessing/monitoring the devices (eg, a compliance investigation based on a reasonable doubt); and
  • access/monitoring should be proportional to the legitimate purpose (eg, if it is clear from the subject of the email/file that it is a personal email/file, then it should not be opened and reviewed).

The principles above also apply to the deployment of cybersecurity tools and insider threat detection and prevention programmes.

Processing Special Categories of Personal Data

As a general principle for processing special categories of employees' personal data, the explicit consent of employees must be obtained unless a justifying ground is provided by laws; see 2.2 Sectoral and Special Issues.

The PDPB has decided that the processing of employees’ biometric data for security purposes breaches the data minimisation (proportionality) principle. However, a case-by-case analysis under that principle is necessary; for instance, where a high level of security is required because of the nature of the data being protected, processing the biometric data of the relevant employees might not violate the data minimisation (proportionality) principle.

Regulators

Under the TDPL, the PDPB has extensive enforcement powers, as described in 1.3 Administration and Enforcement Process. The PDPB may be considered to have a higher tendency for imposing administrative fines compared to its EU counterparts, in particular for data breaches.

So far, the PDPB has investigated and fined several national and international companies, including Marriott International Inc, Facebook, Amazon Turkey and WhatsApp.

There are four types of violations set forth in the TDPL; the amounts of the administrative fines for these violations are adjusted each year. The amounts of the administrative fines applicable in 2022 are as follows:

  • failure to inform data subjects on processing activities may be subject to an administrative fine of TRY13,393 to TRY267,886;
  • failure to take the necessary technical and organisational measures (interpreted very broadly, including unlawful data transfer abroad, breach of fundamental principles) may be subject to an administrative fine of TRY40,183 to TRY2,678,866;
  • failure to comply with the decisions issued by the PDPB may be subject to an administrative fine of TRY66,972 to TRY2,678,866;
  • failure to comply with the obligation to register with VERBIS and not submitting information to VERBIS may be subject to an administrative fine of TRY53,576 to TRY2,678,866.

As per the Misdemeanours Law No 5326, when determining the amount of a fine the PDPB must take into account the severity of the breach, the fault of the breaching party and its economic condition.

The highest fine issued by the PDPB so far is TRY1.95 million, which was issued to WhatsApp.

The PDPA is also entitled to order the cessation of certain data processing activities or personal data transfers abroad if it finds that such processing would result in damage that is difficult or impossible to compensate for and, at the same time, the act would be clearly unlawful.

Criminal Sanctions

There are also criminal sanctions that are regulated under TCrC, as follows:

  • unlawful recording of personal data is subject to imprisonment of one to three years;
  • unlawful transfer, publication or acquisition of personal data is subject to imprisonment of two to four years – if these are realised by exploiting the advantages of a profession or art, such actions are subject to imprisonment of three to six years; and
  • failure to destroy personal data after the retention period set forth in the law has been passed is subject to imprisonment of two to six years.

The investigation may commence without the need for any complaint – ie, ex officio by public prosecutors. However, there is no established jurisprudence on how criminal sanctions will be applied in harmony with the TDPL.

Private Litigation

The right to seek compensation is expressly stated as one of the data subject rights under the TDPL.

Moreover, data subjects can seek compensation and ask the court to prevent a threatened infringement, to cease an existing infringement, or to declare that an infringement is unlawful, as per Articles 24–26 of the TCiC and Article 49 of the TCO.

From a civil law perspective, the data controller is jointly liable with the data processor for the technical and organisational measures that the data processor is required to take.

There is no class action concept under the Turkish legal system.

The following activities are among those excluded from TDPL coverage:

  • processing of personal data by judicial authorities or execution authorities with regard to the investigation, prosecution, judicial or execution proceedings; and
  • processing of personal data by public institutions and organisations duly authorised and assigned by law with regard to maintaining national defence, national security, public security, public order or economic security within the scope of preventive, protective and intelligence activities.

The Turkish Law of Criminal Procedure (TLCP) is the primary source with respect to law enforcement’s access to data for investigation of serious crimes.

Other relevant laws are as follows:

  • the Law on Police Duty and Authority;
  • the Law on Gendarmerie Organisation Duty and Authority; and
  • the Law on Governmental Intelligence Services and National Intelligence Agency.

Law enforcement authorities may request information on personal data for the investigation of criminal offences.

However, in certain situations, an independent judicial decision is necessary for public prosecutors and law enforcement officers to interfere with personal data by actions such as accessing, collecting or duplicating personal data from IT systems, or the interception of communications.

The exception to this principle is the case of peril in delay. In such a case, the public prosecutor or law enforcement officer may access personal data on the order of the public prosecutor, which must be approved by a court afterwards.

It should be noted that, even though the TDPL does not cover these activities, Article 20(3) of the Constitution is still applicable.

Very similar rules to those discussed in 3.1 Laws and Standards for Access to Data for Serious Crimes apply in the field of national security. In these cases, the authorities can demand information if it is necessary for the prevention of imminent threats.

The National Intelligence Agency is authorised to request any information within its powers and duties, including any personal data. Those who fulfil these requests cannot be held legally or criminally liable.

The provisions of the TDPL do not provide a clear legitimate basis for the invocation of a foreign government's request for collecting or transferring data. However, since the fulfilment of a foreign government's request may lead to data transfer abroad, the rules on data transfer abroad set forth in the TDPL must be complied with (see also 4.2 Mechanisms or Derogations that Apply to International Data Transfers).

On the other hand, Turkey is a signatory to many bilateral and multilateral agreements that aim to promote co-operation between states, especially on judicial co-operation and extradition requests. Personal data processing activities arising from these obligations are not exempted from the scope of the TDPL, and public institutions are also obliged to comply with the TDPL (please see 2.1 Omnibus Laws and General Requirements, 2.2 Sectoral and Special Issues and 4.2 Mechanisms or Derogations that Apply to International Data Transfers).

Turkey does not participate in a CLOUD Act agreement with the USA.

One of the key privacy issues is the inadequate and uncertain regulation of governmental access to data. Although the TDPL applies to the data processing activities of governmental bodies, the exceptions set forth in the TDPL are very broad. The TDPL is criticised for the breadth of these exceptions, because they lead to the TDPL being applied in a diluted form within governmental bodies, which does not facilitate accurate implementation.

Indeed, especially compared to the GDPR, many issues are completely left out of the scope of the TDPL. This is criticised under Turkish data protection practice.

International transfer of personal data is subject to the TDPL.

Data transfer abroad is restricted unless:

  • explicit consent of the data subject is obtained;
  • the importing country provides an adequate level of data protection; or
  • regulatory approval of PDPB is obtained.

Please see 4.2 Mechanisms or Derogations that Apply to International Data Transfers.

The TDPL also states that provisions on data transfer abroad in other laws are reserved. 

On the other hand, sector-specific regulations may impose further restrictions regarding data transfer abroad (see also 4.4 Data Localisation Requirements).

According to TDPL, the transfer of personal data abroad is permissible if the data subject’s explicit consent is obtained for such transfer.

In the event that the exporter relies on any legal basis other than explicit consent (the legal bases set forth under Article 5(2) and Article 6(3)), the following applies:

  • The foreign country to which the personal data will be transferred must have an adequate level of protection for personal data. These countries will be determined and announced by the PDPB (ie, the “White List”).
  • Where there is no adequate level of protection, the exporting data controller in Turkey and the data importer abroad must execute a standard form written undertaking committing to provide an adequate level of protection, similar to the Standard Contractual Clauses in GDPR practice (ie, an “undertaking”). The undertaking must then be submitted to the PDPB, and the PDPB's approval must be obtained for the relevant data transfer.
  • If data transfer abroad is only within multinational group companies, a data exporter located in Turkey may obtain approval from the PDPB for binding corporate rules (BCR).

The PDPB has not yet announced any White List; hence no country or region, including the EU and the USA, is currently considered to have an adequate level of protection as per the TDPL.

As a White List has not yet been announced by the PDPB, only three practical options remain for data controllers to transfer data abroad:

  • obtaining explicit consent from data subjects;
  • obtaining a regulatory approval based on undertaking; or
  • obtaining a regulatory approval based on BCR.

On the other hand, the PDPB states in its several decisions that “provision of a service cannot be made conditional upon a consent”. This principle is based on the argument that if the provision of a service is made conditional upon obtaining a consent for data processing (including transfer), such consent is deemed to be not freely given. Therefore, any consent which is not freely given may be regarded as invalid by the PDPB. Moreover, a consent may always be withdrawn by the data subject. Hence, obtaining consent for data transfer abroad may not be a very reliable basis.

Although obtaining valid explicit consent has its own challenges, obtaining regulatory approval from the PDPB is just as challenging. Only five data controllers have managed to obtain a regulatory approval by executing an undertaking with the importers since the enactment of the TDPL.

As mentioned in 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations that Apply to International Data Transfers, undertaking and BCRs require the PDPB’s approval.

On the other hand, as per Article 9(5) of the TDPL, without prejudice to the provisions of international agreements, in cases where the interest of Turkey or the data subject shall be seriously harmed, personal data may only be transferred abroad upon permission of the PDPB. The PDPB must obtain the opinions of relevant public institutions and organisations before it grants its permission.

It should be noted that sector-specific regulations may require further notifications or approvals regarding data transfer abroad (see also 2.2 Sectoral and Special Issues).

Even though there is no data localisation requirement in the TDPL, certain sector-specific regulations in Turkey do impose one.

Banking and Finance Entities

The following entities must keep their primary and secondary information systems in Turkey:

  • banks;
  • payment institutions and electronic money institutions;
  • insurance and private pension companies (except for services such as email, teleconference or videoconference);
  • certain public companies, as well as certain capital markets institutions; and
  • financial lease, factoring and finance companies.

Electronic Communication Providers

In principle, electronic communication providers cannot transfer traffic data and location data abroad due to national security reasons. However, in certain cases, such data may be transferred abroad by obtaining the explicit consent of the data subject. 

Social Network Providers

Social network providers, whether located abroad or in Turkey, with more than one million daily accesses from Turkey must take the necessary measures to retain the data of their Turkish users in Turkey.

Public or private institutions that will use coded/encrypted electronic communication within their electronic communication services must apply to the ICTA and obtain permission in order to be authorised in accordance with the ICTA's regulations. A copy of the code/encryption must be provided to the ICTA with this application.

There are no specific limitations or considerations that apply to an organisation for collecting or transferring data in connection with foreign government data requests and foreign litigation proceedings.

Please see 3.3 Invoking Foreign Government Obligations, 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations that Apply to International Data Transfers.

Turkey does not have specific "blocking" statutes, but there are general statutory provisions that prevent the disclosure of matters relating to national interests.

According to the TDPL, “the data subject has right to object to the occurrence of a result against themself by analysing the data processed solely through automated systems”. This right may be at stake in cases of big data analytics, automated decision-making, profiling or microtargeting, artificial intelligence (including machine learning) and autonomous decision-making (including autonomous vehicles). However, the application sphere of this provision is not yet clarified by the PDPB.

Apart from the above, the TDPL and secondary legislation on data protection do not include any provision on these issues.

However, the PDPA issued its Recommendations on AI in September 2021. It is noteworthy that the Recommendations on AI do not provide a detailed view on artificial intelligence technologies, although they do cover a number of fundamental topics.

The following themes run throughout the document:

  • respecting a person’s honour and their fundamental rights and freedoms;
  • detecting, preventing and/or minimising potential and current risks in data processing activities within artificial intelligence technologies;
  • complying with national and international regulations.

While there is not a data protection-centric provision that regulates drones, people who sell, buy, produce, import or fly unmanned vehicles, which are 500 g or heavier, are obligated to register with the Unmanned Vehicles Registry.

Biometric data has been a point of further discussion in the field of data protection and the processing of biometric data has been assessed extensively in both PDPA-issued documents and PDPB decisions.

PDPB decisions state that, even if explicit consent of data subject is obtained, the use of biometric data must be further analysed from a perspective of data minimisation and proportionality set forth in the General Principles of the TDPL (please see 2.4 Workplace Privacy for the use of biometric data in an employment context).

Establishing protocols for digital governance and fair data practice review boards or committees to address the risks of emerging or disruptive digital technologies are not mandatory and/or common practices in Turkey.

In 2021, a noteworthy ex officio investigation was conducted by the PDPB towards WhatsApp.

The investigation commenced shortly after WhatsApp announced that it would update its Terms of Service and Privacy Policy such that users who did not give explicit consent to their personal data being processed and transferred abroad to third parties would no longer be able to use the application and would have their accounts deleted. The investigation then evolved into a general review of WhatsApp's privacy policy and consent mechanism.

The PDPB decided that WhatsApp:

  • did not meet the condition of “freely given” for explicit consent, as it forces its users to give consent for data processing and imposes explicit consent as a condition of provision of a service;
  • violated the principle of lawfulness and good faith, as it forces its users to accept the agreement as a whole, despite the fact that some parts of it may require the explicit consent of users;
  • violated the principle of processing for specific, explicit and legitimate purposes, as well as the principle of proportionality, as the data transferred was not proportionate to the purpose, and the privacy policy did not transparently explain which data was transferred for which purpose;
  • violated the data transfer abroad provisions;
  • did not obtain explicit consent of users for the use of cookies for profiling purposes.

WhatsApp was fined TRY1.95 million and was given three months to revise the documents in question to achieve compliance; it was also ordered to provide a legally accurate privacy notice to data subjects.

Carrying out due diligence on a target entity is considered to rest on the legal basis of “legitimate interest”.

On the other hand, when requesting and sharing personal data in the course of a due diligence process, the “proportionality” and “data minimisation” principles must be taken into consideration.

In the event that a due diligence process requires data transfer abroad, the data controller must comply with the provisions on data transfer abroad. It should be noted that using a virtual data room whose servers are located abroad constitutes a data transfer abroad. (Please see 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations that Apply to International Data Transfers.)

The Turkish Data Controllers Registry (VERBIS) is an online public registry that shows the personal data processing inventory of data controllers that have registered with and submitted information to VERBIS (see also 2.1 Omnibus Laws and General Requirements).

The information submitted to VERBIS, which is therefore publicly available, is as follows:

  • the categories of personal data;
  • the data processing purposes for each data category;
  • retention periods of each data category;
  • data subjects for each data category;
  • data transferees;
  • information on data transfer abroad, for each data category;
  • technical and organisational measures.

The relevant capital markets regulations oblige companies that will make a public offering to state the risks of the business before the offering. Although there is no specific requirement to state data protection and cybersecurity risks, since the risks of the business may include such risks, they should be mentioned in the course of a public offering.

There are no other significant issues.

YAZICIOGLU Legal

NidaKule – Goztepe
Merdivenköy Mahallesi Bora
Sokak No:1
Kat:7 34732 Kadıköy / İstanbul
Turkey

+216 468 88 50

+216 468 88 01

info@yazicioglulegal.com www.yazicioglulegal.com