
Personal Data Protection Under Turkish Law: An Overview of Compliance Projects


Personal Data Protection Law number 6698 came into force in Turkey on April 7, 2016. Following a two-year transition period (which concluded on April 7, 2018), the compliance process has been initiated with regard to the general principles and rules on the processing of personal data.

Only “personal data” – defined as “any information relating to an identified or identifiable natural person (‘data subject’)” – is classified as protected under the Personal Data Protection Law. Therefore, the “personal data” that needs to be protected by companies should be separated from other data. In this scope, natural and legal persons who qualify as “data controllers” should first identify that data when conducting data inventory and data mapping in compliance projects. The classification should be made carefully, taking into consideration the characteristics and regulations of the sector in which the data controller operates.

Obligations of Data Controllers 

A “data controller” is defined as any natural or legal person who determines the purposes and the tools of processing personal data and who is responsible for installing and administering the data register system. Natural persons, companies, public institutions, occupational organizations, foundations, and associations can all qualify as “data controllers.” All obligations and liabilities under this legislation are stipulated only for data controllers.

The main obligations of data controllers under the legislation are: (i) to inform, (ii) to provide data security, (iii) to fulfill the demands of data subjects, and (iv) to conduct inspections. 

Transfer of Personal Data Abroad 

In principle, it is possible to transfer personal data abroad if the explicit consent of the data subject exists, or where an adequate level of protection is provided in the foreign country to which the data will be transferred. In addition, the Turkish Data Protection Authority (DPA) may give its consent to the transfer where the data controllers in Turkey and in the foreign country to which the data will be transferred guarantee adequate protection.

The countries providing an adequate level of protection shall be identified and announced by the DPA. When determining whether an adequate level of protection exists, the DPA will consider: (i) reciprocity between Turkey and the country to which the data will be transferred, (ii) the characteristics and purpose of processing the personal data, (iii) the regulations of the country to which the data will be transferred, and (iv) guarantees given by the data controller in the foreign country to which the data will be transferred.


If data controllers do not comply with this legislation, the following sanctions may be applied: (i) pecuniary damages; (ii) non-pecuniary damages; (iii) imprisonment of one to seven years; or (iv) administrative fines of between five thousand and one million Turkish liras.

Main Steps to be Taken

In light of current developments, the following main steps should be taken by companies in the compliance process:

  1. Conduct data flow mapping and create a data inventory in order to know which data you have, where it is kept, who is responsible for managing it, what the purpose and legal basis of the data processing are, who the recipients of the personal data are, and for what period the personal data will be kept (or the statutory data retention period), etc.
  2. Create appropriate informed-explicit consent mechanisms.
  3. Revise the company’s contracts, and, where appropriate, conduct negotiation processes accordingly.
  4. Ensure that electronic surveillance systems in the workplace such as camera surveillance, electronic or biometric entry and time detection, global positioning systems, and electronic transmission surveillance are compatible with regulations.
  5. Set up mechanisms to ensure data security such as restricting employees’ access to data, pseudonymizing or encrypting data, using multi-layered security software, firewalls, and anti-virus programs, using remote wiping software, using privacy-enhancing technologies, choosing the right and safe cloud services, backing up files, excluding from the cloud any data that could be classified as confidential business information or sensitive data, and regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
  6. Assign a managing director who will be responsible for data protection under the provisions of the Turkish Commercial Code.
  7. Draw up or revise privacy, cookies, and cybersecurity policies.
  8. Evaluate the compliance of data transfers in both domestic and foreign territories and draw up data transfer contracts.
  9. Inform and train employees about current regulations relating to security and protection of personal data.

By Hatice Zumbul, Head of Data Protection and Privacy, Nazali Attorney Partnership  

This Article was originally published in Issue 5.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.
