After Personal Data Protection Law number 6698 came into force (April 7, 2016) in Turkey, and following a two-year-transition period (which concluded on April 7, 2018), the compliance process has been initiated in regard to general principles and rules on processing of personal data.
Only “personal data” – defined as “any information relating to an identified or identifiable natural person (‘data subject’).” – is classified as protected under the Personal Data Protection Law. Therefore, the “personal data” that needs to be protected by companies should be separated from other data. In this scope, natural and legal persons who qualify as “data controllers” should first identify that data when conducting data inventory and data mapping in compliance projects. The classification should be made carefully, taking into consideration the characteristics and regulations of the sector that the data controller participates in.
Obligations of Data Controllers
A “data controller” is defined as any natural or legal person who determines the purposes and the tools of personal data and who is responsible for installing and administering the data register system. Natural persons, companies, public institutions, occupational organizations, foundations, and associations can all qualify as “data controllers.” All obligations and liabilities under this legislation are stipulated for only those data controllers.
The main obligations of data controllers under the legislation are: (i) to inform, (ii) to provide data security, (iii) to fulfill the demands of data subjects, and (iv) to conduct inspections.
Transfer of Personal Data Abroad
In principle, it is possible to transfer personal data abroad if the explicit consent of the data subject exists, or where an adequate level of protection is provided in the foreign country the data will be transferred to. In addition, the Turkish Data Protection Authority (DPA) may give its consent to the transfer where data controllers in Turkey and in the foreign country where data will be transferred to guarantee adequate protection.
The countries providing an adequate level of protection shall be identified and announced by the DPA. When determining whether an adequate level of protection exists, the DPA will consider: (i) reciprocity between Turkey and the country which data will be transferred to, (ii) the characteristics and purpose of processing the personal data, (iii) the regulations of the country where data will be transferred to, and (iv) guarantees given by the data controller in the foreign country which the data will be transferred to.
If data controllers do not comply with this legislation, the following sanctions may be applied: (i) Pecuniary damages; (ii) Non-pecuniary damages; (iii) Imprisonment of one to seven years; or (iv) Administrative fines of between five thousand to one million Turkish liras.
Main Steps to be Taken
In light of current developments, the following main steps should be taken by companies in the compliance process:
- Conduct a data flow mapping, and create a data inventory in order to have information about which data you have, where it is kept, who is responsible for managing it, what its purpose and the legal basis of data processing is, who the recipients of the personal data are, and for what period the personal data will be kept (or the statutory data retention period), etc.
- Create appropriate informed-explicit consent mechanisms.
- Revise the company’s contracts, and, where appropriate, conduct negotiation processes accordingly.
- Ensure that electronic surveillance systems in the workplace such as camera surveillance, electronic or biometric entry and time detection, global positioning systems, and electronic transmission surveillance are compatible with regulations.
- Set up mechanisms to ensure data security such as restricting employees’ access to data, pseudonymizing or encrypting data, using multi-layered security software, firewalls, and anti-virus programs, using remote wiping softwares, using privacy-enhancing technologies, choosing right and safe cloud services, backing up files, excluding data from the cloud which could be classified as confidential business information or sensitive data, and regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
- Assign a managing director who will be responsible for data protection under the provisions of the Turkish Commercial Code.
- Draw up/revising privacy, cookies, and cybersecurity policies.
- Evaluate the compliance of data transfer both in domestic and foreign territories and drawing up data transfer contracts.
- Inform and train employees about current regulations relating to security and protection of personal data.
By Hatice Zumbul, Head of Data Protection and Privacy, Nazali Attorney Partnership
This Article was originally published in Issue 5.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.