Data Protection & Privacy 2018, Turkey Chapter


Law and the regulatory authority

1 Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The protection of personally identifiable information in Turkey is regulated mainly by the Law on the Protection of Personal Data (DPL), which came into effect on 7 April 2016. The DPL is heavily modelled on Directive 95/46/EC, with many of the terms and central provisions very closely mirroring their equivalents in the Directive. Other than the DPL, there are a few other central legislative measures that constitute the framework of the protection of PII in Turkey.

The first of these is the Turkish Constitution, article 20 of which defines and enshrines the right to the protection of personal data. The Turkish Criminal Code also contains provisions relating to the unlawful recording and obtaining of personal data. In fact, before the introduction of the new DPL, the data protection regime in Turkey was based primarily on the relevant articles of the Constitution and the Turkish Criminal Code.

While the DPL provides the central framework for the general data protection regime in Turkey, there are also certain industry-specific regulatory measures that introduce further requirements. The most prominent examples of such industry-specific measures are those relating to the electronic communication and banking sectors.

Following the publication of the DPL on 20 October 2016, the Ministry of Health published a Regulation on the Processing and Ensuring the Privacy of Personal Health Data (Personal Health Data Regulation), which introduced several additional restraints on the processing and transfer of personal health data. The scope of application of the Personal Health Data Regulation covers healthcare providers, real persons whose personal health data is being processed, real and legal persons providing software and hardware services to healthcare providers and all other public institutions and real and legal persons who process health data in accordance with any legislative measure. Particularly due to the broadness of the final category, there is a lack of certainty as to how widely applicable the Personal Health Data Regulation may be. In addition to these national legislative and regulatory measures, Turkey is also a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. While a signatory since 28 January 1981, Turkey only ratified the Convention on 2 May 2016.

2 Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The implementation of the DPL has been granted to the Turkish Data Protection Authority (DPA). It should be noted that, while the DPL had stated that the DPA would be established by 7 October 2016, the Board of the Turkish DPA was only finally appointed completely in January 2017. The Turkish DPA has commenced operations as of January 2017 and, as of the date of writing, is working on the ancillary regulations that will supplement the DPL.

The DPL contains provisions regarding both the establishment of the Turkish DPA and the scope of its powers and responsibilities. Accordingly, as per the DPL, the Turkish DPA has been granted investigative powers in order to ascertain whether data controllers and data processors are in compliance with the provisions of the DPL. To this end, the Turkish DPA may conduct investigations (either upon complaint or ex officio) in order to evaluate whether data processing is being conducted in compliance with the DPL and, if necessary, implement any temporary preventative measures. Furthermore, the Turkish DPA has been tasked with reviewing and ruling on any referred complaints alleging the violation of the fundamental data protection rights.

As the required ancillary data protection regulations detailing the DPA’s investigative procedures have not yet been published, it is currently unknown how these investigative powers shall be applied.

3 Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

As per the DPL, the breach of the provisions can lead to both administrative fines and criminal penalties. With regard to potential criminal penalties, the DPL itself makes reference to the relevant measures of the Turkish Criminal Code that detail unlawfully recording or accessing personal data. As per article 135 of the Turkish Criminal Code, unlawful recording of personal data can be sanctioned with a one- to three-year prison sentence; with the sanction being increased by half should the unlawfully recorded personal data be personal data of a sensitive nature. Article 136 states that unlawfully obtaining or transferring personal data is punishable by a two- to four-year prison sentence. Finally, article 138 of the Turkish Criminal Code states that those persons who have kept and not erased personal data beyond the period stipulated by DPL can be sanctioned with a prison sentence of one to two years.

In addition to criminal proceedings, the DPL also establishes administrative fines that may be applied in the situation of a breach. There are four main breaches that have been defined in the context of a potential administrative fine:

  •  a data controller not satisfying their obligation to inform the data subject;
  •  the data controller not satisfying the data security requirements;
  •  the data controller not implementing the decisions of the Turkish DPA; and
  •  the data controller not satisfying their obligation to register on the Data Controller Registry.

These breaches can be sanctioned with administrative fines ranging from 5,000 liras to 1 million liras. Depending on the nature of the breach – as in whether the breach constitutes a criminal or administrative offence – the data controller will either be referred to the prosecutor or the Turkish DPA or both.

Scope

4 Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The DPL does contain a provision that defines areas and activities of exception where the provisions of the DPL will not be applied. These areas of exception are as follows:

  •  use of personal data by real persons within the scope of activities relating to either themselves or their family members living in the same house; on the condition that the data is not provided to third parties and data security requirements are followed;
  •  processing of personal data for official statistics or – on the condition that the data is made anonymous – used for purposes such as research, planning or statistics;
  •  on the condition that such use is not contrary to national defence and security, public safety and order, economic security, the right to privacy and personal rights, and on the condition that it does not constitute a crime, processing for the purposes of art, history, literature or scientific pursuits or processing within the scope of the freedom of speech;
  •  processing within the scope of the preventive, protective and intelligence activities of the public bodies and institutions that have been authorised by law to safeguard national defence, security, public safety and order or economic security; and
  •  processing by judicial authorities or penal institutions in relation to investigations, prosecutions, trials or enforcement proceedings.

5 Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The DPL does not cover the issues of interception of communications, electronic marketing or the monitoring and surveillance of individuals.

The areas of interception of communications and the monitoring and surveillance of individuals are primarily regulated by the Turkish Criminal Procedure Code. The specifics of these areas are further regulated with more specific regulatory measures such as the Regulation on Inspection of Communication made via Telecommunication, Undercover Investigations and Surveillance with Technical Tools due to the Law of Criminal Procedure.

The legislative measures that regulate the electronic communication sector, primarily the Electronic Communication Law (ECL) and ancillary regulations such as the Authorization Regulation, also specify that licensed operators operating within the electronic communication sector are under the obligation to establish and maintain the infrastructure that will enable such lawful interception and surveillance activities. Electronic marketing is covered by the Law on the Regulation of Electronic Commerce (E-Commerce Law) and its ancillary regulations.

6 Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

The primary sector-specific laws and regulations that introduce further data protection rules can be found in the electronic communication and banking sectors.

With regard to the electronic communication sector, the ECL introduces specific rules regarding how licensed operators operating in this sector may use traffic and location data that they can obtain from their customer. Furthermore, the Regulation on the Processing of Personal Data in the Electronic Communication Sector and the Protection of Privacy also contains further sector-specific rules regarding data processing in the electronic communication sector.

Certain legislative measures, such as the Law on Payment and Security Agreement Systems, Payment Systems and Electronic Currency Organisations, require financial institutions to keep their primary and secondary systems within Turkey and thus prevent the transfer of such data abroad. Furthermore, the Banking Law introduces specific confidentiality obligations for persons who, owing to their position and task, are in possession of secret information relating to banks or their clients. The Law on Bank Cards and Credit Cards imposes a similar obligation on this industry too.

7 PII formats

What forms of PII are covered by the law?

The DPL defines personal data widely as ‘all information relating to an identified or identifiable real person’. Furthermore, the DPL does not make any limitations or distinctions with regard to the format in which such PII is maintained or stored. Therefore, in light of the central definition of the DPL, it can be said that the forms of PII covered are extensive both in the nature of the information and in terms of the format.

8 Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

While the DPL does not have a specific geographic scope that is stated within the text of the Law, it should be noted that, as a Turkish law with sanctions applied by either Turkish public bodies or Turkish courts, the application of the Law itself is practically limited to real and legal persons who are processing the PII of persons residing in Turkey. Despite issues regarding the enforceability of sanctions against persons who are not in Turkey or do not have assets in Turkey, the content and structure of the DPL make it clear that it is intended to establish and safeguard the data protection rights of all persons within Turkey whose personal data is being processed, regardless of the identity of the data processor. As a result, the DPL will apply to data controllers and data processors both inside and outside of Turkey that are processing the personal data of Turkish residents.

9 Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners?

The DPL also provides a very wide definition for the processing of PII. As per the relevant provision, processing of personal data is defined as ‘all operations performed on personal data, whether completely or partially through automated means or – on the condition that it is a part of a data recording system – through non-automated means, such as collection, recording, structuring, storage, re-structuring, disclosure, transfer, retrieval, making available, categorisation or restriction’.

The DPL also distinguishes between data controllers, who determine the purposes and methods of data processing, and data processors that process data based on the authorisation provided by the data controllers.

Legitimate processing of PII

10 Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

The general principle of the DPL is that the processing of personal data is only lawful if the relevant data subject has provided their explicit and informed consent. However, the Law itself also provides additional situations in which explicit and informed consent is not required, which are set forth below:

  •  processing is clearly mandated by laws;
  •  for a person who is unable to express their explicit consent owing to a situation of impossibility, processing is required for the safeguarding of their or a third person’s life or physical wellbeing;
  •  processing is necessary for and directly related to the formation or execution of an agreement to which the data subject is a party;
  •  processing is mandatory for the data controller to satisfy his or her legal obligation;
  •  the data to be processed has been made public by the data subject;
  •  processing is mandatory for the establishment, use or protection of a right; or
  •  on the condition that it does not harm the data subject’s fundamental rights and freedoms, the processing is mandatory for the legitimate interests of the data controller.

11 Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Yes, the DPL provides more stringent rules for the processing of personal data of a sensitive nature. Personal data of a sensitive nature is defined exhaustively as data relating to ‘race, ethnicity, political views, philosophical belief, religious denomination or other beliefs, clothing and attire, membership in associations, charities or trade unions, health, sex life, convictions, security measures, biometric and genetic data’.

While the general principle for the processing of such data remains the explicit consent of the data subject, the situations of exception are a lot narrower compared to normal PII. With regard to personal data of a sensitive nature other than health and sex life data, processing without consent is allowed when such processing is clearly mandated by law. For health and sex life data, the only exception is data processed by persons or authorised institutes bound by the duty of confidentiality for the purpose of the protection of public health, the provision of medical, diagnostic and treatment services and the planning, management and financing of healthcare services.

The Personal Health Data Regulation has also introduced an additional provision regarding the processing of health data, which states that the parties that fall under the scope of the regulation may only process health data should they obtain written consent from data subjects and store this obtained consent.

Data handling responsibilities of owners of PII

12 Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

The DPL does include a duty of notification that requires data controllers to notify the data subjects as to the use of their data. This notification must be made at the time that the personal data is obtained and must include the following information:

  •  the identity of the data controller and, if applicable, its representative;
  •  the purposes of processing;
  •  to whom the processed data may be transferred and for which purposes they may be transferred;
  •  the method and legal grounds for the data collection; and
  •  information about the other rights of the data subject.

13 Exemption from notification

When is notice not required?

The conditions for exemption from the obligation of notification are when:

  •  the processing is required for the prevention or investigation of a crime;
  •  the data being processed has been made public by the data subject;
  •  the processing is required for disciplinary investigations or procedures by authorised public bodies and institutions, or by professional organisations with public institution status and for the inspections carried out by such parties in accordance with their statutory purview; or
  •  the processing is required to protect the state’s economic and financial interests with regard to the issues of budget, taxation and financial issues.

14 Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

As the DPL upholds the central principle that data processing should be based on consent and that processing should be in accordance with the law and the principle of honesty, it can be said that by the very nature of the centrality of explicit consent, the data subjects are afforded a degree of control over their information. The exceptions to the requirement of consent do provide derogations from this notion of control; however, as will be further discussed in questions 34–37, data subjects have been granted substantial rights to ensure that their data is being processed in accordance with the original purpose of the processing of their PII.

15 Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

One of the main principles of the DPL is that the processed personal data be accurate and – when necessary – up to date. While there has not been any further guidance as to the standards of accuracy and quality of the personal data, it is expected that these principles will be further clarified by the Turkish DPA through the drafting and publication of ancillary regulatory measures.

The DPL also grants data subjects the right to demand that any personal data relating to them that has been processed in an incorrect or incomplete manner be rectified.

16 Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

The DPL itself does not set definite time limits for how long personal data may be held. However, article 7 of the DPL introduces a general principle stating that, once the grounds for processing personal data no longer exist, the data controller is under the obligation to either delete, destroy or anonymise the personal data. While these processes may be applied upon the request of the data subject, the DPL also states that the data controller itself should apply these processes on its own initiative.

With regard to the amount of PII, as long as all processed PII is being held and processed lawfully, the DPL does not enforce any restrictions as to the amount or volume of data.

17 Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Article 4 of the DPL provides the fundamental principles of data processing in Turkey; one of which is that processing must be in connection with, limited to and proportional to the stated purposes of processing. Therefore, as per the DPL, processing of personal data must be limited to either the purpose for which explicit consent was provided or to the scope of the exception to obtaining explicit consent upon which the data controller chooses to base the processing.

18 Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

As stated above, due to the adoption of the finality principle requiring processing to be connected, limited and proportional to the stated purpose of processing, the DPL does not allow for using collected personal data for new purposes that are not covered by the obtained explicit consent or the specific grounds of exception that have been used for processing.

Security

19 Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

The DPL imposes general security obligations on data controllers to ensure that personal data is not processed unlawfully, accessed without authorisation and is safeguarded. The relevant provision stipulates a general obligation of ensuring that all technical and administrative precautions are taken by the data controller in order to ensure that such protection is provided. However, the DPL itself does not provide detailed explanations as to the content of these precautions.

Furthermore, as per the provision of the DPL that establishes the conditions of processing personal data of a sensitive nature, such processing is conditioned upon implementing the sufficient measures that have been determined by the Turkish DPA. It is expected that both the general technical and administrative precautions and the precautions specific to personal data of a sensitive nature will be among the first areas that will be detailed through ancillary regulations.

The data controllers are also under the obligation to conduct the required audits in order to ensure that they are adhering to the security provisions of the DPL. In the situation that a data controller utilises a third-party data processor to process PII on their behalf, the data controller will remain jointly liable with regard to ensuring that safety precautions are taken to ensure the protection of the PII.

20 Notification of data breach

Does the law include (general and/or sector-specific) obligations to notify the supervisory authority and individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

The DPL requires the data controller to notify both the data subject and the Turkish DPA of any access to data by third parties through unlawful means. The DPL also stipulates that, should the Turkish DPA deem it necessary, it may publish such notified breaches either on its own website or through other appropriate means.

Currently there are no further clarifications regarding this duty of notification, particularly with regard to any set time limit within which to notify such breaches to the data subjects and the DPA. The relevant provision only states that such notifications must be made ‘within the shortest possible time’. As the DPL only recently came into effect, there are as yet no ancillary regulations clarifying details of areas such as breach notification processes.

As per the Personal Health Data Regulation, those parties that fall under the scope of the regulation must also notify the Ministry of Health of a suspected data breach relating to personal health data.

Internal controls

21 Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

The DPL and other sector-specific ancillary regulations do not require the appointment of a data protection officer.

22 Record keeping

Are owners of PII required to maintain any internal records or establish internal processes or documentation?

The DPL does not contain a provision regarding a general obligation to maintain internal records or establish internal processes or documentation. However, it is likely that some form of documentation obligation will be introduced with the ancillary regulatory measures that detail the security measures and precautions that have been stated quite generally within the DPL.

With regard to the electronic communication sector, the ECL and ancillary regulatory measures require licensed operators within the electronic communication sector to maintain certain records relating to completed and attempted electronic communications. Furthermore, licensed operators are also under obligation to maintain records that document access made to personal data and other related systems for a period of two years.

Registration and notification

23 Registration

Are PII owners and/or processors of PII required to register with the supervisory authority? Are there any exemptions?

As per the DPL, both real and legal persons processing PII must be registered on the Data Controller Register (the Register). It should be noted that the implementation of the provision detailing the requirement of registration has been delayed until 7 October 2016.

The ancillary legislation detailing the registration process is currently being drafted by the Turkish DPA. Therefore, while the DPL does provide for the Turkish DPA to introduce exemptions for registration to the Register based on such considerations as the quality, amount and grounds of the processing, the content of the exemptions will be determined only after the Turkish DPA issues a regulation in this regard.

However, article 28(2) of the DPL also introduces a more general exemption from the obligation to register for instances of processing where, on the condition that it remains in accordance and proportional to the purpose and principles of the DPL:

  •  the processing is required for the prevention or investigation of a crime;
  •  the data being processed has been made public by the data subject;
  •  the processing is required for disciplinary investigations or procedures by authorised public bodies and institutions or by professional organisations with public institution status and for the inspections carried out by such parties in accordance with their statutory purview; or
  •  the processing is required to protect the state’s economic and financial interests with regard to the issues of budget, taxation and financial issues.

24 Formalities

What are the formalities for registration?

As stated in the response to question 23, the more detailed requirements of registration to the Register will be determined once the Turkish DPA issues a regulation in that regard. However, the relevant provision of the DPL does establish the general principles relating to registration with the Register.

As per said principles, the data controller’s application for registration must include the following information:

  •  the identity and address of the data controller and, if applicable, his or her representative;
  •  the purpose of processing of the personal data;
  •  the data subject groups and explanations relating to the data categories belonging to these persons;
  •  recipients or recipient groups to whom the data may be transferred;
  •  the precautions taken with regard to the security of personal data; and
  •  the maximum time period required for the processing.

25 Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

In the situation that a data controller fails to register for the Register or fails to maintain their registration with up-to-date information, said controller can be sanctioned with an administrative fine ranging from 20,000 liras to 1 million liras.

26 Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

Currently the DPL does not provide any specific ground on which the Turkish DPA could refuse to allow an entry on the Register. In order to register with the Register, an individual or a legal entity must be a data controller, and thus the Turkish DPA can refuse to allow an entry only if the applicant is not a data controller or if the data controller does not provide all of the required information for registry.

27 Public access

Is the register publicly available? How can it be accessed?

Yes, the DPL sets forth that the Register will be open to the public. However, for the reasons stated above, the current specifics of access and presentation have not yet been clarified by the Turkish DPA.

28 Effect of registration

Does an entry on the register have any specific legal effect?

No. Currently, the DPL does not explicitly attach any specific legal effect to entry onto the Register.

Transfer and disclosure of PII

29 Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

The DPL has regulated all transfers from data controllers to third parties, without making any differentiation in terms of outsourced data processors. Therefore, there is no specific provision or exemption applicable to the transfers of PII to entities that provide outsourced processing services.

30 Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

Other than adhering to the requirement of obtaining explicit consent from the data subject (in cases where no exception to obtaining such explicit consent applies), there are no further restrictions on the disclosure of PII to third parties within Turkey.

It should be noted that the Personal Health Data Regulation has introduced a further restriction on the transfer of personal health data (both domestically and abroad), stating that – other than the special situation of exception stated above for health data – such data can only be transferred if made anonymous. However, it should be stated that, owing to the phrasing of the remainder of the provision, there is currently a degree of uncertainty regarding whether this requirement for anonymisation is applicable for all health data that does not fall under the scope of the aforementioned exception. As there are currently ongoing issues regarding the scope and applicability of the provisions of the regulation, it is expected that the newly established Turkish DPA will issue a clarification regarding this particular restriction in the near future.

31 Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

The general principle with regard to transfer of personal data outside of Turkey is that the explicit consent of the data subject is required. In the situation that one of the general exceptions of obtaining consent for personal data or for personal data of a sensitive nature exists, said personal data may be transferred outside of Turkey if the country of the recipient provides ‘sufficient safeguards’. If the country where the recipient is located does not provide ‘sufficient safeguards’, the personal data may only be transferred following further approval and authorisation by the Turkish DPA.

A general restriction that applies to transfer of personal data outside of Turkey regards considerations of national interest. Reserving the applicable provisions of international agreements, in the situation that the interests of Turkey or the data subject will be seriously harmed, said personal data may only be transferred abroad with the consent of the Turkish Data Protection Board.

32 Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

As stated above, in the situation that explicit consent for transfer has not been obtained and, instead, the data controller is to transfer personal data abroad based on one of the exceptions defined in the DPL, the country where the recipient is located must provide ‘sufficient safeguards’. In the situation that the Turkish DPA has not determined said country to be on the list of ‘countries providing sufficient safeguards’, transfer of data abroad can only be completed if both data controllers provide written undertakings to ensure sufficient safeguards and if the Turkish DPA authorises the transfer. However, this requirement of notification and authorisation is only required for a transfer abroad based on an exception to a recipient in a country not providing ‘sufficient safeguards’. For all other transfers there are no general or specific obligations to notify the Turkish DPA or obtain authorisation for transfer.

33 Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

Currently the DPL only explicitly covers the issue of the initial transfer abroad, with no explicit provisions detailing subsequent onward transfers. Consequently, it should be accepted that the provisions relating to transfer abroad apply equally to such further transfers, and the detailed explanations provided above should be taken into consideration.

Rights of individuals

34 Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

As per the DPL, individuals have been granted the right to access their personal information held by data controllers. In addition to the right to learn whether or not their personal data is being processed, individuals also have a right to know the purpose of the processing of their data and whether the current processing is in accordance with this purpose and the right to know to whom their data is being transferred, both domestically and abroad.

However, these rights of access can be limited in the following situations, on the condition that the limitation remains in accordance with, and proportional to, the purpose and principles of the DPL, where:

  •  the processing is required for the prevention or investigation of a crime;
  •  the data being processed has been made public by the data subject;
  •  the processing is required for disciplinary investigations or procedures by authorised public bodies and institutions or by professional organisations with public institution status and for the inspections carried out by such parties in accordance with their statutory purview; and
  •  the processing is required to protect the state’s economic and financial interests with regard to budgetary, taxation and financial matters.

35 Other rights

Do individuals have other substantive rights?

In addition to the rights explained in our response to question 34, the DPL has also granted individuals other substantive rights to exercise.

As per article 11 of the DPL, data subjects have the following substantive rights with regard to the processing of their personal data:

  •  the right to ask for rectification of any data that has been processed incompletely or incorrectly;
  •  the right to request the deletion or destruction of their personal data where the grounds of processing of the personal data no longer exist;
  •  the right to have their requests of rectification or deletion notified to any third parties to whom their personal data has been transferred; and
  •  the right to object to a decision made against them based solely on analysis of personal data through automated processing.

36 Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

The DPL clearly states that individuals have the right to compensation in the situation that the unlawful processing of their personal data has caused them to suffer damage. Therefore, in the situation that a breach of the DPL causes a person damage, she or he will be able to file a compensation action seeking monetary damages against the offending data controller.

Under Turkish law, compensation claims can be filed for both pecuniary and non-pecuniary damages for pain and suffering. However, it should be noted that in Turkish practice, non-pecuniary damages are rarely granted in situations where there has not been actual damage.

37 Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

The DPL provides that data subjects must first apply to the relevant data controller with any complaints they have regarding the exercise of their data protection rights. Should such an application not be answered within 30 days, be rejected, or should the data subject be unsatisfied with the response, the data subject will then have the right to refer the complaint to the Turkish DPA.

In addition to the complaint procedure that can ultimately be referred to the Turkish DPA for resolution, data subjects may exercise their rights relating to unlawful access to or transfer of their personal data through the judicial system.

Exemptions, derogations and restrictions

38 Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

Other than the exemptions and derogations explained above in questions 4, 13, 24 and 34, there are no further exemptions or limitations on the application of the provisions of the DPL.

Supervision

39 Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

As the Turkish DPA is an administrative body, in accordance with the general principles of Turkish administrative law, the decisions and actions of the body can be appealed through the administrative courts.

Specific data processing

40 Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

While there are no general legislative or regulatory measures relating to the use of cookies, the ECL does contain rules on the use of cookies that are specific to operators licensed in accordance with the relevant electronic communication legislation. As per said specific rules, licensed operators may only store information on the devices of their customers, or access information stored on these devices, if they have obtained informed and explicit consent.

However, it should be noted that for any use of cookies that will involve PII, the relevant safeguards and measures of the DPL will also apply.

41 Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

The general rules on marketing through any means of electronic communication are defined in the E-Commerce Law. As per the E-Commerce Law, the general rule for sending any form of electronic commercial communication is that the consent of the recipient must be obtained in advance. Such consent may be obtained either in writing or by using any form of electronic communication tool. Additionally, such recipients must always be provided the opportunity to opt out of receiving such communication at any time and without having to specify any reason.

Certain electronic communications can be sent without first obtaining the explicit consent of the recipient. These are either communications whose purpose is to provide information on changes to, or the use or repair of, the goods or services provided, sent to recipients who have readily provided their contact information, or electronic communications sent to a tradesman or merchant. However, such recipients should also be provided with the aforementioned opportunity to opt out of receiving such electronic communications.

Furthermore, the content of the electronic commercial communication must be in line with the consent obtained from the recipient.

42 Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

There are currently no rules or regulatory guidance specifically relating to the use of cloud computing services. However, the Information and Communication Technologies Authority has been working on a draft guidance document relating to standards that should be adopted in this area.

Furthermore, in accordance with the aforementioned provisions of the DPL regarding the transfer of data to third parties and the transfer of data abroad, it should be noted that the requirements relating to such transfers can also apply where cloud computing services are obtained from companies with servers located abroad.

First published by GTDT on 06.09.2017