Apart from an economic slow-down, one can say that 2018 has been productive and looked promising for Turkey from a privacy perspective. We have seen considerable efforts and attempts from the data protection authority, as it has been active in meeting with the practitioners, academics, organizing trainings and seminars, and issuing new guidelines, and regulations. We have seen more data breach decisions rendered by the DPA and these shed a light to the practice and claims made at level of DPA has also increased dramatically as stated by the DPA experts.
The Data Protection Law in Turkey became fully effective as of April 2018 and privacy has been on the top list of agenda of privacy practitioners.
The most debated issues in data privacy in Turkey, (i) data transfers outside of Turkey in the absence of safe country list and (ii) processing health data (a requirement to get explicit consent in almost any and all situations – one exception reserved from medical purposes) have not yet been resolved. However, the DPA has acknowledged the legal needs for a revision on these matters and added that it is currently working on the safe country list. The DPA has also prepared undertaking templates for data transfers abroad.
The obligation to be registered with the Data Controllers’ Registry started as of Oct. 01, 2018 for those who are held within the obligation to get registered. Registry obligation will also include those who are not based in Turkey but process personal data in Turkey, the deadline set for registration is Sept. 30, 2019.
We anticipate that the DPA will continue to be active and cooperate with privacy professionals in 2019, and this will help establishing and developing the privacy practice in a concrete manner. The DPA is required to release data breach decisions in more details (without anonymization) so that it can provide more insight to the practice. There are still various issues that need clarification and guidance from the DPA.
It is worth saying that the public sector is not as diligent as the private sector about data privacy, although there is no difference in their obligations. Further, the Turkish courts that are capable of resolving privacy disputes from criminal law perspective must be also fully informed about the new regulations. We see that there is lack of knowledge and interest in the public sector and Turkish courts (especially criminal courts) in privacy matters and expect to overcome these in coming years.