The Data Protection Law envisages both administrative fines and criminal liability.
With regard to criminal penalties, the Data Protection Law refers to the relevant provisions of the Turkish Criminal Code that detail sanctions for the unlawful recording, disclosure or transfer of personal data.
In addition to criminal sanctions, the Data Protection Law also contains provisions detailing administrative fines that are to be applied in the event of a breach. There are four main breaches that have been defined under the Data Protection Law:
(i) The data controller does not satisfy his/her obligation to inform the data subject;
(ii) The data controller does not satisfy the data security requirements;
(iii) The data controller does not implement the decisions of the DPA; and
(iv) The data controller does not satisfy the registration obligation with the Data Controllers’ Registry.
These breaches may be sanctioned with administrative fines ranging from TRY 9,832 to TRY 1,966,857. (Based on the updated amounts for 2021.)
The DPA has issued numerous decisions for breach of the Data Protection Law, and has imposed administrative fines on data controllers for not taking data security measures in cases where there is unlawful data processing or data transfers.
It has been observed in some cases that the DPA renders decisions where it applies fines upon a data breach notification or upon ex officio investigations without requesting further information and defences on the matter. Although the Regulation on Working Procedures and Principles of the Personal Data Protection Board does not explicitly require the Board to grant a right of defence to investigation subjects, such steps would enable a clearer justification for fines.
Although the Turkish courts have not yet effectively applied the Data Protection Law to impose criminal liability, the lack of expertise in the criminal courts in terms of data protection rules poses a risk to data controllers and their data processing activities.