On April 7, 2016, a new law on the protection of personal data came into force in Turkey: The Law on the Protection of Personal Data numbered 6698 (“Data Protection Law”). It is the first law of its kind in Turkey, specifically regulating the protection of personal data.
The Data Protection Law is a step towards harmonizing Turkish legislation with EU legislation, and it was prepared based on Directive 95/46/EC on data protection (“Data Protection Directive”). The Data Protection Law is very similar to the Data Protection Directive, although it is not a complete replica. Furthermore, certain principles of the General Data Protection Regulation ("GDPR") were also considered. On the other hand, some of the differences between the Data Protection Law and Data Protection Directive, as well as the GDPR, may be seen to be deficiencies, rather than improvements, in terms of the Data Protection Law.
Since the enactment of the Data Protection Law:
- The Personal Data Protection Board (“Board”) was established;
- A number of guidelines were issued in relation to the various concepts set out in the Data Protection Law;
- Various regulations and communiqués (that is, secondary legislation under Turkish law) were prepared by the Board and came into force. The most notable ones among those Regulations and Communiqués are the following:
- Regulation on Data Controllers’ Registry;
- Regulation on Erasure, Destruction and Anonymization of Personal Data;
- Regulation on Working Principles of the Data Protection Board;
- Communiqué on the Obligation of Information.
- The DPA issued various guidelines in order to provide insight on different matters. The most notable ones have been:
- Guideline on Personal Data Security (Technical and Administrative Measures);
- Guideline on Erasure, Destruction and Anonymisation of Personal Data;
- Guideline on Preparation of the Data Inventory;
- Guideline on Implementation of the Obligation to Inform.
- The DPA issued data breach decisions and principal decisions; and
- Data breach notifications have been made to the DPA and they were made public.
The DPA regularly publishes decisions and principle decisions that provides clarity to certain issues and outlines procedures for data breach incidents. We closely monitor the decisions of the DPA, as well as foreign data protection authority decisions for issues we need clarification of, and actively attend DPA workshops, or organize workshops, where practitioners and DPA experts come together to discuss the application of the Data Protection Law.