On April 7, 2016, the Law on the Protection of Personal Data (“Law”) came into force in Turkey as a special law regarding the protection of personal data.
The Law is a step towards harmonising Turkish legislation with EU legislation, and it was prepared based on Directive 95/46/EC on data protection (“Data Protection Directive”). Although the Law is very similar to the Data Protection Directive, certain principles of the General Data Protection Regulation (“GDPR”) were also considered in preparing the Law. It can be argued that there are some fundamental issues that differentiate from the GDPR in terms of the application and wording of the Law, and it is crucial for foreign companies operating in Turkey to consider these differences.
Application of the Law on the Protection of Personal Data
The provisions of the Law apply to data controllers who process and transfer personal data. In the situation where data controllers utilise the services of third-party data processors for these processes, the Law holds them jointly liable for taking all technical and administrative measures required to safeguard personal data and prevent any unlawful access or processing.
The Law does not envisage the scope of its application in terms of territory. However, the Law has the GDPR approach in general and in this regard, it takes the view that the Law applies to data controllers in Turkey, as well as data controllers not residing in Turkey but who target data subjects in Turkey (in other words those monitoring and providing services or goods in or to Turkey) irrespective of citizenship. The Law does not aim to apply to those who are residents abroad and do not target data subjects in Turkey but, randomly, might be in a position to provide goods/ services to persons in Turkey (passively).
The circumstances excluded from the scope of the application of the Law are as follows:
- Processing of personal data by natural persons within the scope of activities relating to either themselves or their family members living in the same household, on the condition that the data is not provided to third parties and data security requirements are followed;
- Processing of personal data for official statistics or, on the condition that the data is made anonymous, used for purposes such as research, planning or statistics;
- On the condition that such use is not contrary to national defence and security, public safety and order, economic security, the right to privacy and personal rights and, on the condition that it does not constitute a crime, processing for art, history, literature or scientific research or processing purposes within the scope of the freedom of speech;
- Processing within the scope of the preventive, protective, and intelligence activities of the public bodies and institutions that have been authorised by law to safeguard the national defence, security, public safety and order or economic security; or
- Processing by judicial authorities or penal institutions about investigations, prosecutions, trials or enforcement proceedings.
We provide legal assistance to global companies with activities in Turkey, whether they have establishments in Turkey or not; we evaluate their actions and advise on the procedures they need to follow as per the Law.