Insights

We share our knowledge and expertise to update our community and clients about legal developments in Turkey.

Data Protection Law in General

On April 7, 2016, a new law on the protection of personal data came into force in Turkey: The Law on the Protection of Personal Data numbered 6698 (“Data Protection Law”). It is the first law of its kind in Turkey, specifically regulating the protection of personal data. The Data Protection Law is a step towards harmonizing Turkish legislation with EU legislation, and it was prepared based on Directive 95/46/EC on data protection (“Data Protection Directive”). The Data… »

Application of the Data Protection Law

The Data Protection Law applies to data controllers who process and transfer personal data. In the situation where data controllers utilise the services of third-party data processors for these processes, the law holds them jointly liable for taking all of the technical and administrative measures required to ensure the safeguarding of personal data and to prevent any unlawful access or processing. The Data Protection Law does not envisage the scope of its application in… »

Lawful Data Processing

Processing Personal Data

Personal data can be processed based on the legal grounds specified below: If explicit consent of the data subject is obtained; If processing is clearly proposed under the laws; If processing is mandatory for the protection of life, or to prevent the physical injury of a person, in cases where that person cannot express consent, or whose consent is legally invalid due to physical disabilities; If processing is necessary for and directly related to… »

Singapore Convention Entered into Force on 11 April 2022 in Turkey

The United Nations General Assembly adopted the Convention on International Settlement Agreements Resulting from Mediation (“the Singapore Convention”) on 20 December 2018, which was signed by Turkey on 07 August 2019 in Singapore. Turkey enacted Law No. 7282 dated 25 February 2021[1] concerning the approval of the Singapore Convention, which was followed by the Presidential Decree (3866) dated 21 April 2021[2] concerning its ratification. Finally, with the Presidential… »

Similarity of Short Trademarks: Patent and Trademark Office Deviates From Practice in Groundbreaking Decision

Minor alterations were previously considered sufficient for consumers to distinguish between short marks.
The PTO recently held that the word mark M + PLUS was similar to the opponent’s series of earlier M marks.
The office diverged from standard practice in a decision that focused on the overall impression made by the marks on consumers.

Background

When the Turkish Patent and Trademark Office assesses whether two signs are confusingly similar under Article 6/1 of the… »

Explicit Consent under The Data Protection Law

Explicit consent has been defined as consent that relates to a specified issue, declared by free will, and based on information. The definition provides that not all kinds of consent will suffice under the Data Protection Law. The data subject must know for what s/he is giving consent and must clearly express his/her consent. For example, consent obtained in English from non-English speakers in Turkey would not be considered to be explicit consent. Further, implied consent is… »

Constitutional Court’s Last Judgement on Inspection of Employees' Correspondences

With the judgement dated 28 December 2021 and numbered 2018/34584[1], the Constitutional Court discussed the employer’s examination of the employees’ correspondence sent through the messaging program called WhatsApp and the termination of the employment contracts based on these correspondences, within the scope of the right to privacy and freedom of communication. In the said decision, the Constitutional Court ruled that the employer's obtaining of the contents of the… »

Transfer of Personal Data to Third Party

Sensitive and non-sensitive personal data may be transferred to third parties if the data subject’s explicit consent is obtained or if one of the additional legal grounds is applicable for such transfer. The Data Protection Law does not define a third party; therefore, any individual or entity (other than the data controller and the data subject) may be considered a third party. This creates a problem, especially about transfers between data controllers and data processors… »

Transfer of Personal Data Abroad

Sensitive and non-sensitive personal data can be transferred abroad with the data subject’s explicit consent. Other legal grounds also apply to transferring personal data to a foreign country. The destination country must have “sufficient protection” to conclude the transfer abroad based on legal grounds other than explicit consent. The Board is expected to determine a list of jurisdictions that provide sufficient protection. The Board has confirmed that they have been… »

Data Breach Notification

The Data Protection Law requires data controllers to notify the relevant data subject and the Board as soon as possible after becoming aware of a data breach. In its decision dated January 24, 2019 and numbered 2019/9, the Board clarified the rules and procedures to be applied in data breach incidents. The Board takes the GDPR approach in terms of timing of breach notifications, and clarified that the term “as soon as possible” within the Data Protection Law must be… »

Data Controllers’ Registry (VERBIS)

According to Article 16 of the Data Protection Law, an obligation to register in the Data Controllers Registry has been introduced for data controllers. In 2018, the Board issued decisions granting exemptions from registration obligation to certain professional groups, associations, and political parties. The Board also granted a general exemption to local data controllers that have less than 50 employees, and actively less than TRY 25 million on their balance sheets. Data… »

Consequences of Data Breach

The Data Protection Law envisages both administrative fines and criminal liability.   With regard to criminal penalties, the Data Protection Law refers to the relevant provisions of the Turkish Criminal Code that detail sanctions for the unlawful recording, or disclosing, or transferring of personal data. In addition to criminal sanctions, the Data Protection Law also contains provisions detailing administrative fines that are to be applied in the event of a breach. There are… »
