Insights
Lawful Personal Data Processing
Personal data can be processed based on the following legal grounds: If explicit consent of the data subject is obtained. If processing is clearly proposed. If processing is mandatory for the protection of life or to prevent the physical injury of a person in cases where that person cannot express consent or whose consent is legally invalid due to physical disabilities. If processing is necessary for and directly related to the establishment or performance of a contract and… »
Explicit Consent under Data Protection Law
Explicit consent has been defined as consent that relates to a specified issue, declared by free will, and based on information. As the definition suggest, the Law stipulates that no kind of “blanket consent” of not limited to a specific subject or transaction will be valid. For example, consent such as "I allow all kinds of data processing activities", will not suffice under the Law. The data subject must know for what s/he is giving consent and must clearly express his/her… »
Notification Obligation to Tax Office for Registered Transactions in the Trade Registry is Abolished
The General Communiqué no. 546 on Tax Procedural Law (the "Communiqué") which determines the procedures and principles regarding the acceptance of the notifications made electronically by the Ministry of Trade to the Ministry of Treasury and Finance (the "Ministry") from the transactions registered in the trade registry as notifications made by taxpayers was published in the Official Gazette dated 18 January 2023, to be effective as of 1 February 2023. Within the scope of the… »
New Regulation on Named Patient Programs is Published
Pharmaceuticals that are not authorized in Turkey and/or not available in the market despite being authorized, shall be procured from abroad upon request of physicians and special authorization in cases where patients require such pharmaceuticals. Until recently, this exceptional import regime for pharmaceuticals was regulated by the Guideline on the Supply of Pharmaceuticals from Abroad published by the Turkish Medicines and Medical Devices Agency ("Agency"). On February 3… »
Turkey's Ongoing Decline In Corruption Perception Index
Transparency International’s annual report 2022 Corruption Perceptions Index (“CPI 2022”), aiming to measure the perceived level of public sector corruption based on various sources with the contributions of businesspeople, NGOs and country experts, was released on January 31, 2023. The index ranks 180 countries/territories by their perceived level of public sector corruption on a scale from 0 (highly corrupt) to 100 (very clean). CPI is regarded as one of the most credible… »
Transfer of Data Abroad
Sensitive and non-sensitive personal data can be transferred abroad if the data subject’s explicit consent is obtained. Furthermore, other legal grounds will also apply to transferring personal data to a foreign country. However, the destination country must have “sufficient protection” to conclude the transfer abroad based on legal grounds (except for having obtained explicit consent). The Board will determine a list of jurisdictions that provide sufficient protection. The… »
Data Breach Notification
The Law requires data controllers to notify the relevant data subject and the Board as soon as possible after becoming aware of a data breach. In its decision dated January 24, 2019, and numbered 2019/9, the Board clarified the rules and procedures applicable to data breach incidents. The Board took the GDPR approach regarding the timing of breach notifications and clarified that “as soon as possible” within the Law must be interpreted as 72 hours from becoming aware of a… »
Turkish DPA Fines Meta and WhatsApp Try 5,3m For Failure to Fulfill Their Registration Obligation to the VERBIS
The Turkish Personal Data Protection Authority (the “Turkish DPA”),concerning the investigation initiated ex officio, into Meta and WhatsApp which processes the personal data of the data subjects in Turkey and is subject to the provisions of the Law on the Protection of Personal Data No. 6698 (“Law”) over imposed an administrative fine of TRY 2,665,000 (approx. EUR 128,560) separately for failure to fulfill their Data Controller’s Registry (VERBIS) registration and… »
Data Controllers’ Registry (VERBIS)
According to Article 16 of the Law, an obligation to register in the Data Controllers Registry (“VERBIS”) has been introduced for data controllers. In 2018, the Board issued decisions granting exemptions from the registration obligation to specific professional groups, associations, and political parties. The Board also granted a general exemption to data controllers residing in Turkey with less than 50 employees and less than TRY 25 million on their balance sheets. Data… »
Judicial Review of Board Decisions
The Law does not include an explicit provision concerning the process for appealing Board decisions that impose administrative fines. However, it is accepted that criminal courts of peace are the authorised courts under Law No. 5326 on Misdemeanours dated 30/3/2005 since the title of Article 18 of the Law is “Misdemeanours,” and administrative fines are issued as per Article 18 of the Law. With this in mind, decisions imposing behavioural sanctions can be appealed before… »
How Does Turkey's Judicial System Fare With Respect to Gender Diversity?
The increasing importance of gender equality and the inclusion of women is a significant indicator of development. One of the goals set out under the Strategic Plan of 2019-2023 issued by the Ministry of Justice is to increase the number of judges, public prosecutors and judicial personnel. The Strategic Plan provides that, as a strategy to achieve this goal, the principle of gender equality in the recruitment of judges, public prosecutors and other personnel will be taken… »
Guidelines on Cookies Applications
The Board prepared the Guidelines on Cookies Applications (“Guidelines”) explaining cookies and practical advice for data controllers who process personal data through cookies. The Guidelines was published on the official website of the DPA on June 20, 2022. Within the Guidelines, cookies in general and their types are regulated. Moreover, the types of cookies are categorised based on their timeframe, intended purpose and parties. The relationship between the Electronic… »