Data Protection and Privacy Law in Turkey Key Developments and Predictions

We focus on the key aspects of data privacy matters and developments in Turkey, and the most important or challenging issues regarding the same.

The Data Protection Law entered into force in 2016. Even prior to its enactment, and afterwards, we have been dealing with privacy law and data protections issues. We have seen a significant number of data breach decisions issued by the DPA in the last 2 years, and these shed a light on the practice and claims made at the level of DPA, which has also increased dramatically as stated by the DPA experts. On the other hand, data breaches that have created global ambiguity have also been under the radar of the Turkish DPA. Sanctions imposed by the DPA have reached a noticeable number and, therefore, privacy issues has been at the top of the list of the agenda of most companies (local or global) providing goods/services in Turkey. Both local and global companies (to name a few - Amazon, Facebook, Zynga and Marriott) have had administrative fines imposed upon them by the Turkish DPA. The Turkish DPA recently published an announcement on the importance of the right to be forgotten principle. Despite all the developments, the most debated issues in data privacy in Turkey remain as (i) data transfers outside of Turkey in the absence of a safe country list, (ii) processing of health data and the legal grounds of such processing, and (iii) controversial regulations regarding the judicial review of DPA decisions.