Turkey is now four months away from the deadline or fulfilling the compliance with the Data Protection Law, and in 2017 we were all busy with adopting the law as much as possible in the absence of well-established rules and practices, but in light of EU developments. It seems that our efforts will continue in 2018.
During 2017, fundamental steps were taken for the purpose of privacy after the enactment of the Data Protection Law in April 2016. The data protection authority was officially established (although it has certain organizational deficiencies) and secondary legislation has been prepared, in this respect the Regulation on Anonymization, Erasure and Deletion of Personal Data and the Regulation on Data Controllers Registry were enacted and the Regulation on Protection of Health Data which was highly criticized during 2016 and subject to stay of execution decision in 2017, was recently amended in a way to clarify the main controversial provisions. In addition, sector-specific Draft Regulation on Privacy in Electronic Telecommunication was prepared.
Privacy lawyers and professionals discussed data mapping techniques, personal data analysis and assessment the most during 2017. Further, the validity of using consent forms for all data processing activities and the scope of legitimate interest or other conditions to make data processing lawful were on the top of the discussion lists. Transfer of data abroad in the absence of DPA’s safe countries’ list and validity of obtaining the consent from data subjects to overcome the difficulty was questioned. Appointment of a data protection officer to companies — is that a legal requirement, or is it only advised; and what is a health data, were the other frequently asked questions. It is worth saying that concrete steps for compliance were only taken by global companies and Turkish conglomerates. Turkish SMEs still do not find themselves busy with compliance issues.
We have high expectations for 2018 and are hopeful in terms of establishment of privacy rules in a more clarified way together with more guidelines to be announced by the DPA and more DPA decisions. The main difficulty in application of privacy rules in Turkey is the lack of guidance regarding the legal background and lack of experienced experts within the DPA. Thus there is need of close follow up of EU developments and legislation considering that Turkish legislation has elements of both the EU Directive and GDPR. In terms of raising awareness, most probably a landmark DPA decision may teach the importance of privacy to public better than the legislative developments.