Data Protection & Privacy 2023 Guide for Turkey - 1
Contents
- 1. Basic National Regime
- 1.1. Laws
- 1.2. Regulators
- 1.3. Administration and Enforcement Process
- 1.4. Multilateral and Subnational Issues
- 1.5. Major NGOs and Self-Regulatory Organisations
- 1.6. System Characteristics
- 1.7. Key Developments
- 1.8. Significant Pending Changes, Hot Topics and Issues
- 2. Fundamental Laws
- 2.1. Omnibus Laws and General Requirements
- 2.2. Sectoral and Special Issues
1. Basic National Regime
1.1. Laws
The right to protection of personal data is regulated under the Constitution of the Turkish Republic (Constitution) as an individual right since its amendment in 2010. According to Article 20(3) of the Constitution, the right to the protection of personal data includes the right to:
- be informed about the processing of personal data;
- have access to personal data;
- rectification or deletion of the personal data; and
- be informed about whether personal data is used in accordance with the appropriate purposes.
According to the same article, personal data may be processed only if the processing is allowed by the laws or the data subject gives his/her explicit consent. The article finally states that the procedures and principles of processing personal data must be regulated by the laws.
The Turkish Data Protection Law
Pursuant to Article 20(3) of the Constitution, Turkish lawmakers enacted the Turkish Data Protection Law No 6698 (“DP Law”), which entered into force on 7 April 2016. It is the first general law that specifically regulates the procedures and principles of processing personal data in Türkiye. Although it came into force only one month before the European Union General Data Protection Regulation (GDPR), the DP Law was drafted by considering only EU Directive 95/46/EC. Currently, there are ongoing efforts to revise the DP Law in line with the GDPR (see also 1.8 Significant Pending Changes, Hot Topics and Issues). Important secondary regulations issued by the Personal Data Protection Authority (“DP Authority”) include:
- the By-Law on the Deletion, Destruction or Anonymization of Personal Data;
- the By-Law on the Registry of Data Controllers;
- the Communique on Principles and Procedures to Be Followed in Fulfilment of the Obligation to Inform; and
- the Communique on Principles and Procedures for the Request to Data Controller.
The DP Authority has also published several guidelines and recommendations on different aspects of the DP Law. The main topics of these guidelines and recommendations include:
- good practices on personal data protection in the banking sector;
- cookie practices;
- the right to be forgotten;
- processing of biometric data;
- artificial intelligence (AI);
- preparing an inventory of personal data processing;
- fulfilment of the obligation to inform;
- technical and organisational measures;
- deletion, destruction or anonymisation of personal data; and
- the concepts of controller and processor.
In addition to these, the Personal Data Protection Board (“DP Board”) adopts resolutions, which are published on DP Authority’s official website and/or the Official Gazette.
The Turkish Criminal Law
Certain actions that violate the protection of personal data are defined as crimes in the Turkish Criminal Code (TCrC) (see also 2.5 Enforcement and Litigation).
The Turkish Civil Law
Personal data is considered as a part of personality under Turkish law; hence it is also protected under the protection of personality rights in the Turkish Civil Code (TCiC).
Other
In addition to the above, there is some sector-specific legislation on the processing of personal data in certain sectors such as telecommunications, banking, electronic payment and health sectors.
1.2. Regulators
The primary supervisory and regulatory authority in Türkiye is the DP Authority. It is an independent administrative institution which has administrative and financial autonomy. The DP Authority has the power to regulate data protection activities and to protect the rights of data subjects. The decision-making body of the DP Authority is the DP Board. Some of the main duties and powers of the DP Board are as follows:
- conducting investigations upon the complaints of the data subjects or ex officio if it becomes aware of the alleged violation, and taking temporary measures, where necessary;
- concluding the complaints of those who claim that their rights concerning personal data protection have been violated;
- maintaining the Registry of Data Controllers (VERBIS);
- imposing administrative sanctions that are provided in the DP Law;
- determining and announcing the countries with adequate levels of protection of personal data for the purpose of international data transfers; and
- approving the written undertaking of controllers in Türkiye and the relevant foreign country that undertakes to provide adequate protection, when adequate protection is not provided, for the purpose of international data transfers.
The Ministry of Trade is authorised to oversee marketing communication. Apart from the above, sector-specific administrative institutions such as the Banking Regulation and Supervision Agency (BRSA), the Capital Markets Board (CMB), the Turkish Republic Central Bank (TRCB) and the Information and Communication Technologies Authority (ICTA) are also entitled to regulate the processing of personal data in their respective sectors.
1.3. Administration and Enforcement Process
The DP Board’s investigations may be initiated based on a data subject’s complaint received by the DP Board or ex officio if it becomes aware of the alleged violation.
The Course of an Investigation
The DP Board may request information and/or documents from controllers in the course of its investigations. Controllers must provide this information and/or relevant documents within 15 days, except where the information and documents constitute a state secret. The DP Board may request further information and/or documents during an investigation. A controller must enable on-site inspections if the DP Board considers it necessary.
Administrative Fines
If the DP Board identifies a violation of the DP Law, it can impose administrative fines, which may vary between TRY29,852 and TRY5,971,989 depending on the type of violation. As per the Misdemeanours Law No 5326, when determining the amount of fines, the DP Board must consider the severity of the breach, the fault of the breaching party and its economic condition.
Administrative Orders
The DP Board may also order the controller to bring processing activities into compliance with the DP Law. The DP Authority is also entitled to decide to cease certain data processing activities or personal data transfers abroad if it finds that such data processing activities result in damages which are difficult or impossible to compensate for and, at the same time, the act would be clearly unlawful. Where the DP Board issues an order to the controller to bring its processing activities into compliance with the DP Law, this decision must be implemented without any delay and, at the latest, within 30 days upon receipt of the notification by the controller.
Appeal of a Sanction
The controller has the right to appeal against the DP Board’s decisions. If the DP Board’s decision includes only an administrative fine, the controller may object to this decision before the Magistrate Criminal Court within 15 days from receipt of the decision. The decisions of the Magistrate Criminal Court can be appealed to another Magistrate Criminal Court in the same district. Where the DP Board’s decision includes an administrative order bundled with or without an administrative fine, the controller can object to the decision before the administrative courts, whose decisions can be appealed to the Council of State.
1.4. Multilateral and Subnational Issues
Even though Türkiye does not belong to any multinational system such as the European Union or the European Economic Area, the European system has a highly noticeable effect on the DP Law practice. Firstly, Türkiye was one of the first countries that became a member of the Council of Europe and signed Convention No 108. Although Türkiye signed the Convention on 28 January 1981, it did not ratify the Convention until 17 March 2016, shortly before the adoption of the DP Law. On the other hand, Türkiye has not yet signed the Modernized Convention (also known as Convention 108+). As a candidate member state of the EU, Türkiye aims to align its national legislation with the EU acquis. The DP Law is mostly influenced by the EU Directive 95/46/EC. Currently, amending the DP Law to harmonise it with the GDPR is on Türkiye’s agenda. The DP Authority has been one of the accredited members of the European Conference Data Protection Authorities since May 2019. The DP Authority also hosted the 44th Global Privacy Assembly in 2022.
1.5. Major NGOs and Self-Regulatory Organisations
Although their number is relatively small, there are some associations established mainly by legal professionals to raise awareness about the DP Law among the public. Certain industry-specific organisations and chambers of commerce/industry have created working groups to assist their members in complying with the DP Law. The DP Authority obtains opinions from these NGOs while drafting legislation.
1.6. System Characteristics
Türkiye follows the EU omnibus model. The DP Law draws a framework for the DP Authority and controllers by providing a general perspective of the obligations and principles that must be sought for data processing activities. The DP Authority steers the data processing practice by regulating secondary legislation and publishing guidelines and/or the DP Board’s resolutions. The DP Authority seeks to take a proportionate approach to enforcement, prioritising cases with a significant risk of harm to individuals. The amounts of the administrative fines set forth in the DP Law are considerably lower than those set forth in the GDPR. However, the DP Authority’s tendency for enforcement is relatively higher, in particular on data breaches, when compared to its European counterparts.
1.7. Key Developments
Key developments in Türkiye in the past 12 months are as follows:
- announcement on the consideration of extraordinary conditions for the assessment of deadlines for data subjects, controllers and lawyers affected by the earthquake of 6 February 2023;
- publication of the Guideline on Good Practices for Personal Data Protection in the Banking Sector (Guideline on Banking Sector);
- publication of the Guideline on Practices of Cookies (“Cookie Guideline”);
- publication of the By-Law on the Collection, Storage and Sharing of Insurance Data (“By-Law on Insurance Data”);
- DP Board’s decision on joint data controllership (see also 1.8 Significant Pending Changes, Hot Topics and Issues);
- DP Board’s decision on accepting the validity of explicit consent for transferring employment data abroad in cases where the employer is established abroad (see also 4.2 Mechanisms or Derogations That Apply to International Data Transfers);
- publication of the Draft Guideline on Assessment of Loyalty Programs Within the Scope of Personal Data Legislation for public consultation (“Draft Guideline on Loyalty Programs”); and
- publication of the Draft Guideline on the Issues to be Considered in the Processing of Genetic Data for public consultation (“Draft Guideline on Genetic Data”).
1.8. Significant Pending Changes, Hot Topics and Issues
Personal Data Transfer Abroad and Amendments to the DP Law
Personal data transfer abroad has been the most problematic and controversial issue under the DP Law since its enactment (see also 4.2 Mechanisms or Derogations That Apply to International Data Transfers). According to the Economic Reform Action Plan by the Ministry of Treasury and Finance of the Republic of Türkiye (Action Plan), which was announced on 12 March 2021, the DP Law is under review to have its provision on data transfer abroad (Article 9) be amended in line with the GDPR. However, the scope of the revisions may be broader as per the 2019–23 Development Plan, dated July 2019, and the Human Rights Action Plan, dated April 2021. Although the targeted date for the entry into force of this amendment was 31 March 2022, there is still no development announced to date and preparatory works are still ongoing.
Cookies
The Cookie Guideline was published by the DP Authority on 20 June 2022 after public consultation. In this guideline, the DP Authority clarifies the definition and the scope of cookies, and the conditions of processing personal data in terms of cookies within the scope of the DP Law. Although the principles set forth in the guideline are generally in line with EU legislation on cookies, certain principles, in particular the obligation to inform, are significantly different.
Disinformation
A series of amendments to some major laws were made by the Law on the Amendment of the Press Law and Further Laws (so-called Disinformation Law) on 18 October 2022. Some of these amendments criminalise disseminating any misleading information concerning internal or external public security, public order or public health with the motive of disturbing the public peace, creating anxiety, fear or panic among the public. The Disinformation Law has been criticised by the public and some scholars claiming that it may lead to censorship. Amendments introduced by the Disinformation Law also impose certain obligations on Social Network Providers (SNP) (see also 2.2 Sectoral and Special Issues).
Joint Data Controllership
Unlike the GDPR, there is no explicit provision in DP Law on joint controllership. However, in January 2022, the DP Board published a decision in which it considered the relationship between several car rental companies, which benefit from the same software, to create and maintain a blacklist for potential car rental customers, as a joint data controllership. In addition to this decision, the DP Authority has referred to this concept in its recent guidelines. However, the assessment of the DP Board/Authority on this concept is quite limited and lacks a clear criterion or instructions on how to act in case of joint controllership.
2. Fundamental Laws
2.1. Omnibus Laws and General Requirements
Territorial Applicability
Unlike the GDPR, the DP Law is silent on the subject of territorial scope. As a general rule on the territoriality principle, the DP Law applies to controllers and processors established in Türkiye. The DP Authority has not yet set certain criteria for determining the DP Law’s extraterritorial scope. On the other hand, based on the DP Board’s decisions, it seems that it is of the view that when the relevant data processing activities are realised in Türkiye or related to data subjects located in Türkiye, the DP Law shall be applicable.
Obligation to Register with VERBIS (Data Controllers’ Registry)
Controllers who meet certain criteria set by the DP Law are obliged to register with VERBIS. Those who are obliged to register with VERBIS are controllers who are:
- established in Türkiye and have equal to or more than 50 employees or whose total annual financial balance sheet is equal to or more than TRY25 million;
- established in Türkiye and have less than 50 employees and an annual financial balance of less than TRY25 million but whose main activity is processing special categories of personal data; and
- established outside of Türkiye.
In order to register with VERBIS, controllers who are based outside of Türkiye are required to appoint a representative to represent controllers before the DP Authority and data subjects. The representative may be either a Turkish citizen or a legal person in Türkiye. Those obliged to register with VERBIS should also appoint a “contact person”, who may only be a natural person in Türkiye and is mainly responsible for submitting certain information to VERBIS and facilitating the communication between the DP Authority and controllers.
Data Protection Principles
The general principles which must be followed in all data processing activities are set out under Article 4 of the DP Law, and are as follows:
- lawfulness and fairness;
- being accurate and kept up to date where necessary;
- being processed for specified, explicit and legitimate purposes (purpose limitation);
- being relevant, limited and proportionate to the purposes for which they are processed (data minimisation); and
- being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data is processed (storage limitation).
Lawful Basis for Processing of Personal Data
In order to ensure that the data processing is lawful, controllers must satisfy one of the following legal bases (provided by Article 5 of the DP Law):
- explicit consent of the data subject is obtained;
- it is expressly provided for by the laws;
- it is necessary for the protection of life or physical integrity of the person himself/herself, or of any other person who is unable to explain their consent due to physical disability or whose consent is not deemed legally valid;
- processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract;
- it is necessary for compliance with a legal obligation to which the controller is subject;
- personal data has been made public by the data subject themself;
- data processing is necessary for the establishment, exercise, or protection of any right; and
- processing of data is necessary for the legitimate interests pursued by the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
Lawful Basis for Processing of Special Categories of Personal Data
For this purpose, please see 2.2 Sectoral and Special Issues.
Privacy Impact Analyses
Data protection impact assessment is not specifically regulated in the DP Law, but it may be considered a technical and organisational measure that the controllers should take as per the DP Authority’s guidelines.
Application of “Privacy by Design” or “Privacy by Default” Concepts
The DP Law does not include the concepts of “privacy by design” or “privacy by default”. However, controllers may be required to apply “privacy by design” and/or “privacy by default” concepts to comply with the DP Law, particularly the general principles and data processing conditions it sets forth.
Internal or External Privacy Policies
Controllers must provide privacy notices to data subjects. Such privacy notice must at least include:
- the identity of the controller and its representative (if any);
- the purpose(s) of the processing of personal data;
- to whom and for which purposes the processed personal data may be transferred;
- the method and legal basis of the collection of personal data; and
- the rights of data subjects.
Moreover, the DP Authority expects that personal data (and/or categories of personal data), purposes, legal basis and collection methods are to be matched in privacy notices.
Controllers, who are obliged to register with VERBIS, are also obliged to:
- maintain a data processing inventory; and
- adopt a Personal Data Retention and Destruction Policy, details of which are set forth under the By-Law on the Deletion, Destruction or Anonymization of Personal Data.
Further, as per the DP Board’s decisions, controllers are also required to maintain:
- procedures on responding to data breaches; and
- a specific privacy policy for the processing of special categories of data.
Except for the above, controllers are not directly obliged to adopt internal or external privacy policies. However, the DP Board considers having internal and external privacy policies on data protection and cybersecurity as one of the organisational measures that controllers should take. Thus, it is recommended to adopt internal and external privacy policies.
Anonymisation, De-identification and Pseudonymisation
The DP Law obliges controllers to erase, destroy or anonymise the personal data, ex officio or upon the request of the data subject(s), in the event that the purposes for the processing no longer exist. The DP Law and the By-Law on the Deletion, Destruction or Anonymization of Personal Data define the concept of anonymisation as a technique that is used to ensure that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. A reference to de-identification is only made in the By-Law on Processing of Personal Health Data (By-Law on Health Data) issued by the Ministry of Health. This By-Law requires controllers who process health data to take partial de-identification or masking measures on health data such as medical diagnosis and examination in printed materials, as well as other measures to make it difficult to determine the data subject in cases of access by unauthorised persons. Pseudonymisation is not specifically referred to in any of the legislation, but the DP Authority regards pseudonymisation as one of the technical and organisational measures that data controllers must take.
Injury or Harm
There is no requirement under the DP Law to prove any “harm” or “injury” to be held responsible by the DP Authority for non-compliance with the DP Law from an administrative law or criminal law perspective. On the other hand, for a data subject to seek compensation from a controller (or processor) due to its non-compliance with the DP Law, such a data subject must prove that they have been harmed or injured (see also 2.5 Enforcement and Litigation).
Data Breach Notification Process
Unlike the GDPR, pursuant to the DP Law, controllers are obliged to notify the DP Board of all data breaches, regardless of whether or not there is a risk to the rights and freedoms of natural persons. The notification must be made to the DP Authority within 72 hours of the controller becoming aware of the incident, and within the shortest time possible to the data subjects who are affected by the breach.
Rules on Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis, AI, Algorithms
According to the DP Law, “the data subject has right to object to the occurrence of a result against themself by analysing the data processed solely through automated systems”. This right may be at stake in cases of big data analytics, automated decision-making, profiling or microtargeting, artificial intelligence (including machine learning) and autonomous decision-making (including autonomous vehicles). However, the application sphere of this provision is not yet clarified by the DP Board. Apart from the above provision, there are no specific regulations about profiling, automated decision-making, online monitoring or tracking, big data analysis, artificial intelligence, or algorithms. Therefore, the general rules would apply.
Data Protection Officers (DPOs)
Unlike the GDPR, there is no requirement to appoint a DPO for any controller, in the public or private sectors. Neither the representative nor the contact person may be considered to have the same role as the DPO in the GDPR. The DP Authority published the Communique on Principles and Procedures of the Mechanism About Personnel Certification on 6 December 2021. Even though the concept of DPO defined in this Communique seems similar to the concept of the GDPR’s DPO, the DP Authority announced that the DPO in the Communique has a different role. The Union of Turkish Bar Associations requested the annulment of the Communique from the court on the ground that, according to the Attorneys Act, only lawyers can advise on Turkish law. The approach of the court remains to be seen.
2.2. Sectoral and Special Issues
Special Categories of Personal Data
According to the DP Law, special categories of personal data are as follows:
- racial or ethnic origin;
- political opinions;
- philosophical, religious, sect or other beliefs;
- clothing and attire;
- association, foundation, or trade union membership;
- health and sexual life;
- criminal convictions and security measures on individuals; and
- biometric and genetic data.
Special categories of personal data may be processed if the data subject’s explicit consent is obtained. Except for data on health and sexual life, special categories of personal data may only be processed without the data subject’s explicit consent in the cases provided by laws. Data on health and sexual life may be processed by the persons subject to a confidentiality obligation (eg, doctors) or competent public institutions and organisations (eg, hospitals, social security institutions) for the following purposes:
- protection of public health;
- operation of preventive medicine;
- medical diagnosis;
- treatment and care services;
- planning and management of health services; and
- financing of healthcare services.
In 2018, the DP Board issued a resolution on the additional technical and organisational measures to be taken by controllers to ensure an adequate level of protection while special categories of data are being processed, such as adopting a separate processing policy and implementing two-factor authentication for remote access to data. In 2021, the DP Board published a guideline on biometric data. The guideline provides a definition of biometric data and sets out the general principles that need to be respected, as well as technical and organisational measures in addition to those mentioned above. In 2022, the DP Authority published a Draft Guideline on Genetic Data. The draft guideline refers to the GDPR for the definition of genetic data and sets forth the general principles to be complied with when processing genetic data, as well as additional technical and organisational measures to be taken.
Problems with Processing Health Data: The above-mentioned limited legal basis for the processing of health data causes controllers to face some challenges, particularly in an employment context. In certain situations, such as absence due to sickness, occupational sickness or workplace accidents, employers need to process the health data of employees in the course of the employment relationship. In fact, the Occupational Health and Safety Law No 6331 (OHCL) requires employees to do so. However, due to limitations on the legal basis of processing health data as per the DP Law, employers can process health data (i) via an occupational doctor, which is not always a viable option in practice, or (ii) by obtaining explicit consent from their employees. However, obtaining employees’ explicit consent creates a significant problem for a data processing activity, which must be carried out by a controller, considering that explicit consent must be freely given and can be withdrawn anytime. This article is also expected to be amended as per the Action Plan.
Employment Data: There is no detailed legislation in Türkiye except Article 419 of the Turkish Code of Obligations (TCO), Article 75 of the Turkish Labour Law and Article 15(5) of OHCL, which draws the framework for employers to process their employees’ personal data (see also 2.4 Workplace Privacy). Thus, the general rules apply to personal data processing in the employment context.
Children’s Data: Unlike the GDPR, there is no special provision in the DP Law on the collection and/or processing of minors’ personal data. Only the By-Law on Health Data sets forth the parents’ right to access their child’s health data. However, the DP Board stated in one of its decisions that personal data is strictly considered as an element of personal right. Thus, a minor who has the power of discernment, as well as the legal representative of the minor, should be able to exercise data protection rights according to the TCiC. More recently, the DP Board imposed a fine on TikTok – among others – for failing to take necessary measures to protect children’s data. In particular, it focuses on the protection of data of children under age 13, a criterion which is not included in DP Law. Hence, in the authors’ view, the grounds for this decision are debatable (also see 5.3 Significant Privacy and Data Protection Regulatory Enforcement or Litigation). In addition to the above, the Cookie Guideline states that if the products and services of a website target children, the privacy notice on cookies should be drafted in accordance with their perception level, and if required, must be supported with images, etc. Also, SNPs must take necessary measures to provide separated services for children. Due to the lack of concrete legislation, despite the DP Board’s above-mentioned decisions and guidelines, the question as to whether minors may give consent for processing personal data without obtaining their legal representative’s approval – and, if so, which age group is considered to have the power to give consent by themselves from a data protection standpoint – is not crystal clear.
Confidential Customer Data in the Banking Sector
Except for certain exemptions or as otherwise stipulated by the laws, personal data specific to banking relationships is also considered as customer secrets under Article 73 of the Banking Law. This information cannot be disclosed or transferred to third parties that are either in Türkiye or abroad, without receiving a request or explicit instruction from the customer to do so, even if the customer’s explicit consent to transfer personal data to a third party is obtained as per the DP Law. This provision is highly criticised under Turkish data protection practice. Based on its assessment on economic security, the BRSA is authorised (i) to ban disclosing or transferring of any kind of data abroad, including customer secrets or bank secrets, to third parties, and (ii) to order banks to keep the information systems and back-ups that are used in carrying out their activities in Türkiye (obligation of data localisation). In addition to the above, the Guideline on Banking Sector, published by the DP Authority in July 2022, refers to technical and organisational measures to be taken for the transfer of customer secrets.
Insurance Data
The By-Law on Insurance Data was published in the Official Gazette on 18 October 2022. The By-Law defines insurance data as “all data that are related with insurance contracts, insurant and insurance companies’ parties of an insurance contract, insured, beneficiaries and other third parties who directly or indirectly benefit from an insurance contract, and consist of a basis for risk assessment”. It sets forth the principles for processing and sharing of insurance data.
Internet, Streaming and Video Issues
The Law on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication No 5651 (“Internet Law”) imposes certain obligations on hosting/platform providers, content providers and access providers, such as removing unlawful content (see also 1.8 Significant Pending Changes, Hot Topics and Issues, and the Social Media section below).
Voice Telephony and Text Messaging and Content of Electronic Communications
Personal data processed in the telecommunications sector is subject to the By-Law on Processing of Personal Data and Protection of Confidentiality in Electronic Communication Sector. The provisions of this By-Law are in line with the DP Law – however, this By-Law includes more specific provisions on traffic data and location data. Voice communications and text messages are protected under the fundamental right to privacy (Article 20) and freedom of communication (Article 22) of the Constitution. Certain types of crimes are defined in the TCrC to protect communication secrecy and private life. Only under specific and very limited circumstances and by a judge’s decision, or a public prosecutor’s decision in the cases of peril in delay, is it allowed to intervene in private communication (see also 3.1 Laws and Standards for Access to Data for Serious Crimes).
Cookies and Other Similar Technologies
Electronic Communication Law No 5809 includes a provision on cookies. However, such provision is only applicable to electronic communication service providers. Although there is no specific provision on cookies under the DP Law, the DP Authority published the Cookie Guideline in June 2022 (see also 1.8 Significant Pending Changes, Hot Topics and Issues).
Social Media
As per some of the amendments introduced by the Disinformation Law, SNPs are required to establish a mechanism for complaints on the removal of hashtags and featured contents in co-operation with ICTA. Accordingly, SNPs will be held liable for crimes committed through posting third-party content via hashtags or featured content, if such illegal content has not been removed at the latest within four hours of receiving a notification of such. SNPs, whose daily access is more than 1 million, must also report to ICTA on information on hashtags, algorithms for featured or reduced content, advertisements, and transparency policies. This report should also include information on the measures taken to enable users to update their preferences regarding suggested contents and options provided to users for limiting the use of personal data. ICTA may request any kind of information from SNPs, including information regarding data processing mechanisms. Natural and legal persons claiming that their personal rights have been violated due to content available online may apply for the removal of such content. SNPs, whose daily access is more than 1 million, are required to respond to applications regarding the violation of personal rights or the right to privacy within 48 hours of receiving such applications (also see the discussion on Internet, Streaming and Video Issues above). The Disinformation Law also places other obligations on SNPs, such as data retention (see also 4.4 Data Localisation Requirements). There is no specific regulation regarding browsing data, viewing data, beacons, tracking technology, behavioural or targeted advertising, search engines, large online platforms and intermediary liability for user-generated content. Thus, the data processing activities that deal with this kind of data or technologies are subject to the general provisions of the DP Law (see also 1.8 Significant Pending Changes, Hot Topics and Issues).
On the other hand, the Draft Guideline on Loyalty Programs gives significant importance to establishing certain principles on processing of data via location-tracking technologies.
Addressing Hate, Discrimination and Deepfake
According to the Constitution and TCrC, everyone – regardless of their language, race, nationality, skin colour, gender, political opinion, philosophical belief, religion or sect, etc – is equal before the law. The TCrC criminalises and sets forth imprisonment for certain acts which aim to incite hate and/or discrimination between persons based on language, race, nationality, skin colour, gender, disability, political opinion, philosophical belief, religion or sect, etc. Moreover, the TCrC criminalises and sets forth imprisonment for preventing someone from disposing of property, receiving services, being recruited for a job, or undertaking an ordinary economic activity on the ground of hatred based on differences of language, race, nationality, colour, gender, etc. There is no specific regulation regarding deepfake. As long as deepfake leads to a crime, it may be punishable, depending on what crime is committed. On the other hand, the input data, such as the voice or image that is used to generate deepfake is also part of a personality right and is classified as personal data. Hence, the general provisions that cover personality rights and personal data are also applicable in these cases.
Data Subject’s Rights
According to Article 11 of the DP Law, data subjects’ rights are as follows:
- learning whether their personal data is processed or not;
- requesting information as to whether their personal data has been processed or not;
- learning the purpose(s) of the processing of their personal data and whether such personal data is used in compliance with the purpose or not;
- finding out the third parties to whom their personal data is transferred, in-country or abroad;
- requesting rectification of any incomplete or inaccurate data;
- requesting erasure or destruction of their personal data under the conditions referred to in Article 7 of the DP Law;
- requesting information about third parties to whom their personal data has been transferred;
- objecting to the occurrence of a result against themselves by analysing the data processed solely through automated systems; and
- claiming compensation for the damage arising from the unlawful processing of their personal data.
Unlike the GDPR, a data portability right is not set forth in the DP Law.
Right to Be Forgotten
Currently, no specific legislation in Türkiye regulates the “right to be forgotten”. However, it is accepted by Turkish Constitutional Court decisions that data subjects have the right to be forgotten. Also, the DP Authority published an opinion on the right to be forgotten and made a publicly announced resolution that outlined the criteria on exercising the right to be forgotten. The 2020 amendment to the Internet Law includes a provision to ease the use of the right to be forgotten by specifically obliging search engines to delist the links from the search results upon a court order.
First published by Chambers & Partners on 03.03.2023
Tagged with: Yazıcıoğlu Legal, Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce, Merve Betül Baltürk, Data Protection, Data Privacy