Data Protection & Privacy 2024 - Part 2

05.05.2024

Contents

2. Fundamental Laws

2.1 Omnibus Laws and General Requirements

Territorial Applicability

Unlike the GDPR, the DP Law is silent on territorial scope. As a general rule regarding the territoriality principle, the DP Law applies to controllers and processors established in Türkiye.

However, based on the DPB’s decisions, it seems to be of the view that when the relevant data-processing activities are realised in Türkiye or relate to data subjects located in Türkiye, the DP Law shall be applicable. In an unpublished decision, the DPB emphasised that the territorial scope provisions of the TCrC should serve as the basis for applying administrative fines defined under the DP Law. This implies that if the behaviour or the result occurs in Türkiye, the DP Law shall be applicable.

Obligation to Register With VERBIS (Controllers’ Registry)

Controllers who meet certain criteria set out by the DP Law are obliged to register with VERBIS. Such controllers are those:

- established in Türkiye and who have equal to or more than 50 employees, or whose total annual financial balance sheet is equal to or more than TRY100 million;

- established in Türkiye and who have fewer than 50 employees and an annual financial balance of less than TRY100 million, but whose main activity is processing special categories of personal data; and

- established outside Türkiye.

To register with VERBIS, controllers based outside Türkiye are required to appoint a representative to represent controllers before the DPA and data subjects. The representative may be either a Turkish citizen or a legal person in Türkiye.

Those obliged to register with VERBIS should also appoint a “contact person”, who may only be a natural person in Türkiye and is mainly responsible for submitting certain information to VERBIS and facilitating the communication between the DPA and controllers.

Data Protection Principles

The general principles for all data-processing activities are as follows:

- lawfulness and fairness;

- being accurate and kept up to date where necessary;

- being processed for specified, explicit and legitimate purposes (purpose limitation);

- being relevant, limited and proportionate to the purposes for which it is processed (data minimisation); and

- being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data is processed (storage limitation).

Lawful Basis for Processing of Personal Data

To ensure that the data processing is lawful, controllers must satisfy one of the following legal bases (provided by Article 5 of the DP Law):

- explicit consent of the data subject is obtained;

- it is expressly provided for by law;

- it is necessary for the protection of life or physical integrity of the person themself, or of any other person who is unable to explain their consent due to physical disability or whose consent is not deemed legally valid;

- processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract;

- it is necessary for compliance with a legal obligation to which the controller is subject;

- personal data has been made public by the data subject themself;

- data processing is necessary for the establishment, exercise or protection of any right; and

- processing of data is necessary for the legitimate interests pursued by the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Lawful Basis for Processing of Special Categories of Personal Data

See 2.2 Sectoral and Special Issues.

Privacy Impact Analyses

Data protection impact assessments are not specifically regulated in the DP Law, but may be considered a technical and organisational measure that controllers should take as per the DPA’s guidelines.

Application of the “Privacy by Design” or “Privacy by Default” Concepts

The DP Law does not include the concepts of “privacy by design” or “privacy by default”. However, as per the DPB’s decisions, controllers are required to apply the “privacy by design” and/or “privacy by default” concepts to comply with the DP Law, particularly with the general principles and data-processing conditions it sets forth.

Internal or External Privacy Policies

Controllers must provide privacy notices to data subjects. Such privacy notice must at least include:

- the identity of the controller and its representative (if any);

- the purpose(s) of the processing of personal data;

- to whom and for which purposes the processed personal data may be transferred;

- the method and legal basis of the collection of personal data; and

- the rights of data subjects.

Moreover, the DPA expects personal data (and/or categories of personal data), purposes, legal basis and collection methods to be matched in privacy notices.

Controllers who are obliged to register with VERBIS are also obliged to:

- maintain a data-processing inventory; and

- adopt a Personal Data Retention and Destruction Policy, as detailed under the By-Law on the Deletion, Destruction or Anonymisation of Personal Data.

Further, as per the DPB’s decisions, controllers are also required to maintain:

- procedures on responding to data breaches; and

- a specific privacy policy for the processing of special categories of data.

Except for the above, controllers are not directly obliged to adopt internal or external privacy policies. However, the DPB considers having internal and external privacy policies on data protection and cybersecurity as one of the organisational measures that controllers should take. Thus, it is recommended to adopt internal and external privacy policies.

Anonymisation, De-identification and Pseudonymisation

The DP Law obliges controllers to erase, destroy or anonymise personal data, ex officio or upon the request of the data subject(s), if the purposes for the processing no longer exist.

The DP Law and the By-Law on the Deletion, Destruction or Anonymisation of Personal Data define the concept of anonymisation as a technique that is used to ensure that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

A reference to de-identification is made in the By-Law on Processing of Personal Health Data (the “By-Law on Health Data”) issued by the Ministry of Health. The By-Law on Health Data mandates health data controllers to implement partial de-identification measures, such as masking medical details, to safeguard data subjects’ identities in printed materials and to prevent unauthorised access.

Similarly, the Regulation on the Sharing of Confidential Information issued by the BRSA refers to the concepts of anonymisation, aggregation and de-identification as security measures to be applied to data processing, particularly when sharing secrets, where the intended purposes can still be achieved after their application.

Pseudonymisation is not specifically referred to in any legislation, but the DPA considers pseudonymised data as personal data, and regards pseudonymisation as one of the technical and organisational measures that controllers must take.

Injury or Harm

There is no requirement under the DP Law for any “harm” or “injury” to be proved for non-compliance with the DP Law, from an administrative law or criminal law perspective.

However, for a data subject to seek compensation from a controller (or processor) due to its non-compliance with the DP Law, such data subject must prove that they have been harmed or injured (see 2.5 Enforcement and Litigation).

Data Breach Notification Process

Unlike under the GDPR, pursuant to the DP Law, controllers are obliged to notify the DPB of all data breaches, regardless of whether there is a risk to the rights and freedoms of natural persons.

The notification must be made to the DPA within 72 hours of the controller becoming aware of the incident, and to the data subjects who are affected by the breach within the shortest time possible.

Rules on Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis, AI and Algorithms

According to the DP Law, the “data subject has the right to object to the occurrence of a result against themself by analysing the data processed solely through automated systems”. This right may be at stake in cases of big data analytics, automated decision-making, profiling or microtargeting, AI (including machine-learning) and autonomous decision-making (including autonomous vehicles). However, the application sphere of this provision has not yet been clarified by the DPB.

Apart from the above provision, there are no specific regulations concerning profiling, automated decision-making, online monitoring or tracking, big data analysis, AI or algorithms. Therefore, the general rules apply.

Data Protection Officers (DPOs)

Unlike under the GDPR, there is no requirement to appoint a DPO for any controller, in the public or private sectors. Neither the representative nor the contact person may be considered to have the same role as the DPO in the GDPR.

The DPA published the Communique on Principles and Procedures of the Mechanism About Personnel Certification on 6 December 2021. Even though the concept of a DPO defined in this Communique seems similar to the concept of the GDPR’s DPO, the DPA announced that the DPO in the Communique has a different role.

The Union of Turkish Bar Associations requested the annulment of the Communique from the court on the grounds that, according to the Attorneys Act, only lawyers can advise on Turkish law. The approach of the court remains to be seen.

2.2 Sectoral and Special Issues

Special Categories of Personal Data

According to the DP Law, special categories of personal data are as follows:

- racial or ethnic origin;

- political opinions;

- philosophical, religious, sect or other beliefs;

- clothing and attire;

- association, foundation or trade union membership;

- health and sexual life;

- criminal convictions and security measures on individuals; and

- biometric and genetic data.

Special categories of personal data may be processed if the data subject’s explicit consent is obtained.

Except for data on health and sexual life, special categories of personal data may only be processed without the data subject’s explicit consent in the cases provided by law.

Data on health and sexual life may be processed by the persons subject to a confidentiality obligation (eg, doctors) or competent public institutions and organisations (eg, hospitals) for the following purposes:

- protection of public health;

- operation of preventative medicine;

- medical diagnosis;

- treatment and care services;

- planning and management of health services; and

- financing of healthcare services.

For the amendments on special categories of personal data see 1.8 Significant Pending Changes, Hot Topics and Issues.

In 2018, the DPB issued a resolution requiring controllers to implement additional technical and organisational measures to ensure adequate protection when special categories of data are processed, such as adopting a separate processing policy and implementing two-factor authentication for remote data access.

In 2021, the DPB published a guideline on biometric data. The guideline provides a definition of biometric data, and mentions general principles as well as technical and organisational measures in addition to those mentioned above.

In 2023, the DPA published the Genetic Data Guideline (see 1.8 Significant Pending Changes, Hot Topics and Issues). The guideline refers to additional technical and organisational measures to be taken when processing genetic data.

Problems With Processing Health Data

The above-mentioned limited legal basis for the processing of health data challenges controllers, particularly in an employment context.

In certain situations, such as absence due to sickness, occupational sickness or workplace accidents, employers need to process the health data of employees in the course of the employment relationship. In fact, the Occupational Health and Safety Law No 6331 (OHCL) requires employers to do so. However, due to limitations on the legal basis for processing health data as per the DP Law, employers can process health data only:

- via an occupational doctor, which is not always a viable option in practice; or

- by obtaining explicit consent from their employees.

However, obtaining employees’ explicit consent creates a significant problem considering explicit consent must be freely given and can be withdrawn anytime.

The amendments incorporate specific legal provisions regarding the fulfilment of legal obligations in areas such as employment, occupational health and safety, social security, social services, and social assistance, thereby addressing this issue (see 1.8 Significant Pending Changes, Hot Topics and Issues).

Employment Data

There is no detailed legislation in Türkiye except for Article 419 of the Turkish Code of Obligations (TCO), Article 75 of the Turkish Labour Law (TLL) and Article 15(5) of the OHCL, which draw the framework for employers when processing their employees’ personal data (see 2.4 Workplace Privacy). Thus, the general rules apply.

Children’s Data

Unlike under the GDPR, there is no special provision in the DP Law on the collection or processing of minors’ personal data. Only the By-Law on Health Data sets forth the parents’ right to access their child’s health data.

However, the DPB stated that personal data is strictly considered as an element of personality rights. Thus, a minor who has the power of discernment, as well as the legal representative of the minor, should be able to exercise data protection rights according to the TCiC.

The DPB imposed a fine on TikTok – among others – for failing to take necessary measures to protect children’s data. In particular, it focused on the protection of data of children under age 13, a criterion not included in the DP Law. Hence, in the authors’ view, the grounds for this decision are debatable.

Additionally, the Guideline on Practices of Cookies (the “Cookie Guideline”) advises tailoring cookie privacy notices for children-targeted websites to their comprehension level, possibly using images. Social network providers (SNPs) must offer segregated services for children as well.

Due to the lack of concrete legislation, and despite the DPB’s above-mentioned decisions and guidelines, the question as to whether minors may give consent for processing personal data without obtaining their legal representative’s approval – and, if so, which age group is considered to have the power to give consent by themselves – is not crystal clear.

It is important to note that, according to the revised Regulation on Preschool and Primary Education Institutions by the Ministry of National Education on 14 October 2023, written permission both from parents and students supervised by the school counsellor is necessary for publishing images taken during in-school and out-of-school activities.

Confidential Customer Data in the Banking Sector

Except for certain exemptions or as otherwise stipulated by law, personal data specific to banking relationships is also considered as customer secrets under Article 73 of the Banking Law. This information cannot be disclosed or transferred to third parties that are either in Türkiye or abroad, without receiving a request or explicit instruction from the customer to do so, even if the customer’s explicit consent to transfer personal data to a third party is obtained as per the DP Law. This provision is highly criticised in Turkish data protection practice.

Based on its assessment on economic security, the BRSA is authorised to:

- ban disclosing or transferring of any kind of data abroad, including customer secrets or bank secrets, to third parties; and

- order banks to keep the information systems and back-ups that are used in carrying out their activities in Türkiye (obligation of data localisation).

In addition, the Guideline on Good Practices for Personal Data Protection in the Banking Sector, published by the DPA in July 2022, refers to technical and organisational measures to be taken for transfer of customer secrets.

Insurance Data

The By-Law on the Collection, Storage and Sharing of Insurance Data defines insurance data as “all data related with insurance contracts, insurant and insurance companies’ parties of an insurance contract, insureds, beneficiaries and other third parties who directly or indirectly benefit from an insurance contract, and that consists of a basis for risk assessment”. It sets forth the principles for processing and sharing insurance data.

Internet, Streaming and Video Issues

The Law on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication No 5651 (the “Internet Law”) sets forth obligations for hosting/platform providers, content providers and access providers, such as obligations relating to the removal of unlawful content (see 1.8 Significant Pending Changes, Hot Topics and Issues, and under Social Media below).

However, the Constitutional Court has nullified certain provisions of the Internet Law, effective from 10 October 2024. If there is no legislative change by this date, natural persons and legal entities claiming that their personality rights were violated by online content will not be able to request its removal from hosting providers or apply to the Magistrates’ Court for the removal of and/or blocking of access to such content. Furthermore, decisions regarding the removal of and/or blocking of access to content related to the listed crimes specified under the law will be restricted, limited only to access-blocking measures and with administrative fines applicable solely to access providers.

Voice Telephony, Text Messaging and Content of Electronic Communications

Personal data processed in the telecommunications sector is subject to the By-Law on Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector, in line with the DP Law. However, this By-Law includes more specific provisions on traffic and location data.

Voice communications and text messages are protected under the fundamental right to privacy (Article 20) and freedom of communication (Article 22) of the Constitution. Certain types of crimes are defined in the TCrC to protect communication secrecy and private life. Only under specific and very limited circumstances, and by a judge’s or public prosecutor’s decision in the cases of peril in delay, is it permitted to intervene in private communication (see 3.1 Laws and Standards for Access to Data for Serious Crimes).

Cookies and Other Similar Technologies

Electronic Communications Law No 5809 includes a provision on cookies. However, such provision is only applicable to electronic communications service providers.

There is no specific provision on cookies under the DP Law; however, the DPA published a Cookie Guideline in June 2022.

Social Media

According to the amendments to the Press Law and Further Laws (the “Disinformation Law”), SNPs must set up a complaint mechanism in co-operation with the ICTA for the removal of hashtags and featured content. Failure to remove illegal content within four hours of notification could result in liability for SNPs.

SNPs with daily access exceeding one million must report hashtags, algorithms for featured or reduced content, advertisements, and transparency policies to the ICTA, along with measures taken to enable users to update their preferences regarding suggested content and options provided to users for limiting the use of personal data. Applicants can request content removal for personality rights violations, with these SNPs being required to respond within 48 hours.

The Disinformation Law also places other obligations on SNPs, such as data retention (see 4.4 Data Localisation Requirements).

The nullification of certain provisions of the Internet Law by the Constitutional Court may affect certain obligations imposed on SNPs under the Disinformation Law. Consequently, unless there is a legislative amendment, these obligations may cease to be valid as of 10 October 2024 (see under Internet, Streaming and Video Issues above).

There is no specific regulation regarding browsing data, viewing data, beacons, tracking technology, behavioural or targeted advertising, search engines, large online platforms and intermediary liability for user-generated content. Thus, the general provisions of the DP Law apply to processing activities that deal with such data or technologies. Nonetheless, the Draft Guideline on Loyalty Programmes places significant importance on establishing certain principles for the processing of data via location-tracking technologies.

Addressing Hate, Discrimination and Deepfake

According to the Constitution and TCrC, everyone – regardless of their language, race, nationality, skin colour, gender, political opinion, philosophical belief, religion or sect, etc – is equal before the law.

The TCrC criminalises and penalises with imprisonment certain acts which aim to incite hate and/or discrimination between persons based on language, race, nationality, skin colour, gender, disability, political opinion, philosophical belief, religion or sect, etc.

While there is no specific regulation on deepfakes, their use in criminal activities may lead to punishment. The input data for deepfakes, such as voice or images, falls under personality rights and personal data regulations, with general provisions applying in such cases.

In its Deepfake Memorandum released in January 2024, the DPA also outlined that the use of deepfake technology could lead to criminal charges.

Data Subject’s Rights

Data subjects’ rights are as follows:

- learning whether their personal data is processed or not;

- requesting information as to whether their personal data has been processed or not;

- learning the purpose(s) of the processing of their personal data and whether such personal data is used in compliance with the purpose or not;

- finding out the third parties to whom their personal data is transferred, in-country or abroad;

- requesting rectification of any incomplete or inaccurate data;

- requesting erasure or destruction of their personal data under the conditions referred to in Article 7 of the DP Law;

- requesting information about third parties to whom their personal data has been transferred;

- objecting to the occurrence of a result against themself by analysing the data processed solely through automated systems; and

- claiming compensation for the damage arising from the unlawful processing of their personal data.

Unlike under the GDPR, a data portability right is not set forth in the DP Law.

Automated Decision-Making

There is no specific regulation in the DP Law regarding profiling and automated decision-making – apart from the provision that regulates a data subject’s right to “object to the occurrence of a result against themself by analysing the data processed solely through automated systems” – nor has there been any public DPB decision on the subject.

Right to Be Forgotten

Currently, no specific legislation in Türkiye regulates the “right to be forgotten”. However, it is accepted by Constitutional Court and Court of Cassation decisions that data subjects have the right to be forgotten. Also, the DPA published an opinion on the right to be forgotten and made a resolution that outlined the criteria on exercising this right.

2.3 Online Marketing

Online marketing is governed by the Law on Regulation of Electronic Commerce No 6563 (the “E-Commerce Law”) and the By-Law on Commercial Communication and Commercial Electronic Messages (the “By-Law on Commercial Communication”), as well as by the DP Law.

According to the E-Commerce Law and the By-Law on Commercial Communication, the recipient’s prior approval must be obtained to make calls or send SMS or emails for marketing purposes (marketing communication). The DPB also seeks data subjects’ explicit consent for controllers to send push messages.

However, it is permissible to make a marketing communication without prior consent in the business-to-business (B2B) model, unless the receiver opts out.

The contents of a marketing communication must include certain identification information of the sender, as well as an option to opt out.

The Message Management System (MMS) is an online platform where receivers can manage their approvals for receiving marketing communications and withdrawals therefrom (ie, opt-outs). All senders of marketing communications must register with the MMS and upload the information regarding the approvals/withdrawals for this purpose. Any approval or withdrawal received by the sender must be uploaded to the MMS within three business days of its receipt.

The DPA has recently published a public announcement on obtaining explicit consent for electronic commercial messages during in-store shopping via SMS verification codes, which only permits the sending of such SMS after the completion of the shopping process.

There are no specific provisions for behavioural and targeted advertising under Turkish law. Therefore, the relevant processing activities are subject to general provisions of the DP Law. In this regard, based on the DPB’s approach to this matter, it may be argued that prior explicit consent of the data subjects must be obtained in order to carry out behavioural or targeted advertising.

2.4 Workplace Privacy

Privacy in the workplace is not specifically regulated in Turkish law, but can be considered within the scope of the DP Law.

There are also provisions regarding this matter in various laws, for example:

- pursuant to Article 419 of the TCO, an employer can use the personal data of their employee only to the extent that it is necessary for the employee’s employability or for the performance of the employment contract;

- pursuant to Article 75 of the TLL, an employer is obliged to use the information obtained about their employee in accordance with the rules of good faith and law, and to not disclose any information that the employee has a justified interest in keeping confidential; and

- pursuant to Article 15(5) of the OHCL, health data must be kept confidential in order to protect the private life and reputation of the employee who has undergone a medical examination.

Monitoring Workplace Communications

According to the decisions of the Constitutional Court and DPB, an employer is entitled to monitor the work computers, work mobile phones and other electronic devices which it provides to its employees, provided that it fulfils the following conditions:

- providing information to employees in advance (eg, by way of a privacy notice addressed to the employees);

- pursuing a legitimate purpose (eg, a compliance investigation based on a reasonable doubt); and

- observing the principle of proportionality (eg, if it is clear from the subject of the email/file that it is a personal email/file, it should not be opened and reviewed).

These principles shall also be applied to the implementation of cybersecurity tools, insider threat detection and prevention programmes.

Processing Special Categories of Personal Data

As a general principle for processing special categories of employees’ personal data, the explicit consent of employees must be obtained unless a justifying ground is provided by laws (see 2.2 Sectoral and Special Issues).

The DP Law amendments explicitly foresee the employment relationship as a legal ground for processing special categories of data, which can be viewed as a positive step addressing a contemporary need in the employment sphere (see 1.8 Significant Pending Changes, Hot Topics and Issues).

2.5 Enforcement and Litigation

Regulators

Under the DP Law, the DPB has extensive enforcement powers, as described in 1.3 Administration and Enforcement Process. The DPB arguably has a higher tendency for imposing administrative fines compared to its EU counterparts, especially for data breaches.

So far, the DPB has investigated and fined several national and international companies, including Marriott International Inc, Facebook, Amazon Türkiye, WhatsApp and TikTok.

The DP Law outlines four types of violations, with the administrative fine amounts for these violations subject to annual adjustment. At the time of writing in 2024:

- failure to inform data subjects of processing activities may be subject to an administrative fine of TRY47,303 to TRY946,308;

- failure to take the necessary technical and organisational measures (interpreted very broadly and including unlawful data transfer abroad, breach of fundamental principles) may be subject to an administrative fine of TRY141,934 to TRY9,463,213;

- failure to comply with the decisions issued by the DPB may be subject to an administrative fine of TRY236,557 to TRY9,463,213; and

- failure to comply with the obligation to register with VERBIS and failure to submit information to VERBIS may be subject to an administrative fine of TRY189,245 to TRY9,463,213.

The DP Law Amendments introduced a new administrative fine. Failure to notify the DPB within five business days following the signature of the SCCs by either controller or processor results in an administrative fine ranging from TRY50,000 to TRY1,000,000 (see 1.8 Significant Pending Changes, Hot Topics and Issues). Unlike other failures stipulated in the DP Law, where only the controller is responsible, for this failure both controller and processor will be liable.

The highest fine issued by the DPB to date is TRY2.65 million, separately imposed on WhatsApp and Meta.

The DPB is also entitled to decide to cease certain data-processing activities or personal data transfers (see 1.3 Administration and Enforcement Process). The DPB is known to sporadically exercise its enforcement authority.

Criminal Sanctions

There are also criminal sanctions regulated under the TCrC, as follows:

- unlawful recording of personal data is subject to imprisonment of one to three years;

- unlawful transfer, publication or acquisition of personal data is subject to imprisonment of two to four years – if these are realised by exploiting the advantages of a profession or art, such actions are subject to imprisonment of three to six years; and

- failure to destroy personal data after the retention period set forth in the law has passed is subject to imprisonment of two to six years.

The investigation may commence without the need for any complaint – ie, ex officio by public prosecutors. However, there is no established jurisprudence on how criminal sanctions will be harmonised with the DP Law.

Private Litigation

The right to seek compensation is clearly stated as one of the data subject’s rights under the DP Law.

Moreover, as per the TCiC and the TCO, data subjects can seek compensation and ask courts to:

- prevent a threatened infringement;

- cease an existing infringement; and

- make a declaration that an infringement is unlawful.

A controller is jointly liable for the lack of technical and organisational measures which must be taken by the processor, from a civil law perspective.

There is no concept of class action under the Turkish legal system.


* Originally published by Chambers & Partners on 13 February 2024.
