Turkish Law Blog

Data Protection in Turkey

Nihan Akkaş / NAZALI Tax and Legal Services
09 May, 2019

This chapter covers the legal history of data protection in Turkey. It also analyses the data protection law that came into force in 2006, along with specific information about it.

1. Legal History of Turkish Personal Data Protection Law

The history of data protection in Turkey began with the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Although Turkey signed the convention on 28 January 1981, the confirmation was not concluded until 30 January 2016.[1] However, in the absence of a specific data protection act in Turkey, the Constitution and certain other legislation contained provisions on data protection.[2]

Firstly, the protection of personal data is set out in paragraph 3 of Article 20 of the Turkish Constitution.[3] After the constitutional referendum in Turkey, this provision was added to Article 20 by Act No. 5982. Accordingly, individuals have a constitutional right to request the protection of their personal data.

In 2014, the first provisions on the protection of personal data appeared in the Turkish Criminal Code No. 5237. Articles 135[4], 136[5] and 138[6] cover, respectively, the unlawful recording of personal and sensitive personal data, the unlawful sharing and acquiring of personal data, and the failure to destroy personal data.

In addition, the Turkish Civil Code No. 4721 contains provisions on freedoms and the protection of personal rights. Accordingly, Articles 23[7], 24[8] and 25[9] cover the protection of personal rights, the right to seek protection and the right to sue.

Along with the Turkish Civil Code, Article 419 of the Turkish Code of Obligations No. 4721 obliges employers to protect personal data concerning their employees' qualifications and performance. Moreover, under Article 75[10] of the Turkish Labour Act No. 4857, employers may only manage employees' record data within the scope of the employment contract and relationship.

Finally, on 7 April 2016 the Protection of Personal Data Law No. 6698 came into force in Turkey upon publication in the Official Gazette.[11] This main law, which is specific to personal data protection, follows the provisions and legal framework of Directive 95/46/EC.[12]

2. Turkish Personal Data Protection Law No: 6698

2.1. Purpose and the Scope

According to Article 1 of Law No: 6698, the goal of the act is to protect individuals' right to privacy with regard to the processing of their personal data. In addition, the act aims to set out the liabilities and principles applying to those who process personal data.[13] The aim stated in the article is in line with Article 20 of the Constitution, which is briefly explained above.[14]

Article 2 sets out the scope of the act. According to Article 2, the Law applies to individuals who process personal data and to individuals whose personal data are processed. Moreover, the Law applies only if the processing of personal data is carried out manually or automatically, on the condition that it is part of a filing system.[15]

2.2. Understanding the Key Definitions

2.2.1. Personal Data

Under Article 3 of the Law, personal data is defined as any information relating to an identified or identifiable natural person.[16] Accordingly, information that allows an individual to be identified with certainty, such as name, surname, date of birth and birthplace, as well as family, physical, social and economic information, should also be considered personal data.[17] In addition, according to the preamble to this definition, an individual's name, vehicle registration plate number, phone number, passport and social security numbers, photo, image, video records, curriculum vitae, genetic data and fingerprints are also regarded as personal information, since all of this information can identify an individual.[18]

2.2.2. Processing of Personal Data

According to Article 3, data processing comprises operations such as recording, storing, transferring or blocking the use of data, in part or as a whole, provided that it is part of a filing system.[19] In addition, as stated in the preamble, the processing of personal data covers any operation performed on personal data, in addition to obtaining the personal data.[20]

2.2.3. Explicit Consent

Article 3 of the Law defines explicit consent as consent that is given freely, specifically and on the basis of information.[21] Under most regulations, obtaining the individual's consent is essential before collecting, storing and processing their personal data. Obtaining the individual's explicit consent is therefore important for compliance with the law.[22]

2.2.4. Filing System

The definition of Filing System under the Law is any recording system where personal data is processed by structuring according to certain criteria.[23] It can be either manual or electronic according to the preamble.[24]

2.2.5. Data Controller and Data Processor

Accordingly, data controllers determine the means and purposes of processing personal data. In addition, the data controller is responsible for establishing and managing filing systems.[25]

Data processors are the natural or legal persons who process personal data on behalf of data controllers.[26]

These definitions under the Turkish Personal Data Protection Law are similar to those in the GDPR. However, whilst the data processor and the data controller share liability for personal data breaches under the GDPR, under the Turkish Personal Data Protection Law only the data controller is responsible for administrative fines and for the obligation to register with the Data Controller’s Registry. In addition, as mentioned in Chapter 4, whilst under the GDPR the data processor needs to obtain the explicit consent of the data controller before engaging a sub-processor, Turkish Law contains no provision imposing such an obligation on data processors.

2.3. General Principles

The general principles are regulated under Article 4 of the Act, which sets out five principles.

Accordingly, personal data must be:

  • “processed fairly and must be lawful,
  • accurate and, where necessary, kept up to date,
  • collected for specified, explicit and legitimate purposes,
  • adequate, relevant and not excessive in relation to the purposes for which they are processed,
  • stored for no longer than is necessary for the purposes for which the data was collected or the time designated by relevant law.”[27]

2.4. Rights of the Individuals and Duties of the Data Controller

Article 10 of the Act requires the data controller to inform the data subjects whose personal data are being processed of the purposes for which the data are intended to be processed, the recipients of the data, and the means and legal basis of the data collection.[28] The data controller must also take the measures required to secure personal data against unlawful processing and unauthorised access.[29]

Article 11 sets out certain rights for data subjects. They are:

(a) Learn whether or not her/his personal data have been processed;

(b) Learn the purpose of the processing of the personal data and whether data are used in accordance with their purpose;

(c) Know the third parties in the country or abroad to whom personal data have been transferred;

(d) Request rectification in case personal data are processed incompletely or inaccurately;

(e) Request deletion or destruction of personal data within the framework of the conditions set forth under article 7[30];

(f) Request notification of the operations made as per indents (d) and (e) to third parties to whom personal data have been transferred;

(g) Object to occurrence of any result that is to her/his detriment by means of the analysis of personal data exclusively through automated systems;

(h) Request compensation for the damages in case the person incurs damages due to the unlawful processing of personal data. [31]

As can clearly be seen, the rights given to data subjects under Turkish Law are similar to those under the GDPR. However, unlike the GDPR, Turkish Law does not provide for the right of access or the right to data portability.

2.5. Personal Data Transfers

Articles 8 and 9 of the Act govern the transfer of personal data to third parties and transfers outside Turkey.[32] Accordingly, personal data shall not be transferred without the data subject's explicit consent. However, there are some exemptions under both articles. For transfers to third parties, the Law provides that the consent of the data subject is not necessary if the transfer is required by law or the data is public. In addition, consent is not required if the transferee country has sufficient protection or, where the transferee country does not have sufficient protection, if the data controller gives a written security undertaking and the Board grants permission.[33] Thus, given the exemptions in these Articles, it would not be wrong to say that personal data is not protected in a guaranteed way.

3. Problematic Points of the Data Protection under Law No: 6698. Does This Act Meet the Expectations?

It is clear that the Law on the Protection of Personal Data opened a new era for all individuals and entities in Turkey. The act is an important step for Turkey because it is the country's first specific data protection law. However, there are some controversial issues that should be mentioned.

Firstly, as briefly explained before, the Turkish Data Protection Law is a long-awaited law that took almost three decades to come into force. Although the principles of this Act follow those of EU Directive 95/46/EC, which was replaced by the GDPR in May 2018, and the Act could be considered satisfactory as a legal system for personal data protection, it does not reflect the GDPR, which is explained in detail in Chapter 4. The Act lags behind new technological developments. In other words, it will be outdated in the near future, whereas the principles under the GDPR and the DPA 2018 keep pace with new developments in technology.

Secondly, according to Article 28(1)(c)[34], the Law does not apply if personal data are processed for the purposes of national security, public safety, public order, economic safety and national defence. This provision gives institutions very broad authority without their having to follow the provisions on the protection of personal data. In addition, Articles 17[35] and 18[36] of the Act set out the crimes and misdemeanours. Accordingly, the provisions under both articles do not give any permission to public authorities. With regard to the principle of criminal responsibility, although contraveners may be penalised under the Turkish Criminal Code and within the scope of the Act, there is no administrative fine for public authorities. Because public authorities collect and process a huge amount of personal data, provisions on administrative fines for public authorities should be included in the Act.[37]

Another problematic point can be found in Article 6, which sets out the conditions for processing special categories of personal data. It also defines such data as including information about religious beliefs, sect, appearance and dress. This approach, which treats information about sect and dress as special category personal data, is not found in any other country.[38] In addition, Article 6(4) provides that the defined special categories of personal data may be processed if the adequate measures designated by the Board are taken.[39] However, in light of Article 135(2) of the Criminal Code, these provisions of Article 6 may be seen as an exemption. According to Article 135(2) of the Turkish Criminal Code:

“political, philosophical or religious concepts of individuals, or personal information relating to their racial origins, ethical tendencies, health conditions or connections with syndicates.”[40]

In addition, under Article 6(3), the processing of sensitive personal data by persons under an obligation of secrecy or by authorized institutions and organizations is one of the exemptions under which the explicit consent of the data subject is not necessary. As the intelligence and security units could be considered persons under an obligation of secrecy[41], the article also confirms a high level of risk for sensitive personal data with regard to blacklisting concerns.

Lastly, according to Article 9, if the interests of Turkey or of the data subject are at stake, the Board has to approve the transfer of the personal data after obtaining the opinion of the relevant body. The provision is very wide in scope, and it does not set any criteria for determining serious harm to those interests. The provisions of this Article should also be updated, as this might be a serious issue for both individuals and organizations.


Bibliography

İbrahim Korkmaz, “Kişisel Verilerin Korunması Kanunu Hakkında Bir Değerlendirme” (2016) 124 Türkiye Barolar Birliği Dergisi, http://tbbdergisi.barobirlik.org.tr/m2016-124-1571 accessed 14/08/2018.

Hande Hancar Celik, Ozan Karaduman, “The New Personal Data Protection Law in Turkey”, https://uk.practicallaw.thomsonreuters.com/4-631-1678?transitionType=Default&contextData=(sc.Default)&firstPage=true&comp=pluk&bhcp=1.

Constitution of the Republic of Turkey, https://global.tbmm.gov.tr/docs/constitution_en.pdf

Turkish Criminal Code.

Turkish Civil Code.

Burak Ozdagistanli, Ozdagistanli Ekici, “Data Protection In Turkey”, https://uk.practicallaw.thomsonreuters.com/7-520-1896?transitionType=Default&contextData=(sc.Default).

Law no:6698 on Protection of Personal Data, Article 3, https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/.

Burcu Tuzcu Ersin and A. Ülkü Solak, “Turkey Completes Final Step In Approving Data Protection Legislation” (Moroğlu Arseven, 2016) https://morogluarseven.com/news/turkey-completes-final-step-approving-data-protection-legislation

Faruk Çayır, “Kişisel Verilerin Korunması Kanununa İlişkin Değerlendirme”, https://yenimedya.wordpress.com/2016/04/27/kisisel-verilerin-korunmasi-kanuna-iliskin-degerlendirme/

Gökhan Uğur Balcı, “Kişisel Veri Ne Anlama Geliyor? Neden Kişisel Verilerin Korunması Çok Önemli?”, http://www.eticarethukuku.com/14-soruda-kisisel-verilerin-korunmasi-kanunu

İktisadi Kalkınma Vakfı, “Türkiye'de Ve AB'de Kişisel Verilerin Korunması” (Dünya Yayıncılık 2015), http://www.verigazeteciligi.com/wp-content/uploads/2015/12/T%C3%BCrkiyede-ve-ABde-Ki%C5%9Fisel-Verilerin-Korunmas%C4%B1.pdf


[1] İbrahim Korkmaz, “Kişisel Verilerin Korunması Kanunu Hakkında Bir Değerlendirme” (2016) 124 Türkiye Barolar Birliği Dergisi, http://tbbdergisi.barobirlik.org.tr/m2016-124-1571 accessed 14/08/2018

[2] Hande Hancar Celik, Ozan Karaduman, “The New Personal Data Protection Law in Turkey” https://uk.practicallaw.thomsonreuters.com/4-631-1678?transitionType=Default&contextData=(sc.Default)&firstPage=true&comp=pluk&bhcp=1 accessed 14/08/2018

[3] Constitution of the Republic of Turkey, Privacy of private life Article 20, https://global.tbmm.gov.tr/docs/constitution_en.pdf accessed 22 September 2018.

[4] Turkish Criminal Code, Recording of personal data Art (135),  http://www.wipo.int/edocs/lexdocs/laws/en/tr/tr171en.pdf accessed 22 September 2018.

[5] Turkish Criminal Code, Recording of personal data Art (136),  http://www.wipo.int/edocs/lexdocs/laws/en/tr/tr171en.pdf accessed 22 September 2018

[6] Turkish Criminal Code, Recording of personal data Art (138),  http://www.wipo.int/edocs/lexdocs/laws/en/tr/tr171en.pdf accessed 22 September 2018

[7] Turkish Civil Code, Against waiver and extreme registration Article 23, https://www.tusev.org.tr/usrfiles/files/Turkish_Civil_Code.pdf accessed 22 September 2018.

[8] Turkish Civil Code, Against Assault Basic Principles  Article 24, https://www.tusev.org.tr/usrfiles/files/Turkish_Civil_Code.pdf accessed 22 September 2018.

[9] Turkish Civil Code, Lawsuits Article 25, https://www.tusev.org.tr/usrfiles/files/Turkish_Civil_Code.pdf accessed 22 September 2018.

[10] Turkish Labour Act, Personnel File of the employee Article 75, https://www.ilo.org/dyn/natlex/docs/ELECTRONIC/64083/77276%20/%20F75317864/TUR64083%20English.pdf accessed 22 September 2018.

[11] Hande Hancar Celik, Ozan Karaduman, “The New Personal Data Protection Law in Turkey” https://uk.practicallaw.thomsonreuters.com/4-631-1678?transitionType=Default&contextData=(sc.Default)&firstPage=true&comp=pluk&bhcp=1 accessed 14/08/2018

[12] Burak Ozdagistanli, Ozdagistanli Ekici, “Data Protection In Turkey”, https://uk.practicallaw.thomsonreuters.com/7-520-1896?transitionType=Default&contextData=(sc.Default) accessed 14/08/2018

[13] İbrahim Korkmaz, 'Kişisel Verilerin Korunması Kanunu Hakkında Bir Değerlendirme' (2016) 124 Türkiye Barolar Birliği Dergisi <http://tbbdergisi.barobirlik.org.tr/m2016-124-1571> accessed 15 August 2018.

[14] Ibid.

[15] Ibid.

[16] Law no:6698 on Protection of Personal Data, Article 3, https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/ accessed 22 September 2018.

[17] İbrahim Korkmaz, 'Kişisel Verilerin Korunması Kanunu Hakkında Bir Değerlendirme' (2016) 124 Türkiye Barolar Birliği Dergisi <http://tbbdergisi.barobirlik.org.tr/m2016-124-1571> accessed 15/08/2018 p.92.

[18] Ibid.

[19] Law no:6698 on Protection of Personal Data, Article 3, https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/ 22 September 2018.

[20] İbrahim Korkmaz, 'Kişisel Verilerin Korunması Kanunu Hakkında Bir Değerlendirme' (2016) 124 Türkiye Barolar Birliği Dergisi <http://tbbdergisi.barobirlik.org.tr/m2016-124-1571> accessed 15/08/2018 p.95

[21] Law no: 6698 on Protection of Personal Data, Article 3, https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/ accessed 22 September 2018.

[22] Ibid.

[23] Law no:6698 on Protection of Personal Data, Article 3, https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/ 22 September 2018.

[24] İbrahim Korkmaz, 'Kişisel Verilerin Korunması Kanunu Hakkında Bir Değerlendirme' (2016) 124 Türkiye Barolar Birliği Dergisi <http://tbbdergisi.barobirlik.org.tr/m2016-124-1571> accessed 15/08/2018 p.96.

[25]

[26] Ibid.

[27] Arzu Sema Çakmak, “Turkey: First Personal Data Protection Act In Force” (schunner 2016) https://www.schoenherr.eu/uploads/tx_news/LI_TU_First_Personal_Data_Protection_Act_in_force.pdf accessed 15/08/2018.

[28] Ibid.

[29] Ibid.

[30] Law no:6698 on Protection of Personal Data, Article 7, https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/ 22 September 2018

[31] Law no:6698 on Protection of Personal Data, Article 11 [unofficial translation from Yusuf Mansur Özer, “Turkish Law On The Protection Of Personal Data No. 6698” (Kişisel Verilerin Korunması, 2016) <http://www.kisiselverilerinkorunmasi.org/ingilizce-ceviri/> accessed 17 August 2018]

[32] Law no:6698 on Protection of Personal Data, Articles 8 and 9, https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/ accessed 22 September 2018.

[33] Burcu Tuzcu Ersin and A. Ülkü Solak, “Turkey Completes Final Step In Approving Data Protection Legislation” (Moroğlu Arseven, 2016) https://morogluarseven.com/news/turkey-completes-final-step-approving-data-protection-legislation accessed 17 August 2018

[34] Law no:6698 on Protection of Personal Data, Article 28(1)(c)  https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/ accessed 22 September 2018.

[35] Law no:6698 on Protection of Personal Data, Article 7. https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/ accessed 22 September 2018.

[36] Law no:6698 on Protection of Personal Data, Article 8. https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/ accessed 22 September 2018

[37] Faruk Çayır, “Kişisel Verilerin Korunması Kanununa İlişkin Değerlendirme” <https://yenimedya.wordpress.com/2016/04/27/kisisel-verilerin-korunmasi-kanuna-iliskin-degerlendirme/> accessed 17 August 2016.

[38] Gökhan Uğur Balcı, 'Kişisel Veri Ne Anlama Geliyor? Neden Kişisel Verilerin Korunması Çok Önemli?' http://www.eticarethukuku.com/14-soruda-kisisel-verilerin-korunmasi-kanunu accessed 17 September 2018.

[39] Law no: 6698 on Protection of Personal Data, Article 6(4) https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/ accessed 22 September 2018.

[40] Turkish Criminal Code Article 135(2) http://www.wipo.int/edocs/lexdocs/laws/en/tr/tr171en.pdf accessed 22 September 2018.

[41] İktisadi Kalkınma Vakfı, “Türkiye'de Ve AB'de Kişisel Verilerin Korunması”(Dünya Yayıncılık 2015) http://www.verigazeteciligi.com/wp-content/uploads/2015/12/T%C3%BCrkiyede-ve-ABde-Ki%C5%9Fisel-Verilerin-Korunmas%C4%B1.pdf accessed 17 September 2018.
