Until very recently, Turkey did not have speciic legislation governing protection of personal data. The situation has changed upon the enactment of the Data Protection Law. The Data Protection Law has introduced solid principles of data protection in Turkey that are in line with compatible principles of European Union regulations. The Data Protection Law aims to protect fundamental rights and regulate the transfer, processing and storage of personal data. It applies to individuals whose personal data are processed and to individuals or legal entities who process personal data wholly or partially through automatic means or through non-automatic means, provided that the process is a part of a data registry system.

In principle, pursuant to the Data Protection Law, personal data cannot be processed or transferred (domestically or abroad) without the explicit consent of the data subject. The exceptions to this rule are in line with, but more broadly drafted than the relevant regulation of the European Union on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The Data Protection Law classiies certain data as “sensitive personal data” which includes biometric and genetic data of individuals together with data regarding their race, ethnic background, philosophical and political view, religion, union ailiations, health and/or sexual life. The major diference between personal data and sensitive personal data is that the general exceptions to the prohibition on processing personal data under the Data Protection Law do not apply to certain types of sensitive personal data (such as personal date related to health and sexual life) and consequently such sensitive personal data can only be processed upon the data subject’s explicit consent or only for the purpose of the protection of public health, rendering preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and inancing.

The Data Protection Authority has been established in order to supervise implementation of the Data Protection Law and publish its secondary legislation. Data controllers either individuals or legal entities, (i) residing abroad or (ii) who employ more than 50 employees annually or (iii) have an annual balance-sheet total exceeding 25,000,000 TRY have to register to the data controllers registry by 30 September 2019. Turkish residents which do not meet this threshold are not subject to such registry obligation, unless they process sensitive personal data, data controllers registry will include the identity of data processor, the purpose of processing, receiver groups to which personal data are transferred, personal data considered to be transferred to foreign countries, measures taken for personal data security, and the maximum time for personal data to be stored. The Regulation on the Data Controller Registry has exempted public notaries, associations, foundations and workers’ unions (established per relevant laws and providing that the respective legal entity only processes data limited to their scope of activities), attorneys and certiied public accountants and sworn-in certiied public accountants from the obligation to register.

Following registration, data processors must ensure that processed data is collected for speciied, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Within this context, while processing personal data the data controller must hold an inventory, which includes the details of data processing with a company policy covering how and when the personal data, retained by the data controller will be destroyed.

Legal entities residing abroad must appoint a representative authorized to communicate with the Data Protection Authority and notify necessary information during registration.

Additionally, the data subject must be informed of the identity of the controller; the purpose of the data processing; third parties to whom the data may be transferred and the purpose of such transfer; the methods and legal reasons for collection of personal data; and data subject’s rights.

Data subjects have the right to apply to data controller to:

(i) learn whether their personal data are processed;

(ii) request information if their personal data are processed;

(iii) learn the purpose of the processing of their personal data and whether this data is used for intended purposes;

(iv) know who the third parties are to whom their personal data is transferred within Turkey or abroad;

(v) request rectiication of incomplete and inaccurate data;

(vi) request the deletion or destruction of personal data under certain conditions;

(vii) request notiication of their requests and actions taken in relation to (e) and (f) to whom personal data have been transferred;

(viii) object to the processing, exclusively by automatic means, of their personal data, which leads to an unfavourable consequence for data subject; or

(ix) request compensation for damages arising from the unlawful processing of their personal data.

Non-compliance with the aforesaid principles and procedure may lead to a monetary ine of up to TRY 1,000,000 and a custodial sentence from 1 to 4 years.

Finally, the Data Protection Law does not apply to data processing:

(i) by data subjects concerning their purely personal activities or those of family members living in the same dwelling, provided that the data are not disclosed to third parties and data security obligations are complied with.

(ii) for oicial statistical and planning purposes after anonymization.

(iii) for artistic, historical, literary, and scientiic purposes, or within the scope of freedom of expression without violating national defence, national security, public security, public order, economic security, the right to privacy or personal rights, or without constituting a crime.

(iv) within the scope of preventive, protective and intelligence activities carried out by authorised public institutions and organizations.

(v) by judicial/execution authorities in the context of investigation, prosecution, criminal and execution proceedings