Personal Data Protection
PURPOSE, SCOPE, AND DEFINITIONS
ARTICLE 1 –
(1) The purpose of this Law is to protect the fundamental rights and freedoms of persons, privacy of personal life in particular, while personal data are processed, and to set forth obligations of natural and legal persons who process personal data and procedures and principles to comply with for the same.
ARTICLE 2 –
(1) The provisions of this Law shall apply to natural persons whose personal data are processed and natural or legal persons who process such data wholly or partly by automatic means or otherwise than by automatic means which form part of a filing system.
ARTICLE 3 –
(1) In the application of this Law, the terms used herein shall have the following meanings:
a) Explicit Consent: Freely given specific and informed consent;
b) Anonymization: Rendering personal data incapable of being associated with an identified or identifiable natural person, even by linking with other data;
c) President: President of the Board of Protection of Personal Data;
ç) Data subject: Natural person whose personal data are processed;
d) Personal Data: Any information relating to an identified or identifiable natural person;
e) Processing of personal data: Any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system;
f) Board: The Board of Protection of Personal Data;
g) Authority: The Authority of Protection of Personal Data;
ğ) Data processor: Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller;
h) Filing system: Any recording system through which personal data are processed by structuring according to specific criteria;
ı) Data controller: Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.
PROCESSING OF PERSONAL DATA
ARTICLE 4 –
(1) Personal data shall only be processed in accordance with the procedures and principles set forth by this Law or other laws.
(2) The below principles shall be complied with when processing personal data:
a) Being in conformity with the law and good faith;
b) Being accurate and if necessary, up to date;
c) Being processed for specified, explicit, and legitimate purposes;
ç) Being relevant, limited and proportionate to the purposes for which data are processed;
d) Being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.
Conditions for Processing of Personal Data
ARTICLE 5 –
(1) Personal data shall not be processed without obtaining the explicit consent of the data subject.
(2) Personal data may be processed without obtaining the explicit consent of the data subject if one of the below conditions exists:
a) It is expressly permitted by any law;
b) It is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
c) It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;
ç) It is necessary for compliance with a legal obligation which the controller is subject to;
d) The relevant information is revealed to the public by the data subject herself/himself;
e) It is necessary for the institution, usage, or protection of a right;
f) It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
Conditions for Processing of Special Categories of Personal Data
ARTICLE 6 –
(1) Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data.
(2) It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject.
(3) Personal data indicated in paragraph 1, other than personal data relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject if processing is permitted by any law. Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.
(4) It is additionally required to take the adequate measures designated by the Board when special categories of personal data are processed.
Deletion, Destruction, and Anonymization of Personal Data
ARTICLE 7 –
(1) Personal data that are processed in accordance with this Law or other relevant laws shall be deleted, destroyed or anonymized, either ex officio or upon request by the data subject, in case the reasons necessitating their processing cease to exist.
(2) Provisions of other laws relating to deletion, destruction, and anonymization of personal data are reserved.
(3) Procedures and principles relating to deletion, destruction and anonymization of personal data shall be set forth by a regulation.
Transfer of Personal Data
ARTICLE 8 –
(1) Personal data shall not be transferred without obtaining the explicit consent of the data subject.
(2) Personal data may be transferred without obtaining the explicit consent of the data subject if one of the conditions set forth under the following exists:
a) The second paragraph of article 5,
b) On the condition that adequate measures are taken, the third paragraph of article 6.
(3) Provisions of other laws relating to the transfer of personal data are reserved.
Transfer of Personal Data Abroad
ARTICLE 9 –
(1) Personal data shall not be transferred abroad without obtaining the explicit consent of the data subject.
(2) Personal data may be transferred abroad without obtaining the explicit consent of the data subject if one of the conditions set forth in the second paragraph of article 5 or third paragraph of article 6 is present and
a) If the foreign country to whom personal data will be transferred has an adequate level of protection,
b) In case there is not an adequate level of protection, if the data controllers in Turkey and abroad commit, in writing, to provide an adequate level of protection and the permission of the Board exists.
(3) The countries where an adequate level of protection exist shall be declared by the Board.
(4) The Board shall decide whether there is adequate level of protection in a foreign country and whether approval will be granted in terms of indent (b) of the second paragraph by evaluating
a) The international agreements to which Turkey is a party,
b) Reciprocality regarding transfer of personal data between the country requesting personal data and Turkey,
c) With regard to each present transfer of personal data, nature of personal data and purpose of processing and retention,
ç) Relevant legislation and practice of the country to whom personal data will be transferred,
d) Measures committed by the data controller in the country to whom personal data will be transferred
and if it requires, by obtaining the opinion of relevant public institutions and organizations.
(5) Save for the provisions of international agreements, in cases where interests of Turkey or the data subject will be seriously harmed, personal data shall only be transferred abroad upon the approval of the Board by obtaining the opinion of relevant public institutions and organizations.
(6) Provisions of other laws relating to the transfer of personal data abroad are reserved.
RIGHTS AND OBLIGATIONS
Data Controller’s Obligation to Inform
ARTICLE 10 –
(1) Data controller or the person it authorized is obligated to inform the data subjects while collecting the personal data with regard to
a) The identity of the data controller and if any, its representative,
b) The purposes for which personal data will be processed,
c) The persons to whom processed personal data might be transferred and the purposes for the same,
ç) The method and legal cause of collection of personal data,
d) The rights set forth under article 11.
Rights of Data Subject
ARTICLE 11 –
(1) Everyone, in connection with herself/himself, has the right to;
a) Learn whether or not her/his personal data have been processed;
b) Request information as to processing if her/his data have been processed;
c) Learn the purpose of processing of the personal data and whether data are used in accordance with their purpose;
ç) Know the third parties in the country or abroad to whom personal data have been transferred;
d) Request rectification in case personal data are processed incompletely or inaccurately;
e) Request deletion or destruction of personal data within the framework of the conditions set forth under article 7;
f) Request notification of the operations made as per indents (d) and (e) to third parties to whom personal data have been transferred;
g) Object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems;
ğ) Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data
by applying to the data controller.
Obligations Regarding Data Security
ARTICLE 12 –
(1) Data controller shall take all necessary technical and organizational measures for providing an appropriate level of security in order to
a) Prevent unlawful processing of personal data,
b) Prevent unlawful access to personal data,
c) Safeguard personal data.
(2) In case personal data are processed on behalf of the data controller by another natural or legal person, the data controller shall be jointly liable with such persons with regard to taking the measures set forth in the first paragraph.
(3) The data controller is obligated to carry out or have carried out necessary inspections within his institution and organization in order to ensure implementation of the provisions of this Law.
(4) The data controller and persons who process data shall not disclose or misuse, contrary to the provisions of this Law, personal data they have learned. This obligation shall continue after leaving office.
(5) In case processed personal data are acquired by others through unlawful means, the data controller shall notify the data subject and the Board of such situation as soon as possible. The Board, if necessary, may declare such situation on its website or by other means which it deems appropriate.
APPLICATION, COMPLAINT, DATA CONTROLLERS’ REGISTRY
Application to Data Controller
ARTICLE 13 –
(1) The data subject shall convey her/his requests relating to the enforcement of this Law to the data controller in writing or by other means designated by the Board.
(2) The data controller shall conclude the requests included in the application free of charge and as soon as possible considering the nature of the request and within 30 days at the latest. However, in case the operation necessitates a separate cost, the fee in the tariff designated by the Board may be collected.
(3) The data controller shall accept the request or reject it by explaining the reason, and notify the data subject of its reply in writing or electronically. In case the request included in the application is accepted, it shall be fulfilled by the data controller accordingly. In case the request results from the fault of the data controller, the collected fee shall be returned to the data subject.
Complaint to the Board
ARTICLE 14 –
(1) In case the application is rejected, replied to insufficiently, or not replied to in due time, the data subject may file a complaint with the Board within 30 days following the date he/she learns of the reply of the data controller and, in any event, within 60 days following the date of application.
(2) The complaint remedy cannot be resorted to without exhausting the application remedy set forth under article 13.
(3) Compensation rights of the ones whose personal rights are violated are reserved.
Procedures and Principles of Inspection Ex Officio or upon Complaint
ARTICLE 15 –
(1) The Board shall conduct necessary inspection within the scope of its remit either ex officio in case it learns the allegation of a violation or upon complaint.
(2) Notices and complaints which do not meet the conditions set forth under article 6 of the Law on the Exercise of the Right to Petition numbered 3071 and dated 1/11/1984 shall not be inspected.
(3) Except for the information and documents that constitute state secrets; data controller shall submit the information and documents requested by the Board related to its subject of inspection in 15 days and if necessary, provide for examining on-site.
(4) Upon complaint, the Board inspects the request and replies to those concerned. If no reply is given within sixty days following the date of the complaint, the request shall be deemed to be rejected.
(5) As a result of the inspection conducted either ex officio or upon complaint, in case it is understood that a violation exists, the Board decides that the illegalities it identified shall be eliminated by the data controller and serves it to those concerned. This decision shall be fulfilled accordingly without delay and within 30 days at the latest as from the notice.
(6) As a result of the inspection conducted either ex officio or upon complaint, in case it is determined that the violation is prevalent, the Board shall adopt a resolution and publish it. The Board, if necessary before adopting the resolution, may obtain the opinion of relevant public institutions and organizations.
(7) In case serious or irreparable losses occur and illegality clearly exists, the Board may decide processing of data or transfer of data abroad to be ceased.
Data Controllers’ Registry
ARTICLE 16 –
(1) Under the supervision of the Board, Data Controllers Registry shall be kept by the Presidency in a publicly available manner.
(2) Natural or legal persons who process personal data shall register with the Data Controllers Registry prior to commencing processing. However, considering objective criteria that shall be designated by the Board such as the characteristics and the number of data to be processed, whether or not data processing is based on any law, or whether data will be transferred to third parties, the Board may set forth exemptions to the obligation to register with the Data Controllers Registry.
(3) Registry application to the Data Controllers Registry shall be made with a notification including the following matters:
a) Identity and address information of the data controller and of the representative thereof, if any.
b) The purposes for which personal data will be processed.
c) The group or groups of persons subject to the data and explanations regarding data categories belonging to these persons.
ç) Recipient or groups of recipients to whom personal data may be transferred.
d) Personal data which is envisaged to be transferred abroad.
e) Measures taken for the security of personal data.
f) The maximum period of time necessitated by the purposes for which personal data are processed.
(4) Changes to the information provided as per the third paragraph shall be immediately reported to the Board.
(5) Other procedures and principles relating to the Data Controllers Registry shall be regulated by a regulation.
CRIMES AND MISDEMEANOURS
ARTICLE 17 –
(1) With respect to crimes relating to personal data, provisions of articles 135 to 140 of Turkish Criminal Code dated 26/9/2004 and numbered 5237 shall apply.
(2) Ones who do not delete or anonymize personal data contrary to article 7 of this Law shall be punished in accordance with article 138 of the Law numbered 5237.
ARTICLE 18 –
(1) To the ones who do not fulfil
a) Obligation to inform stipulated in article 10 of this Law, an administrative fine of 5.000 Turkish liras to 100.000 Turkish liras;
b) Obligations regarding data security stipulated in article 12 of this Law, an administrative fine of 15.000 Turkish liras to 1.000.000 Turkish liras;
c) Decisions of the Board as per article 15 of this Law, an administrative fine of 25.000 Turkish liras to 1.000.000 Turkish liras;
ç) Obligation to register with the Data Controllers Registry and notification stipulated by article 16 of this Law, an administrative fine of 20.000 Turkish liras to 1.000.000 Turkish liras
shall be imposed.
(2) Administrative fines envisaged by this article shall apply to natural persons and private law legal persons who are data controllers.
(3) In case the acts listed in the first paragraph are conducted within public institutions and organizations or professional organizations with public institution status, upon notification of the Board, disciplinary action shall be taken with regard to the officers and other public officials who serve under the relevant public institution or organization and the ones who serve under the professional organizations with public institution status, and the result shall be reported to the Board.