By virtue of Turkey’ s obligation to align its legislation with the EU Acquis, the long awaited Law on Protection of Personal Data (the “Law”) drafted in line with the Directive 95/46/EC (dated 24 October 1995) on the protection of individuals with regard to the processing of personal data and on the free movement of such data was finally enacted by the Turkish Parliament on 24 March 2016 and entered into force on April 7, 2016.
In accordance with the Article 32 of the Law, articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 shall enter into force after six months following the date of publication. Other articles shall enter into force on the date of publication. Therefore, it is highly significant to take necessary measures to comply with the Law regarding aforementioned articles before October 7, 2016.
Purpose and Scope of the Law
As defined in Article 1, the purpose of the Law is to protect the fundamental rights and freedoms of persons, notably their right to privacy and to regulate the obligations of natural or legal person which processes personal data and set forth the procedures and principles which they shall comply with while data processing.
As a quick glance at Article 2 which determines the “scope of the Law”, the provisions of the Law are only applicable to natural persons whose personal data are processed. In other words, the Law does not cover the personal data processing which concerns the data of legal persons.
Conditions for Personal Data Processing
In accordance with Article 5/1, personal data shall be processed only if the data subject gives his or her explicit consent which shall be freely given in specific subject and based on information. “Explicit consent given based on information” refers to Data Controller’s obligation to inform (Art.10). To accept that explicit consent of data subject is obtained, data subject shall be informed by data controller or by its representative with regard to the following;
- Identity of the data controller and it’s representative,
- The purpose for data processing,
- To whom and for what purpose the processed data can be transferred,
- The method and legal ground of data collection and
- The rights of data subject stipulated by Article 11 of the Law.
However, in continuance of Article 5, several exceptions to the explicit consent requirement are regulated. Accordingly, personal data of the data subject may be processed without obtaining his or her explicit consent in below circumstances;
- If processing personal data is expressly permitted by any other Law,
- If it is required for protection of the life or physical integrity of the data subject or another person where they are physically or legally incapable of giving such consent,
- If processing personal data of the contracting parties is required, provided that the processing is directly related to the establishment or execution of the contract,
- If it is mandatory for data controller to fulfill his or her legal obligation,
- If the personal data was made public by data subject himself/herself,
- If processing is required for establishment, use or protection of a right,
- If processing personal data is required for legitimate interests of the data controller, provided that fundamental rights and freedoms of data subject are not harmed.
Rights of the Data Subject
Pursuant to article 11 of the Law stipulating the rights of the data subject, everyone has a right to;
- learn whether or not their data are processed,
- if their data are processed, request information concerning data processing,
- learn the purpose for data processing and whether their personal data are used in accordance with this purpose,
- know the third parties in Turkey or abroad to whom the personal data are transferred,
- request correction, if their personal data has been processed incompletely or incorrectly,
- request deletion or destruction of personal data,
- request that the third parties to whom personal data are transferred to be notified on correction, deletion or destruction of transferred personal data,
- object to the results that are occurred to the detriment of the data subject as a result of analysis of personal data solely via automatic systems,
- request compensation for the damages resulting from unlawful data processing by applying to the data controller.
Data controller is obliged to conclude the requests stated in the applications within 30 (thirty) days at the latest.
Sensitive Personal Data and Its Processing Conditions
A special category of personal data is introduced by the Law. Personal data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dressing, association, foundation or trade-union membership, health, sexual life, criminal conviction and security measures, biometrics and genetics is regarded as “sensitive personal data” and subjected to more strict regulation. Explicit consent of data subject for processing him/her sensitive personal data is required as well, however some exemptions to explicit consent requirement are stipulated by the Law.
Transfer of Personal Data to Third Parties and Abroad
As a general rule personal data cannot be transferred to the third parties or abroad without obtaining explicit consent of the data subject. However, in case the conditions that are set forth in article 5/2 and article 6/3 are present, personal data can be transferred without explicit consent of the data subject. In addition to those conditions, it is also required that the countries to which personal data will be transferred to have adequate level of protection. Where the country does not provide adequate level of protection, data controller in Turkey and abroad shall undertake the protection in writing and obtain the approval of the Data Protection Board.
Penalties for Noncompliance with the Data Protection Law
Imprisonment of one to four years according to the Turkish Criminal Code numbered 5237 and administrative fines of up to TRY 1.000.000 would be imposed to those who do not fulfill the obligations stipulated by the Law.
For further information regarding data privacy regulation, please contact us at firstname.lastname@example.org
Av. Gülce BAHÇIVANCILAR (email@example.com)
© BBA Law Firm 2016