Data Protection in Turkey

The DPL is the main national law regulating the collection, use and disclosure of personal data in Turkey. The Turkish Personal Data Protection Authority (DPA) has issued various pieces of secondary legislation, including the following:

• Regulation on the Deletion, Destruction or Anonymisation of Personal Data dated 28 October 2017.
• Regulation on the Establishment of the Registry of Data Controllers dated 30 December 2017.
• Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad dated 10 July 2024 (International Data Transfer Regulation).
• Regulation on the Working Procedures and Principles of the Personal Data Protection Board dated 16 November 2017.
• Regulation on the Organisation of the Personal Data Protection Authority dated 26 April 2018.
• Communiqué on the Principles and Procedures for Applications to the Data Controller dated 10 March 2018.
• Communiqué on the Procedures and Principles Regarding the Data Controller’s Obligation to Inform Data Subjects dated 10 March 2018.

The DPA also publishes decisions and guidelines on data protection practices, such as the processing of biometric data, the right to be forgotten or the use of cookies.

Data privacy is also protected by the Turkish Constitution, and the following general laws include rules related to data protection:

• Articles 134 to 140 of the Turkish Criminal Code No. 5237 address privacy breaches and unlawful data handling, with potential sanctions of up to four years’ imprisonment.
• Articles 23 and 24 of Turkish Civil Law No. 4721 define the rights related to individual personality.
• The breach of personal rights is considered a tortious breach of privacy rights under the Turkish Code of Obligations No. 6098.

Various sectoral laws and regulations intersect with data protection, such as the Electronic Communications Law No. 5809 or the Electronic Commerce Law No. 6563.

The Turkish Constitutional Court and other judicial bodies have also adjudicated numerous cases, reinforcing the principles of data privacy and protection enshrined in the DPL and the Constitution. These decisions cover a wide range of issues, from employer monitoring of employee communications to the right to be forgotten in both digital and non-digital contexts.

The DPL applies to (i) natural persons whose personal data is processed (i.e. data subjects); and (ii) natural or legal persons who process such data fully or partially through automatic or non-automatic means only as part of a data recording system.

“Data controller” means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system, whereas “data processor” means the natural or legal person who processes personal data on behalf of the data controller upon its authorisation.

Businesses have to comply with the DPL to the extent they process data relating to individuals, who may be employees, job applicants, individual customers, suppliers or business partners, individual contacts at corporate customers, suppliers or business partners, etc.

Unlike the GDPR, the DPL does not have a territorial scope. The decisions of the DPA, however, suggest that the DPL applies to data processing activities carried out in Turkey or relating to the data of individuals located in Turkey, and that the DPA may to some extent apply the establishment and targeting criteria set forth in the GDPR. Therefore, even if a data controller is located outside of Turkey, its data processing activities may fall within the scope of the DPL. Further decisions will be needed to clarify how the DPA applies the targeting criterion to determine whether a foreign data controller is subject to the DPL.

The DPL defines the processing of personal data as any kind of operation performed on such data, including collection, recording, storage, retention, alteration, re-organisation, disclosure, transfer, acquisition, retrieval, classification or prevention of use, whether fully or partially automated or manual, as long as it is part of any data recording system. Therefore, any system organised by specific criteria to facilitate access to personal data falls within the scope of the DPL.

“Personal data” means any information relating to an identified or identifiable natural person. The DPL does not list information that constitutes personal data (other than sensitive data), and this may include any information related to a natural person, such as their name, ID number, location data, email address, health or economic condition, and social or cultural identity. Information on legal entities is not considered personal data.

Anonymisation means rendering personal data impossible to associate with an identified or identifiable natural person by the data controller or recipient under any circumstances, even if the personal data is matched with other data. In such cases, the data will no longer fall within the scope of the DPL. Pseudonymous data is not defined under the DPL. The DPA guidance lists pseudonymisation as a technical measure to manage data security, but it still considers pseudonymous data as personal data subject to the DPL as such data is not anonymised.

The DPL provides an exhaustive list of special categories of personal data (sensitive data), namely information relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. These are subject to specific data processing conditions and the adoption of additional security measures determined by the DPA.

Personal data can be processed with the explicit consent of the data subject, or based on one of the following exceptions to consent:

• the processing is expressly contemplated by the law;
• the data subject is physically or legally incapable of giving consent, and the processing is mandatory to protect the life or physical integrity of the data subject or another person;
• the processing is necessary for and directly related to the establishment or performance of a contract, and limited to the personal data of the parties to the contract;
• the processing is mandatory for the data controller to fulfil its legal obligations;
• the data has been disclosed to the public by the data subject;
• the processing is mandatory for the establishment, exercise or protection of a right; or
• the processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

To be valid, consent must be freely given, informed and related to one or more specific data processing activities. It cannot be obtained implicitly. Data subjects must not suffer, or get the impression they may suffer, any adverse consequences if they refuse consent. Consent should not be conditional upon any advantage, including the provision of goods or services.

Consent should be obtained on a separate form (i.e. not as part of a privacy notice or agreement). There is no specific formal requirement, so consent can be obtained by email or ticking a box online. In case of dispute, the burden will be on the data controller to prove that consent was obtained, therefore appropriate records should be kept for that purpose.

Sensitive data can only be processed where:

• the consent of the data subject is obtained;
• the processing is expressly provided by the law;
• the processing is mandatory for the protection of the life or physical integrity of the data subject or another person who is unable to give consent or whose consent is not legally valid;
• the processing relates to personal data made public by the data subject of their own free will;
• the processing is mandatory for the establishment, use or protection of a right;
• the processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under a confidentiality obligation or authorised institutions;
• the processing is mandatory for the fulfilment of legal obligations relating to employment, occupational health and safety, social security, social services and social assistance; or
• the processing is intended for current or former members of non-profit organisations established for political, philosophical, religious or trade union purposes, or for persons who are in regular contact with these, provided it is in accordance with the legislation to which they are subject and their purposes, limited to their field of activity and not disclosed to third parties.

The above requirements do not apply in certain exceptional circumstances, including where data processing is performed (i) for research, planning or statistical purposes in an anonymised form; (ii) for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defence, national security, public security, public order, economic security, privacy or personal rights or constitute a crime; (iii) for preventive, protective and intelligence activities carried out by public institutions authorised by law to ensure national defence, national security, public security, public order or economic security; and (iv) for investigations, prosecutions, trials or executions by judicial or enforcement authorities.

Personal data must be: (i) processed lawfully and fairly; (ii) accurate and kept up-to-date; (iii) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (iv) relevant, limited and proportionate to the purposes for which it is processed; and (v) retained for no longer than necessary for the purposes of the processing.

At the time personal data is obtained, the data controller must inform the data subjects of (i) the identity of the controller and its representative, if any; (ii) the purposes of the data processing; (iii) the recipients to whom the data may be transferred and the purpose of the transfer; (iv) the methods and legal grounds for collecting the personal data; and (v) the rights of the data subjects under the DPL.

There is no specific format requirement for the provision of this information, but the burden is on the data controller to prove that adequate privacy notices have been given. Privacy notices should be provided in a separate form (not as part of a consent form or agreement).

Data controllers must take all necessary technical and organisational measures to prevent unlawful processing of or access to personal data. In case of a data breach, data controllers must notify the DPA without delay and at the latest within 72 hours of learning of the breach, and notify the affected data subjects promptly after identification. Neither the DPL nor the DPA makes a distinction between an intentional or inadvertent data breach, and unlike the GDPR, the DPL does not provide for any materiality threshold with regard to data breach notifications.

Data controllers meeting certain criteria must register with the Data Controller Registry through the online system established by the DPA (VERBIS) on the basis of a data inventory. Data controllers established in Turkey whose annual number of employees is below 50 and whose annual total balance sheet is below TRY 100,000,000 (approx. USD 2,850,000) are exempt from registration (unless they process sensitive data as part of their main activity). Data controllers established abroad are subject to registration without any exemption. Data controllers who are not subject to registration remain subject to all other requirements of the DPL.

The DPL does not contain any data localisation requirement, but entities providing services in a critical infrastructure sector must ensure that critical data is securely stored domestically pursuant to Presidential Circular No. 2019/12 regarding Information and Communication Security Measures and the Information and Communication Security Guidelines released by the Digital Transformation Office. Sector-specific data localisation requirements also apply to electronic communications providers and financial institutions.

Data subjects have the right to:

• learn whether their personal data is being processed;
• request information as to the processing;
• learn the purposes for which the data is processed and whether the data is used in accordance with these purposes;
• be informed of the third parties, in Turkey or abroad, to whom their personal data has been transferred;
• request that their personal data be rectified if it is incomplete or inaccurate;
• request that their personal data be deleted or destroyed;
• request that the rectification, deletion or destruction of their personal data upon their request be notified to any third party to whom their data has been transferred;
• object to any result to their detriment reached by the analysis of their personal data exclusively through automated means; and
• request compensation for any damages incurred due to the unlawful processing of their personal data.

Except for the right to compensation, the above rights do not apply in certain exceptional cases, e.g. where the data processing is necessary to prevent a crime or conduct a criminal investigation, or the data has been made public by the data subject.

The Electronic Commerce Law No. 6563 and the Commercial Communication Regulation provide that commercial electronic messages (including email, SMS/text, or calls) cannot be sent without the prior “commercial communication approval” of the recipient. Tradesmen and merchants can be sent messages for the purpose of business-to-business marketing without prior approval, but they still have the right to object to receiving such messages.

A registry named the Message Management System (IYS) was established for the management of commercial communication approvals. All entities that wish to send commercial electronic messages must register with the IYS, and either obtain approvals through the IYS or upload duly obtained approvals to the IYS within three business days.

Marketing communications to a business address containing a natural person’s name must also comply with the requirements of the DPL, as this constitutes the processing of personal data for marketing purposes. Such processing must be based either on the individual’s consent or on one of the statutory exceptions to consent, such as the pursuit of the sender’s legitimate interest, to be assessed on a case-by-case basis. Regardless of the legal ground for processing, the recipient should receive a privacy notice in accordance with the DPL

Recent amendments to the DPL which entered into force on 1 June 2024 provide for a complete overhaul of the legal basis to transfer data abroad. Cross-border data transfers are now possible:

• where the DPA has issued an adequacy decision (in relation to a specific country or sector);
• where an exception to consent applies and one of the appropriate safeguards listed in the DPL is in place, provided that the data subject has the opportunity to exercise their rights and apply for effective legal remedies in the country where the transfer will be made; or
• in other exceptional cases specified in the DPL.

The International Data Transfer Regulation clarifies the procedures and principles to implement the new rules on cross-border data transfers, in particular those based on appropriate safeguards.

The DPA has not published any adequacy decision to date.

Appropriate safeguards include (i) an agreement between a foreign public institution and a Turkish public institution with the DPA’s prior authorisation to the transfer; (ii) binding corporate rules (BCRs) approved by the DPA; (iii) standard contractual clauses (SCCs) entered on the basis of the models published by the DPA and notified to the DPA within five business days of execution; and (iv) written undertaking containing provisions to ensure adequate protection with the prior approval of the DPA.

Exceptional cases only apply provided that the transfer remains occasional, and include the following:

• the data subject has given consent to the transfer, provided that they have been informed of the possible risks;
• the transfer is mandatory for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the request of the data subject;
• the transfer is mandatory for the conclusion or performance of a contract between the controller and another natural or legal person for the benefit of the data subject;
• the transfer is mandatory for an overriding public interest;
• the transfer is mandatory for the establishment, exercise or protection of a right;
• the transfer is mandatory for the protection of the life or physical integrity of the data subject or another person who is unable to give consent or whose consent is not legally valid; or
• the transfer is made from a registry open to the public or to persons with a legitimate interest, at the request of the person with a legitimate interest and provided that the legal conditions for access to the registry are met.

The DPA acts as an independent regulatory authority and holds the powers to:

• authorise the transfer of personal data abroad where required, and adopt adequacy decisions for cross-border data transfers;
• handle data subject complaints and conduct audits and investigations ex officio or upon complaint;
• handle data breach notifications;
• order remedies to data infringements and publish decisions on issues of general interest;
• manage the data controller registry;
• issue regulatory procedures and guidelines for data security and data controller responsibilities;
• provide opinions on draft legislation related to personal data; and
• impose administrative fines and sanctions.

Failure to comply with the obligations set forth under the DPL may result in the imposition of administrative fines by the DPA, as follows:

• Failure to comply with the information obligation: TRY 47,303–946,308 (approx. USD 1,350–27,000).
• Failure to comply with the obligations to ensure data security: TRY 141,934–9,463,213 (approx. USD 4,000–269,600).
• Failure to comply with the decisions of the DPA: TRY 236,557–9,463,213 (approx. USD 6,740–269,600).
• Failure to comply with the obligation to register with VERBIS: TRY 189,245–9,463,213 (approx. USD 5,400–269,600).
• Failure to notify SCCs for cross-border data transfers: TRY 50,000–1,000,000 (approx. USD 1,425–28,500).

These amounts are given for 2024 and are subject to annual adjustment. The actual fine is determined by the DPA, taking into consideration the revenue and culpability of the data controller or data processor (the latter only for the failure to notify SCCs).

The DPA can also impose various measures, such as the suspension of a data processing activity or data transfer it considers unlawful, and may order the publication of its decisions.

The sanctions imposed by the DPA can be challenged before administrative courts.

In addition, the following sanctions apply under the Turkish Criminal Code:

• Unlawful recording of the personal data: one to three years’ imprisonment.
• Unlawful disclosure, publication or acquisition of personal data: two to four years’ imprisonment.
• Failure to destroy personal data despite the expiry of the legally prescribed period: one to two years’ imprisonment.

While criminal sanctions may not be imposed on legal entities, they can be subject to safety measures, including the cancellation of operational licences and the seizure of goods.

Data subjects are entitled to be compensated for the losses arising from a breach of the DPL or other laws governing the protection of personal data. The right to compensation will be determined in accordance with the general principles of civil liability under Turkish law.