{"id":149861,"date":"2025-02-26T06:26:46","date_gmt":"2025-02-26T06:26:46","guid":{"rendered":"https:\/\/paksoy.av.tr\/?p=149861"},"modified":"2025-08-22T12:16:38","modified_gmt":"2025-08-22T09:16:38","slug":"data-protection-in-turkey","status":"publish","type":"post","link":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/","title":{"rendered":"Data Protection in Turkey"},"content":{"rendered":"\r\n<div class=\"row\">\r\n<div class=\"col-xs-12\">\r\n<div class=\"question\">\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<p>Scroll down to read the full chapter or click on the headings below to jump to the relevant section.<\/p>\r\n<\/div>\r\n<\/div>\r\n<h4><a style=\"color: #000000;\" href=\"#section-1\">1. What national laws regulate the collection, use and disclosure of personal data?<\/a><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-2\">2. To whom do the laws apply?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-3\">3. What is the territorial scope of the law?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-4\">4. What acts and operations relating to personal data are regulated?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-5\">5. What personal data does the law regulate?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-6\">6. Are any types of personal data subject to a higher level of protection under the law?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-7\">7. What requirements must be fulfilled in order to process personal data?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-8\">8. What obligations apply when processing personal data?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-9\">9. What rights does the data subject have in relation to personal data?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-10\">10. What rules regulate the sending of commercial or direct marketing communications?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-11\">11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-12\">12. What are the investigatory and enforcement powers of the regulator?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<div class=\"row\">\r\n<div class=\"col-sm-12\">\r\n<h4><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"#section-13\">13. What are the sanctions and remedies for non-compliance with data protection laws?<\/a><\/span><\/h4>\r\n<\/div>\r\n<\/div>\r\n<h2>Introduction<\/h2>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>The protection of personal data in Turkey is primarily regulated under Turkish Law No. 6698 on the Protection of Personal Data (DPL), which entered into force in 2016.<\/p>\r\n<p>The DPL is mostly based on the predecessor of the General Data Protection Regulation (EU) 2016\/679 (GDPR), EU Directive 95\/46\/EC. The DPL generally provides for principles and conditions regarding accountability and transparency in the processing, transfer and destruction of personal data, and defines the rights of data subjects. It predominantly follows European terminology for data protection concepts, although there are certain differences.<\/p>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n<div class=\"row\">\r\n<div class=\"col-xs-12\">\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-1\" class=\"question\">1. What national laws regulate the collection, use and disclosure of personal data?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>The DPL is the main national law regulating the collection, use and disclosure of personal data in Turkey. The Turkish Personal Data Protection Authority (DPA) has issued various pieces of secondary legislation, including the following:<\/p>\r\n<ul>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Regulation on the Deletion, Destruction or Anonymisation of Personal Data dated 28 October 2017.<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Regulation on the Establishment of the Registry of Data Controllers dated 30 December 2017.<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad dated 10 July 2024 (International Data Transfer Regulation).<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Regulation on the Working Procedures and Principles of the Personal Data Protection Board dated 16 November 2017.<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Regulation on the Organisation of the Personal Data Protection Authority dated 26 April 2018.<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Communiqu\u00e9 on the Principles and Procedures for Applications to the Data Controller dated 10 March 2018.<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Communiqu\u00e9 on the Procedures and Principles Regarding the Data Controller\u2019s Obligation to Inform Data Subjects dated 10 March 2018.<\/span><\/li>\r\n<\/ul>\r\n<p>The DPA also publishes decisions and guidelines on data protection practices, such as the processing of biometric data, the right to be forgotten or the use of cookies.<\/p>\r\n<p>Data privacy is also protected by the Turkish Constitution, and the following general laws include rules related to data protection:<\/p>\r\n<ul>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Articles 134 to 140 of the Turkish Criminal Code No. 5237 address privacy breaches and unlawful data handling, with potential sanctions of up to four years\u2019 imprisonment.<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Articles 23 and 24 of Turkish Civil Law No. 4721 define the rights related to individual personality.<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">The breach of personal rights is considered a tortious breach of privacy rights under the Turkish Code of Obligations No. 6098.<\/span><\/li>\r\n<\/ul>\r\n<p>Various sectoral laws and regulations intersect with data protection, such as the Electronic Communications Law No. 5809 or the Electronic Commerce Law No. 6563.<\/p>\r\n<p>The Turkish Constitutional Court and other judicial bodies have also adjudicated numerous cases, reinforcing the principles of data privacy and protection enshrined in the DPL and the Constitution. These decisions cover a wide range of issues, from employer monitoring of employee communications to the right to be forgotten in both digital and non-digital contexts.<\/p>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-2\" class=\"question\">2. To whom do the laws apply?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>The DPL applies to (i) natural persons whose personal data is processed (i.e. data subjects); and (ii) natural or legal persons who process such data fully or partially through automatic or non-automatic means only as part of a data recording system.<\/p>\r\n<p>\u201cData controller\u201d means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system, whereas \u201cdata processor\u201d means the natural or legal person who processes personal data on behalf of the data controller upon its authorisation.<\/p>\r\n<p>Businesses have to comply with the DPL to the extent they process data relating to individuals, who may be employees, job applicants, individual customers, suppliers or business partners, individual contacts at corporate customers, suppliers or business partners, etc.<\/p>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-3\" class=\"question\">3. What is the territorial scope of the law?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>Unlike the GDPR, the DPL does not have a territorial scope. The decisions of the DPA, however, suggest that the DPL applies to data processing activities carried out in Turkey or relating to the data of individuals located in Turkey, and that the DPA may to some extent apply the establishment and targeting criteria set forth in the GDPR. Therefore, even if a data controller is located outside of Turkey, its data processing activities may fall within the scope of the DPL. Further decisions will be needed to clarify how the DPA applies the targeting criterion to determine whether a foreign data controller is subject to the DPL.<\/p>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-4\" class=\"question\">4. What acts and operations relating to personal data are regulated?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>The DPL defines the processing of personal data as any kind of operation performed on such data, including collection, recording, storage, retention, alteration, re-organisation, disclosure, transfer, acquisition, retrieval, classification or prevention of use, whether fully or partially automated or manual, as long as it is part of any data recording system. Therefore, any system organised by specific criteria to facilitate access to personal data falls within the scope of the DPL.<\/p>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-5\" class=\"question\">5. What personal data does the law regulate?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>\u201cPersonal data\u201d means any information relating to an identified or identifiable natural person. The DPL does not list information that constitutes personal data (other than sensitive data), and this may include any information related to a natural person, such as their name, ID number, location data, email address, health or economic condition, and social or cultural identity. Information on legal entities is not considered personal data.<\/p>\r\n<p>Anonymisation means rendering personal data impossible to associate with an identified or identifiable natural person by the data controller or recipient under any circumstances, even if the personal data is matched with other data. In such cases, the data will no longer fall within the scope of the DPL. Pseudonymous data is not defined under the DPL. The DPA guidance lists pseudonymisation as a technical measure to manage data security, but it still considers pseudonymous data as personal data subject to the DPL as such data is not anonymised.<\/p>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-6\" class=\"question\">6. Are any types of personal data subject to a higher level of protection under the law?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>The DPL provides an exhaustive list of special categories of personal data (sensitive data), namely information relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. These are subject to specific data processing conditions and the adoption of additional security measures determined by the DPA.<\/p>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-7\" class=\"question\">7. What requirements must be fulfilled in order to process personal data?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>Personal data can be processed with the explicit consent of the data subject, or based on one of the following exceptions to consent:<\/p>\r\n<ul>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is expressly contemplated by the law;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the data subject is physically or legally incapable of giving consent, and the processing is mandatory to protect the life or physical integrity of the data subject or another person;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is necessary for and directly related to the establishment or performance of a contract, and limited to the personal data of the parties to the contract;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is mandatory for the data controller to fulfil its legal obligations;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the data has been disclosed to the public by the data subject;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is mandatory for the establishment, exercise or protection of a right; or<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.<\/span><\/li>\r\n<\/ul>\r\n<p>To be valid, consent must be freely given, informed and related to one or more specific data processing activities. It cannot be obtained implicitly. Data subjects must not suffer, or get the impression they may suffer, any adverse consequences if they refuse consent. Consent should not be conditional upon any advantage, including the provision of goods or services.<\/p>\r\n<p>Consent should be obtained on a separate form (i.e. not as part of a privacy notice or agreement). There is no specific formal requirement, so consent can be obtained by email or ticking a box online. In case of dispute, the burden will be on the data controller to prove that consent was obtained, therefore appropriate records should be kept for that purpose.<\/p>\r\n<p>Sensitive data can only be processed where:<\/p>\r\n<ul>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the consent of the data subject is obtained;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is expressly provided by the law;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is mandatory for the protection of the life or physical integrity of the data subject or another person who is unable to give consent or whose consent is not legally valid;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing relates to personal data made public by the data subject of their own free will;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is mandatory for the establishment, use or protection of a right;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under a confidentiality obligation or authorised institutions;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is mandatory for the fulfilment of legal obligations relating to employment, occupational health and safety, social security, social services and social assistance; or<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the processing is intended for current or former members of non-profit organisations established for political, philosophical, religious or trade union purposes, or for persons who are in regular contact with these, provided it is in accordance with the legislation to which they are subject and their purposes, limited to their field of activity and not disclosed to third parties.<\/span><\/li>\r\n<\/ul>\r\n<p>The above requirements do not apply in certain exceptional circumstances, including where data processing is performed (i) for research, planning or statistical purposes in an anonymised form; (ii) for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defence, national security, public security, public order, economic security, privacy or personal rights or constitute a crime; (iii) for preventive, protective and intelligence activities carried out by public institutions authorised by law to ensure national defence, national security, public security, public order or economic security; and (iv) for investigations, prosecutions, trials or executions by judicial or enforcement authorities.<\/p>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-8\" class=\"question\">8. What obligations apply when processing personal data?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>Personal data must be: (i) processed lawfully and fairly; (ii) accurate and kept up-to-date; (iii) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (iv) relevant, limited and proportionate to the purposes for which it is processed; and (v) retained for no longer than necessary for the purposes of the processing.<\/p>\r\n<p>At the time personal data is obtained, the data controller must inform the data subjects of (i) the identity of the controller and its representative, if any; (ii) the purposes of the data processing; (iii) the recipients to whom the data may be transferred and the purpose of the transfer; (iv) the methods and legal grounds for collecting the personal data; and (v) the rights of the data subjects under the DPL.<\/p>\r\n<p>There is no specific format requirement for the provision of this information, but the burden is on the data controller to prove that adequate privacy notices have been given. Privacy notices should be provided in a separate form (not as part of a consent form or agreement).<\/p>\r\n<p>Data controllers must take all necessary technical and organisational measures to prevent unlawful processing of or access to personal data. In case of a data breach, data controllers must notify the DPA without delay and at the latest within 72 hours of learning of the breach, and notify the affected data subjects promptly after identification. Neither the DPL nor the DPA makes a distinction between an intentional or inadvertent data breach, and unlike the GDPR, the DPL does not provide for any materiality threshold with regard to data breach notifications.<\/p>\r\n<p>Data controllers meeting certain criteria must register with the Data Controller Registry through the online system established by the DPA (VERBIS) on the basis of a data inventory. Data controllers established in Turkey whose annual number of employees is below 50 and whose annual total balance sheet is below TRY 100,000,000 (approx. USD 2,850,000) are exempt from registration (unless they process sensitive data as part of their main activity). Data controllers established abroad are subject to registration without any exemption. Data controllers who are not subject to registration remain subject to all other requirements of the DPL.<\/p>\r\n<p>The DPL does not contain any data localisation requirement, but entities providing services in a critical infrastructure sector must ensure that critical data is securely stored domestically pursuant to Presidential Circular No. 2019\/12 regarding Information and Communication Security Measures and the Information and Communication Security Guidelines released by the Digital Transformation Office. Sector-specific data localisation requirements also apply to electronic communications providers and financial institutions.<\/p>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-9\" class=\"question\">9. What rights does the data subject have in relation to personal data?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>Data subjects have the right to:<\/p>\r\n<ul>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">learn whether their personal data is being processed;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">request information as to the processing;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">learn the purposes for which the data is processed and whether the data is used in accordance with these purposes;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">be informed of the third parties, in Turkey or abroad, to whom their personal data has been transferred;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">request that their personal data be rectified if it is incomplete or inaccurate;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">request that their personal data be deleted or destroyed;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">request that the rectification, deletion or destruction of their personal data upon their request be notified to any third party to whom their data has been transferred;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">object to any result to their detriment reached by the analysis of their personal data exclusively through automated means; and<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">request compensation for any damages incurred due to the unlawful processing of their personal data.<\/span><\/li>\r\n<\/ul>\r\n<p>Except for the right to compensation, the above rights do not apply in certain exceptional cases, e.g. where the data processing is necessary to prevent a crime or conduct a criminal investigation, or the data has been made public by the data subject.<\/p>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-10\" class=\"question\">10. What rules regulate the sending of commercial or direct marketing communications?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>The Electronic Commerce Law No. 6563 and the Commercial Communication Regulation provide that commercial electronic messages (including email, SMS\/text, or calls) cannot be sent without the prior \u201ccommercial communication approval\u201d of the recipient. Tradesmen and merchants can be sent messages for the purpose of business-to-business marketing without prior approval, but they still have the right to object to receiving such messages.<\/p>\r\n<p>A registry named the Message Management System (IYS) was established for the management of commercial communication approvals. All entities that wish to send commercial electronic messages must register with the IYS, and either obtain approvals through the IYS or upload duly obtained approvals to the IYS within three business days.<\/p>\r\n<p>Marketing communications to a business address containing a natural person\u2019s name must also comply with the requirements of the DPL, as this constitutes the processing of personal data for marketing purposes. Such processing must be based either on the individual\u2019s consent or on one of the statutory exceptions to consent, such as the pursuit of the sender\u2019s legitimate interest, to be assessed on a case-by-case basis. Regardless of the legal ground for processing, the recipient should receive a privacy notice in accordance with the DPL<\/p>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-11\" class=\"question\">11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>Recent amendments to the DPL which entered into force on 1 June 2024 provide for a complete overhaul of the legal basis to transfer data abroad. Cross-border data transfers are now possible:<\/p>\r\n<ul>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">where the DPA has issued an adequacy decision (in relation to a specific country or sector);<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">where an exception to consent applies and one of the appropriate safeguards listed in the DPL is in place, provided that the data subject has the opportunity to exercise their rights and apply for effective legal remedies in the country where the transfer will be made; or<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">in other exceptional cases specified in the DPL.<\/span><\/li>\r\n<\/ul>\r\n<p>The International Data Transfer Regulation clarifies the procedures and principles to implement the new rules on cross-border data transfers, in particular those based on appropriate safeguards.<\/p>\r\n<p>The DPA has not published any adequacy decision to date.<\/p>\r\n<p>Appropriate safeguards include (i) an agreement between a foreign public institution and a Turkish public institution with the DPA\u2019s prior authorisation to the transfer; (ii) binding corporate rules (BCRs) approved by the DPA; (iii) standard contractual clauses (SCCs) entered on the basis of the models published by the DPA and notified to the DPA within five business days of execution; and (iv) written undertaking containing provisions to ensure adequate protection with the prior approval of the DPA.<\/p>\r\n<p>Exceptional cases only apply provided that the transfer remains occasional, and include the following:<\/p>\r\n<ul>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the data subject has given consent to the transfer, provided that they have been informed of the possible risks;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the transfer is mandatory for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the request of the data subject;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the transfer is mandatory for the conclusion or performance of a contract between the controller and another natural or legal person for the benefit of the data subject;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the transfer is mandatory for an overriding public interest;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the transfer is mandatory for the establishment, exercise or protection of a right;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the transfer is mandatory for the protection of the life or physical integrity of the data subject or another person who is unable to give consent or whose consent is not legally valid; or<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">the transfer is made from a registry open to the public or to persons with a legitimate interest, at the request of the person with a legitimate interest and provided that the legal conditions for access to the registry are met.<\/span><\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-12\" class=\"question\">12. What are the investigatory and enforcement powers of the regulator?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>The DPA acts as an independent regulatory authority and holds the powers to:<\/p>\r\n<ul>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">authorise the transfer of personal data abroad where required, and adopt adequacy decisions for cross-border data transfers;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">handle data subject complaints and conduct audits and investigations\u00a0<\/span><i><span dir=\"ltr\" lang=\"EN-MY\">ex officio<\/span><\/i><span dir=\"ltr\" lang=\"EN-MY\">\u00a0or upon complaint;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">handle data breach notifications;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">order remedies to data infringements and publish decisions on issues of general interest;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">manage the data controller registry;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">issue regulatory procedures and guidelines for data security and data controller responsibilities;<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">provide opinions on draft legislation related to personal data; and<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">impose administrative fines and sanctions.<\/span><\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n<div class=\"\">\r\n<div class=\"question\">\r\n<h3 id=\"section-13\" class=\"question\">13. What are the sanctions and remedies for non-compliance with data protection laws?<\/h3>\r\n<\/div>\r\n<div class=\"answer\">\r\n<p>Failure to comply with the obligations set forth under the DPL may result in the imposition of administrative fines by the DPA, as follows:<\/p>\r\n<ul>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Failure to comply with the information obligation: TRY 47,303\u2013946,308 (approx. USD 1,350\u201327,000).<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Failure to comply with the obligations to ensure data security: TRY 141,934\u20139,463,213 (approx. USD 4,000\u2013269,600).<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Failure to comply with the decisions of the DPA: TRY 236,557\u20139,463,213 (approx. USD 6,740\u2013269,600).<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Failure to comply with the obligation to register with VERBIS: TRY 189,245\u20139,463,213 (approx. USD 5,400\u2013269,600).<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Failure to notify SCCs for cross-border data transfers: TRY 50,000\u20131,000,000 (approx. USD 1,425\u201328,500).<\/span><\/li>\r\n<\/ul>\r\n<p>These amounts are given for 2024 and are subject to annual adjustment. The actual fine is determined by the DPA, taking into consideration the revenue and culpability of the data controller or data processor (the latter only for the failure to notify SCCs).<\/p>\r\n<p>The DPA can also impose various measures, such as the suspension of a data processing activity or data transfer it considers unlawful, and may order the publication of its decisions.<\/p>\r\n<p>The sanctions imposed by the DPA can be challenged before administrative courts.<\/p>\r\n<p>In addition, the following sanctions apply under the Turkish Criminal Code:<\/p>\r\n<ul>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Unlawful recording of the personal data: one to three years\u2019 imprisonment.<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Unlawful disclosure, publication or acquisition of personal data: two to four years\u2019 imprisonment.<\/span><\/li>\r\n<li><span dir=\"ltr\" lang=\"EN-MY\">Failure to destroy personal data despite the expiry of the legally prescribed period: one to two years\u2019 imprisonment.<\/span><\/li>\r\n<\/ul>\r\n<p>While criminal sanctions may not be imposed on legal entities, they can be subject to safety measures, including the cancellation of operational licences and the seizure of goods.<\/p>\r\n<p>Data subjects are entitled to be compensated for the losses arising from a breach of the DPL or other laws governing the protection of personal data. The right to compensation will be determined in accordance with the general principles of civil liability under Turkish law.<\/p>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n\r\n\r\n\r\n<p>Originally published in\u00a0<a href=\"https:\/\/www.globallegalpost.com\/lawoverborders\/data-protection-1072382791\/turkey-1532212849\">The Global Legal Post<\/a>.<\/p>\r\n\r\n\r\n\r\n<p>&nbsp;<\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>The protection of personal data in Turkey is primarily regulated under Turkish Law No. 6698 on the Protection of Personal Data (DPL), which entered into force in 2016.<\/p>\n<p>The DPL is mostly based on the predecessor of the General Data Protection Regulation (EU) 2016\/679 (GDPR), EU Directive 95\/46\/EC. The DPL generally provides for principles and conditions regarding accountability and transparency in the processing, transfer and destruction of personal data, and defines the rights of data subjects. It predominantly follows European terminology for data protection concepts, although there are certain differences.<\/p>\n","protected":false},"author":3,"featured_media":149901,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[281],"tags":[],"class_list":["post-149861","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-publications"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Data Protection in Turkey | Paksoy Attorneys at Law<\/title>\n<meta name=\"description\" content=\"The protection of personal data in Turkey is primarily regulated under Turkish Law No. 6698 on the Protection of Personal Data (DPL), which entered into force in 2016.  The DPL is mostly based on the predecessor of the General Data Protection Regulation (EU) 2016\/679 (GDPR), EU Directive 95\/46\/EC. The DPL generally provides for principles and conditions regarding accountability and transparency in the processing, transfer and destruction of personal data, and defines the rights of data subjects. It predominantly follows European terminology for data protection concepts, although there are certain differences.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data Protection in Turkey | Paksoy Attorneys at Law\" \/>\n<meta property=\"og:description\" content=\"The protection of personal data in Turkey is primarily regulated under Turkish Law No. 6698 on the Protection of Personal Data (DPL), which entered into force in 2016.  The DPL is mostly based on the predecessor of the General Data Protection Regulation (EU) 2016\/679 (GDPR), EU Directive 95\/46\/EC. The DPL generally provides for principles and conditions regarding accountability and transparency in the processing, transfer and destruction of personal data, and defines the rights of data subjects. It predominantly follows European terminology for data protection concepts, although there are certain differences.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/\" \/>\n<meta property=\"og:site_name\" content=\"Paksoy Attorneys at Law\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-26T06:26:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-22T09:16:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2025\/02\/Data-Protection-in-Turkey.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2000\" \/>\n\t<meta property=\"og:image:height\" content=\"1125\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Paksoy\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Paksoy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"22 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/\"},\"author\":{\"name\":\"Paksoy\",\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/#\\\/schema\\\/person\\\/e33fb913cae3e4a64cadb6532d203514\"},\"headline\":\"Data Protection in Turkey\",\"datePublished\":\"2025-02-26T06:26:46+00:00\",\"dateModified\":\"2025-08-22T09:16:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/\"},\"wordCount\":3443,\"publisher\":{\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/paksoy.av.tr\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/Data-Protection-in-Turkey.jpg\",\"articleSection\":[\"Publications\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/\",\"url\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/\",\"name\":\"Data Protection in Turkey | Paksoy Attorneys at Law\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/paksoy.av.tr\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/Data-Protection-in-Turkey.jpg\",\"datePublished\":\"2025-02-26T06:26:46+00:00\",\"dateModified\":\"2025-08-22T09:16:38+00:00\",\"description\":\"The protection of personal data in Turkey is primarily regulated under Turkish Law No. 6698 on the Protection of Personal Data (DPL), which entered into force in 2016. The DPL is mostly based on the predecessor of the General Data Protection Regulation (EU) 2016\\\/679 (GDPR), EU Directive 95\\\/46\\\/EC. The DPL generally provides for principles and conditions regarding accountability and transparency in the processing, transfer and destruction of personal data, and defines the rights of data subjects. It predominantly follows European terminology for data protection concepts, although there are certain differences.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/#primaryimage\",\"url\":\"https:\\\/\\\/paksoy.av.tr\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/Data-Protection-in-Turkey.jpg\",\"contentUrl\":\"https:\\\/\\\/paksoy.av.tr\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/Data-Protection-in-Turkey.jpg\",\"width\":2000,\"height\":1125},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/2025\\\/02\\\/data-protection-in-turkey\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Ana Sayfa\",\"item\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Data Protection in Turkey\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/\",\"name\":\"Paksoy\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/#organization\",\"name\":\"Paksoy\",\"url\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/paksoy.av.tr\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/paksoy-logo-avatar.png\",\"contentUrl\":\"https:\\\/\\\/paksoy.av.tr\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/paksoy-logo-avatar.png\",\"width\":1500,\"height\":1500,\"caption\":\"Paksoy\"},\"image\":{\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/paksoy-law-firm\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/#\\\/schema\\\/person\\\/e33fb913cae3e4a64cadb6532d203514\",\"name\":\"Paksoy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/paksoy.av.tr\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/paksoy-logo-avatar.png\",\"url\":\"https:\\\/\\\/paksoy.av.tr\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/paksoy-logo-avatar.png\",\"contentUrl\":\"https:\\\/\\\/paksoy.av.tr\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/paksoy-logo-avatar.png\",\"caption\":\"Paksoy\"},\"url\":\"https:\\\/\\\/paksoy.av.tr\\\/en\\\/team\\\/pseditor\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Data Protection in Turkey | Paksoy Attorneys at Law","description":"The protection of personal data in Turkey is primarily regulated under Turkish Law No. 6698 on the Protection of Personal Data (DPL), which entered into force in 2016.  The DPL is mostly based on the predecessor of the General Data Protection Regulation (EU) 2016\/679 (GDPR), EU Directive 95\/46\/EC. The DPL generally provides for principles and conditions regarding accountability and transparency in the processing, transfer and destruction of personal data, and defines the rights of data subjects. It predominantly follows European terminology for data protection concepts, although there are certain differences.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/","og_locale":"en_US","og_type":"article","og_title":"Data Protection in Turkey | Paksoy Attorneys at Law","og_description":"The protection of personal data in Turkey is primarily regulated under Turkish Law No. 6698 on the Protection of Personal Data (DPL), which entered into force in 2016.  The DPL is mostly based on the predecessor of the General Data Protection Regulation (EU) 2016\/679 (GDPR), EU Directive 95\/46\/EC. The DPL generally provides for principles and conditions regarding accountability and transparency in the processing, transfer and destruction of personal data, and defines the rights of data subjects. It predominantly follows European terminology for data protection concepts, although there are certain differences.","og_url":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/","og_site_name":"Paksoy Attorneys at Law","article_published_time":"2025-02-26T06:26:46+00:00","article_modified_time":"2025-08-22T09:16:38+00:00","og_image":[{"width":2000,"height":1125,"url":"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2025\/02\/Data-Protection-in-Turkey.jpg","type":"image\/jpeg"}],"author":"Paksoy","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Paksoy","Est. reading time":"22 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/#article","isPartOf":{"@id":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/"},"author":{"name":"Paksoy","@id":"https:\/\/paksoy.av.tr\/en\/#\/schema\/person\/e33fb913cae3e4a64cadb6532d203514"},"headline":"Data Protection in Turkey","datePublished":"2025-02-26T06:26:46+00:00","dateModified":"2025-08-22T09:16:38+00:00","mainEntityOfPage":{"@id":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/"},"wordCount":3443,"publisher":{"@id":"https:\/\/paksoy.av.tr\/en\/#organization"},"image":{"@id":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/#primaryimage"},"thumbnailUrl":"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2025\/02\/Data-Protection-in-Turkey.jpg","articleSection":["Publications"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/","url":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/","name":"Data Protection in Turkey | Paksoy Attorneys at Law","isPartOf":{"@id":"https:\/\/paksoy.av.tr\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/#primaryimage"},"image":{"@id":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/#primaryimage"},"thumbnailUrl":"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2025\/02\/Data-Protection-in-Turkey.jpg","datePublished":"2025-02-26T06:26:46+00:00","dateModified":"2025-08-22T09:16:38+00:00","description":"The protection of personal data in Turkey is primarily regulated under Turkish Law No. 6698 on the Protection of Personal Data (DPL), which entered into force in 2016. The DPL is mostly based on the predecessor of the General Data Protection Regulation (EU) 2016\/679 (GDPR), EU Directive 95\/46\/EC. The DPL generally provides for principles and conditions regarding accountability and transparency in the processing, transfer and destruction of personal data, and defines the rights of data subjects. It predominantly follows European terminology for data protection concepts, although there are certain differences.","breadcrumb":{"@id":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/#primaryimage","url":"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2025\/02\/Data-Protection-in-Turkey.jpg","contentUrl":"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2025\/02\/Data-Protection-in-Turkey.jpg","width":2000,"height":1125},{"@type":"BreadcrumbList","@id":"https:\/\/paksoy.av.tr\/en\/2025\/02\/data-protection-in-turkey\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Ana Sayfa","item":"https:\/\/paksoy.av.tr\/en\/"},{"@type":"ListItem","position":2,"name":"Data Protection in Turkey"}]},{"@type":"WebSite","@id":"https:\/\/paksoy.av.tr\/en\/#website","url":"https:\/\/paksoy.av.tr\/en\/","name":"Paksoy","description":"","publisher":{"@id":"https:\/\/paksoy.av.tr\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/paksoy.av.tr\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/paksoy.av.tr\/en\/#organization","name":"Paksoy","url":"https:\/\/paksoy.av.tr\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/paksoy.av.tr\/en\/#\/schema\/logo\/image\/","url":"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2024\/03\/paksoy-logo-avatar.png","contentUrl":"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2024\/03\/paksoy-logo-avatar.png","width":1500,"height":1500,"caption":"Paksoy"},"image":{"@id":"https:\/\/paksoy.av.tr\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/paksoy-law-firm\/"]},{"@type":"Person","@id":"https:\/\/paksoy.av.tr\/en\/#\/schema\/person\/e33fb913cae3e4a64cadb6532d203514","name":"Paksoy","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2024\/03\/paksoy-logo-avatar.png","url":"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2024\/03\/paksoy-logo-avatar.png","contentUrl":"https:\/\/paksoy.av.tr\/wp-content\/uploads\/2024\/03\/paksoy-logo-avatar.png","caption":"Paksoy"},"url":"https:\/\/paksoy.av.tr\/en\/team\/pseditor\/"}]}},"_links":{"self":[{"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/posts\/149861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/comments?post=149861"}],"version-history":[{"count":26,"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/posts\/149861\/revisions"}],"predecessor-version":[{"id":152723,"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/posts\/149861\/revisions\/152723"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/media\/149901"}],"wp:attachment":[{"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/media?parent=149861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/categories?post=149861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/paksoy.av.tr\/en\/wp-json\/wp\/v2\/tags?post=149861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}