Personal data

The Law on the Protection of Personal Data No. 6698 dated March 24, 2016 (“Data Protection Law” or “DPL”) is the main legislation regulating the processing of personal data in Turkey. The DPL sets out the procedures and principles for individuals and legal entities processing personal data in Turkey. It largely reflects the EU Data Protection Directive No. 95/46/EC and protects the right to privacy and other fundamental rights and freedoms of individuals in the processing of personal data. Furthermore, the DPL defines the concepts of personal data and sensitive data, regulates the transfer, processing and deletion of personal data, imposes rules on data controllers, and regulates the establishment of the Data Protection Authority.

The DPL is as significant for legal entities involved in transactions that include data processing, such as sale, purchase, and service operations, as it is for real persons. The DPL applies to legal entities and individuals who process personal data through automatic means or as part of a data filing system. However, it does not apply if the data is processed (i) by a natural person as a result of personal or household activity, (ii) for official statistical purposes or for research, planning and statistical purposes, as long as the data is kept anonymous, (iii) for artistic, historic or scientific purposes or within the scope of freedom of expression, provided that such processing does not infringe privacy and personal rights or national defence and security, or constitute a crime, or (iv) for criminal investigations, prosecutions and cases by judicial bodies and execution offices.

Legal entities and natural persons that process personal data must register with the Data Controllers Registry prior to any processing of personal data. Furthermore, they must comply with data processing rules in the processing, retention, and transfer of personal data. They must take appropriate security measures to protect personal data and conduct either external or internal audits to confirm that the measures are in place. Also, in case of a data breach, data controllers must disclose the breach to the Data Protection Authority and to data subjects.

According to the DPL, the data controller is required to provide certain information to the data subject at the time the personal data is collected, including: (i) the identity of the data controller and of his representative, if any, (ii) the purposes of the processing, (iii) the recipients to whom data can be transferred, and the purpose of such a transfer, (iv) the method and legal ground of the data collection, and (v) the rights of the data subject.