Turkey’s principal data privacy law is Law No. 6698 on the Protection of Personal Data (the Data Protection Law). The Data Protection Law establishes the KVKK and the Data Protection Board (‘the Board’) to oversee its provisions for protecting personal data. The Board is the decision-making body of the Data Protection Authority, and the KVKK is the administrative body mainly responsible for keeping a registry of data controllers. The Data Protection Law took effect on Apr. 7, 2016, and amendments to it are expected soon.
Compared to other jurisdictions, the Data Protection Authority has taken a very active role in holding organizations accountable for protecting the privacy and security of personal data in the face of growing cybersecurity threats. The Authority has released numerous guidelines since its establishment and will increase its compliance investigations in the future. Recent amendments and increased government oversight leave organizations no room for doubt about compliance.
Here are the highlights of data protection in Turkey:
The Data Protection Law applies to organizations collecting personal data from individuals in Turkey, regardless of whether the organization is established in Turkey.
Organizations cannot process personal data without the explicit consent of the data subject unless certain limited cases apply. The data subject also has the right to withdraw consent and cease or restrict the processing of their personal data.
Data that reveals a natural person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, health, sexual life, convictions and security measures, as well as biometric and genetic data, is classified as sensitive data. Sensitive data (other than health and sexual-life data, which are further restricted) cannot be processed without explicit consent unless processing is required by law. The recently proposed amendment realigns health and sexual-life data with the other forms of sensitive data.
The Law protects the rights of individuals to access their personal data and related information and to request the correction and erasure of their personal data.
The Authority expects data controllers to implement appropriate technical, physical, and organizational safeguards. Encryption and anonymization are considered appropriate safeguards for personal data.
Unless exempted by the Board, organizations must establish their own procedures for the periodic storage and destruction of data. Data controllers must destroy personal data in the first periodic destruction cycle after the legal basis for processing ends.
Data controllers must register with the Registry (VERBIS) and appoint a contact person for management and communication with the Authority before processing personal data. They also must notify the Authority and affected individuals of security breaches.
Turkish banks, public companies and institutions, and payment and electronic money institutions are required to maintain their primary and secondary data systems in Turkey. Social network providers must also retain the data of Turkish users in Turkey.
Organizations can only transfer data outside Turkey if they obtain explicit consent (or have another legal basis for processing) and one of the following applies: the foreign country provides an adequate level of protection, a standard contractual clause is in place between the controller and the transferee, or binding corporate rules have been approved by the Board. When approving transfers, the Board considers the nature of the data, the reciprocity of data transfers between the jurisdictions, the purpose of processing, the legislation in the recipient jurisdiction, and international treaties between the recipient jurisdiction and Turkey. However, to date, the Board has not announced which jurisdictions it considers to provide an adequate level of protection for data transfers. The proposed amendment seeks to allow transfers simply upon issuance of an adequacy decision by the Board.
The restrictive consent framework, the localization requirements for primary and secondary data systems, and the lack of a safe-country list are major obstacles for companies. Companies are ultimately compelled to locate their infrastructure within Turkey. Unfortunately, global cloud providers do not have established zones within Turkey. Companies are also waiting to see whether the Turkish parliament introduces and passes the proposed amendments, as they will significantly affect the landscape and opportunities for data-driven activities in Turkey. As for personal data retention and deletion, companies should set up infrastructure for retaining personal data whose processing has ended. CIOs should also establish and select appropriate procedures for destroying or erasing that data. Finally, organizations should keep track of the types of data they collect and apply technical safeguards such as encryption throughout the data flow to protect personal data. Turkey’s regulations present real challenges for organizations conducting data-driven operations.