Data Protection in Turkiye
Data protection is an increasingly important issue in today’s digital world. The rapid development of information technologies has made it easier for state institutions and private sector organizations to access thousands of personal data daily. This situation has increased the processing and transfer of personal data and has led to the necessity of protection.
Legal Development Stages of Data Protection in Turkiye
In Turkiye, regulations on personal data have been enacted since the early 2000s. As a first step, the Turkish Penal Code No. 5237, which entered into force in 2004, criminalized the recording, unlawful disclosure, or acquisition of personal data. In 2010, a provision added to the Turkish Constitution recognized the protection of personal data as a personal right and stipulated that anyone can claim this right.
In March 2016, Turkiye ratified the Council of Europe Convention No. 108 on the Protection of Individuals regarding Automatic Processing of Personal Data. Then, in April 2016, the Turkish Data Protection Law entered into force. Since 2016, a dynamic and evolving process regarding the protection of personal data has been under way in Turkiye, and Protocol No. 181 was adopted in May 2016, introducing regulations on transboundary data flows and supervisory authorities.
Recently, in March 2024, amendments to the Data Protection Law were introduced, covering in particular the processing of sensitive personal data, transfer of personal data abroad, administrative fines, and appeal authorities. Before the amendment, personal data could not be transferred abroad without the explicit consent of the data subject.
With this latest amendment, personal data can be transferred abroad if one of the conditions for processing personal data regulated in the law is present and if there is an adequacy decision on the country, sectors within the country, or international organizations to which the transfer will be made. Adequacy decisions shall be reviewed by the Personal Data Protection Board of Turkiye every four years and may be changed when necessary. Currently, the Personal Data Protection Board of Turkiye has not announced the countries, sectors, or international organizations for which it has made an adequacy decision.
Requirements for Compliance with the Law
Although compliance with the law is not explicitly stated in the regulations, the procedures within the scope of the guidelines issued by the Personal Data Protection Board of Turkiye are: due diligence, formation of a compliance team, business plan, data inventory, risk assessment, preparation of disclosure text, explicit consent text, declaration and policies, preparation for data breaches, determination of security measures, registration to the Data Controllers Registry Information System, training, awareness raising, compliance with third parties with whom data is shared, and internal audit and continuous monitoring procedures. Since the compliance process is very demanding and detailed, it is very important that these procedures are carried out by expert lawyers.
Sanctions for Violation of the Law
The Turkish Penal Code provides that a person who unlawfully records personal data shall be sentenced to imprisonment from one to three years. A person who unlawfully gives personal data to another person, disseminates it, or obtains it shall be sentenced to imprisonment from two to four years. Lastly, those who are obliged to destroy the data in the system once the periods determined by the law have expired shall be sentenced to imprisonment from one to two years if they fail to fulfill their duties.
For 2024, administrative fines start from TRY 47,000 and can reach up to TRY 9 million in the case of failure to fulfill data security obligations.
Problems and Suggestions
Since the law is a new regulation, many institutions in Turkiye have not yet fully adapted to it. The law is constantly being updated and the implementation practice is developing. One of the most common problems encountered in this process is the lack of adequate measures for data security. Organizations exposed to cyber-attacks face great risks, both for data owners and for themselves.
In order to overcome these problems, companies should cooperate with expert lawyers, provide training to their employees, and increase data security by making technological investments. In this way, both legal and criminal sanctions can be avoided and the process of protecting personal data can be managed more effectively.
By Sena Avci, Head of Data Protection, Sakar Law Firm
This article was originally published in Issue 11.9 of the CEE Legal Matters Magazine.