November 09, 2022

Data protection laws in Turkey: how to comply

Like many other countries, Turkey has regulations to protect the personal and sensitive information of its government, citizens, and residents. Companies operating in Turkey, as in every other country, must therefore comply with data protection laws to avoid the unfortunate consequences of non-compliance.

Multinational corporations like Facebook and several other SaaS companies have faced severe penalties for breaking laws on data protection in Turkey. These penalties extend beyond fines and financial losses to include loss of reputation and goodwill among citizens.

As data residency and compliance are the DNA of InCountry, we have put together this article to help multinational companies get a good grasp of data protection laws and how they can stay compliant while operating in Turkey.

Who is covered by Turkey’s data privacy laws?

Article 2 of the Turkish Data Protection Law provides that the law applies to natural persons whose data are processed and natural or legal persons involved in processing these data for lawful purposes. It follows that every individual or corporate body which obtains and processes the personal data of citizens and residents is under the authority of data privacy laws.

In today’s world, many organizations either offer software-as-a-service or provide their services through software technologies. Thus, the scope of companies covered by data protection laws in Turkey is now expanding.

To name a few, the industries covered by Turkey’s data privacy laws include:

  • E-commerce and online retail 
  • Digital banking and insurance companies
  • Cloud service providers
  • E-learning institutions
  • Hospitals and health facilities 
  • Social media companies
  • Internet and network service providers, etc.

Article 28 of the Law provides specific exemptions, for instance, where personal data is being processed for statistical and planning purposes, educational purposes, crime prevention or investigation, etc.

Turkey’s key data protection laws you need to know

The chief data protection legislation in Turkey is the Law on the Protection of Personal Data. Though a relatively recent law, it has significantly affected the terrain of data protection in Turkey and has birthed several other regulations.

Let us examine some key data protection laws in brief detail:

  • Law on The Protection Of Personal Data (DPL) No. 6698: This is Turkey’s primary data protection law. It was published in 2016 and is regulated by the Data Protection Authority, called the KVKK. The DPL prohibits the processing of personal data without the subject’s express consent, except in certain stipulated cases. It also provides rules for the cross-border transfer of data. The provisions of the DPL gave rise to several other regulations governing the activities of data controllers and processors and creating liabilities for non-compliance.
  • Constitution of the Republic of Turkey: The Constitution was the governing data protection law before the enactment of the Data Protection Law and still operates in parallel with it. Article 20 of the Turkish Constitution empowers citizens to demand the protection of personal data from individual or corporate bodies that collect them. This includes the rights to be informed of what personal data is held about them, as well as the ability to access, erase, and correct such data, and ensure that it is being used for the purpose for which it was obtained. Thus, private individuals can enforce the protection of their data through legal action.
  • The Criminal Code Law No 5327: Articles 134-140 of the Turkish Criminal Code outline several provisions for protecting the privacy of data. These provisions impose criminal liability on natural or legal persons who engage in the unlawful acquisition, delivery, and destruction of data. Under Turkish law, a company cannot be held liable for data privacy violations, but board members of the company will bear the consequences of the breach.
  • The General Data Protection Law: The provisions of the GDPR apply to all members of the European Union, Turkey inclusive. The GDPR is regarded as the world’s strictest and most detailed protection law. It creates rules for maintaining the privacy of personal data, outlines the duties of controllers and processors in protecting data, creates a framework for immediate reporting of data breaches, and imposes significant penalties for non-compliance.

The KVKK also regularly publishes regulations and guidelines that help companies apply the provisions of the DPL in their specific business sectors.

Cross-border transfer rules in Turkey 

Turkey’s Personal Data Protection Law governs matters relating to the cross-border transfer of personal data in Turkey. This regulation stipulates, among other things, that the Personal Data Protection Board should authorize cross-border data transfer. However, the provision contemplates only the bilateral transfer of data between Turkey and an importing nation.

The KVKK subsequently created Binding Corporate Rules to guide cross-border data transfer for global companies operating in countries with inadequate data protection standards. These rules help data controllers regulate cross-border transfer across different countries.

For lawful cross-border data transfer, the following minimum requirements must be met:

Consent of the data subject:

Article 9 of Turkey's Data Protection Law provides that consent must be sought and obtained expressly from the individual whose personal data is to be transferred outside Turkey. The individual must be informed of the details of the transfer, namely: the identity of the data controller, the purpose of processing, the purpose of data transfer, and the legal implications of the transfer. Consent must be clearly expressed by a positive action, such as ticking a box or clicking a button.

Approval by the KVKK:

Authorization must be obtained from the Data Protection Authority to transfer data from Turkey to another country. The data controller must have adequate measures for protecting personal data in Turkey and enter a written agreement with the recipient to employ the same. This agreement must be written according to the template provided by the Data Protection Board, followed by a written attestation of adequate compliance with data protection laws before approval can be granted.

Safe receiving country:

When data is transferred to countries whitelisted as having adequate data protection laws, no further approval needs to be sought from the board. Such transfer is lawful, given that the requirements of Articles 5(2) and 6(3) have been fulfilled. However, a practical challenge to this rule is that the KVKK is yet to publish a list of approved countries. In other words, no country is yet deemed to have an adequate level of protection for free data transfer.

How to comply with data protection laws in Turkey — InCountry’s approach

Here are some best practices for compliance with data protection laws in Turkey:

Keep a coordinated data processing system:

It helps to create a framework for data collection and processing. Everything pertaining to data collection, categorization, processing, and even erasure should be done systematically. This way, you can monitor your data lifecycle and make sure there are no weak links along the way.

Appoint a data protection officer:

A data protection officer is squarely responsible for supervising data compliance efforts within an organization. The GDPR, in Article 37, makes it mandatory for organizations to appoint a DPO if they are involved in large-scale data processing.

A trained data protection officer measures and optimizes internal data compliance efforts.

Update privacy policies and consent forms:

It is essential that controllers notify data subjects of the purpose of data collection, its implications, and its use. Also, website cookies should be subject to explicit consent from users. A subject's refusal to consent is not sufficient reason to deny them continued access to the site. It is ideal to engage professional legal help in creating standard privacy policies for data compliance.

Set up access controls:

Large organizations are more susceptible to data breach incidents for many reasons. One is that many workers have access to sensitive data, some of whom may be unskilled or fraudulent. Access to regulated data should be restricted to a select few workers to enhance accountability.

Compliance with data protection laws is a continuous process rather than a one-off activity. For a country like Turkey, with multiple, tedious provisions on data protection, compliance requires extreme attention to detail and constant review of compliance efforts. The process is even more tedious for multinational companies, which have the added burden of complying with cross-border transfer rules.

However, it does not have to be this way. Data protection and security are why InCountry exists.

  • InCountry offers data residency-as-a-service to more than 90 countries across the world. This offering helps you implement data protection laws simultaneously across many countries without undertaking the expensive venture of repeatedly building your full stack.
  • InCountry helps your company comply with data localization requirements. Through our certified cloud infrastructure, we can manage your company’s regulated data according to localization laws in each country.
  • InCountry also provides excellent security standards to avoid breaches of data protection laws. We use high-level data encryption, firewalling, network isolation, intrusion detection, and other measures to keep your data secure from unauthorized access. 

Contact our experts to learn how your company can avoid all risks of non-compliance while operating a business in Turkey.