Last month, Turkey’s new “Law on the Protection of Personal Data” entered into force.  It provides a framework similar to the European Union’s data protection regime.  The law applies to personal data processed “wholly or partly by automatic means” and to non-automatic processing of personal data “which form part of a filing system.”  The law also requires the establishment of a Data Protection Authority and a Data Protection Board by October 7, 2016 to oversee its provisions, including establishing and maintaining a registry of active data controllers, which must register with the Board.

The law defines “personal data” as any information relating to an identified or identifiable living individual.  It defines “sensitive data” (on which additional processing obligations are imposed) as information that reveals racial or ethnic origin; political opinions; religious or philosophical beliefs; appearance; memberships in unions, associations or foundations; as well as information about health, sexual life, criminal records, punitive measures, and biometric and genetic data.

Like the EU system, Turkey’s law distinguishes between “data controllers” and “data processors,” and outlines the responsibilities of each.  It also applies general principles on data processing, such as requiring that data be processed fairly and lawfully, be kept accurate and up-to-date, and be processed for specific, explicit and legitimate purposes.  Processing should also be relevant, limited, and proportional to the purposes for which it is processed.  Erasure, destruction, or anonymization of personal data is also required once the purpose for its collection has expired.

The Law also provides certain rights for data subjects.  For example, it requires data controllers to provide notice to data subjects regarding their data handling process.  Data controllers must also implement security measures to prevent unlawful processing or access to data, and must notify data subjects and the Data Protection Authority as soon as possible if personal data has been obtained by third parties “in an illegal manner.”  In addition, data subjects have the right to access and correct information about them.

The law generally prohibits the processing of personal or sensitive data without explicit consent of the data subject.  There are a few exceptions to this consent for personal data, including where it is necessary to perform a contract with the data subject, to comply with a legal obligation, or for the purposes of the “legitimate interests” of the data controller.  Additionally, the law requires explicit consent for transfer of data to third parties or outside of Turkey, unless the sharing is necessary to exercise a right, is required by law, or the data is public.  However, when data is shared outside Turkey without consent, the country to which it is transferred must have sufficient protections or the data controller must have received permission from the Data Protection Board.

Violators of the law could face harsh penalties, including six-month to four-year prison sentences for certain breaches, criminal judicial fines, and administrative fines.  Individuals also have the right to compensation for unlawful collection or processing of their data.

The law entered into force on April 7, 2016.  For the collection of new information, companies must now comply with most of the law’s provisions; but for data collected before April 7, companies have a two-year period in which to ensure compliance.

For more information, contact Steptoe’s eTeam.

Michael Vatis and Kaitlin Cassel of Steptoe’s Washington office authored this advisory