The history and fundamentals of Turkish data protection law

Ata Umur Kalender

Bozoğlu – İzgi Attorney Partnership, Istanbul

ata.kalender@bi.legal

Introduction

Today, both public institutions and private organisations can access a vast range of information about thousands of people every day. This information can be processed and analysed more and more easily as technology evolves. lnevitably, the information collected by states and companies includes personal data. Therefore, various regulations have been made by many countries around the world for the purpose of protecting personal data.

The history of Turkish data protection law

The legislation process regarding data protection law for Turkey has been ongoing for more than 35 years, starting with the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’), which entered into force on 1 October 1985.

However, the concept of data privacy was not introduced into the Constitution of the Republic of Turkey until 2010, via a Constitutional amendment.[1] The amendment regulated that each person is entitled to request the protection of personal data related to them. This right entitles the relevant person to obtain information regarding personal data related to them, to access such data, to request correction or deletion of such data, and to inquire whether such data has been used in line with the purpose for which consent was given. The Constitutional amendment served as the basis for privacy law in Turkey, while other laws regulated more specific aspects of data protection.[2]

When the Personal Data Protection Law No 6698 (the ‘Law’) entered into force in the Official Gazette on 7 April 2016, Turkey reached its first comprehensive law specific to the protection of personal data. This article considers the fundamentals of the law, its main issues and developments expected in the near future.

The fundamentals of Turkish data protection law

The Law is largely based on the European Union Data Protection Directive (95/46/EC). In brief, it introduced:

• core terms such as personal data, data processor and data controller, among others;
• a broad definition for personal data, which includes all information belonging to an identified person or that can be used to identify an individual;
• a separate classification for ‘sensitive’ personal data, which is subject to further protection mechanisms due to the potential for abuse and discrimination;
• a definition for ‘data controller’, a person who determines the purpose and tools for processing personal data, and who is liable to set up and manage the data registry system;
• a definition for ‘data processor’, which is a real or legal person who processes the data on behalf of, and with authorisation by, the data controller; and
• a definition for ‘data processing’, which covers almost all actions that can be performed on personal data.

The Law sets forth main principles for data processing, such as processing being (1) in compliance with law and the principle of good faith; (2) correct and up to date; (3) performed for defined, clear and legitimate purposes; and (4) limited and proportional to the scope of these defined purposes. Finally, a general principle is that personal data may be retained for a particular time period as outlined in relevant legislation or required for the purpose of processing.

As per the Law, data controllers are compelled to provide information to, and in some cases obtain consent from, data subjects regarding data processing activities. This kind of information, commonly referred to as ‘enlightenment’ by Turkish practitioners, shall set forth the main aspects of data processing beforehand.

Consent provided by the data subjects must be based on their free will and the prior information provided to them. ln certain cases (such as data processing being mandatory for the performance of contractual duties or legal obligations), consent is not necessary for data processing; providing information to data subjects (or ‘enlightenment’) is considered sufficient.

In addition, the Law provides for the establishment of two new bodies: the Personal Data Protection Authority (the ‘Authority’) and the Board of Personal Data Protection. These bodies are responsible for ensuring that the Law is applied and enforced.

The Authority has been shaping practice and helping in the interpretation of the Law by conducting inspections and publishing summary decisions. The IT and telecommunications, banking and finance, and health sectors have been the main focus for the Authority in the past five years, as well as where the majority of the penalties imposed by the Authority have been issued so far.

Penalties for violations of the Law are imposed by the Authority. Unlike the General Data Protection Regulation (GDPR), the penalties are based on applicable upper and lower limits, which are renewed each year. The highest penalty observed among these sectors was handed down to instant messaging platform WhatsApp. According to the Authority, its owner, Facebook (now known as Meta), violated its obligation to prevent the unlawful processing of personal data and its obligation to inform data subjects in accordance with the Law. WhatsApp was issued an administrative fine of a total of TL 1,950,000 (approximately $113,000).

The Law has brought many new subjects and rules for their respective parties, but there have been two overwhelming issues that to this day still cannot be resolved completely, which are discussed in the following sections.

1. VERBIS data registry

The Law introduced a registry known as VERBIS, where all real person or legal entity data controllers must register before processing personal data. As a rule, the obligation to register falls to all data controllers, though the Authority has allowed many exceptions. Most importantly, data controllers with fewer than 50 employees and an annual balance sheet below TL 25m are exempt if their main activity does not require the processing of special categories of data. Further, deadlines for VERBIS registry have been pushed back several times; the last deadline was 31 December 2021 for all data controllers, whether a Turkish or foreign company.

Even if a data controller is a foreign company under the Law, if the data subjects are Turkish citizens or the data is being processed in Turkey, the data controller must register with VERBIS. However, there are no thresholds for this registry obligation, and it is largely omitted by foreign companies. In the case that a foreign company does not register with VERBIS, the Authority may stop the data transfer and the data-processing activity or may apply penalties as per the Law, but the question of whether the Authority is competent to issue an administrative sanction to a foreign company is still a widely discussed matter and has no definitive answer.

2. Data transfer abroad

Perhaps one of the most problematic issues of the Law is ‘the transfer of personal data abroad’. According to the Law, personal data cannot be transferred broad without the explicit consent of the data subject, unless (i) the transfer is made to a country providing an adequate level of protection for personal data (as outlined by the Turkish Data Protection Authority); or (ii) commitments of adequate protections are provided by the Turkish and foreign data controller, and approved by the Authority; or (iii) binding corporate rules are present and approved by the Authority.

Unfortunately, the Authority has not yet made a ruling regarding any country it considers as having an adequate level of protection for personal data. ln theory, it would be expected that EU countries would be ruled as providing an adequate level of protection for personal data, considering that the Law has similarities with previous European legislation, and that European law itself has progressed in step with the GPDR.

A decision dated 26 October 2020 and issued by the Authority stated that the Authority's aim is not to complicate the international transfer of personal data, but intends to secure the right to privacy with highly effective protection. The important elements of the decision can be summarised as follows:

• transferring personal data abroad is also a data processing activity according to both the Law and the GDPR;
• it is crucial for personal data transferred abroad to be actively protected in the receiving country;
• when considering adequacy decisions for a third country, the reciprocity principle is an absolute must (within this scope, Turkey continues to negotiate with other countries, especially the EU); and
• where explicit consent is absent, a commitment or binding corporate rules approved by the Authority should exist.

Since explicit consent is required to be based on prior information provided to the data subjects, and it is difficult in some cases to cover every channel of data flow, the alternative of ‘commitment’ applications (one from the data controller to another data controller, the other for the transfer from the data controller to the data processor) are increasingly used for the transfer of data abroad. However, as of today, the Authority has only accepted three commitment applications so far. Combined with the lack of an announcement regarding which countries provide an adequate level of protection, in practice, the transfer of data abroad today is mostly based on explicit consent.

What’s next for data protection in Turkey?

Following the introduction of the Law, secondary legislation was introduced to further outline how Turkey's data protection system operates in practice. The Authority regularly publishes guidelines and decisions to clarify grey areas, alongside guidance on data protection matters in Turkey. The decisions are considered especially important since the Law and the Authority have been recently established and legal practice is still developing.

In its decisions the Authority has begun to expressly refer to EU laws, and it was also officially announced that changes will be made to the Law in 2022, in line with GDPR provisions. While there are many changes expected, some are expected to have a more profound effect than others. The expectation is that the rules on transfer of data abroad will be adapted to align more closely with the GDPR, perhaps allowing more flexibility and different options for data controllers. Granting new rights to data subjects, such as the right to restriction of processing and data portability, may also come into question. If realised, these will both be changes that widen the scope of the Law.

There may also be a change in the calculation method used for administrative fines, where focus is placed on the turnover of the data controller rather than applying upper and lower limits.

Finally, regarding data transfers abroad, it is expected that countries considered to have an adequate level of protection will be announced. As a result, it is expected that the Authority will review and approve binding corporate rules and commitments much faster.

Conclusion

Every day a new business model is imagined, new technologies are designed and the seemingly infinite need for personal data grows. While Turkey has recently introduced legislation regarding personal data, it is beyond doubt that the law and practice of data protection must be constantly updated and developed, either via new legislation, amendments or, most commonly, decisions and guidelines issued by the Authority. Significant work falls on lawyers to remain informed and up to date.