
LAW ON THE PROTECTION OF PERSONAL DATA

Law Number: 6698 Date of Acceptance: 24/3/2016 Published in the Official Gazette: Date: 7/4/2016 Number: 29677 Published in the Düstur: Volume: 5 Number: 57

CHAPTER ONE

Purpose, Scope, and Definitions

Purpose

ARTICLE 1- (1) The purpose of this Law is to protect the fundamental rights and freedoms of individuals, particularly the right to privacy, in the processing of personal data and to establish the obligations and procedures and principles that must be followed by natural or legal persons who process personal data.

Scope

ARTICLE 2- (1) The provisions of this Law apply to natural persons whose personal data are processed, and to natural or legal persons who process such data wholly or partially by automatic means or by non-automatic means provided that they are part of a data recording system.

Definitions

ARTICLE 3- (1) For the implementation of this Law, the following terms shall have the meanings ascribed to them below: a) Explicit consent: Freely given, specific, informed, and unambiguous consent, b) Anonymization: Rendering personal data in such a way that the data cannot be linked to an identified or identifiable natural person, even if matched with other data, c) President: The President of the Personal Data Protection Authority, ç) Data subject: The natural person whose personal data are processed, d) Personal data: Any information relating to an identified or identifiable natural person, e) Processing of personal data: Any operation performed on personal data such as collecting, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use thereof by fully or partially automatic means or by non-automatic means provided that they are part of a data recording system, f) Board: The Personal Data Protection Board, g) Authority: The Personal Data Protection Authority, ğ) Data processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller, h) Data recording system: The recording system in which personal data are processed by being structured according to specific criteria, ı) Data controller: The natural or legal person who determines the purposes and means of processing personal data, and who is responsible for establishing and managing the data recording system.


CHAPTER TWO

Processing of Personal Data

General Principles

ARTICLE 4- (1) Personal data may only be processed in accordance with the procedures and principles set forth in this Law and other laws. (2) The following principles must be adhered to in the processing of personal data: a) Lawfulness and fairness. b) Being accurate and, where necessary, kept up to date. c) Processing for specified, explicit, and legitimate purposes. ç) Being relevant, limited, and proportionate to the purposes for which they are processed. d) Being stored only for the time designated by relevant legislation or necessary for the purposes for which they are processed.

Conditions for Processing Personal Data

ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the data subject. (2) Personal data may be processed without the explicit consent of the data subject if one of the following conditions is met: a) It is expressly provided for by laws. b) It is necessary to protect the life or physical integrity of the person or another person who is incapable of giving his/her consent due to actual impossibility or whose consent is not legally valid. c) It is necessary for the performance or conclusion of a contract to which the data subject is a party. ç) It is necessary for compliance with a legal obligation to which the data controller is subject. d) The data is made public by the data subject. e) It is necessary for the establishment, exercise, or protection of a right. f) It is necessary for the legitimate interests pursued by the data controller, provided that such processing does not violate the fundamental rights and freedoms of the data subject.

Conditions for Processing Special Categories of Personal Data

ARTICLE 6- (1) Personal data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire and dress, membership in associations, foundations or trade unions, health, sexual life, convictions, and security measures, as well as biometric and genetic data are special categories of personal data. (2) The processing of special categories of personal data is prohibited without explicit consent. (3) Special categories of personal data may be processed without explicit consent of the data subject in the following cases: a) If it is expressly provided for by laws, b) If it is necessary to protect the life or physical integrity of the person or another person who is incapable of giving his/her consent due to actual impossibility or whose consent is not legally valid, c) If the data subject has made the data public, ç) If it is necessary for the establishment, exercise, or protection of a right, d) If it is necessary for the purposes of preventive medicine, medical diagnosis, treatment, and care services, or the management and financing of healthcare services, provided that sufficient measures are taken. (4) It is also necessary to take adequate measures determined by the Board for the processing of special categories of personal data.

Deletion, Destruction, or Anonymization of Personal Data

ARTICLE 7- (1) Personal data, although processed in accordance with the provisions of this Law and other relevant laws, shall be deleted, destroyed, or anonymized by the data controller ex officio or upon request by the data subject when the reasons for their processing no longer exist. (2) Provisions of other laws relating to the deletion, destruction, or anonymization of personal data are reserved. (3) The procedures and principles regarding the deletion, destruction, or anonymization of personal data shall be regulated by a by-law.

Transfer of Personal Data

ARTICLE 8- (1) Personal data cannot be transferred without the explicit consent of the data subject. (2) Personal data may be transferred without the explicit consent of the data subject in the presence of one of the conditions set forth in the second paragraph of Article 5 and the third paragraph of Article 6, provided that sufficient measures are taken. (3) Provisions of other laws relating to the transfer of personal data are reserved.

Transfer of Personal Data Abroad

ARTICLE 9- (1) Personal data may be transferred abroad provided that one of the conditions set forth in the fifth and sixth articles exists, and that: a) There is an adequate level of protection in the foreign country where the data is to be transferred, or b) The data controllers in Turkey and in the relevant foreign country undertake in writing to provide an adequate level of protection and the Board grants permission. (2) The Board determines whether there is an adequate level of protection in the foreign country and announces the list of such countries. (3) The transfer of personal data abroad without explicit consent may be carried out under the condition of sufficient measures determined by the Board in the cases specified in the third paragraph of Article 6.

CHAPTER THREE

Rights of the Data Subject

Right to Information

ARTICLE 11- (1) Each person has the right to learn whether his/her personal data are processed, to request information if his/her personal data have been processed, to learn the purpose of processing of his/her personal data and whether they are used in accordance with their purpose, to know the third parties to whom his/her personal data are transferred in country or abroad, to request the rectification of the incomplete or inaccurate data, if any, to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7, to request notification of the operations carried out pursuant to subparagraphs (d) and (e) to third parties to whom his/her personal data have been transferred, to object to the processing, exclusively by automatic means, of his/her personal data, which leads to an unfavorable consequence for the data subject, and to request compensation for the damage arising from the unlawful processing of his/her personal data.

CHAPTER FOUR

Obligations Regarding Data Security

Data Security Obligations

ARTICLE 12- (1) The data controller is obliged to: a) Prevent unlawful processing of personal data, b) Prevent unlawful access to personal data, c) Ensure the protection of personal data, d) Take all necessary technical and organizational measures to provide a sufficient level of security, e) Carry out or have carried out the necessary inspections within his own institution or organization, f) Ensure that the data processor, to whom the personal data are transferred, takes all necessary technical and organizational measures to ensure data security.

(2) In case the processed personal data is obtained by others unlawfully, the data controller shall notify the data subject and the Board within the shortest time. (3) The Board may announce such a breach on its website or by any other method it deems appropriate.

Obligation to Inform

ARTICLE 13- (1) During the collection of personal data, the data controller or the person authorized by the data controller is obliged to inform the data subjects about: a) The identity of the data controller and his/her representative, if any, b) The purposes for which personal data will be processed, c) To whom and for what purposes the processed personal data can be transferred, d) The method and legal basis of collection of personal data, e) Other rights listed in Article 11.

Application to the Data Controller

ARTICLE 14- (1) Data subjects shall convey their requests regarding the application of this Law to the data controller in writing or by other means to be determined by the Board. (2) The data controller shall conclude the requests included in the application free of charge and as soon as possible, and within thirty days at the latest, depending on the nature of the request. (3) If the request is denied, the reasons for the denial shall be communicated in writing or electronically within thirty days at the latest. (4) Data subjects may lodge a complaint with the Board within thirty days from the date the response is learned, or within sixty days from the date of the request, in case the request is rejected, the response is found unsatisfactory, or no response is provided. (5) Lodging a complaint is not a precondition for other administrative and judicial remedies.

Duties and Powers of the Board

ARTICLE 15- (1) The Board shall perform the following duties and exercise the following powers: a) To ensure that personal data are processed in compliance with the fundamental rights and freedoms, b) To make decisions on complaints and inform the concerned parties, c) To carry out inspections on its own initiative or upon complaints, d) To impose administrative sanctions as stipulated in this Law, e) To encourage the establishment of data protection awareness, f) To cooperate with foreign institutions on personal data protection matters, g) To publish an annual report.

Supervision by the Board

ARTICLE 16- (1) The Board shall perform its duties and exercise its powers independently. (2) The Board, when performing its duties, may request all kinds of information and documents from public institutions and organizations, and from other real and legal persons, including those subject to private law. (3) The requested information and documents shall be provided to the Board within fifteen days. (4) The Board may also conduct on-site examinations.

Obligation to Register with the Data Controllers' Registry

ARTICLE 17- (1) The data controllers are obliged to register with the Data Controllers' Registry before commencing data processing. (2) The Registry is publicly accessible. (3) The principles and procedures regarding the operation of the Registry are determined by a by-law.

Exception to the Obligation to Register

ARTICLE 18- (1) The Board may determine exceptions to the obligation to register with the Data Controllers' Registry, considering the nature and quantity of the processed data, whether the data is publicly available, and other criteria.

CHAPTER FIVE

Organizational Structure

Establishment of the Personal Data Protection Authority

ARTICLE 19- (1) The Personal Data Protection Authority, having public legal personality and administrative and financial autonomy, is established in order to carry out the duties assigned by this Law. The Authority is affiliated with the Ministry of Justice.

Duties and Powers of the Authority

ARTICLE 20- (1) The duties and powers of the Authority are as follows: a) To ensure that personal data are processed in compliance with the fundamental rights and freedoms, b) To make decisions on complaints and inform the concerned parties, c) To carry out inspections on its own initiative or upon complaints, d) To impose administrative sanctions as stipulated in this Law, e) To encourage the establishment of data protection awareness, f) To cooperate with foreign institutions on personal data protection matters, g) To publish an annual report.

Structure of the Authority

ARTICLE 21- (1) The Authority consists of the Board and the Presidency. (2) The Board is the decision-making body of the Authority. (3) The Board consists of nine members, five of whom are appointed by the President of the Republic and four by the Parliament. (4) The term of office of the Board members is four years, and they may be re-elected. (5) The President of the Board is elected by the Board members. (6) The duties and powers of the Board are carried out by the President of the Board and the members within the framework of this Law and other relevant legislation.

President and Members of the Board

ARTICLE 22- (1) The President of the Board and the members must have the following qualifications: a) To have graduated from a four-year higher education institution, b) To have at least ten years of professional experience, c) Not to have been convicted of crimes specified in Article 11 of the Civil Servants Law No. 657. (2) The President of the Board and the members work on a full-time basis. (3) The President of the Board and the members cannot be dismissed before the expiry of their term of office, except in cases where they lose the qualifications required for appointment, or in cases of disciplinary action.

Duties and Powers of the President of the Board

ARTICLE 23- (1) The President of the Board performs the following duties and exercises the following powers: a) To represent the Board, b) To manage the Board, c) To determine the agenda of the Board meetings, d) To carry out inspections and to report the results to the Board, e) To ensure the implementation of the Board's decisions, f) To prepare the Board's annual report and present it to the Board for approval, g) To perform other duties assigned by the Board.

Meetings of the Board

ARTICLE 24- (1) The Board convenes at least once a month with the participation of at least six members. (2) Decisions are taken by a majority of the total number of members. (3) The Board may also convene extraordinary meetings upon the call of the President of the Board or upon the written request of at least three members. (4) The working principles and procedures of the Board are determined by a by-law.

Administrative and Financial Provisions

ARTICLE 25- (1) The administrative and financial provisions of the Authority are determined by a by-law. (2) The budget of the Authority is prepared in accordance with the principles and procedures applicable to public administrations with a special budget.

CHAPTER SIX

Penal Provisions

Crimes

ARTICLE 26- (1) The following acts are considered crimes: a) Unlawful recording of personal data, b) Unlawful transfer, dissemination, or obtaining of personal data, c) Failure to destroy personal data within the required period.

(2) These crimes are punished in accordance with the relevant provisions of the Turkish Penal Code.

Misdemeanors

ARTICLE 27- (1) The following acts are considered misdemeanors: a) Failure to fulfill the obligation to inform, b) Failure to take necessary security measures, c) Failure to comply with the decisions issued by the Board.

(2) These misdemeanors are punished with administrative fines.

CHAPTER SEVEN

Final Provisions

Regulations

ARTICLE 28- (1) The regulations concerning the implementation of this Law are prepared by the Board and come into force upon their publication.

Provisions Repealed

ARTICLE 29- (1) The provisions of the Law on the Protection of Personal Data No. 4433, dated 27/7/2004, are repealed.

Entry into Force

ARTICLE 30- (1) This Law enters into force six months after the date of its publication.

Enforcement

ARTICLE 31- (1) The provisions of this Law are enforced by the President.