Personal Data Protection Law

This is an English translation. In case of any difference in meaning between the original Turkish text and the English translation, the Turkish text shall apply. The detailed content can be obtained from the link below:

https://www.kvkk.gov.tr/Icerik/6649/Personal-Data-Protection-Law (05.08.2022)

The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data. General Principles

1. Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.
2. The following principles shall be complied within the processing of personal data:
a) Lawfulness and fairness
b) Being accurate and kept up to date where necessary.
c) Being processed for specified, explicit and legitimate purposes.
ç) Being relevant, limited and proportionate to the purposes for which they are processed.
d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

Conditions for processing personal data

1. Personal data shall not be processed without explicit consent of the data subject.
2. Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:
a) It is expressly provided for by the laws.
b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
ç) It is necessary for compliance with a legal obligation to which the data controller is subject.
d) Personal data have been made public by the data subject himself/herself.
e) Data processing is necessary for the establishment, exercise or protection of any right.
f) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Conditions for processing of Special categories of personal data

1. Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data
2. It is prohibited to process special categories of personal data without explicit consent of the data subject.
3. Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
4. Adequate measures determined by the Board shall be also taken while processing the special categories of personal data.

Transfer of personal data

1. Personal data shall not be transferred without explicit consent of the data subject.
2. Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in: a) the second paragraph of Article 5, b) the third paragraph of Article 6, provided that sufficient measures are taken.
3. The Provisions of other laws relating to transfer of personal data are reserved.

Crimes and Misdemeanours

1. Articles 135 to 140 of Turkish Penal Code No. 5237 of 26/9/2004 shall be applied to the crimes concerning personal data.
2. Those who do not erase or anonymize personal data as contrary to the provision of Article 7 of this Law shall be punished in accordance with Article 138 of the Law No. 5237.

Misdemeanours

1. For the purposes of this Law;
a) For those who do not fulfil the obligation to inform provided for in Article 10 shall be imposed to pay an administrative fine of 5.000 to 100.000 TL,
b) For those who do not fulfil the obligations related to data security provided for in Article 12 shall be imposed to pay an administrative fine of 15.000 to 1.000.000 TL,c) For those who do not fulfil the decisions issued by the Board pursuant to Article 15 shall be imposed to pay an administrative fine of 25.000 to 1.000.000 TL,
ç) For those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification provided for in Article 16 shall be imposed to pay an administrative fine of 20.000 to 1.000.000 TL.
2. The administrative fines provided for in this article shall be applied to the natural persons and the private law legal persons who are the data controllers.
3. In the event that the actions listed in the first paragraph be committed within the public institutions and organizations as well as the public professional organizations, the disciplinary provisions shall be applied to the civil servants and other public officers employed in the relevant public institutions and organisations and those employed in the public professional organizations upon the notice of the Board and the result is reported to the Board.