Personal Data Protection Law
This is an English translation. In the event of any difference in meaning between the original Turkish text and the English translation, the Turkish text shall apply. The detailed content can be obtained from the link below:
The purpose of this Law is to protect the fundamental rights and freedoms of persons, particularly the right to privacy, with respect to the processing of personal data and to set forth obligations, principles, and procedures that shall be binding upon natural or legal persons who process personal data.
1. Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.
2. The following principles shall be complied within the processing of personal data:
a) Lawfulness and fairness
b) Being accurate and keeping up-to-date where necessary
c) Being processed for specified, explicit, and legitimate purposes
ç) Being relevant, limited, and proportionate to the purposes for which they are processed
d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed
Conditions for processing personal data
1. Personal data shall not be processed without the explicit consent of the data subject.
2. Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:
a) It is expressly provided for by the laws.
b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person who is unable to explain his or her consent due to a physical disability or whose consent is not deemed legally valid.
c) The processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
ç) It is necessary for compliance with a legal obligation to which the data controller is subject.
d) Personal data have been made public by the data subject himself or herself.
e) Data processing is necessary for the establishment, exercise, or protection of any right.
f) The processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
Conditions for processing of special categories of personal data
1. Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect, or other belief, appearance, membership to associations, foundations, or trade unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data
2. It is prohibited to process special categories of personal data without explicit consent of the data subject.
3. Personal data, except for data concerning health and sexual life, listed in the first paragraph, may be processed without seeking the explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking the explicit consent of the data subject, by persons subject to secrecy obligations or competent public institutions and organizations, for the purposes of protecting public health, the operation of preventive medicine, medical diagnosis, treatment, and nursing services, the planning and management of health-care services, as well as their financing.
4. Adequate measures determined by the Board shall also be taken while processing the special categories of personal data.
Transfer of personal data
1. Personal data shall not be transferred without the explicit consent of the data subject.
2. Personal data may be transferred without seeking the explicit consent of the data subject upon the existence of one of the conditions provided for in: a) the second paragraph of Article 5, b) the third paragraph of Article 6, provided that sufficient measures are taken.
3. The Provisions of other laws relating to transfer of personal data are reserved.
Crimes and Misdemeanours
1. Articles 135 to 140 of Turkish Penal Code No. 5237 of 26/9/2004 shall be applied to the crimes concerning personal data.
2. Those who do not erase or anonymize personal data as contrary to the provision of Article 7 of this Law shall be punished in accordance with Article 138 of Law No. 5237.
1. For the purposes of this Law,
a) Those who do not fulfill the obligation to inform provided for in Article 10 shall be imposed to pay an administrative fine of 5.000 to 100.000 TL,
b) For those who do not fulfill the obligations related to data security provided for in Article 12 shall be imposed to pay an administrative fine of 15.000 to 1.000.000 TL,c) For those who do not fulfil the decisions issued by the Board pursuant to Article 15 shall be imposed to pay an administrative fine of 25.000 to 1.000.000 TL,
ç) For those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification provided for in Article 16 shall be imposed to pay an administrative fine of 20.000 to 1.000.000 TL.
2. The administrative fines provided for in this article shall be applied to the natural persons and the private law legal persons who are the data controllers.
3. In the event that the actions listed in the first paragraph be committed within the public institutions and organizations as well as the public professional organizations, the disciplinary provisions shall be applied to the civil servants and other public officers employed in the relevant public institutions and organisations and those employed in the public professional organizations upon the notice of the Board, and the result is reported to the Board.