Qatar State

Summary

Law: Law No. 13 of 2016 Concerning Privacy and Protection of Personal Data (the Law)

Regulator: National Cyber Governance and Assurance Affairs, a division of the National Cyber Security Agency (NCSA)

Summary: Law No. 13 of 2016 Concerning Privacy and Protection of Personal Data (the Law) was published in the Official Gazette on December 29, 2016, and became effective in 2017.

The Law is broadly modeled on the former European Union Data Protection Directive (Directive 95/46/EC). The Law establishes the consent of the data subject as the main legal basis for processing personal data and details specific notification requirements for the processing of sensitive data. From an enforcement perspective, the Law prescribes that corporate entities can be found liable for the actions of third parties, such as contractors, where those actions were carried out on the organization's behalf. The Law also stipulates that contracts or agreements concluded in violation of the Law shall be deemed null and void. However, this provision is likely to require further specification, considering its potential effects on several business sectors as well as its civil law implications. Furthermore, the Law presents a unique approach to data transfers, providing that the data controller should not block a cross-border data flow unless it results in a violation of the Law or constitutes a serious violation of the data subject's right to privacy.

The National Cyber Governance and Assurance Affairs, a division of the National Cyber Security Agency (NCSA), is the supervisory authority and has released detailed guidelines to aid regulated entities and individuals in implementing the Law.