Turkey - Data Protection Overview
August 2024
1. Governing Texts
In April 2016, Turkey completed the final step in a long-running process to enact the Law on Protection of Personal Data No. 6698 (the Data Protection Law). The Data Protection Law received Presidential approval and its final text was published in the Official Gazette, Number 29677 on April 7, 2016. Prior to this date, Turkey did not have specific legislation addressing personal data protection.
From April 7, 2016, onward, a general prohibition applied in Turkey on the processing or storing of personal data without explicit consent from the data subject, subject to certain limited exceptions where such consent is not required. Companies which held personal data prior to April 7, 2016, received a two-year grace period to ensure the data met the new legislative requirements.
The enactment process for a local data protection law had been ongoing for more than 35 years, starting with the execution of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108). Turkey executed Convention 108 with other Member States on January 28, 1981, but delayed its ratification into national law until May 2, 2016, and it entered into force on September 1, 2016.
The Data Protection Law was prepared based on Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (Directive 95/46/EC) on data protection, which was repealed by the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). Since 2021, however, aligning the Data Protection Law with the GDPR has been on Turkey's agenda. Although it is not yet fully compliant with the GDPR, significant amendments to the Data Protection Law were made through the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad No. 32598 dated March 12, 2024, which was published in the Official Gazette (only available in Turkish here) (the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad). The provisions introduced by the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad came into effect on June 1, 2024. These amendments primarily address the processing of special categories of personal data and international data transfers, given the urgency of these matters. While differences from the GDPR still exist, the relevant provisions are considered more closely aligned with the GDPR than with Directive 95/46/EC. It is anticipated that the Data Protection Law will be made fully compliant with the GDPR in the forthcoming period.
1.1. Key acts, regulations, directives, bills
The Data Protection Law outlines a framework similar to the European data protection system, within the framework of:
- Directive 95/46/EC;
- the GDPR; and
- the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680).
In addition, secondary legislation in the form of regulations and communications further outlines how Turkey's data protection regime operates in practice.
Key regulations include:
- Regulation on Deletion, Destruction, or Anonymization of Personal Data 2017 (only available in Turkish here) (the DDA Regulation);
- Regulation on the Registry of Controllers No. 30286 2017 (only available in Turkish here) (the VERBIS Regulation);
- Regulation on the Procedures and Principles of the Personal Data Protection Board 2017 (only available in Turkish here);
- Regulation on Organization of the Personal Data Protection Authority 2018 (only available in Turkish here);
- Regulation on Promotion and Title Change of the Personnel of the Personal Data Protection Authority 2018 (only available in Turkish here);
- Regulation on Personal Data Protection Expertise 2018 (only available in Turkish here);
- Regulation on Disciplinary Supervisors of Personal Data Protection Authority 2019 (only available in Turkish here);
- Regulation on Personal Health Data 2019 (only available in Turkish here);
- Regulation on Disciplinary Supervisors of the Personal Data Protection Authority (only available in Turkish here); and
- Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad.
Key communiqués include:
- Communiqué on Principles and Procedures for Application to Data Controller 2018 (only available in Turkish here) (Application Communiqué);
- Communiqué on Procedures and Principles Regarding the Data Controller's Obligation to Inform Data Subjects 2018 (Obligation to inform Communiqué) (only available in Turkish here);
- Communiqué on Procedures and Principles Regarding Personnel Certification Mechanism (only available in Turkish here) (Communiqué on Procedures and Principles Regarding Personnel Certification Mechanism); and
- Data Protection Officer Certification Program (the Program) (only available in Turkish here).
Furthermore, the Personal Data Protection Board (Board) has explained the minimum elements to be included in the undertaking for cross-border transfers, executed between the data exporter and data importer abroad (only available in Turkish here). As of July 10, 2024, the Board published additional document requirements for the Binding Corporate Rules (BCRs) for data controllers to regulate intragroup transfers. In line with the changes to the provisions on cross-border data transfers introduced by the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, the BCR application documents have been revised into two modules; the BCR Application Form for Data Controllers (only available in Turkish here), and the BCR Application Form for Data Processors (only available in Turkish here). Additionally, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad stipulates that standard contractual clauses (SCCs) can also be used for cross-border data transfers; in this regard, four modules of the SCCs (controller to controller (available in Turkish here and in English here), controller to processor (available in Turkish here and in English here), processor to processor (available in Turkish here and in English here), and processor to controller (available in Turkish here and in English here)) have been published.
Constitutional measures
Before the Data Protection Law was enacted, data protection was governed by the Constitution of the Republic of Turkey (the Constitution), as well as general and sectoral laws and regulations. These other pieces of legislation continue to be effective in parallel to the Data Protection Law's provisions, as outlined below.
The Constitution does not specifically address data protection. However, the right to protection of personal rights and privacy can be found in Article 20 of the Constitution, under the section regarding Privacy of Private Life. Accordingly, everyone has the constitutional right to:
- ask for protection of their personal information;
- be informed of what personal data is held about them;
- access, delete, and/or correct such data; and
- be informed about whether the data is being used in accordance with the purpose for which consent was given.
General laws
Criminal law
Articles 134 to 140 of the Criminal Code No. 5237 (the Criminal Code) outline provisions regarding the protection of privacy. The Articles in the Criminal Code establish a framework for privacy violations and the unlawful recording of personal data, as well as unlawful delivery, acquisition, and destruction of data. In addition, the Criminal Code provides the basis for sanctions and penalties under the Data Protection Law.
Turkish law clearly states that criminal responsibility is personal and, therefore, cannot be attached to legal entities. Nevertheless, the board members of a company can still be held liable for their actions with respect to privacy violations. Criminal sanctions envisaged in this respect range from six months to four years. In addition, legal entities may be subject to safety measures where stipulated by law. Accordingly, the Criminal Code envisages safety measures for:
- privacy violations (Article 134);
- recording personal data (Article 135); and
- unlawful delivery or acquisition of data (Article 136).
Possible measures imposed on legal entities include:
- license cancellation if a crime is committed in favor of the legal entity by the legal entity's organs or representatives, via an abuse of the authorization provided by the license; and
- government seizure of:
  - pecuniary benefits obtained by legal entities from the committed crime; and/or
  - goods used for or gained as a result of the committed crime.
Civil law
Articles 23 and 24 of Turkish Civil Law No. 4721 (only available in Turkish here) (the Civil Law) outline individual personality rights. Pursuant to the Civil Law, no person can waive their rights and capacity to act freely, even in the smallest degree. Neither can a person waive their freedom, nor have anyone impose restrictions on a person which are contrary to laws and ethics.
Tort law
Infringement of personal rights may constitute a tortious violation of privacy rights under the Turkish Code of Obligations No. 6098 (only available in Turkish here).
Sectoral laws
Electronic communications
A general framework exists for using personal data in the electronic communications field, with particular reference to traffic and individuals' location data. Accordingly, except to the extent required for providing electronic communication service, operators cannot store or access information in the terminals of their users/subscribers without giving comprehensive and clear information about the data processing, as well as obtaining explicit consent.
Traffic data may be processed for:
- traffic management;
- interconnection;
- billing;
- fraud detection;
- customer enquiries; and
- settling disputes (particularly interconnection and billing disputes; such data must be kept complete and confidential until the dispute is settled).
Traffic data or location data used for marketing electronic communication services, or for providing value added electronic communications services, can be processed only to the extent and for the duration necessary for such services (or similar services); and either:
- with explicit consent from users/subscribers; or
- using anonymization.
Traffic and location data may only be transferred outside Turkey with explicit consent from the data subjects. Operators must also allow users/subscribers to object to the processing of their location data.
Internet crimes
Turkish legislation does not directly address the protection of personal data on the Internet. However, it does define actors within the internet environment and regulates access blocking schemes where breaches of personal rights and criminal offenses occur (Law No. 5651 Regulating Internet Broadcasting and Combatting Crimes Committed through Internet Broadcasting (only available in Turkish here)).
Electronic commerce
Personal data collected from a consumer can only be used and shared with third parties with the consumer's consent (Electronic Commerce Law No. 6563 (only available in Turkish here) (the Electronic Commerce Law)). Therefore, customer consent must be obtained to use personal data for marketing purposes, such as online mailing or online behavioral advertising, as well as other electronic commercial communications. Service providers and intermediary service providers are responsible for establishing and maintaining security systems for personal data. The details of electronic commercial communication have been determined under the Regulation on Commercial Electronic Communication, published in the Official Gazette numbered 29417 on 15 July 2015 (only available in Turkish here).
The Regulation Amending the Regulation on Commercial Communication and Electronic Commercial Messages No. 30998 (only available in Turkish here) (the Regulation Amending the Regulation on Commercial Communication and Electronic Commercial Messages) entered into effect upon its publication in the Official Gazette numbered 30998 on January 4, 2020 (only available in Turkish here). It provides for the establishment of a central, single platform for obtaining recipients' prior consent to the sending of electronic commercial messages, for recipients' exercise of the right of rejection, and for complaint procedures.
The Commercial Electronic Messages Management System (MMS) was established to handle the transactions introduced by the Regulation Amending the Regulation on Commercial Communication and Electronic Commercial Messages: obtaining recipients' prior consent to the sending of electronic commercial messages, recipients' exercise of the right of rejection, and complaint procedures. Registration with the system is mandatory for real or legal persons intending to send commercial messages, and the system was enacted so that such messages cannot be sent to recipients whose consent is not recorded on the MMS. Service providers wishing to send commercial electronic messages must either obtain consent through the MMS or upload the consent to the MMS within three business days of obtaining it.
Health Data and Insurance Data
In accordance with the provisions of the Data Protection Law, detailed procedures and principles to be followed in the processes and practices carried out by the central and provincial units of the Ministry of Health, by the healthcare service providers operating under their supervision, and by their affiliated and related organizations have been regulated under the Regulation on Personal Health Data (only available in Turkish here) (the Personal Health Regulation). The Personal Health Regulation covers the processing of health data; access to data by healthcare personnel, the Ministry of Health, lawyers, and patient relatives; the processing of data for scientific purposes; and rules on data security.
Health data can also fall within the scope of insurance, where it is regulated by the Insurance Data Regulation No. 5684 (only available in Turkish here) (the Insurance Data Regulation). The Insurance Data Regulation covers in detail how insurance data is processed and stored.
National Disabled Data System
The Regulation on the Issuance of Identification Cards to Disabled Individuals and the Establishment of the National Disabled Data System (only available in Turkish here) has been put in place to govern the procedures and principles pertaining to the provision of identification cards to individuals with disabilities, enabling them to avail themselves of the rights and services afforded to them, and the establishment of the National Disabled Data System. It outlines the necessary requirements for processing, transferring, destroying, erasing, and anonymizing personal data, including special categories of personal data, in accordance with the Data Protection Law. Moreover, the authority to establish the data system and define security measures in relation to this matter has been granted to the Information Technologies General Directorate.
Remote Identity Verification
The Regulation on the Methods of Remote Identity Verification and the Establishment of Contractual Relationships in Electronic Media to be Used by Banks (only available in Turkish here) (the Regulation on the Methods of Remote Identity Verification) aims to regulate the procedures and principles for methods of remote identity verification that banks can use for new customer acquisition, and for establishing contractual relationships either remotely or through an information or electronic communication device that substitutes the written form, following the verification of customer identity. In this regard, the Regulation on the Methods of Remote Identity Verification applies to the processing of personal data during remote identity verification processes.
Personal Data of Children in the Field of Education
The Regulation on Amending the Regulation of the Ministry of National Education on Preschool Education and Primary Education Institutions (only available in Turkish here) (the Regulation on Amending the Regulation of the Ministry of National Education) was published in the Official Gazette on October 14, 2023, and came into effect on the same day. The Regulation on Amending the Regulation of the Ministry of National Education stipulates that, without obtaining written consent from parents and the supervision of a guidance teacher, students' images captured during educational activities, social and cultural events, as well as trips and observations conducted within and outside the school, cannot be shared on social media platforms or communication groups under any name. Thus, in preschool education and training institutions, images of children taken during activities can be shared on social platforms only with consent from either the parents or the children.
1.2. Guidelines
The Board consistently publishes guidelines to clarify grey areas in practice, as well as guidance on data protection matters in Turkey. In addition, various other guidelines on specific data protection related matters have been published by the Board on its website (only available in Turkish here and here).
Guide on the Protection of Personal Data in Election Activities
The Guide on the Protection of Personal Data in Election Activities (only available in Turkish here), published by the Personal Data Protection Authority (KVKK), provides comprehensive instructions for handling personal data during election processes. It emphasizes the importance of safeguarding voters' personal information and ensuring compliance with data protection laws. The guide covers the lawful collection and processing of personal data during election campaigns, ensuring that data is collected fairly and with explicit consent. It also highlights the need for robust security measures to protect personal data from unauthorized access, breaches, or misuse, and stresses the importance of transparency and accountability in data processing activities. Additionally, the guide outlines the rights of individuals whose data is being processed, including the right to access, rectify, and object to data processing. It advises on the principles of data minimization and retention, ensuring that only necessary data is collected and kept for no longer than required for election purposes. Furthermore, the guide provides recommendations on managing and protecting personal data when third parties are involved in the election process. Overall, the guide aims to ensure that all stakeholders in election activities adhere to data protection principles and protect voters' personal data throughout the election process.
Guide on Processing Turkish Republic Identity Numbers
The Guide on Processing Turkish Republic Identity Numbers (only available in Turkish here), published by the KVKK, provides detailed information on the proper and secure handling of Turkish Republic Identity Numbers (TRINs). It outlines the legal framework, emphasizing compliance with data protection laws and regulations. The guide covers best practices for data controllers and processors, including minimizing data use, implementing security measures, and ensuring transparency and accountability in the processing of TRINs. It aims to protect individuals' personal data and prevent misuse or unauthorized access to sensitive identity information.
Guide on Considerations for Processing Genetic Data
The Guide on Considerations for Processing Genetic Data (only available in Turkish here) (the Genetic Data Guide), initially published as a draft by the KVKK on August 24, 2022, was finalized and shared with the public on October 13, 2023. The Genetic Data Guide provides detailed information on the following topics:
- the definition of genetic data;
- the roles of data controllers, data processors, and data subjects, and the general principles under the Data Protection Law, in terms of genetic data processing;
- the evaluation of genetic data processing conditions and cross-border transfers under the Data Protection Law;
- the obligations of data controllers and the technical and administrative measures for genetic data security; and
- recommendations and advice related to the processing of genetic data.
Guide on Recommendations for Protecting Privacy in Mobile Applications
On December 22, 2023, the Board published the Recommendations for Protecting Privacy in Mobile Applications (only available in Turkish here) (the Mobile Application Guide). The Mobile Application Guide emphasizes the critical importance of protecting individuals' personal data in mobile applications due to the extensive use of various sensors such as microphones, cameras, accelerometers, GPS, Wi-Fi, and Bluetooth in mobile devices, as well as the widespread use of cloud services by mobile application developers. In this context, the Mobile Application Guide addresses the existing and potential risks to privacy in mobile applications and aims to provide general recommendations for individuals and data controllers regarding personal data processing activities conducted through mobile applications.
Banking Sector Good Practice Guide on Personal Data Protection
The Banking Sector Good Practice Guide on Personal Data Protection (only available in Turkish here), published by the KVKK, provides comprehensive guidelines and best practices for banks to ensure the protection of personal data. The guide covers key principles such as data minimization, consent management, transparency, and security measures. It emphasizes the importance of compliance with data protection laws and regulations, addressing specific scenarios relevant to the banking sector, such as handling customer information, secure transactions, and data sharing with third parties. The aim is to help banks implement effective data protection strategies, safeguard customer privacy, and build trust.
Guide to Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence ('AI')
On September 15, 2021, the Board published on its official website the Recommendations on the Protection of Personal Data in the Field of AI (only available in Turkish here) (the AI Guide), which contains recommendations for the protection of personal data in the context of the Data Protection Law for developers, manufacturers, service providers, and decision makers operating in the field of artificial intelligence (AI). During the preparation of the AI Guide, previous studies of the European Commission and the Organization for Economic Co-operation and Development (OECD) were taken into consideration. In addition, the Board has published the following:
- Guidance on the Regulation (20 February 2018) (only available in Turkish here) (the DPO Guidance);
- Guidance on the Obligation to Register with the Data Controllers' Registry;
- Guide on the Data Controllers Registry (only available in Turkish here); and
- Q&A Guide on VERBIS (only available in Turkish here) (the Guide on VERBIS).
Guideline on Considerations in the Processing of Biometric Data
On September 16, 2021, the Board published on its official website the Guidance Regarding the Considerations in the Processing of Biometric Data (only available in Turkish here) (the Biometric Data Guide), to provide guidance on the principles to be considered by data controllers when processing biometric data and on biometric data security.
Guidelines on the Right to be Forgotten
On October 20, 2021, the Board published the Guideline on the Right to Be Forgotten (only available in Turkish here) (the RBF Guideline), which regulates the rights of the data subjects regarding the request to be forgotten, specific to search engines. The RBF Guideline, published by the Board with the aim of clarifying the discussions on whether there is a right to be forgotten in practice and/or how it can be used, once again highlighted that this right can be exercised by the data subjects.
As stated in the RBF Guideline, although there is no specific provision on the right to be forgotten within the framework of the Data Protection Law, several existing provisions already provide this right. Namely, Article 4 of the Data Protection Law, which regulates the general principles for the processing of personal data; Article 7 of the Data Protection Law, which regulates the right to request the deletion, destruction, or anonymization of personal data; and Article 11 of the Data Protection Law, which regulates the rights of data subjects, including the right to request the deletion or destruction of personal data, form the basis of the right to be forgotten.
According to the Data Protection Law, the right to be forgotten does not need to be defined as a separate right in order to be established. Data controllers must fulfill data subjects' requests regarding this right. The RBF Guideline refers to the Board's decision dated June 23, 2020 and numbered 2020/481 (only available in Turkish here) (Decision No. 2020/481), in which it was decided that a data subject can request the removal of search engine results shown for their own name and surname, and that, if the request is rejected by the data controller search engines or left unanswered, the data subject may apply to the Board and also seek judicial remedies.
The right to be forgotten is not an absolute right that data subjects can assert under all circumstances, because each case requires a specific evaluation based on the balancing test applied by the Board in Decision No. 2020/481.
Guideline on Cookies Practices
The Board published a guideline in order to create an advisory and guiding document for data controllers who process personal data through cookies and presented it to the public on its official website (only available in Turkish here).
In the guideline, cookies are first defined and the types of cookies are described; the relationship between Electronic Communication Law No. 5809 (only available in Turkish here) (the Electronic Communication Law) and the Data Protection Law is then evaluated. The guideline further explains which types of cookies require explicit consent and which do not. In this context, explicit consent is required for cookie applications that cannot rely on a legal basis within the scope of Article 5 of the Data Protection Law. In any case, the use of cookies must comply with the principles in Article 4 of the Data Protection Law.
The following are examples of cookie applications that do not require explicit consent:
- cookies with user input, such as cookies for the creation of the user basket;
- authentication cookies used to identify the user when logging into a website;
- user-centered security cookies used to increase security within the scope of a service expressly requested by the user;
- multimedia player session cookies used to store technical data needed for video playback or audio content;
- load balancing cookies that allow the distribution of web server requests over a pool of machines rather than a single machine;
- user interface customization cookies used to store the user's preferences for a service on internet pages;
- social add-on content sharing (like, share, comment) cookies;
- cookies used for open consent management platforms; and
- first-party analytical cookies.
1.3. Case law
Judicial cases
Some notable judicial consideration of the area is outlined below:
- The Constitutional Court dismissed an application (decision numbered 2016/125) seeking to suspend and strike out certain clauses of the Data Protection Law on the basis that the clauses are vague, broad, subjective, open to interpretation, and not proportionate. The Constitutional Court considered international legislation, EU legislation, and the Constitution, ultimately deciding that the clauses were not unconstitutional (only available in Turkish here).
- In the application numbered 2018/3454, the Constitutional Court decided that the employer's access to the content of private messages on the WhatsApp application, which the applicant had downloaded to their work computer, and the termination of the applicant's employment contract based on that content, violated the right to respect for privacy guaranteed in Article 20 of the Constitution and the freedom of communication guaranteed in Article 22 of the Constitution.
- The Izmir Regional Court of Justice considered an appeal where the execution office refused to fulfill a creditor's request to acquire family records from the civil registry, in order to question whether the debtor may have any inheritance. The Court indicated that while it may be beneficial for the creditor to acquire such knowledge for debt collection purposes, having easy access to personal data may be more detrimental than beneficial, if the possible benefits and damages are compared.
- The Assembly of the Civil Chambers, the highest body within Turkey's civil court system, accepted the existence of the right to be forgotten for the first time (2014/4-56 E, and 2015/1679 K, dated 17 June 2015). It held that the right to be forgotten includes digital data, as well as non-digital personal data kept in publicly accessible mediums. The digital aspect of this decision adopts and applies a similar scope as was granted by the Court of Justice of the European Union in its decision Google LLC v. CNIL Case C‑507/17 (24 September 2019) (the Google LLC v. CNIL Case). However, unlike the decision in the Google LLC v. CNIL Case, the Assembly also held that the right to be forgotten applies to non-digital personal data which is stored in mediums which are easily accessible by the public.
- The Constitutional Court considered a claim that Article 136(1) of the Criminal Code is unconstitutional because there is no clear definition or limitation for the phrase 'personal data,' violating Article 20 (right to privacy) and Article 38 (principle of legality) of the Constitution (decision number 2015/32, 12 November 2015 only available in Turkish here). Article 136 of the Criminal Code states that persons who unlawfully give out, release, or acquire personal data belonging to other people will be subject to imprisonment for between two to four years. In seeking to have the provision struck out, the Criminal Court claimed the article is ambiguous because there is no definite definition or limitation for the phrase 'personal data.' The Constitutional Court rejected the claim, ruling that technological developments mean it is impossible for legislators to specify all types of 'personal data.'
- Penal Department No. 12 of the Supreme Court ruled that even though data which is shared on Facebook or by using any other social media tool is considered to be personal data, if data is shared via a non-confidential social media account, use of the data is not unlawful (2014/4081 E and 2014/19490 K dated 13 October 2014) (only available in Turkish here).
- Penal Department No. 4 of the Supreme Court ruled in favor of the plaintiff regarding the request for non-pecuniary damages due to the fact that the plaintiff's identification information had been used without their consent (only available in Turkish here).
- Supreme Court Assembly of Criminal Chambers ruled that creating memberships on internet sites using someone else's information violates Article 136 of the Criminal Code, which regulates the unlawful delivery or acquisition of data (only available in Turkish here).
- The Constitutional Court held that an employer who monitored an employee's email acted lawfully where the surveillance right was recited in the employment contract (Decision Number 2018/31036, January 12, 2021) (only available in Turkish here). In this case, the employer (as the data processor) terminated the employment contract after discovering that an employee (as the data subject) was using their company email for non-company commercial matters. The Constitutional Court considered that the inspection of the corporate emails was within the limits of the legitimate interest of the data controller, and since the data controller has such a legitimate interest, the explicit consent of the data subject is not required. Moreover, the data processor fulfilled its obligation to inform the employee by outlining the right to inspect corporate emails in the employment agreement; the employee therefore granted their consent by signing the employment contract.
- The Constitutional Court determined that an employer's termination of an employment agreement on the grounds of WhatsApp correspondence infringed the employee's 'freedom of communication' and 'right to privacy' (decision numbered 2018/34548, dated December 28, 2021) (only available in Turkish here). In the specific case, no explicit information had been provided regarding the potential monitoring and supervision of communications carried out through the computer provided by the employer at the workplace. Moreover, the termination of the applicant's employment contract was based on the content of WhatsApp messages, which fall within the realm of their private life. The employer, as the defendant in the legal proceedings, failed to present valid reasons and justifications for the intervention that took into account the applicant's expectations and rights, and failed to inform the applicant about the intervention. Furthermore, during the judicial process the courts did not deliberate on whether adequate notification had been given regarding the WhatsApp messaging program or private communications on workplace computers, which constituted the primary grounds for termination. The applicant's substantial claims that access to the message content was unlawfully obtained without their consent or prior notification, even though the applicant had not disclosed such information publicly, were not addressed.
- The Constitutional Court determined that the denial of the applicant's request to access their personal data constituted a violation of their right to the protection of personal data, which forms part of the right to respect for private life, as well as their right to an effective remedy (decision number 2018/6161, June 28, 2022) (only available in Turkish here). In the case, the applicant had requested access to their personal data, specifically internet data, log records, the IMEI information of their company-provided mobile phone line, and the dates of their hotspot usage, and the company refused the request. The Constitutional Court affirmed that the right of individuals to be informed about their personal data and their entitlement to access such data are integral aspects of the transparency principle in data processing. Being aware of the specific data being processed, including the responsible parties, the timing, and the underlying reasons, empowers individuals to exercise their rights to rectify, erase, or block such data. Furthermore, the court underscored that these constitutional safeguards serve as supplementary mechanisms to ensure the effective implementation of these rights.
- The Advertising Board, particularly focusing on the processing of personal data on websites, the provision of cookie and commercial communication consent in favor of consumers, and the sharing of personal data, has included numerous decisions in its Bulletin No. 343. (Relevant decisions: 2024/2142; 2024/2148; 2024/2150; 2023/7102; 2023/8202; 2023/8426; 2024/2208; 2023/407; 2024/2203; 2023/1858; 2023/7120; 2024/1249) (only available in Turkish here). These decisions reinforce the importance of adhering to the Data Protection Law and ensuring that consumer rights are protected, particularly concerning transparency and consent in the processing of personal data. Key points include:
- The use of personal data for targeted advertising and marketing without obtaining explicit consent from consumers is a recurring issue. Companies have been found to implement practices that require consumers to agree to the processing of their personal data for marketing purposes as a condition for using services or purchasing products. This includes a lack of options for consumers to refuse targeted advertising.
- Several companies have been identified for failing to provide clear and accessible methods for consumers to withdraw their consent or delete their accounts, which is required under data protection regulations.
- Decisions also emphasize the necessity for transparent communication to consumers regarding how their personal data will be used, including sharing with third parties for marketing purposes.
- Some companies were penalized for misleading advertisements, which involved incorrect or exaggerated claims about their products or services, potentially misleading consumers regarding the capabilities or benefits of the products.
2. Scope of Application
2.1. Personal scope
Article 2 of the Data Protection Law states the scope of the law. Accordingly, the Data Protection Law shall apply to:
- natural persons whose personal data are processed; and
- natural or legal persons who process such data fully or partially through automatic or non-automatic means only for the process which is part of any data registry system set out in the law.
In this regard, the Data Protection Law protects data belonging to natural persons, whereas data relating to legal persons does not fall within the scope of the Data Protection Law.
There is no distinction between private corporations and public authorities before the law. Therefore, rules and procedures determined by the Data Protection Law apply to all institutions and organizations.
2.2. Territorial scope
Unlike the GDPR, the Data Protection Law does not have a territorial scope. That being said, in line with the principle of territoriality applicable under Turkish law, the Data Protection Law shall apply to all natural and legal persons who process Turkish-originated data, regardless of whether they are located in Turkey or abroad.
2.3. Material scope
Processing of personal data is defined as any operation carried out on personal data, such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification, or preventing the use thereof, fully or partially through automatic means or, provided that the process is part of a data registry system, through non-automatic means. Accordingly, any system structured according to a specific criterion to facilitate access to personal data will be evaluated within the scope of the Data Protection Law.
The Data Protection Law foresees several exceptions under Article 28(1) which provides that the Data Protection Law shall not apply in the following circumstances:
- processing of personal data by natural persons within the scope of activities related to themselves or family members living together in the same dwelling, provided that it is not to be disclosed to third parties and the data security obligations are to be complied with;
- processing of personal data for official statistics and research, planning, and statistical purposes after having been anonymized;
- processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that national defense, national security, public security, public order, economic security, privacy, or personal rights are not violated and the processing shall not constitute a criminal offense;
- processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations duly authorized and assigned to maintain national defense, national security, public security, public order, or economic security; and
- processing of personal data by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings, or execution proceedings.
In addition to the above exemptions, the Data Protection Law also grants partial exemptions in specific circumstances. As per Article 28(2) of the Data Protection Law, Article 10 of the Data Protection Law regarding the data controller's obligation to inform, Article 11 of the Data Protection Law regarding the rights of the data subject, excluding the right to demand compensation, and Article 16 of the Data Protection Law regulating the requirement to register with the data controller registry system shall not apply to the circumstances where personal data processing:
- is required for the prevention of a crime or crime investigation;
- is carried out on the data which is made public by the data subject themselves;
- is required for the conduct of supervisory or regulatory duties, for disciplinary investigation, or for prosecution by public institutions, organizations, and professional associations having the status of public institutions, assigned and authorized for such actions in accordance with the power granted to them by law; and
- is required for the protection of the state's economic and financial interests with regard to budgetary, tax-related, and financial issues.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The Data Protection Law establishes regulatory bodies to oversee its provisions; that is, the KVKK and the Board. The KVKK serves a mostly administrative and government-relations role, whereas the Board is the decision-making organ within the authority.
The Board began operating in January 2017, once all appointments were made. The Board comprises nine members, elected as follows:
- five elected by the National Grand Assembly of Turkey; and
- four directly appointed by Turkey's President.
3.2. Main powers, duties and responsibilities
The KVKK was established as an independent regulatory authority with institutional and financial autonomy. It is responsible for ensuring personal data protection and raising awareness in this respect.
It is stipulated that the Board shall perform the duties and use the powers assigned by the Data Protection Law and other legislation independently and under its own responsibility. In addition, no organ, authority, office, or person may issue orders or instructions to the Board concerning the matters falling within its scope of duties and powers.
The duties and responsibilities of the Board are regulated mainly under Article 22 of the Data Protection Law, yet some are also included in other articles. The main duties of the Board are as follows:
- to take necessary and adequate measures for the processing of the special personal data categories (Article 6(4) of the Data Protection Law);
- to allow the transfer of personal data abroad if the controllers in Turkey and in the related country guarantee an adequate protection in writing, where sufficient protection is not provided (Article 9(2) of the Data Protection Law);
- to determine and announce the countries where an adequate level of protection is provided (Article 9(3) of the Data Protection Law);
- (if necessary) to announce data breaches on its official website or through other methods it deems appropriate (Article 12(5) of the Data Protection Law);
- to examine and conclude the complaints made in cases where (Article 14 of the Data Protection Law):
- the application is declined by the data controller;
- the response given by the data controller is found unsatisfactory; or
- the response is not given in due time;
- following the examination made upon complaint or ex officio, in cases where it is understood that an infringement exists, the Board shall decide that the identified infringements shall be remedied by the relevant controller and, in cases where the infringement is widespread, the Board shall adopt and publish resolutions in this regard (Articles 15(5) and 15(6) of the Data Protection Law);
- to decide that the processing of data or transfer of data abroad is to be stopped, in the event that such operation may lead to damages that are difficult or impossible to recover and if it is clearly unlawful (Article 15(7) of the Data Protection Law);
- to ensure that the data registry system is maintained and, in cases of necessity, to make exceptions to the obligation to register with the data registry system (Articles 16(1) and 16(2) of the Data Protection Law);
- to notify relevant institutions in order to conduct disciplinary investigations against civil servants who violate the prescribed obligations regarding the protection of personal data (Article 18(3) of the Data Protection Law);
- to ensure that the personal data is processed in compliance with fundamental rights and freedoms (Article 22(1)(a) of the Data Protection Law);
- to carry out regulatory procedures:
- in order to lay out the liabilities concerning data security;
- regarding the matters concerning the Board's field of duty and the KVKK's operation; and
- regarding the data controller and their representative duties, powers, and responsibilities (Articles 22(1)(e), 22(1)(f), and 22(1)(g) of the Data Protection Law);
- to deliver its opinion on draft legislation prepared by other institutions and organizations that contain provisions on personal data (Article 22(1)(h) of the Data Protection Law);
- to decide on the administrative sanctions foreseen under the Data Protection Law (Article 22(1)(g) of the Data Protection Law);
- to conclude the KVKK's strategic plan in order to determine the KVKK's purpose, targets, service quality standards, and performance criteria, and to discuss and decide on strategic plans and the budget proposal which are prepared in compliance with its purposes and targets (Article 22(1)(i) of the Data Protection Law);
- to approve and publish the draft reports prepared on the KVKK's performance, financial situation, annual activities, and required issues (Article 22(1)(j) of the Data Protection Law);
- to negotiate and decide proposals on the purchase, sale, and lease of immovable properties (Article 22(1)(k) of the Data Protection Law); and
- to fulfil duties assigned by any other law (Article 22(1)(l) of the Data Protection Law).
4. Key Definitions
Data controller: means a real person or entity who determines the intended purposes and means of processing personal data. Data controllers are responsible for establishing and administering data registry systems.
Data processor: means a real person or entity processing data with the authorization of the data controller.
Personal data: includes any information relating to an identified or identifiable natural person that can be used to identify that individual. For example, a customer's name and address, IP address, e-mail address, or a database of customer email addresses.
Special categories of personal data: receive extra protection under the Data Protection Law. They include information which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, appearance, or membership of unions, associations, or foundations, as well as information about health, sexual life, criminal records, or punitive measures, and biometric and genetic data.
Health data: means the health-related personal data (physical or mental) which constitute special categories of personal data, such as information about medical conditions.
Biometric data: means personal data that uniquely identifies a person, namely personal data derived from technical processing relating to a real person's physical, physiological, or behavioral traits. For instance, a photo, fingerprint, DNA, or genetic characteristics.
Pseudonymization: is a technical and organizational measure by which personal data can no longer be attributed to the data subject without additional information. That additional information is kept separately, using an algorithm, to ensure that the data cannot be attributed to the data subject by using it.
Data subject: (natural person concerned) means the natural person whose personal data are processed. Under the Data Protection Law, real persons are the only beneficiaries of the Data Protection Law.
Explicit consent: means consent which is based on information and given with free will by the data subject. The Data Protection Law introduces a general prohibition on processing personal data or special categories of personal data without explicit consent. However, it does not envisage a specific method for obtaining explicit consent. In light of this, companies would be prudent to both record and retain consents, either in writing or electronically.
Processing activities: means any operation performed on personal data such as collection, recording, storage, retention, alteration, reorganization, disclosure, transferring, taking over, making retrievable, classification, or preventing the use thereof, fully, or partially through automatic means, or, provided that the process is part of a data registry system, through non-automatic means.
Data registry system: means the registry system which the personal data is registered into through being structured according to certain criteria.
5. Legal Bases
5.1. Consent
Personal data cannot be processed without the explicit consent of the data subject where other legal bases are not applicable (Article 5(1) of the Data Protection Law). Explicit consent should be freely given, specific, and informed (Article 3 of the Data Protection Law).
5.2. Contract with the data subject
Personal data of each party to a contract may be processed by the other party provided that it is strictly necessary to execute or perform the contract, for example, processing personal information of an employee by an employer in order to execute an employment agreement (Article 5(2)(c) of the Data Protection Law).
5.3. Legal obligations
If explicitly provided for by law, or if it is necessary for compliance with a legal obligation to which the data controller is subject, personal data may be processed without the data subject's explicit consent. Examples include employers preparing and holding personnel files, banks and financial institutions collecting and reporting certain information, and employers reporting the personal information of a new employee to law enforcement agencies.
5.4. Interests of the data subject
Personal data can be processed for the protection of the life or physical integrity of a person, or of any other person, who is incapable of giving their consent or whose consent would otherwise be deemed not legally valid. For example, location data of a mobile device carried by a missing person, or CCTV records processed for locating a missing person.
5.5. Public interest
As per the Data Protection Law, public interest is not a legal basis to process personal data of a data subject without obtaining their explicit consent. However, the Board considers public interest as a criterion while evaluating limits of the independent press and the balance between the right to privacy and right to freedom of expression.
5.6. Legitimate interests of the data controller
Personal data may be processed without a data subject's explicit consent if such processing is necessary for the data controller's legitimate interests; provided, however, that processing does not harm the data subject's fundamental rights and freedoms (Article 5(2)(f) of the Data Protection Law). For example, the preamble of the Data Protection Law states that the owner of a company may process employee personal data to arrange job promotions, social rights, or in determining their role in the company's restructuring, each of which constitutes legitimate interests of the company.
5.7. Legal bases in other instances
As per Article 5 of the Data Protection Law, under the following conditions, personal data can be processed without obtaining the explicit consent of the data subject:
- if the personal data is publicized by the data subjects themselves; and
- if it is mandatory for the establishment, exercise, or protection of certain rights.
6. Principles
Principles for processing personal data
All data processing activities should be carried out in compliance with the principles for processing personal data (Article 4 of the Data Protection Law). The following key principles need to be adhered to for all personal data processing activities. Personal data must be:
- processed lawfully and fairly;
- accurate and where necessary, kept up to date;
- processed for specified, explicit, and legitimate purposes;
- relevant, limited, and proportionate to the purposes for which they are processed; and
- retained for the period of time determined by the relevant legislation or the period deemed necessary for the purpose of the processing.
Personal data processing conditions
Data controllers are obliged to comply with data processing conditions while processing personal data. Personal data can be processed in cases where:
- the data subject has given their explicit consent;
- it is explicitly permitted by the laws;
- it is mandatory for the protection of life or to prevent the physical injury of a person, where such person is physically or legally incapable of providing their consent;
- processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the execution or performance of that contract;
- it is mandatory for the data controller to fulfill its legal obligations;
- the personal data is publicized by the data subjects themselves;
- it is mandatory for the establishment, exercise, or protection of certain rights; or
- it is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not compromised.
7. Controller and Processor Obligations
Data security measures
Data controllers are obliged to (Article 12 of the Data Protection Law):
- prevent unlawful processing of personal data;
- prevent unlawful access to personal data; and
- ensure the retention of personal data.
The data controllers must take all necessary technical and organizational measures to provide appropriate data security. The Personal Data Security Guide (only available in Turkish here) (the Personal Data Security Guide) regarding technical and administrative measures published by the Board in January 2018 and the guideline for technical and administrative measures to be taken by public authorities and key infrastructure organizations published by the Digital Transformation Office in July 2020 can be taken as references while complying with the obligation on data security measures.
In addition to these sources, Decision 2018/10 must be taken with regard to the processing of special categories of personal data. The Board declared with this decision that data controllers must prepare a separate policy and procedure for protecting special categories of personal data and emphasized the importance of implementing measures which had previously been determined in the Personal Data Security Guide. Accordingly, sufficient measures to be taken while processing special categories of personal data must be ensured by the data controllers.
In addition to the above-stated Board decisions and security guides published by the authorities, the Decision of the Board dated October 9, 2020 and numbered 2020/787 (only available in Turkish here) is instructive as to how the Board treats certain aspects of security breaches. The decision was issued upon a data breach notification submitted, within the statutory notification period, by the related data processor operating in the health sector. The Board carried out its investigation and concluded that the data breach was not caused by a lack of precaution on the part of the data controller but by a commonly used application, a situation the data controller could not interfere with. The data controller noticed the violation within a short time and promptly took all necessary technical and administrative measures in line with the Data Protection Law. Therefore, the Board did not impose any sanctions on the data controller.
The Board has imposed administrative fines on data controllers not for committing a data breach, but for failing to take security measures despite knowing that a data breach existed. For instance, a data subject lodged a complaint regarding the unauthorized dissemination of photographs captured during a rhinoplasty surgery by a doctor employed within the organization acting as the data controller. These photographs were shared on the doctor's social media account without obtaining explicit consent from the data subject. The Board determined that the hospital, serving as the data controller, had obtained explicit consent within the framework of the aforementioned data processing activity. Therefore, it was deemed responsible for the dissemination of the photographs without securing explicit consent from the data subject. However, the Board found that the data subject was aware of the sharing of their photographs on the doctor's social media account. Consequently, the data controller hospital was issued an administrative fine of TRY 100,000 ($2,990) due to its failure to implement the necessary administrative and technical measures to prevent the doctor from sharing such photographs on social media (only available in Turkish here).
The Board also has a principle decision regarding the necessity of using a two-factor authentication system within the scope of technical measures to prevent unauthorized access to personal data. In the decision, a complaint was raised due to the fact that on the online platforms provided by municipalities for real estate tax payments or debt inquiries, it was possible to access citizens' property information simply by entering their Turkish ID number. The Board stated that easy access to personal data by solely entering the Turkish ID number constitutes a violation of the data controller's obligation to implement technical and administrative measures. It emphasized the necessity of using a two-step verification system to ensure that personal data cannot be easily accessed by third parties (only available in Turkish here).
With the Amendment to the Data Protection Law, the obligations of data processors have been regulated for the first time within the scope of Turkey's legal framework. It has been acknowledged that, in the process of transferring personal data abroad, data processors are also responsible alongside data controllers in the application of Article 9 of the Data Protection Law. Data processors also have an obligation to ensure data security jointly with the data controllers. Data processors shall comply with the instructions of the data controller while processing personal data transferred to themselves and shall not disclose the personal data that they have obtained. In addition, they shall not use such data for purposes other than the processing purpose determined by the data controller. This obligation shall continue even after the end of their term as the data processor.
Other obligations:
- data controllers are obliged to carry out (or have third parties carry out) necessary audits to ensure compliance with the Data Protection Law within their own organization; and
- data controllers are obliged to comply with data transfer conditions for data transfers within Turkey and cross-border transfers. (Please see Section 13 of the Data Protection Law for further information).
7.1. Data processing notification
The Board established the Registry, which became operational on October 1, 2018. This is an online database, which only accepts online registration applications from data controllers through the Data Controllers Information System (VERBIS). Real or legal persons processing personal data must register prior to commencing their data processing activities. The Board published its Decision No. 2020/482 on the Extension of Data Controllers Information System Registration Periods (only available in Turkish here) (Decision No. 2019/387).
Data controllers must prepare a data inventory for all data processed in Turkey, which must include at least the following information:
- identifying information (including the address of the data controller or its representative);
- data categories;
- purpose of the data processing;
- data subject groups;
- recipient or recipient groups to which the data may be transferred;
- information on whether the relevant data category is transferred abroad;
- data security measures taken; and
- the maximum time period for processing personal data.
The data inventory must be kept up-to-date, accurate, and lawful. The registration process should be carried out in line with the data inventory and the changes in data inventory must be updated on the data registry system via VERBIS within seven business days.
The data controllers must appoint a contact person who will be in charge of submitting data inventories and completing the registration process. Please note that the contact person must be a real person and a Turkish citizen residing in Turkey. In case the data controller is located abroad, the data controller must appoint a 'data controller representative' in addition to a contact person.
The Board published a decision numbered 2020/542 on 16 July 2020 (only available in Turkish here) and put forward its opinion on the appointment of a contact person for multiple data controllers. Accordingly, a single person can be a contact person for only one data controller in Turkey, and can be a contact person for multiple data controllers, which are located abroad, at the same time.
The Board ruled with its decision number 2019/225 (only available in Turkish here) on the VERBIS registration obligation of data controllers located outside Turkey. Data controllers located outside Turkey might be obliged to register with VERBIS if they carry out personal data processing activities in Turkey directly or by its branches or liaison offices.
The Board announced that the registration obligation will apply in line with the periods under decision number 2018/88 (only available in Turkish here), and failure to comply with these dates risks a fine ranging from TRY 189,245 (approx. $5,790.41) to TRY 9,463,213 (approx. $289,550).
The deadline for registration with VERBIS ended on December 31, 2021. Data controllers employing fewer than 50 employees and with an annual balance of less than TRY 100 million (approx. $3,059,799) (unless the data controller's main business activity is processing special categories of personal data) are not subject to the VERBIS registration obligation. However, if either of these thresholds is exceeded, VERBIS registration is required, and the above penalty may apply. If these thresholds are exceeded after December 31, 2021, VERBIS registration must be made within 30 days after the VERBIS registration obligation arises.
Data controllers that are required to enroll in the registration have to prepare a personal data processing inventory and a policy regarding the retention and destruction of personal data (Articles 9(2) and 9(5) of the VERBIS Regulation).
Any changes to the information provided to the registration must be reported via VERBIS within seven business days (Article 13 of the VERBIS Regulation).
Exemptions from registration with VERBIS
In addition, the Board held that the following categories of data controllers are exempt from having to register with VERBIS:
- data controllers employing fewer than 50 employees and with an annual balance of less than TRY 100 million (approx. $3,059,799) (unless the data controller's main business activity is processing special categories of personal data);
- data controllers processing personal data through non-automatic means, provided the processing is part of a data filing system;
- public notaries;
- associations (only for personal data processed in accordance with their area of activity);
- foundations;
- unions;
- political parties;
- lawyers;
- public accountants and sworn-in public accountants;
- customs brokers and authorized customs brokers; and
- mediators.
In addition, a data controller is exempt from the registration obligation where (Article 15 of the VERBIS Regulation):
- processing of personal data is necessary for the prevention of crime or criminal investigation;
- processing is carried out on personal data that is made public by the data subject;
- processing is necessary for the performance of monitoring and regulating duties of the authorized public authorities and professional organizations with public institution status and for the disciplinary investigation and prosecution; or
- processing is necessary to protect the economic and financial interests of the State in relation to budget, tax, and financial matters.
Furthermore, data controllers which process personal data through non-automatic means are also exempt from registration, provided the processing is part of a data filing system (see the Guide on VERBIS).
Finally, pursuant to Article 16 of the VERBIS Regulation, the Board may also provide derogation from the registration obligation by considering, among other things, the nature and quantity of personal data, the purpose of processing, the field of activity in which personal data is processed, and the financial information of the data controller.
Since December 31, 2021, the Board has imposed administrative fines on data controllers found to have failed to fulfil their obligation to register with and notify the Registry.
7.2. Data transfers
The Data Protection Law addresses the transfer of personal data to third parties as well as transfers outside of Turkey. This is particularly relevant for multinational companies and for local companies whose operations cross Turkey's national borders. Companies should review their operations to establish where personal data is stored and which transfer rules apply to it.
Sectoral obligations
Banking Law No. 5411 of 2005 (only available in Turkish here) (the Banking Law) sets out specific rules for cross-border transfers of customer data. Under Article 73 of the Banking Law, data relating to natural and legal persons that is generated after a customer relationship with a bank has been established, specifically for banking activities, constitutes customer data and is subject to the rules of the Banking Law. The conditions for cross-border transfers of customer data under the Banking Law therefore take precedence over the conditions under the Data Protection Law: for customer data within the scope of Article 73, the Banking Law applies as the special legal provision, before the Data Protection Law.
The Banking Law stipulates that, even where the customer's explicit consent has been obtained under the Data Protection Law for a cross-border transfer or for a transfer to third parties located in Turkey, customer data may not be shared with or transferred to third parties in or outside Turkey without the customer's instruction or request.
Furthermore, under the Banking Law, the Banking Regulation and Supervision Authority (BRSA) is authorized to prohibit the sharing or transfer of customer data or bank secrets with third parties located outside Turkey, as well as to make decisions regarding keeping information systems used by banks and their backups locally due to evaluations regarding economic security.
In addition, on August 5, 2022, the KVKK published the Guide for Best Practices in the Banking Sector Regarding the Protection of Personal Data (only available in Turkish here) and provided detailed explanations regarding data transfers in the banking sector.
Transfers to third parties
The Data Protection Law requires explicit consent from data subjects for the transfer of personal data to third parties. However, consent is not required if the transfer is carried out in the following circumstances:
- expressly permitted under laws;
- necessary to protect the life or physical integrity of the data subject (or another person) where the data subject is physically or legally incapable of providing their consent;
- necessary to process data of the parties to a contract, if such processing is directly related to the execution or performance of the contract;
- necessary for the data controller to fulfill its legal obligations;
- the data has already been made public by the data subject;
- necessary to establish, exercise, or protect a right; or
- necessary for the legitimate interests of the data controller, provided that such processing does not violate fundamental rights and freedoms.
In addition, the Data Protection Law stipulates that personal data on health and sexual life may only be transferred without explicit consent by persons under a confidentiality obligation, or by competent authorities, for the purposes of:
- protecting public health;
- preventive medicine;
- medical diagnosis;
- treatment and care services; or
- planning and managing health services and financing.
Under the Personal Data Security Guide on technical and administrative measures, signing a confidentiality agreement when transferring data to third parties counts as an administrative measure for the protection of personal data. Board decisions specify that such agreements must identify the parties involved in the data transfer and include certain minimum provisions. Accordingly, it is recommended that confidentiality agreements address the following:
- the information technology systems or other methods to be used for the collection of personal data;
- the method of storage for personal data;
- the method of transfer for personal data and detailed security measures to protect personal data;
- the method by which the retention periods for personal data are accurately applied; and
- the authority responsible for decisions on the erasure, destruction, and anonymization of personal data.
Transfers outside of Turkey
With the amendments to the Data Protection Law implemented through the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, the cross-border transfer rules were revised to align more closely with the GDPR: new transfer mechanisms were introduced and the existing provisions were comprehensively revised. As a result, the lawfulness of a cross-border transfer is now assessed in a three-tier structure: adequacy decisions, appropriate safeguards, and exceptional cases.
Furthermore, the KVKK launched a Standard Contract Notification Module (only available in Turkish here) (the module) to streamline compliance with the data transfer rules under the Data Protection Law. The module enables data controllers and processors to fulfil their notification obligations when transferring personal data abroad.
Adequacy Decisions
The Board may issue an adequacy decision for a country, a sector within a country, or an international organization, allowing lawful data transfers to that destination. To date, however, the Board has not issued any adequacy decision for any country, sector, or international organization, and there has been no public announcement regarding the expected timing of such decisions. This mechanism is therefore currently not available in practice.
Article 9 of the Data Protection Law specifies the criteria to determine the countries, sectors, and international organizations with an adequate level of protection. Matters to be taken into account are as follows:
- the reciprocity condition;
- legislation of the relevant country regarding the processing of personal data and its implementation;
- existence of an independent data protection authority;
- party status to international agreements on the protection of personal data;
- membership status to international organizations;
- membership status to global and regional organizations that Turkey is a party to; and
- the volume of trade with the relevant party.
Data Transfer with Adequate Safeguards
In the absence of an adequacy decision, the transferring controller or processor may rely on one of the appropriate safeguards below, provided that the data subject is able to exercise their rights and has access to effective legal remedies in the destination country, and that the transfer takes place on a regular and systematic basis:
- an agreement, other than an international treaty, between public authorities or international organizations, where the Board authorizes the transfer;
- a written undertaking containing provisions that ensure adequate protection, where the Board authorizes the transfer (before the 2024 amendments, the Board had approved only ten such undertakings);
- SCCs containing the matters announced by the Board; the data controller or data processor must notify the Board within five business days of executing the SCCs; and/or
- BCRs approved by the Board containing provisions on the protection of personal data.
The Board announces the minimum content that these instruments (undertakings, BCRs, and SCCs) must contain for transfers of personal data outside Turkey. Those minimum provisions must be included in the instruments used for transfers to countries that Turkey does not consider to provide adequate protection.
BCRs are data protection rules for cross-border transfers that allow multinational corporate groups operating in countries without an adequate level of protection to achieve an adequate level of data protection for intra-group transfers. BCRs, introduced by the KVKK, allow a multinational company to transfer personal data from Turkey to a member of the same corporate group located in a country with an inadequate level of data protection, and are treated as a commitment to adequate protection for such intra-group cross-border transfers. In line with the changes to the cross-border transfer provisions introduced by the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, the BCR application documents have been revised into two modules (BCR Application Form for Data Controllers (only available in Turkish here), and BCR Application Form for Data Processors (only available in Turkish here)), published on the KVKK's official website on July 10, 2024.
Additionally, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad stipulates that SCCs can also be used for cross-border data transfers; in this regard, four SCCs modules (controller to controller (available in Turkish here and in English here), controller to processor (available in Turkish here and in English here), processor to processor (available in Turkish here and in English here), and processor to controller (available in Turkish here and in English here)) have been published.
The Board reviews applications both procedurally and substantively. On substance, the most critical point is whether the transfer is from data controller to data controller or from data controller to data processor, so applicants must analyze the transfer carefully. To determine the relationship between a data controller and a data processor, the Board's decision dated January 30, 2020 and numbered 2020/71 can be taken as a reference (only available in Turkish here).
When granting permissions, the Board must evaluate international treaties, reciprocity of countries, measures taken by the data controller, as well as the period and purpose of the data processing. This requirement is particularly relevant for multinational companies and local companies, having cross-border operations or keeping data servers outside Turkey.
Transfer Conditions for Exceptional Cases
In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if the following conditions are met:
- the presence of the conditions specified in Articles 5 and 6 of the Data Protection Law;
- the data subject has the ability to exercise their rights and seek effective legal remedies in the country to which the data will be transferred; and
- one of the appropriate safeguards described above is in place.
Before relying on an appropriate safeguard, the other two conditions must always be examined first. This mirrors the Transfer Impact Assessment (TIA) practice in the European Union; conducting a TIA is particularly important for the accountability and evidentiary obligations of the data controller and data processor. Where no adequacy decision exists and none of the appropriate safeguards can be relied upon, the Data Protection Law permits transfers in exceptional cases on the following grounds:
- obtaining explicit consent;
- necessity for the purposes of legitimate interests pursued by the data controller or by a third party to whom the data is disclosed, except where such interests are overridden by the fundamental rights and freedoms of the data subject, particularly if the data subject is a child;
- necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or in a third party to whom the data is disclosed;
- necessity for compliance with a legal obligation;
- necessity for the protection of vital interests of the data subject or another natural person;
- necessity for the establishment, exercise, or protection of a right; and
- necessity for the performance of a contract with the data subject or for the implementation of pre-contractual measures.
Failure to comply with the rules governing cross-border data transfers may lead the Board to impose an administrative fine ranging from TRY 141,934 (approx. $4,342.96) to TRY 9,463,213 (approx. $289,559.65) for the year 2024.
7.3. Data processing records
The concept of 'data processing records' is not defined under the Data Protection Law. It is expected that such a concept will be adopted in subsequent amendments within the scope of the GDPR harmonization process.
7.4. Data protection impact assessment
A Data Protection Impact Assessment (DPIA) is not a general requirement and is not explicitly regulated under the Data Protection Law. However, the Genetic Data Guide expects data controllers processing genetic data to carry out a DPIA in light of the nature of the data and the potential risks to data subjects. The DPIA, with reference to Article 35 of the GDPR, is described as a tool for processing activities that may be high-risk because of the nature of the data or the use of new technology; it aims to identify risks to data subjects, including potential data breaches, and to minimize the risks identified.
According to Article 35(7) of the GDPR, the DPIA must include the following minimum elements:
- explanations of the data controller's processing activities, the legal basis for processing, and the method of processing;
- assessments of whether the processing activities are appropriate and proportionate to the purpose;
- evaluations of whether the processing purpose could be achieved with less risk; identification of risks to the data subjects posed by the processing activities and methods; descriptions of these risks; and
- explanations of the technical and administrative measures taken to mitigate these risks and the assurances provided to the data subjects.
While the DPIA is not explicitly included in Turkish legislation, the Genetic Data Guide recommends it as a method to assist data controllers in fulfilling their obligation to implement the necessary technical and administrative measures.
7.5. Data protection officer appointment
The Data Protection Law itself does not require the appointment of a data protection officer (DPO). That being said, the VERBIS Regulation, which sets out the details of the registration process, requires data controllers located outside Turkey to appoint a data controller representative in Turkey in order to open an account in VERBIS. The representative may be either a legal entity established in Turkey or a natural person who is a Turkish citizen. The appointment must be made by a resolution of the data controller, which needs to be notarized and apostilled (or otherwise legalized).
Professional qualifications
Article 6(1) of the Communiqué on Procedures and Principles Regarding Personnel Certification Mechanism provides that those who pass the exam are entitled to use the title of DPO. In addition, Article 4(1)(ç) of the same Communiqué provides that a certificate of participation is given only to those who complete the training program, the procedures and principles of which are determined by the Board.
7.6. Data breach notification
Data controllers are obliged to notify the data subject and the Board as soon as possible where processed personal data has been obtained by others through unlawful means. Where necessary, the Board may announce the breach on its official website or through other methods it deems appropriate.
The Board has published decision No. 2019/10 dated January 24, 2019 on the procedures and principles for notifying personal data breaches. According to this decision:
- a data controller shall notify the Board without delay and within 72 hours at the latest from the date they learn of such breach. After identifying the persons affected by the data breach, the data controller shall promptly notify the related persons by appropriate methods;
- in the event that the data controller cannot notify the Board within 72 hours for a good cause, they should explain the reasons which caused the delay to the Board with the notification to be made; and
- data controllers are obliged to use the document attached to such decision (only available in Turkish here).
The Board has held that the purpose of breach notification is to give data subjects the opportunity to swiftly avoid or minimize the negative consequences that the breach may cause them. Accordingly, in its decision numbered 2019/271 (only available in Turkish here), the Board set the minimum requirements for a data breach notification to data subjects: the notification must be in clear, plain language and must include at least:
- the time and date of breach;
- the categories of data (personal data, special categories of personal data) affected by the breach;
- possible consequences of the breach;
- measures that have since been taken, or will be taken by the data controller to address the breach and mitigate its consequences; and
- the name and contact details of the contact person(s) from whom data subjects may obtain more information about the breach, or some other means of communication, such as the data controller's website, call center, etc.
7.7. Data retention
Erasure, destruction, and anonymization of personal data
Personal data may only be retained for as long as the purpose for which it is processed requires, as the principle of purpose limitation demands. In this regard, the data controller is obliged to take the following administrative and technical measures:
- establishing personal data retention and erasure policy and principles;
- determining storage periods as well as technical and administrative measures to be applied in the storage; and
- ensuring the storage of personal data in accordance with these principles.
Data controllers shall comply with the retention periods prescribed by legislation for the relevant personal data. Where no such period is prescribed, the data shall be retained only for as long as is necessary for the purpose for which it was processed.
7.8. Children's data
The Data Protection Law does not distinguish between the personal data of adults and minors: both are protected equally, and the Law contains no specific definition of a child. However, the Authority has published a set of guidelines on the matters to be considered in order to protect children's data. These guidelines are meant to raise awareness of personal data concepts and do not impose any legal requirement regarding the processing of children's data. Specific provisions on the protection of children's data are expected to be introduced in future amendments.
While the Data Protection Law does not explicitly regulate this, the Regulation on Amending the Regulation of the Ministry of National Education stipulates that students' images captured during educational activities, social and cultural events, and trips and observations conducted within and outside the school may not be shared on social media platforms or communication groups under any name unless written consent has been obtained from parents and the sharing takes place under the supervision of a guidance teacher. Thus, in preschool education and training institutions, images of children taken during activities may be shared on social platforms only with consent from the parents or the children.
7.9. Special categories of personal data
The Data Protection Law sets specific rules for the processing of special categories of personal data, which are defined as data relating to:
- race;
- ethnic origin;
- political beliefs;
- philosophical beliefs;
- religion, denomination, or other faiths;
- clothing and attire;
- membership of an association, charity, or union;
- health;
- sexual life;
- criminal convictions and security measures; and
- biometric and genetic data.
Article 6 of the Data Protection Law defines special categories of personal data as an exhaustive list (numerus clausus): only the categories listed above qualify.
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad updated the conditions for processing special categories of personal data, aligning them more closely with Article 9 of the GDPR, although differences remain. The prohibition on processing special categories of personal data is maintained, but the exceptions are now clearly defined: special categories of personal data may be processed under certain conditions, and the obligation to implement the adequate measures determined by the Board continues to apply.
The conditions for processing special categories of personal data, as exhaustively listed in the Data Protection Law, are as follows:
- where the data subject has given explicit consent for the processing of special categories of personal data;
- processing of special categories of personal data, including health and sexual life data, is permitted by applicable law;
- processing of special categories of personal data is necessary to protect the life or physical integrity of a person who cannot express consent due to physical impossibility or whose consent is not legally valid;
- processing of special categories of personal data relates to data made public by the data subject and is consistent with the data subject's intention in making the data public;
- processing of special categories of personal data is necessary for the establishment, exercise or protection of a right;
- processing of special categories of personal data by persons who are under the obligation of confidentiality, or by authorized institutions and organizations is necessary for the protection of public health, preventative medicine, medical diagnosis, the delivery of treatment and care, and the planning, management and finance of healthcare services;
- processing of special categories of personal data is compulsory to fulfill legal obligations regarding employment, occupational health and safety, social security, social services, or social aid; and
- processing of special categories of personal data is undertaken by foundations, associations, and other non-profit organizations or entities established for political, philosophical, religious, or union purposes with respect to their current or former members, or persons who are in regular contact with these organizations and entities, where the processing complies with applicable law and their purposes, is limited to their fields of activity, and the data is not disclosed to third parties.
The amendments to the Data Protection Law thus allow the processing of special categories of personal data of employees for employment and occupational health and safety purposes.
7.10. Controller and processor contracts
Data processor agreements are not a concept introduced by the Data Protection Law. However, since the obligations of data processors are not regulated in detail under the Data Protection Law, where a data processor is involved in the processing, the data controller and the data processor are jointly responsible for data security (Article 12 of the Data Protection Law).
Data controllers therefore need to execute data processing agreements to ensure the data processors' compliance with data protection legislation. The authorization granted to the data processor and its limits, the technical details of the processing activity, and the principles and rules to be complied with by the data processor should all be regulated contractually between the data controller and the data processor to ensure the proper flow of personal data processing.
8. Data Subject Rights
Data subjects are entitled to request the following from the data controller (Article 11 of the Data Protection Law):
- information about whether their personal data has been processed;
- if personal data has been processed, the information about such data and processing;
- information about the purpose for the data processing and whether the data was used for this purpose;
- information about the identities of natural or legal persons whom the data is transferred to;
- correction, erasure, or removal of the personal data;
- if data is transferred, that the data controller advise the recipient about the correction, erasure, and removal of the personal data;
- objection to any negative consequence of their data being analyzed exclusively through automated systems; and
- compensation where a data subject suffers any damage due to the illegal processing of their data.
The Board published a decision numbered 2019/9 on application procedures to the data controller and determination of complaint periods to the Board (only available in Turkish here). The Board clarified the periods for filing complaints to the Board and applying to data controllers. Accordingly, the following principles apply when calculating application periods if:
- the data controller fails to respond within 30 days, the data subject has 60 days to apply to the Board, starting from the date of the application to the data controller;
- the data controller responds within 30 days, the data subject can file a complaint with the Board no later than 30 days after such response; and
- the data controller responds after the 30-day period has lapsed, the data subject can file a complaint with the Board no later than 60 days following the date of application to the data controller, which complaint may be submitted immediately upon expiration of the 30-day period, whether or not a response has been received from the data controller.
8.1. Right to be informed
Regardless of the legal basis of data processing, data controllers are obliged to inform data subjects when collecting personal data in respect of the minimum mandatory content outlined below (Article 10 of the Data Protection Law):
- the identity of the data controller and its representative, if any;
- the purpose of personal data processing;
- the recipients to whom the personal data can be transferred, and the purpose of the transfer;
- the methods and legal reasons of the collection of personal data; and
- the data subject's rights under Article 11 of the Data Protection Law.
8.2. Right to access
The right of access forms part of the data subject rights under Article 11 of the Data Protection Law listed in Section 8 above. In particular, data subjects are entitled to learn whether their personal data has been processed, to obtain information about the data and the processing, to learn the purpose of the processing and whether the data has been used in accordance with that purpose, and to learn the identities of the natural or legal persons to whom the data has been transferred.
The KVKK has issued the Application Communiqué, which regulates the methods and procedures for lodging a request with data controllers. Data controllers must respond to requests duly lodged by data subjects within 30 days. The Application Communiqué also provides for a processing fee of TRY 1 (approx. $0.03) per page for responses exceeding ten pages, or the cost of the data recording medium where the response is provided on such a medium.
8.3. Right to rectification
In accordance with the principles of lawful data processing, personal data must be accurate and, where necessary, kept up to date. In line with this principle, data subjects are entitled to request rectification from the data controller where their data is inaccurate or outdated.
8.4. Right to erasure
Data controllers are obliged to erase, destroy, or anonymize personal data, ex officio or at the request of the data subject, where the reasons for its processing no longer apply (Article 7 of the Data Protection Law).
The details of the erasure, destruction, and anonymization process are governed by the DDA Regulation. In addition, the Board has prepared a guide on the Erasure, Destruction, or Anonymisation of Personal Data (only available in Turkish here) to clarify implementation. Data controllers that are required to register with the Registry must also draft a personal data retention and destruction policy, the mandatory content of which is set out in the DDA Regulation, and must publish their retention and destruction policy and procedures.
8.5. Right to object/opt-out
The Data Protection Law does not grant data subjects a general right to object. Where a valid legal basis for the processing exists, an objection alone does not oblige the controller to stop processing. However, where processing exceeds the scope of its legal basis (for example, processing that goes beyond what the legitimate-interest basis covers), the data subject may object in order to stop the excess processing. In addition, data subjects may always withdraw their consent and thereby stop processing that is based on their explicit consent.
Beyond the Data Protection Law, separate legislation regulates the right to object/opt-out in electronic commerce. The Electronic Commerce Law No. 6563 provides that personal data collected from a consumer may only be used and shared with third parties with the consumer's consent. The consent of the data subjects, that is consumers in this context, must therefore be obtained before their personal data is used for marketing purposes.
The same legislation entitles consumers to exercise a right to object/opt-out. Data controllers acting as service providers must include accessible contact addresses in their commercial electronic communications so that recipients can exercise their opt-out rights. Regardless of the channel through which a commercial electronic message is sent, the recipient must be able to opt out through that same channel, easily and free of charge. Under the Regulation on Commercial Electronic Communication (as amended), a national, centralized commercial electronic communication management system has been established; consumers may exercise their right to object/opt-out through this system (or through the system designed by the relevant service provider).
8.6. Right to data portability
Unlike the GDPR, the Data Protection Law does not provide data subjects with a right to data portability. Under the Data Protection Law, data subjects are not entitled to have their personal data transmitted directly from one controller to another. It is important to highlight, however, that certain regulations address data transfer explicitly. For instance, the Electronic Commerce Law mandates that electronic commerce service providers must ensure the technical capability to transfer data obtained from sales free of charge. Additionally, electronic commerce service providers are required to provide free and efficient access to these data and to any processed data derived from them.
8.7. Right not to be subject to automated decision-making
The Data Protection Law does not grant a general right not to be subject to automated decision-making. The limits of such processing and the rights of data subjects must be evaluated in light of the other legal requirements under the Data Protection Law, such as the purpose of the legal basis. However, under Article 11(1)(g) of the Data Protection Law, data subjects have the right to object to a consequence that is to their detriment and that arises from the analysis of their data exclusively through automated systems. Please note that this right can only be exercised where a negative consequence exists: the mere existence of an automated decision-making system is not enough; the system must have produced a negative consequence for the data subject.
8.8. Other rights
The Data Protection Law does not provide any other rights.
9. Penalties
Certain breaches of data protection law can result in imprisonment under Turkish law:
- prison sentences (ranging from six months to four years) or judicial fines can apply for the unlawful collection, processing, and transfer of personal data under the Criminal Code;
- security measures may be imposed on legal entities, such as cancellation of licenses or seizure of the goods used for, or gained as a result of, the crime committed, or of the benefits gained from it, as determined under Article 60 of the Criminal Code;
- administrative fines ranging between TRY 47,303 (approx. $1,447) and TRY 9,463,213 (approx. $289,574.32) will apply for breaches of the Data Protection Law;
- data subjects can claim compensation for the unlawful collection or processing of personal data under the Civil Code, Law No. 4721 (as amended) (only available in Turkish here); and
- sector-specific regulations also contemplate administrative fines; see, for example, the Regulation on Administrative Sanctions of the Information and Communications Authority (only available in Turkish here), which imposes fines on authorized operators (service providers, network providers, infrastructure operators) of up to 3% of the preceding calendar year's net sales for violating personal data and security obligations.
9.1. Enforcement decisions
The Board has published eight principle decisions setting out the main principles that data controllers must take into consideration. The details of these principle decisions are given below under Board decisions. The principle decisions underline the following criteria:
- all data processing activities must comply with the conditions under Articles 5 and 6 of the Data Protection Law for processing personal data, and persons processing personal data must also comply with other requirements under the law;
- the entities providing services at service counters, box-offices, and desks must ensure that only authorized persons are in these locations, as well as take necessary measures to prevent people receiving services at these locations from seeing or hearing each other's personal data;
- data controllers must take all necessary technical and organizational measures to provide appropriate data security, in order to stop and prevent unauthorized access and misuse of authority;
- advertising using data subjects' contact details unlawfully must cease;
- the use by individuals and organizations of software programs that allow personal data obtained in various ways to be queried is unlawful, and such use is subject to procedural action under Turkish criminal law;
- reasonable measures should be taken to verify the contact information declared by data subjects, for example by sending a verification code and/or link to the declared phone number and/or email address;
- data controllers must not engage in blacklisting or profiling data subjects without adhering to the general principles of the Data Protection Law, the data processing conditions, and the data transfer provisions; and
- data controllers must implement technical measures, such as two-factor authentication, to ensure that personal data cannot be easily accessed by third parties.
In addition to the above principle decisions, some sample decisions of the Board that are significant for clarification are as follows:
- the Board imposed an administrative fine of TRY 900,000 (approx. $27,540) in its decision numbered 2020/559 (only available in Turkish here) on a data controller for transferring personal data abroad without a valid legal basis. The Board rejected the data controller's claim that Convention 108 is sufficient per se for data transfers abroad among its parties. Being a party to Convention 108 is not sufficient for that party to be accepted as a safe country, and a data controller relying on Convention 108 for data transfers abroad does not meet the requirements of the Data Protection Law;
- the Board stated in its decision numbered 2019/157 (only available in Turkish here) that the use of email services from service providers whose servers/data centres are located outside Turkey shall be deemed a data transfer abroad; therefore, storage services obtained from data controllers/data processors whose servers are located abroad must also comply with Article 9 of the Data Protection Law;
- the Board stated in its decision numbered 2020/746 (only available in Turkish here) that the right to be informed covers the right to access and that a data subject's request to receive their personal data is lawful. However, if the relevant personal data record includes the personal data of anyone other than the data subject concerned, the data processor shall have the option to mask the third parties' personal data and/or to provide the record in an alternative format (such as a transcript of the record);
- the Board found in its decision numbered 2020/494 (only available in Turkish here) that it is lawful for an employer to present camera recordings as evidence in a reinstatement lawsuit filed by an employee whose employment contract was terminated;
- the Board decided in its decision numbered 2021/115 (only available in Turkish here) to impose an administrative fine of TRY 175,000 (approx. $5,355) on a data controller bank for registering the phone number of a debtor's brother as an alternative phone number because the bank had previously made contact using that number;
- the Board decided in its decision numbered 2020/755 (only available in Turkish here) that a real estate property manager (data controller) did not violate the Data Protection Law by sharing with the data subject's landlord certain requested personal data, including an accounting of delinquent property dues and a mobile phone number, since the processing was necessary for the landlord's exercise of the rights granted by Article 22 of the Property Ownership Law No. 634 (only available in Turkish here);
- the Board decided in its decision numbered 2021/111 (only available in Turkish here), concerning contact with the relatives of a debtor about the debt, to impose administrative fines of TRY 50,000 (approx. $1,530) on the first law firm, which processed personal data without any processing condition; TRY 115,000 (approx. $3,519) on the company that transferred this data to another law firm without checking its accuracy; and TRY 100,000 (approx. $3,060) on the law firm that contacted the relatives, despite knowing that the data in question belonged to the debtor themselves;
- the Board decided in its decision numbered 2020/407 (only available in Turkish here) to impose an administrative fine of TRY 100,000 (approx. $3,060) on a data controller hospital that transmitted the data subject's health data by email to a third person in addition to the data subject;
- the Board decided in its decision numbered 2020/404 (only available in Turkish here) to impose a total administrative fine of TRY 250,000 (approx. $7,652.54) on a data controller that did not provide proper disclosure, processed special categories of personal data (biometric data, namely fingerprints, at workplace entrances and exits) without valid consent, and transferred personal data abroad;
- the Board imposed in its decision numbered 2020/335 (available in Turkish here) an administrative fine of TRY 50,000 (approx. $1,530.51) on a data controller that made explicit consent a condition of car rental services and refused service to a customer who did not give their explicit consent;
- the highest penalty to date is a fine of TRY 1,950,000 (approx. $59,689.79) imposed on WhatsApp under decision number 2021/891 of 3 September 2021 (only available in Turkish here). This is the highest fine announced since the Board began its activities and imposed in a single instance; and
- the Board decided in its decision numbered 2022/388 (available in Turkish here) to instruct a municipality following its failure to implement the necessary technical and administrative measures, which resulted in unrelated individuals gaining unauthorized access to data subjects' data without any identity verification system being used.
Board decisions
In addition, the Board issues decisions to clarify areas within the Data Protection Law, regulations, and practice. Key decisions include:
- Decision Number 2018/10 on the adequate measures to be implemented when processing special categories of personal data (only available in Turkish here) (Decision 2018/10): the Board declared that data controllers must prepare a separate policy and procedure for protecting special categories of personal data and emphasized the importance of implementing measures which had previously been determined in the Personal Data Security Guide.
- Decision Number 2017/62 on the data security in service areas (only available in Turkish here): the Board declared that entities providing services at service counters, box-offices, and desks must ensure that only authorized persons are in these locations, as well as take necessary measures to prevent people receiving services at these locations from seeing or hearing each other's personal data. The Board specifically referred to banks and healthcare organizations in this context.
- Decision Number 2017/61 on phone directory services (only available in Turkish here): the Board found that websites and applications which offer phone directory services (searchable via phone number or name) and share personal data without any justifiable reason determined under the Data Protection Law and relevant legislation, must immediately cease their activities or face either administrative or criminal sanctions. The decision underlines that all data processing activities must comply with the conditions under Articles 5 and 6 of the Data Protection Law for processing personal data, and persons processing personal data must also comply with other requirements under the Data Protection Law.
- Decision Number 2021/361 (only available in Turkish here) on sending push notifications to mobile phones: the Board decided that the data controller bank's practice of sending push notifications through two of its mobile applications, with the electronic message receiving preference automatically set to approved in the settings of the banking application installed by customers on Android devices and that approval treated as valid unless customers changed the preference, is not in accordance with the relevant legislation. Such 'push notifications', which service providers send instantly to users via mobile applications, were approved in the applications' default settings. The Board evaluated this as unlawful and imposed an administrative fine on the data controller on the grounds that it contradicts the rule in the Electronic Communication Law that electronic messages are subject to the consent of the recipients, and violates the requirement to rely on explicit consent for the processing of personal data under Article 5 of the Data Protection Law.
- Decision Number 2020/763 (only available in Turkish here) on electronic commerce: regarding a data breach notification, the Board decided not to impose a penalty in light of the following facts. While sending a data breach notification to a group of 400 recipients, all recipients had been added to the BCC field of the bulk email in order to protect the confidentiality of their email addresses; however, the email addresses of 43 customers were mistakenly added to the subject line by the employee who sent the email, so the addresses of those 43 recipients were shared with the 400 recipients as soon as the email was sent. The employee immediately determined that the email had been sent in error and contacted the persons responsible for the technology department to take action; it transpired that the email could not be recalled. The customers' email address information was affected by the breach and, since email addresses may contain a person's name and surname, identity and contact data were affected as well. The 43 data subjects were informed about the disclosure, the level of their exposure was minimized, they were contacted directly via their email addresses as soon as possible (within 48 hours) after the breach occurred, and the notification was made on September 29, 2020.
- Decision Number 2020/915 (only available in Turkish here) on the processing of fingerprints: the Board stated that the processing of fingerprints, which are biometric data, for the purpose of overtime control within the data controller's organization is contrary to the principle of being limited to and proportionate with the purpose of processing under Article 4(ç) ('General Principles') of the Data Protection Law, and that the processing activity is, moreover, unlawful because it is not based on any processing condition. The Board decided that the data controller's practice constitutes a violation of the Data Protection Law. It accordingly ordered the data controller to promptly destroy the fingerprint-related data processed and retained to date, in accordance with Article 7 of the Data Protection Law and the Regulation on the Deletion, Destruction or Anonymisation of Personal Data (only available in Turkish here); where the special category personal data had been transferred to third parties, to ensure that the destruction procedures were promptly notified to those third parties; to ensure that workplace entry and exit procedures are carried out by alternative means, also outside the epidemic period; and to end the practice of recording entries and exits with biometric data and remove the existing system.
- Decision Number 2021/989 (only available in Turkish here) on explicit consent: regarding the use of the data subject's image, without the data subject's explicit consent, in a news item on a website about the adoption of the person by a celebrity, the Board decided that the content of the event reported was not of public interest or benefit. It was clear that a guardian from the data subject's mother's side had been appointed for the data subject and that the data subject had therefore not been adopted by the celebrity in question. The Board imposed an administrative fine on the data controller, considering that the data subject's photograph was published on the website with incorrect content unrelated to the data subject, by an editor working for the data controller, without the explicit consent of the guardian on behalf of the data subject or any of the other processing conditions in the Data Protection Law.
Principle decisions published by the Board include:
- Decision Number 2018/63 on unauthorized access to and use of data (only available in Turkish here): the Board announced that data controllers must take all necessary technical and organizational measures to provide appropriate data security, in order to stop and prevent unauthorized access and misuse of authority.
- Decision Number 2018/119 on advertising using data subjects' contact addresses unlawfully (only available in Turkish here): the Board announced that advertising using data subjects' contact details unlawfully must cease. The Board stated that those advertising via e-mail, SMS, and calls must also cease such activities, and that the Board will impose sanctions for failure to do so.
- Decision Number 2019/308 on individuals and institutions using various software programs that allow personal data to be queried (only available in Turkish here): the Board determined that individuals and organizations were using software programs that allow them to query personal data obtained in various ways. The Board specifically referred to attorneys, law firms, and individuals and organizations operating in the finance, real estate, and insurance sectors. The Board announced that the use of such software programs is not in compliance with Article 12 of the Data Protection Law and that data processors using such programs shall be subject to procedural action under Turkish criminal law.
- Decision Number 2020/966 on the technical and administrative measures to be taken by data controllers in order to verify the contact addresses provided by data subjects (only available in Turkish here): in order to ensure that personal data are kept accurate and up to date where necessary, the Board decided that reasonable measures should be taken to verify the contact information declared by data subjects, for example by sending a verification code and/or link to the declared phone number and/or e-mail address.
- Decision Number 2019/125 on the criteria for determining the countries with an adequate level of protection within the scope of Article 9 of the Data Protection Law (only available in Turkish here);
- Decision Number 2019/10 on notification procedures and principles related to personal data breaches (only available in Turkish here);
- Decision Number 2019/9 on application procedures to the data controller and determination of complaint periods to the Board (only available in Turkish here); and
- Decision Number 2019/225 on the Registry registration obligation of data controllers located outside Turkey (only available in Turkish here). Data controllers located outside Turkey may be obliged to register with VERBIS if they carry out personal data processing activities in Turkey directly or through their branches or liaison offices.
Decisions on the exemptions from registration with VERBIS include:
- Decision Number 2018/32 (only available in Turkish here);
- Decision Number 2018/68 (only available in Turkish here);
- Decision Number 2018/75 (only available in Turkish here);
- Decision Number 2018/87 (only available in Turkish here);
- Decision Number 2019/353 (only available in Turkish here);
- Decision Number 2020/315 (only available in Turkish here); please see section 5 for further information on this decision;
- Decision Number 2018/88 on registration deadlines (only available in Turkish here); and
- Decision on Exemption of Village Legal Entities from the Obligation to Register in the Data Controllers' Registry (only available in Turkish here).
Decisions on the registration deadlines include:
- Decision Number 2019/265 (only available in Turkish here);
- Decision Number 2019/387 (only available in Turkish here);
- Decision Number 2020/482 (only available in Turkish here);
- Decision Number 2021/238 (only available in Turkish here); and
- Decision Number 2021/571 (only available in Turkish here).
The KVKK also publishes the Board's summarised and anonymized decisions, which help to clarify legislation and practice in this developing area and give some insight into how the Board will treat certain aspects of data processing, transfers, and security breaches. Notable points from the decisions include:
- Decision Number 2020/481 on the right to be forgotten (only available in Turkish here): the Board stated that search engines, which operate on the basis of data collected from third-party websites, are data controllers carrying out data processing activities. The Board evaluated data subjects' delisting requests to search engines as a subset of the right to be forgotten. To consider such requests, a balancing test between the data subject's fundamental rights and freedoms and the public's interest in obtaining the information is required. The Board published a list of 13 criteria that may be used in carrying out this balancing test;
- the Board ruled that notifying data subjects about a breach of personal data security 17 months after the breach exceeds a reasonable period and constitutes a breach of data security (only available in Turkish here);
- where other grounds for processing personal data exist, requesting the explicit consent of data subjects constitutes an abuse of right by the data controller, and explicit consent cannot be requested as a precondition for services (only available in Turkish here);
- the Board ruled that transferring to courts more personal data than was requested violates the principle of data minimization (only available in Turkish here);
- the Board warned data controllers that do not respond within 30 days to data subjects who wish to exercise their rights (only available in Turkish here);
- the Board warned a company for processing personal data for purposes other than its legal obligations, where the company had kept personal data for ten years on the basis of those legal obligations (only available in Turkish here);
- the Board sanctioned a data controller which sent a customer's personal data to another customer with the same name on the basis that the error indicates a lack of technical and administrative measures (only available in Turkish here);
- the Board ruled that adding an employee's residential address to sample contracts which were sent to third parties without any legal basis is a violation (only available in Turkish here);
- the Board refused a data subject's request to remove their name from a column in a journal, on the basis that freedom of press overrides their right to privacy (only available in Turkish here);
- the Board sanctioned a data controller which obtained additional documents including personal data that are not necessary for the execution of the related transaction (only available in Turkish here);
- the Board decided in its decision numbered 2019/122 to apply disciplinary procedures against a bank's employees who did not respond to an application made by a data subject, and ruled that the bank should change the privacy notice on its official website in accordance with the Obligation to Inform Communiqué (only available in Turkish here);
- the Board ruled in its decision numbered 2019/82 that a company's loyalty card is designed as a marketing tool and that, consequently, seeking consent for the processing of special categories of personal data is not related, limited, or proportionate to the scope of the data controller's activities (only available in Turkish here);
- the Board noted in its decision numbered 2018/90 that the data controller's obligation to inform and its seeking of the data subject's explicit consent should be carried out separately (only available in Turkish here);
- the Board noted in its decision numbered 2019/106 that unidentified person(s) shall not be determined to be data controllers (only available in Turkish here);
- the Board ruled in its decision numbered 2018/156 that applications made to the Authority regarding issues falling under the jurisdiction of the judicial authorities shall not be considered within the scope of the Data Protection Law (only available in Turkish here);
- the Board announced that Microsoft notified the Board on 8 May 2019 of a data breach that occurred in the company's systems. Microsoft stated that the ID information of a customer support manager working for one of its service providers had been obtained by third parties without authorisation. The company reported that this manager had violated Microsoft's policy by sharing their account login information with 13 support representatives. As a result, third parties were able to partly access Microsoft users' e-mail accounts between 1 January 2019 and 28 March 2019 (only available in Turkish here);
- the Board announced that Microsoft notified the Board on 29 January 2020 of a misconfiguration in its security systems that led to a breach resulting in the unlawful disclosure of Microsoft customer records;
- the Board issued two decisions, numbered 2019/81 and 2019/165, on biometric data (only available in Turkish here). The Board imposed administrative sanctions on two data controllers, both operating fitness centres, for processing biometric data at their members' entrances and exits. The Board held that the explicit consent obtained from members had been presented as a precondition for receiving the services; the consent therefore could not be considered freely given and was invalid. In addition, the Board decided that requiring members to use fingerprints as the obligatory and only way of entering the fitness centres is not in compliance with the principle of proportionality, which requires the data collected to be minimized to the extent possible. The Board also explicitly stated that obtaining explicit consent does not legalize the collection of excessive personal data, and that collection must be proportionate to and limited by the purpose of processing;
- the Board ruled in its decision Number 2019/296 (only available in Turkish here) that rejecting a data subject's access request because the application was not sent through a notary public or by electronically signed email imposes a pecuniary burden not foreseen in the Data Protection Law or the Application Communiqué. The data subject's right to make a proper application was thereby prevented, which constitutes a breach of law and of the rules of honesty stipulated under Article 6 of the Application Communiqué;
- the Board has put forward its opinion on the implementation of the right to access with its decision Number 2020/13 (only available in Turkish here);
- the Board ruled with its decision Number 2020/173 (only available in Turkish here), that explicit consent cannot be incorporated into a general privacy notice and must be obtained before the transfer of personal data. Obtaining the consent of the data subject through an opt-in section is not enough to comply with the explicit consent requirements. The transfers carried out based on this approval are unlawful;
- the Board highlighted the difference between wet-ink signature and biometric signature in its decision numbered 2020/649 (only available in Turkish here). Biometric signature solutions are not defined within the framework of a specific standard, they have different fictional features and are not considered equivalent to wet-ink signature. The provisions regarding a signature in the Turkish Code of Obligations No. 6098 ('Turkish Code of Obligations') are the regulations for classical signature and electronic signature and does not include the biometric signature. As the biometric signature falls in the scope of a special category of personal data, it can only be processed in the presence of the explicit consent of the data subject or if clearly prescribed by the law. However, the provisions of the Turkish Code of Obligations do not fulfill the requirement of being 'clearly prescribed by the law';
- the Board issued a decision numbered 2020/927 (only available in Turkish here) on a data subject's request regarding to be excluded from results of search engine queries. The Board decided that, the request is subject to evaluation of trial court and does not related to scope of Data Protection Law;
- the Board decided with its decision numbered 2020/93 (only available in Turkish here) that there is no ground for deleting or modifying health data (including mental health data), since the data were processed by the Ministry, who fulfills 'the authorized institutions and establishments' requirement and for the purpose of 'protection of public health, preventive medicine, medical diagnosis, provision of health care services and treatment, planning, and management of health care services and their financing';
- the Board ruled with its decision numbered 2020/508 (only available in Turkish here) that processing personal data which became public for a specific purpose, for that same purpose, does not breach the Data Protection Law. Since the personal data posted on the attorney search websites are processed for the same purpose as by the Turkish Bar Association, the processing of the personal data is not unlawful;
- the Board decided with its decision numbered 2020/667 (only available in Turkish here) that, since obtaining special category personal data is necessary for the renewal of the insurance policy, the insurance company's request for explicit consent from its client in order to process their special category personal data is lawful;
- the Board issued a decision, numbered 2020/710 (only available in Turkish here), on the processing of personal data during enforcement proceedings. As Article 89 of Enforcement and Bankruptcy Law No. 2128 ('Enforcement and Bankruptcy Law') (only available in Turkish here) allows a secured creditor in an enforcement proceeding to pursue recovery against non-debtor third parties who may be in possession of debtor assets, processing the data of non-debtor third parties in this regard does not violate the Data Protection Law;
- the Board issued a decision, numbered 2020/212 (only available in Turkish here), on the practice of CCTV cameras with audio and video recording. The Board highlighted that each audio and video recording practice of a data controller shall be assessed on the basis of the principle of proportionality;
- the Board evaluated the trade registry offices' practice and the principle of publicity of trade registry records with its decision numbered 2020/307 (only available in Turkish here). The documents recorded by the trade registry offices include personal data pertaining to real person representatives. Therefore, the trade registry offices must provide the requested documents and/or information to third parties provided that the sections including personal data are redacted. The Board noted that the trade registry offices are under a confidentiality obligation with regard to the personal data in their possession and are not the authorized body to provide civil registry information under the Civil Registry Services Law No. 5490 (only available in Turkish here);
- the Board ruled with its decision numbered 2020/507 (only available in Turkish here) that the legal inheritors of deceased persons are entitled to obtain records including personal data related to health;
- the Board issued a decision, numbered 2020/504 (only available in Turkish here), regarding the request of an airline company's customer to obtain the audio records of conversations between the customer and the call center. Since the audio records included personal data belonging to third parties in addition to the customer's own data, the airline company provided its customer with a redacted transcript of the related conversation. The Board noted that the right to information involves the right to obtain the related data, unless providing it would violate third parties' rights. Where it would, providing the content of the data, including all details pertaining to the data subject, in an alternative form such as a transcript is an acceptable way to satisfy the data subject's request;
- the Board ruled that the purpose of data breach notification is to create an opportunity to swiftly avoid or minimize the negative outcomes of the breach that might be borne by the data subjects. Therefore, in its decision numbered 2019/271 (only available in Turkish here), the Board determined the minimum requirements that should be included in a data breach notification;
- the Board has put forward its opinion on the implementation of the right to access with its decision numbered 2020/13 (only available in Turkish here);
- the Board imposed an administrative fine of TRY 800,000 (approx. $24,487.82) with its decision numbered 2022/229, due to the unlawful processing of personal data through cookies used on the website and mobile applications of a data controller company operating in the e-commerce sector (available in English here); and
- the Board, through decision numbered 2023/134, imposed an administrative fine of TRY 1,750,000 (approx. $53,566.62) on TikTok Pte. Ltd. for failing to make its terms of service available in Turkish, thereby failing to provide accurate information to data subjects; for having a privacy policy that does not comply with the Data Protection Law; and for using the privacy policy in place of an information notice, although it does not contain the elements of a valid information notice (only available in Turkish here).
The Board imposed fines on:
- a hospital which could not provide an adequate level of protection for patients' personal data (only available in Turkish here);
- a career platform which shared an applicant's personal data with other applicants without any legal basis (only available in Turkish here);
- a company which shared an applicant's CV with the other group companies through a mutual electronic platform, without the applicant’s consent (only available in Turkish here);
- a technical service provider company which did not take the necessary technical and administrative measures to protect its customers' data. Afterwards, the Board imposed a second fine on this company for not complying with the Board's previous decision (decision numbered 2019/52 is only available in Turkish here);
- a social media platform (Facebook) which failed to prevent unlawful access to users' visual data. This data breach was caused by an 'API bug'; as a result, third-party applications were able to access user photos for 12 days. The total amount of the fine issued was TRY 1.65 million (approx. $50,505.68), coming in two parts: the Board firstly imposed TRY 1.1 million (approx. $33,670.45) on Facebook for failure to take the necessary technical and administrative measures in time, and secondly imposed TRY 550,000 (approx. $16,835.27) for not notifying the Board as soon as possible after detecting the API bug (decision numbered 2019/104 is only available in Turkish here);
- three different companies operating in the transportation and lodging sectors: the Board imposed TRY 550,000 (approx. $16,835.27) on each of the transportation companies separately and imposed TRY 1.45 million (approx. $44,383.91) on a hotel due to non-compliance with the obligation to take the necessary administrative and technical measures and the obligation to inform the Board and data subjects about a data breach as soon as possible (decision numbered 2019/144 is only available in Turkish here);
- an asset management company that sent text messages to the data subject multiple times regarding the same issue without obtaining the data subject's explicit consent (decision numbered 2019/159 is only available in Turkish here);
- a data controller that sent commercial electronic communications without obtaining the data subject's explicit consent. The Board decided that sending commercial electronic communications to a data subject is a data processing activity and must comply with the data processing conditions stipulated under Article 5 of the Data Protection Law (decision numbered 2019/162 is only available in Turkish here);
- a data controller, with an administrative fine of TRY 50,000 (approx. $2,035), for failing to fulfil its obligation to prevent unlawful processing of personal data (decision numbered 2019/166 is only available in Turkish here);
- a social media platform (Facebook) which failed to prevent unlawful access to users' data. This data breach was caused by the complex interaction of multiple bugs related to three different Facebook features. However, the breach in question was not duly notified by Facebook to the Board as envisaged under the Data Protection Law. In this respect, the Board started an ex officio investigation into Facebook in accordance with Article 15(1) of the Data Protection Law. As a result of the investigation, the Board fined Facebook TRY 1.6 million (approx. $1,530.48) on the grounds that Facebook did not take the necessary technical and administrative measures to prevent possible data breaches and failed to notify the Board of the breach (decision numbered 2019/269 is only available in Turkish here);
- a data controller that failed to ensure an adequate level of administrative and technical measures to protect personal data; the Board also imposed a second administrative fine because the data controller violated the obligation to inform the Board and data subjects about the data breach as soon as possible (decision numbered 2019/122 is only available in Turkish here);
- an airline company that requested a copy of both sides of the data subject's identification card in response to the data subject's request to change the username and password of their loyalty membership, thereby processing the data subject's health and religion data (special categories of personal data) printed on the ID card without obtaining explicit consent from the data subject. The Board also decided that the data controller had processed personal data in breach of the principle of being relevant to, limited to and proportionate to the purposes for which they are processed (decision numbered 2019/294 is only available in Turkish here);
- a data controller that processed personal data made public by the data subject inconsistently with the purpose for which it was made public (decision numbered 2019/331 is only available in Turkish here);
- a newspaper that disclosed special category personal data of the data subject in a column without obtaining his explicit consent. The Board decided that the special category personal data was disclosed contrary to the personal data processing conditions and imposed an administrative fine on the newspaper for failing to prevent unlawful processing of personal data (decision numbered 2020/32 is only available in Turkish here);
- a bank which did not take adequate administrative and technical measures in line with its obligations to ensure the protection of personal data during the delivery of the credit card and did not make sufficient and reasonable efforts to keep the data of the data subject up-to-date. The Board decided that the courier does not act as data controller for the data contained in the envelope but acts as data controller for the data such as the sender and receiver name and surname used to provide its service (only available in Turkish here);
- a gaming company which failed to ensure an adequate level of administrative and technical measures, including sufficient vulnerability testing. The unauthorised access was recorded in the company's log records; however, the company did not detect the breach risk through its log records. The preventive technical measures were taken only after the breach of users' data, and no notification was made to the Board (decision numbered 2020/286 is only available in Turkish here);
- a media company which published the legal notification on rectification request without masking the sections including personal data (decision numbered 2020/145 is only available in Turkish here);
- a car rental company which used credit card information obtained during a previous rental transaction for the payment of another rental transaction. The provisions of the customer agreements allowing the use of credit card information for any potential future transactions are deemed an unfair condition, and such provisions are not sufficient to satisfy the explicit consent requirements (decision numbered 2020/166 is only available in Turkish here);
- a private school which administered the CAS Test (Cognitive Assessment System) to assess the planning skills and attention processes of its students without obtaining explicit consent from the data subjects' custodians. Since the results of the CAS Test include information on the students' mental assessment, which falls within the scope of special categories of personal data, the data controller must fulfil its obligation to inform and obtain the explicit consent of the data subject's custodian (decision numbered 2020/255 is only available in Turkish here);
- a car rental company which obtains its customers' explicit consent as a pre-condition for its services (decision numbered 2020/335 is only available in Turkish here);
- a company which implemented fingerprint scanning at its workplace. The Board decided that special category personal data was processed contrary to the personal data processing conditions and imposed an administrative fine on the company for failing to fulfil its obligation to inform and its obligation to obtain explicit consent (decision numbered 2020/404 is only available in Turkish here);
- a bank which contacted the sibling of its debtor regarding its receivables. The Board decided that personal data was processed contrary to the personal data processing conditions and imposed an administrative fine on the bank for failure to obtain explicit consent. Additionally, the Board did not impose an administrative fine on the attorney of the bank who contacted the sibling of the debtor on behalf of the bank to collect its receivables, since the attorney made the phone call based on the contact details provided by the bank and ended the conversation after recognizing that the contact person was not the debtor of the bank (decision numbered 2021/115 is only available in Turkish here);
- the Board imposed an administrative fine of TRY 30,000 (approx. €1,403) in its decision number 2022/13, due to the sharing of the exam result document by a local news website without the explicit consent of the data subject (only available in Turkish here);
- within the Board's decision numbered 2021/1243, an administrative fine of TRY 50,000 (approx. $1,530.48) was imposed because a human resources company sent e-mails for advertising and marketing purposes to the data subject's e-mail address without their explicit consent (only available in Turkish here);
- the Board, in its decision numbered 2021/1239, decided that the processing of data by the bank, as data controller, by making calls to the phones of the data subject's family members was not a violation of the Data Protection Law, since the calls were made on account of outstanding debts and to alternative numbers recorded in the Risk Centre (only available in Turkish here);
- a university which, in a training it provided, organized the attendance list containing the personal data of the participants in a way that could be seen by other participants; the Board found that the data controller had not fulfilled its obligation to inform (only available in Turkish here);
- in the Board's decision numbered 2021/1187, an administrative fine of TRY 250,000 (approx. €11,696) was imposed due to the data controller's access to the bank account data of the data subject, a former employee, in the corporate e-mail account of the data subject and failure to fulfil the disclosure obligation in this regard (only available in Turkish here);
- the Board, in its decision numbered 2021/1107, imposed an administrative fine of TRY 150,000 (approx. $7,652.70) on a bank in relation to keeping the credit rating of the data subject up-to-date and accurate and sharing it with third parties (only available in Turkish here);
- the Board, in its decision numbered 2022/336, concluded that an announcement including the name and surname of the data subject and the accusations against them was published on the company's corporate social media account, which is accessible not only to the company's customers but to everyone, and that the action violated the principle of proportionality due to the lack of a reasonable balance between the data processing and the purpose to be achieved, and imposed an administrative fine of TRY 30,000 (approx. $918.32) (only available in Turkish here);
- the Board issued Decision No. 2022/107 concerning the processing of a data subject's phone number by a savings financing company and the sending of promotional SMS messages without a legal basis for data processing. The financing company, acting as the data controller, sent commercial messages to the data subject's phone number. Upon investigation, the Board found that the sending of commercial electronic messages must not only comply with the regulations on commercial electronic communications but also be based on a legal ground for data processing under Article 5 of the Data Protection Law. Despite the data controller's claim that the data subject was registered in the Message Management System (İYS), there was no evidence of a relationship with the data controller that would justify the registration, nor proof that the data subject's explicit consent for processing personal data had been obtained. As a result, the Board imposed an administrative fine of TRY 75,000 (approx. $2,295.68) on the data controller (only available in Turkish here);
- the Board issued Decision No. 2022/768 regarding a bank transferring a data subject's personal data to an insurance company without explicit consent. The data subject complained of receiving numerous calls from the insurance company. The bank claimed the calls were authorized under an agency agreement and that the data subject had consented to commercial communications. However, the bank failed to provide evidence of explicit consent or of any confidentiality agreement required under the relevant regulations. The Board found that the data transfer did not meet the conditions of Article 8 of the Data Protection Law and imposed a fine of TRY 250,000 (approx. $7,652.28) (only available in Turkish here);
- the Board issued Decision No. 2023/932 concerning the processing of a phone number not provided by the data subject to the bank. The data subject claimed that although they applied for a loan online using one phone number, they received SMS messages on another number not used in their banking transactions. The bank stated that the alternate number was obtained from the Credit Bureau (KKB). The bank argued that processing the alternate number was necessary for legal obligations and fraud prevention. The Board found that the phone number provided during the loan application was verified, and using an alternate number from the KKB was legitimate under banking regulations. Therefore, the Board concluded no action was needed under the Data Protection Law, advising the data subject to address concerns about KKB data accuracy directly with the KKB (only available in Turkish here);
- the Board issued Decision No. 2022/249 regarding a technology company's unauthorized transfer of personal data abroad without explicit consent. The data subject complained about the lack of a cookie policy and about not having given consent for the data transfers mentioned in the privacy policy. Despite contacting the company, they received no response within the legal timeframe. The company admitted the oversight and stated that data was transferred to cloud services abroad for protection. The Board found the company had failed to inform data subjects and to meet the data transfer conditions required by the Data Protection Law. As a result, the Board fined the company TRY 950,000 (approx. $29,085) (only available in Turkish here);
- the Board investigated TikTok following complaints about improper consent, illegal data collection, and security issues. They found that TikTok made profiles of users aged 13-16 publicly accessible by default, collected data on children under 13 without parental consent, and lacked clear information in its Privacy Policy on data processing purposes. The Terms of Service were not available in Turkish, making them hard for users to understand. Additionally, cookies were used for profiling without user consent. As a result, TikTok was fined TRY 1,750,000 (approx. $53,577) for not ensuring adequate data security. The Board also instructed TikTok to translate its Terms of Service into Turkish within one month, revise its Privacy Policy to comply with the Data Protection Law within three months, and ensure proper user information practices (only available in Turkish here);
- the Board issued Decision No. 2022/1201 regarding a request to remove search results from an internet search engine. The data subject complained about a link to an Official Gazette notice appearing when their name was searched and requested its removal under the right to be forgotten. The search engine operator argued that public interest outweighed privacy concerns. The Board found that indexing personal data is data processing and that the search engine is a data controller. The content, over 20 years old, was irrelevant to the data subject's current professional life and lacked public interest. The Board ordered the search engine to de-index the URL so it would no longer be associated with the data subject's name (only available in Turkish here);
- the Board issued Decision No. 2022/630 regarding the unauthorized sharing of surgery photos on social media by a doctor working at a hospital. The data subject complained that photos taken during a rhinoplasty surgery were shared on the doctor's social media account without their explicit consent. The Board found that the data subject had only given consent to the hospital, not the individual doctor, for the processing of their personal data. The hospital failed to take necessary administrative and technical measures to prevent the doctor from sharing the photos. As a result, the Board imposed a fine of TRY 100,000 (approx. $3,061) on the hospital. Additionally, the Board informed the data subject that they could pursue legal action against the doctor under the Turkish Penal Code (only available in Turkish here);
- the Board issued Decision No. 2022/594 regarding a complaint about a health institution sending drug test results to a third party at the data subject's workplace without explicit consent. The investigation revealed that the institution failed to meet the data processing conditions required by the Data Protection Law and did not obtain the necessary explicit consent. The Board determined that the institution did not implement sufficient measures to prevent the unlawful processing of sensitive health data. Consequently, the Board imposed a fine of TRY 75,000 (approx. $2,296) on the health institution (only available in Turkish here);
- the Board issued Decision No. 2023/787 regarding a complaint that a hospital unlawfully obtained patient consent for processing personal and health data for marketing. The hospital claimed it aimed to raise awareness about diseases through photos and videos shared online with patient consent. The Board found that processing health data was unnecessary for raising awareness and violated the principle of proportionality. Additionally, sectoral regulations prohibit private hospitals from advertising to create demand, making the consent invalid under the Data Protection Law. As a result, the Board fined the hospital TRY 250,000 (approx. $7,653) (only available in Turkish here);
- the Board issued Decision No. 2023/692 regarding a complaint about a healthcare institution requiring marketing consent to book online appointments. The Board found this practice coerced patients into giving consent, compromising their free will. Despite the institution's subsequent changes, the Board imposed a fine of TRY 300,000 (approx. $9,184) for initially unlawful practices and required further amendments to the consent process (only available in Turkish here);
- the Board issued Decision No. 2023/695 regarding a complaint that a doctor at a private medical centre accessed a data subject's e-Nabız health records without authorization. The medical centre claimed this was done by a secretary without their knowledge, despite e-Nabız settings allowing all Ministry of Health doctors to access data. The Board found the medical centre failed to implement necessary privacy measures and access restrictions. As a result, the Board fined the centre TRY 200,000 (approx. $6,123) for not preventing unauthorized access to personal data (only available in Turkish here);
- the Board issued Decision No. 2023/767 regarding the publication of a married couple's health data in a newspaper without consent. The couple had complained about their treatment at a private hospital, and their health data was published in a high-circulation newspaper. The Board found that the publication was not justified by public interest or freedom of expression, as it unnecessarily detailed their health issues, violating their privacy. Consequently, the Board fined the responsible party TRY 100,000 (approx. $3,061) for not preventing the unlawful processing of personal data (only available in Turkish here);
- the Board issued Decision No. 2023/1130 regarding a pharmacy that shared a person's medical records with their ex-spouse without consent. The pharmacy claimed it was unaware of the divorce and custody issues, thinking the ex-spouse was authorized to collect medications. The Board found the pharmacy violated the Data Protection Law by sharing sensitive data without legal grounds and failing to implement necessary security measures. The Board fined the pharmacy TRY 50,000 (approx. $1,530) and advised the pharmacist to adhere strictly to legal requirements (only available in Turkish here);
- the Board issued Decision No. 2022/653 regarding a request for the credit card and phone information used in an online purchase. The company refused, stating the information was linked to a third party and that it did not store credit card data. The Board found the credit card data was held by a payment service provider and cited guidelines recommending that access to personal data should not infringe on others' rights. The Board concluded the data subject could not access the phone number as it was not their personal data, but instructed the company to verify and provide the phone number used for delivery. No fines were imposed, but the company was directed to comply with the guidelines on sharing personal information (only available in Turkish here);
- the Board issued Decision No. 2022/491 regarding a complaint by a model whose photos were still displayed on a clothing store's website after their employment ended, without explicit consent. The investigation found that the photos were published based on a contract between the model and the store under Article 5/2(c) of the Data Protection Law. The Board concluded that the photos could be used for the duration that the related clothing items were in stock. As such, no further action was required under the Data Protection Law (only available in Turkish here);
- the Board issued Decision No. 2022/774 regarding a complaint about an e-commerce site sending a third party's order information to the complainant's email address. The complainant stated that despite notifying customer service and having the email removed due to a name similarity, they continued to receive promotional emails. The Board found that the e-commerce site had sent order details to the wrong recipient without any confirmation mechanism in place, violating the data processing conditions in Article 5 of the Data Protection Law. The site also failed to fulfill data security obligations. Considering the potential loss of rights from such errors, the Board imposed a fine of TRY 120,000 (approx. $3,673) on the data controller (only available in Turkish here);
- the Board issued Decision No. 2023/426 regarding a company that requested e-Government passwords from customers to verify employment for consumer loan purchases. The company claimed it only asked for insurance records, not passwords. However, the Board found evidence that passwords were accessed, allowing unauthorized access to special categories of personal data. The Board fined the company TRY 400,000 (approx. $12,246) for violating the Data Protection Law (only available in Turkish here);
- the Board issued Decision No. 2023/567 regarding an e-commerce site's requirement to save customers' credit/debit card information to complete purchases. The Board found this practice violated data processing principles by misleading customers and not obtaining explicit consent for storing card information beyond the initial purchase. As a result, the Board fined the e-commerce site TRY 500,000 (approx. $59,000) (only available in Turkish here);
- the Board issued Decision No. 2023/845 regarding a complaint about a courier sending harassing messages to a customer after delivering a package. The Board found the company responsible for failing to implement measures to prevent unauthorized use of personal data, despite the company's claim that the courier was not its employee. The Board imposed a fine of TRY 250,000 (approx. $7,652.14) on the company for failing to ensure data security and prevent unlawful data processing (only available in Turkish here);
- the Board issued Decision No. 2022/776 regarding a marketing company sending promotional brochures to an 8-year-old child without parental consent. The company claimed the brochures were sent by an independent contractor without its instruction. The contractor used the child's name provided by the parent during an online purchase. The Board found the marketing company not directly responsible but fined the independent contractor TRY 30,000 (approx. $9,182) for processing data without a legal basis (only available in Turkish here);
- the Board issued Decision No. 2022/861 regarding a marketing company that sent promotional emails to a lawyer's work email without consent. The company claimed it sourced email addresses from internet searches for relevant professional communication. The Board found that while public data can be processed without consent, it must align with the purpose for which it was made public. In this case, the lawyer's email was intended for professional use, not marketing. Additionally, lawyers do not qualify as tradesmen or craftsmen under the Attorneyship Law, so prior consent is required for marketing emails. The Board fined the company TRY 150,000 (approx. $4,600) for processing data without a legal basis (only available in Turkish here);
- the Board issued Decision No. 2022/328 regarding a complaint about a payroll service provider sending a notice containing personal data (including T.C. identity number and address) to the data subject and seven other employees, violating their privacy. The payroll service provider claimed that the data subject was an employee of a group company for which they provided payroll services. Due to the COVID-19 pandemic, mandatory unpaid leave was implemented, and the information had to be communicated. The notice included the personal data of all affected employees and was shared with a notary. The Board found that the personal data of the data subject and the other seven employees were included in the same notice, resulting in the unlawful sharing of personal data. Consequently, the Board imposed a fine of TRY 100,000 (approx. $3,060) on the payroll service provider (only available in Turkish here);
- the Board issued Decision No. 2022/1358 regarding a complaint about a gaming platform not providing information on its cookie processing practices and not obtaining explicit consent for non-essential cookies. The investigation revealed that the website used numerous cookies without proper notification or consent for those tracking user activities for advertising or statistical purposes. As a result, the Board imposed a fine of TRY 300,000 (approx. $9,180) on the data controller for failing to comply with data protection regulations (only available in Turkish here);
- the Board issued Decision No. 2023/1645 regarding a complaint against the Turkish distributor of a popular online game. The data subject claimed their requests under the Data Protection Law were ignored and misleading information was provided about data transfers abroad. The Board's investigation revealed several issues. The distributor did not clearly inform users about cross-border data transfers. The privacy policy, prepared by the foreign parent company, mentioned data transfers abroad, but the data subject was not adequately informed. The privacy and cookie policies contained vague language and did not comply with the Data Protection Law. Non-essential cookies were used without obtaining explicit consent from users. The Board concluded that the distributor violated data protection regulations and imposed a fine of TRY 750,000 (approx. $22,970) (only available in Turkish here);
- the Board issued Decision No. 2022/386 regarding a complaint from the data subject whose employment termination was publicly shared on their former employer's social media account. The post included a statement that the data subject was dismissed due to misconduct and apologized for any inconvenience caused. The employer argued that the post was intended to inform customers and prevent potential harm to the company's reputation. However, the Board found that the public disclosure of the data subject's name and the accusations against them violated the principle of proportionality under Article 4 of the Data Protection Law, as there was no reasonable balance between the purpose of the data processing and the means used. Consequently, the Board determined that the employer's actions constituted unlawful data processing and imposed a fine of TRY 30,000 (approx. $920) (only available in Turkish here);
- the Board issued Decision No. 2022/798 regarding a complaint from the data subject who had attended a job interview with a company while employed elsewhere. The company conducting the interview shared information about the interview and negative comments made by the data subject about their current employer with that employer. The Board found that the sharing of the data subject's interview details and comments violated the obligation to implement necessary technical and administrative measures to prevent unlawful data processing. The Board determined that the company's actions constituted unlawful data processing and imposed a fine of TRY 100,000 (approx. $3,060) (only available in Turkish here);
- the Board issued Decision No. 2022/896 regarding a data subject whose former employer shared legal correspondence, including their personal data, with their sibling. The employer argued that the data was processed within the employment context. However, the Board found that sharing the judicial correspondence with the sibling violated data protection obligations. Consequently, the Board fined the employer TRY 150,000 (approx. $4,600) for failing to prevent unlawful data processing (only available in Turkish here);
- the Board issued Decision No. 2022/1147 regarding a complaint from a former employee whose image was used in advertisements and whose phone number was used in deliveries post-termination. The employer argued that the data subject had consented to this use by signing a consent form. The Board found that storing the images was lawful, but continuing to use and share them after termination was not. Consequently, the Board imposed a fine of TRY 250,000 (approx. $7,650) for unlawful data processing (only available in Turkish here);
- the Board issued Decision No. 2023/1356 regarding a complaint that a former employer had submitted images of the data subject praying in a mosque as evidence in a reinstatement lawsuit without valid consent. The employer argued that the termination was for neglecting duties and making false accusations. The Board found that the consent relied on was not freely given and that the processing therefore lacked a legal basis. Consequently, the Board imposed a fine of TRY 300,000 (approx. $9,180) and ordered the employer to cease the processing and destroy the data (only available in Turkish here);
- the Board issued Decision No. 2023/570 regarding a complaint about a cryptocurrency service provider requesting excessive personal data for membership upgrades. The provider requested photos of the user's ID card and their own photo. The provider justified this by citing compliance with the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism. The Board determined the request was legally justified under relevant laws, including the Law on Prevention of Laundering Proceeds of Crime, and no action was taken against the provider (only available in Turkish here);
- the Board issued Decision No. 2023/1234 regarding a complaint from a data subject who was asked for a Findeks Report by a car rental company. The company required the data subject's consent to process the report's data to proceed with the rental. The car rental company claimed the data subject refused to pay the deposit and that the platform handling reservations processed the data. The platform stated it was merely an intermediary and not responsible for data processing. The Board found that processing personal data via the Findeks Report required explicit consent under the Data Protection Law. By making the rental service conditional on providing the Findeks Report, the company violated legal obligations. Consequently, the Board imposed a fine of TRY 100,000 (approx. $3,060) and instructed the company to address the data subject's request properly (only available in Turkish here);
- the Board issued Decision No. 2023/1309 regarding a data subject who, while checking in with an airline, discovered the personal information of four unknown individuals, including names, birthdates, and document details. The data subject requested information under Article 11 of the Data Protection Law but received incomplete details. The airline attributed the issue to a travel agency's error. The Board found that the airline had failed to implement adequate measures to prevent unlawful access, affecting many data subjects. Consequently, a fine of TRY 300,000 (approx. $9,180) was imposed on the airline (only available in Turkish here);
- the Board issued Decision No. 2023/1327 regarding a complaint from a data subject who received a document via social media revealing their stay details, shared by hotel staff with third parties. The hotel claimed the sharing was a standard procedure to ensure personalized service and emergency responses. However, the Board found the inclusion of guests' names in the document excessive and noted a lack of adequate administrative and technical measures to prevent unauthorized access. Consequently, the Board imposed a fine of TRY 500,000 (approx. $15,310) on the hotel and mandated that the hotel obtain explicit consent for data processing in its marketing activities and report compliance to the Board (only available in Turkish here);
- the Board issued Decision No. 2023/1414 regarding a data subject's complaint about a lawyer accessing and using DNA test results without consent. The lawyer argued that the data was used in a paternity lawsuit with the consent of the data subject's ex-spouse and children. The Board found that the processing was lawful under the Attorneyship Law and the Data Protection Law. No evidence showed unlawful access by the lawyer, and the DNA results also related to the data subject's children, so the data was personal data of those individuals as well. Consequently, the Board decided that no action was required under the Data Protection Law (only available in Turkish here); and
- the Board issued Decision No. 2023/1461 about an educational institution recording audio and video during a dispute meeting. The institution claimed the recordings were for security and evidence purposes, asserting compliance with the Turkish Penal Code and claiming exemption from VERBIS registration because it had fewer than 50 employees. The Board found the video recording legitimate for security purposes, but the audio recording unjustified, as it significantly infringed on privacy without a legitimate interest. A fine of TRY 200,000 was imposed for the unlawful audio recording, and an additional TRY 30,000 for not informing data subjects about the video recording (only available in Turkish here).
The Board imposed disciplinary action on:
- a public university that made students' exam results accessible to third parties by publishing them on the internet. The Board stated that the examination results of students who took the examination years ago cannot remain accessible to third parties without any time limitation, and also found that the data controller did not respond in a timely manner to the Board's request for information and documents (Decision No. 2019/188, only available in Turkish here).
Public Announcement on the Processing of Personal Data by Sending a Verification Code to Data Subjects via SMS during Shopping in Stores
On December 17, 2021, the Board published a public announcement (only available in Turkish here) regarding allegations that a verification code was sent to data subjects via SMS during cash register transactions in shopping stores, and that cashiers requested the code on the grounds that it was necessary for completing the payment or updating the data subject's information. After the transaction, however, the stores in question sent commercial electronic messages to the data subjects.
In its examination of the complaints and notices, the Board determined that the data controllers had misled the data subjects when obtaining explicit consent for commercial electronic messages: no information was provided, before or within the SMS, about the content of the message or why a verification code was being sent during payment, and/or cashiers requested the code by claiming it was necessary to complete the payment or update the data subject's information.
In this respect, the Board emphasized the importance of the following matters:
- as a requirement of the layered approach, the persons authorized by the data controller in the store must first explain to data subjects, in a clear and understandable manner, the purpose of the SMS to be sent to their phone and what consequences will follow if the code is provided to the cashier; the content of the SMS must also provide the necessary channels for fulfilling the obligation to inform;
- ending the practice of carrying out different processing activities, such as concluding a membership agreement, granting permission to process personal data, and approving commercial electronic messages, through a single action (sending a verification code to the data subject via SMS during payment), and instead obtaining explicit consent separately, with a separate option offered for each processing activity;
- avoiding situations in which obtaining explicit consent and fulfilling the obligation to inform are merged into a single act; and
- where an SMS verification code is used to obtain explicit consent for sending commercial electronic messages, the consent obtained in that transaction must satisfy all elements of explicit consent under the Data Protection Law, namely that it relates to a specific subject, is based on information, and is given freely.
Public Announcement on 'Requests Regarding the Non-Transfer of Financial Account Data of Turkish Citizens Living Abroad'
Turkish citizens residing abroad submitted numerous petitions expressing concern about the transfer of their financial account data to foreign authorities. They had sought information from the Turkish Revenue Administration and their banks but received insufficient responses, prompting them to seek action under the Data Protection Law. The Board explained that, under Article 9 of the Data Protection Law and without prejudice to the provisions of international agreements, personal data may be transferred abroad only with the Board's permission where the interests of Turkey or of the data subject would be seriously harmed. The Board referred to international agreements such as the Multilateral Competent Authority Agreement on Automatic Exchange of Financial Account Information, under which such data may be transferred without the data subject's explicit consent or the Board's permission. In its decision dated December 28, 2023, the Board stated that data transfers made under these international agreements are lawful and are not subject to additional requirements under the Data Protection Law, and that no further action was therefore needed regarding the petitions.