Data Protection & Privacy 2024 - Part 1

05.05.2024

Contents

1. Basic National Regime

1.1 Laws

The right to protection of personal data is regulated under the Constitution of the Turkish Republic (the “Constitution”) as an individual right, since its amendment in 2010.

According to Article 20(3) of the Constitution, the right to protection of personal data includes the right to:

• be informed about the processing of personal data;

• have access to personal data;

• rectification or deletion of personal data; and

• be informed about whether personal data is used in accordance with the appropriate purposes.

According to the same article, personal data may be processed only if the processing is allowed by the law, or if the data subject gives their explicit consent. The article finally states that the procedures and principles of processing personal data must be regulated by the law.

The Turkish Data Protection Law

Pursuant to Article 20(3) of the Constitution, Turkish lawmakers enacted the Turkish Data Protection Law No 6698 (the “DP Law”), which is the first general law that specifically regulates the procedures and principles for processing personal data in Türkiye. It entered into force on 7 April 2016.

Although it came into force only one month before the European Union General Data Protection Regulation (GDPR), the DP Law was drafted with reference only to EU Directive 95/46/EC. Efforts are currently underway to align the DP Law with the GDPR. As part of these efforts, the Law on Amendments to the Criminal Procedure Law and Certain Laws (which also includes the DP Law Amendments) was published in the Official Gazette on 12 March 2024 (see 1.8 Significant Pending Changes, Hot Topics and Issues). Important secondary regulations issued by the Personal Data Protection Authority (DPA) include:

• the By-Law on the Deletion, Destruction or Anonymisation of Personal Data;

• the By-Law on the Registry of Controllers;

• the Communique on Principles and Procedures to Be Followed in Fulfilment of the Obligation to Inform;

• the Communique on Principles and Procedures for the Request to Controllers;

• processing of genetic data;

• good practices on personal data protection in the banking sector;

• cookie practices;

• processing of biometric data;

• artificial intelligence (AI);

• preparing an inventory of personal data processing;

• fulfilment of the obligation to inform;

• technical and organisational measures;

• deletion, destruction or anonymisation of personal data; and

• the concepts of controller and processor.

In addition, the Personal Data Protection Board (DPB) adopts resolutions, which are published on the DPA’s website and/or in the Official Gazette.

Turkish Criminal Law

Certain actions that violate the protection of personal data are defined as crimes in the Turkish Criminal Code (TCrC) (see 2.5 Enforcement and Litigation).

Turkish Civil Law

Personal data is considered a part of personality under Turkish law; hence it is also protected under the protection of personality rights in the Turkish Civil Code (TCiC).

Other

There is also some sector-specific legislation on the processing of personal data in certain sectors, such as the telecommunications, banking, electronic payment, health and education sectors.

Currently, there is no specific legislation dedicated solely to AI. However, an exception exists in Additional Article 1 of the Regulation on Remote Identification Methods Used by Banks and the Establishment of Contractual Relationships in the Electronic Environment. This provision grants authority to the Banking Regulation and Supervision Agency (BRSA) to establish principles and procedures for ID verification transactions conducted by customer representatives using AI-based methods. The BRSA has not yet regulated this issue.

Moreover, the DPA released Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence (the “Recommendations on AI”), highlighting concerns associated with the utilisation of AI in processing personal data.

1.2 Regulators

The primary supervisory and regulatory authority in Türkiye is the DPA. It is an independent administrative institution with administrative and financial autonomy. The DPA is empowered to regulate data protection activities and to safeguard the rights of data subjects. The decision-making body of the DPA is the DPB. Some of the main duties and powers of the DPB are as follows:

• conducting investigations following complaints of data subjects or ex officio if it becomes aware of the alleged violation, and taking temporary measures, where necessary;

• concluding the complaints of those who claim that their rights concerning personal data protection have been violated;

• maintaining the Registry of Controllers (VERBIS);

• imposing the administrative sanctions provided in the DP Law;

• determining and announcing those countries with adequate levels of protection of personal data for the purpose of international data transfers; and

• approving the written undertaking of controllers in Türkiye and the relevant foreign country that undertakes to provide adequate protection, when adequate protection is not provided, for the purpose of international data transfers.

The Ministry of Trade is authorised to oversee marketing communication. Apart from the above, sector-specific administrative institutions such as the BRSA, the Capital Markets Board, the Turkish Republic Central Bank and the Information and Communication Technologies Authority (ICTA) have authority to regulate issues regarding AI and the processing of personal data within their respective sectors.

However, there is no specific authority solely dedicated to regulating AI matters in Türkiye.

1.3 Administration and Enforcement

Process

The DPB may initiate investigations either upon receiving a complaint from a data subject or ex officio if it becomes aware of the alleged violation.

The Course of an Investigation

The DPB may request information and/or documents from controllers during its investigations. Controllers must provide the requested information and/or documents within 15 days, unless they constitute a state secret. The DPB may request further information and/or documents and may carry out on-site inspections during an investigation.

Administrative Fines

If the DPB identifies a violation of the DP Law, it can impose administrative fines, which may vary between TRY47,303 and TRY9,463,213 depending on the type of violation. As per the Misdemeanours Law No 5326, when determining fines, the DPB must consider the severity of the breach, the fault of the breaching party and its economic condition.

Administrative Orders

The DPB may also order the controller to bring its processing activities into compliance with the DP Law. The DPA is also entitled to order the cessation of certain personal data-processing activities or transfers abroad if it finds that such activities would result in damages that are difficult or impossible to compensate for and that the act is clearly unlawful. When the DPB orders a controller to bring its processing activities into compliance with the DP Law, the decision must be implemented without delay and, at the latest, within 30 days of the controller’s receipt of the notification.

Appealing a Sanction

Controllers have the right to appeal against the DPB’s decisions. If the DPB’s decision includes only an administrative fine, the controller may object to the decision before the Magistrates’ Court within 15 days of receipt of the decision. The decisions of the Magistrates’ Court can be appealed to another Magistrates’ Court in the same district. Where the DPB’s decision includes an administrative order, with or without an administrative fine, the controller can object to the decision before the administrative courts, whose decisions can be appealed to the Council of State. However, the DP Law Amendments foresee that, as of 1 June 2024, the DPB’s decisions imposing administrative fines will be appealed before the administrative courts rather than the Magistrates’ Court (see 1.8 Significant Pending Changes, Hot Topics and Issues).

1.4 Multilateral and Subnational Issues

Türkiye does not belong to any multinational system such as the European Union (EU) or the European Economic Area. However, the European system has a highly noticeable effect on DP Law practice.

Türkiye was one of the first countries to become a member of the Council of Europe and signed Convention No 108 in 1981, ratifying it in 2016, shortly before the adoption of the DP Law. However, Türkiye has not yet signed the Modernised Convention (also known as Convention 108+). As a candidate member state of the EU, Türkiye aims to align its national legislation with the EU acquis. As outlined in the Medium-Term Programme adopted by the Presidential Decree on 6 September 2023 (the “Medium-Term Programme”), the alignment process of the DP Law with EU legislation (particularly with the GDPR) is expected to conclude in the final quarter of 2024 (see 1.8 Significant Pending Changes, Hot Topics and Issues). The National Artificial Intelligence Strategy for 2021–2025 introduced by the Turkish government in August 2021 (the “National AI Strategy”) underscores Türkiye’s dedication to keeping pace with global advancements in AI, promoting partnerships, actively participating in international research endeavours, and strengthening connections between the domestic AI community and stakeholders worldwide.

Furthermore, as a member state of the Council of Europe, Türkiye initially held membership in the Ad hoc Committee on Artificial Intelligence (CAHAI) between May 2019 and December 2021, and joined the Committee on Artificial Intelligence in February 2022 following the dissolution of CAHAI. Türkiye joined the Global Partnership on Artificial Intelligence as of 22 November 2022. Additionally, as a member, Türkiye adheres to the studies and recommendations of the OECD.

1.5 Major NGOs and Self-Regulatory Organisations

Certain industry-specific organisations and chambers of commerce/industry have created working groups to assist their members in complying with the DP Law and in working on AI-related matters. Among these working groups, the Data Protection Association, founded in 2018, plays an active role in addressing practical challenges arising from the implementation of the DP Law, and organises numerous meetings where scholars and practitioners convene to discuss pertinent topics in the field. Additionally, the Artificial Intelligence Policy Association, established as an independent association in February 2021, stands out as the first non-governmental organisation dedicated to AI in Türkiye, with the aim of raising awareness about AI.

1.6 System Characteristics

Türkiye follows the EU omnibus model. The DP Law draws a framework for the DPA and controllers by providing a general overview of the obligations and principles that must be observed in data-processing activities. The DPA steers data-processing practice by issuing secondary legislation and publishing guidelines and/or the DPB’s resolutions. The DPA aims to take a proportionate approach to enforcement, prioritising cases with a significant risk of harm to individuals. The amounts of the administrative fines set forth in the DP Law are considerably lower than those set forth in the GDPR. However, the DPA’s propensity to enforce is relatively higher, in particular on data breaches, when compared to its European counterparts.

1.7 Key Developments

Key developments in Türkiye in the past 12 months are as follows:

• the adoption of the DP Law Amendments (see 1.8 Significant Pending Changes, Hot Topics and Issues);

• the DPB’s decisions approving the undertakings of two more entities for data transfers abroad;

• publication of the Guidelines on the Protection of Personal Data in Election Activities;

• publication of the Guidelines on the Processing of Republic of Türkiye Identity Numbers;

• publication of the Guidelines on Recommendations for Protecting Privacy in Mobile Applications;

• publication of the Guidelines on Issues to be Considered in the Processing of Genetic Data (the “Genetic Data Guidelines”); and

• announcement on obtaining explicit consent from customers in physical stores via SMS verification codes (see 2.3 Online Marketing).

1.8 Significant Pending Changes, Hot Topics and Issues

Amendments to the DP Law

The 12th Development Plan (2024–2028), issued on 31 October 2023 by the Presidency of the Republic of Türkiye, envisages the alignment of the DP Law with the GDPR (along with other EU legislation) as one of the major goals for the upcoming years. As per the Medium-Term Programme, the alignment of the DP Law is expected to be completed by the final quarter of 2024. The DP Law Amendments addressing some of the most problematic articles were published in the Official Gazette on 12 March 2024.

The DP Law Amendments enter into force on 1 June 2024 and foresee a specific transition period, until 1 September 2024, for personal data transfers abroad based on the explicit consent of data subjects. The DP Law Amendments have brought significant changes regarding the processing of special categories of personal data, the transfer of personal data abroad, and the procedures for appealing against DPB decisions. In addition to these amendments, broader amendments to the DP Law are also expected.

Legal grounds for processing special categories of personal data

The DP Law Amendments have introduced five alternative legal bases for processing special categories of personal data, in addition to the existing three legal bases (see 2.2 Sectoral and Special Issues), applicable to all special categories of personal data, as follows:

• being necessary for the protection of life or physical integrity of a person, who cannot express themselves due to an actual impossibility or whose consent is not deemed legally valid, or of any other person;

• personal data made public by the data subject themselves, provided that it aligns with their intention to make it public;

• being necessary for the establishment, exercise, or defence of a right;

• being necessary for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance; and

• for current or former members and affiliates, or individuals who are in regular contact with the foundation, association, and other non-profit organisations or formations established for political, philosophical, religious, or trade union purposes, provided that it is in accordance with the legislation and purposes they are subject to, limited to their field of activity, and not disclosed to third parties.

The previous differentiation among special categories of personal data will no longer apply, and all conditions stipulated in the article will uniformly apply to all special categories of personal data.

Transfer of personal data abroad

The DP Law Amendments foresee a gradual and alternative regime for international transfers of personal data, comprising three levels of transfers based on:

• adequacy decisions;

• appropriate safeguards; and

• occasional causes.

Under the current DP Law, the transfer of personal data abroad is allowed if the data subject’s explicit consent is obtained. However, under the DP Law Amendments, explicit consent will be permissible as a legal basis only if the data transfer abroad is occasional. Explicit consent obtained for transfers of personal data abroad will be considered compliant with the DP Law until 1 September 2024. After this date, the circumstances allowing data transfers abroad based on explicit consent will be restricted.

Parallel to the current DP Law, adequacy decisions remain a valid legal basis for transferring data abroad. The amendments grant the DPB the ability to issue adequacy decisions not only for countries but also for international organisations and specific sectors within third countries. Given that the DPB has yet to establish a Whitelist, it is expected that these amendments will not affect current practices.

In the absence of an adequacy decision, data transfers abroad can still occur through the implementation of appropriate safeguards. However, these safeguards can only be utilised if the conditions for processing personal data are met, and if it is feasible for data subjects to exercise their rights and access effective legal remedies in the third country where the data will be transferred. There are primarily four established methods to deploy appropriate safeguards:

• an agreement (excluding international treaties) between public institutions and organisations or international organisations abroad and public institutions and organisations or public professional organisations in Türkiye, subject to the DPB’s approval;

• Binding Corporate Rules (BCR), subject to the DPB’s approval;

• Standard Contractual Clauses (SCCs) announced by the DPB, with a requirement to notify the DPB within five business days from the date of signature of the SCCs; and

• a written undertaking containing provisions that will provide adequate protection, subject to the DPB’s approval.

If occasional data transfers abroad occur without an adequacy decision, and if one of the appropriate safeguards cannot be ensured, the data transfer abroad is possible under the condition that the transfer is not repetitive and one of the following criteria is met:

• the data subject has explicitly consented to the transfer, after having been informed of the possible risks of such transfers;

• the transfer is necessary for the performance of a contract between the data subject and controller, or the implementation of precontractual measures taken at data subject’s request;

• the transfer is necessary for the conclusion or performance of a contract concluded between controller and another natural or legal person in the interest of data subject;

• the transfer is necessary for an overriding public interest;

• the transfer is necessary for the establishment, exercise, or defence of a right;

• the transfer is necessary for the protection of the life or physical integrity of a person who is unable to give consent themselves due to actual impossibility or whose consent is not legally valid; and

• the transfer is made from a register that is open to the public or to persons with a legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with legitimate interest requests it.

It is crucial to underline that the regulations specified in the DP Law Amendments regarding the personal data transfer abroad and to international organisations also extend to onward transfers conducted by either controllers or processors.

Procedures for appealing against DPB decisions

In the current version of the DP Law, controllers have the right to object to the decision of the DPB before administrative courts only if such decision involves an administrative order. If not, appeals must be made to the Magistrates’ Court (see 1.3 Administration and Enforcement Process).

With the introduction of the DP Law Amendments, administrative courts will be the sole appellate courts.

AI

Published in September 2021, the Recommendations on the Protection of Personal Data in AI (Recommendations on AI) stands as the sole guideline issued by the DPA pertaining to the use of AI in data-processing activities.

The National AI Strategy emphasises international legislative studies’ significance and Türkiye’s commitment to this field but lacks clarity on its legislative modification objectives. Developing an ethical-legal framework to address the evolving requirements in AI is outlined as a key goal in the 12th Development Plan.

Geographic Data Rules

Depending on the scope of their activity, natural persons and legal entities engaged in processing geodata were required to seek permits and licences from the Ministry of Environment, Urbanisation and Climate Change (the “Ministry of Environment”). The Ministry of Environment was responsible for regulating the principles and procedures for obtaining such permits.

The Constitutional Court nullified the provisions granting the Ministry of Environment authority to define the scope, duration, procedures, principles and content of permits. The basis for nullification was the lack of adequate specification of the Ministry’s powers in the legislation.

Genetic Data

The Genetic Data Guidelines published by the DPA in October 2023 refer to the GDPR for the definition of genetic data, and outline the conditions for processing such data and the limitations on its transfer abroad. Controllers must provide detailed privacy notices, separate from general ones, covering processing purposes and the risks of cross-border transfers. The guidelines stress the importance of explicit consent and warn against making genetic data processing a prerequisite for services.


* Originally published by Chambers & Partners on 13 February 2024.
