The ELA is proud to welcome our newest member firms: Potter, Anderson & Corroon in Delaware and Morais Leitão in Portugal! 

News

Personal Data Protection Obligations of Turkey

Submitted by Firm:
Karadağ Law Office
Firm Contacts:
Melek Onaran Yüksel, Nisa Saraç
Article Type:
Legal Update

Obligations of Data Controllers which Process Data in Turkey, Relevant Deadlines and Administrative Fines as per the Protection of Personal Data Law no. 6698

Turkish Protection of Personal Data Law no. 6698 (the “Law”) sets forth significant obligations for Data Controllers that process personal data in or from Turkey. The Law also determines deadlines for certain obligations and significant administrative fines to be imposed in case of non-compliance with the said obligations.

Although the Law was enacted in 2016, many employers doing business in Turkey have so far been reluctant to ensure compliance with its requirements. However, following the establishment of the Personal Data Protection Institution (the “Institution”), compliance with the Law has become more important, as the Institution currently imposes considerable administrative fines on Data Controllers who do not comply with the Law.

Registration to the Data Controllers’ Information Registry System (“VERBIS”) and Deadline

VERBIS is an official online registration system with which Data Controllers should register. Data controllers are required to include the following information when registering: (i) the purposes of data processing, (ii) data groups, data subjects and categories of personal data, (iii) recipients, recipient groups and countries to which the data will be transferred, (iv) administrative and technical security measures taken to protect personal data, (v) the maximum retention period for each data category, and (vi) the data controller contact person.

Registration with VERBIS is a requirement for certain data controllers. According to the Law, registration with VERBIS is obligatory:

  • for real person and legal entity data controllers (and their branches) residing in Turkey whose annual number of employees is more than 50 or whose total annual financial balance sheet is more than TRY 25 million,
  • for real person and legal entity data controllers located abroad (regardless of the total number of employees and financial balance sheet).

The final date for Data Controllers to register with VERBIS has been extended to 31.12.2019 by the Institution.

Compliance with the Law

As explained above, the Law sets forth significant obligations for Data Controllers. Other than registration to VERBIS, all Data Controllers are required to comply with the requirements of the Law. Although it is not possible to list all, the main requirements for compliance with the Law can be summarized as follows:

  • Preparation of the Personal Data Processing Inventory: The Data Inventory is a comprehensive document that should include all information required for VERBIS registration as explained above.
  • Preparation of policies such as the Personal Data Request and Response Policy, Personal Data Loss Notification Policy, Personal Data Processing Policy, and Personal Data Retention and Disposal Policy.
  • Preparation of the necessary forms, such as the PDPL consent/explicit consent form for employees and the data controller application form.
  • Preparation of an additional PDPL protocol for suppliers.
  • Preparation of a PDPL clause which may be used in various contract types.
  • Providing training to employees in order to comply with the Obligation of Clarification.

There is no specific deadline for the actions explained above; therefore, all data controllers are required to ensure compliance with the Law as soon as possible.

Criminal Sanctions, Administrative Fines and Practice of the Institution

Criminal Sanctions as per Turkish Criminal Code

Under Article 138 of the Turkish Criminal Code, the unlawful processing of personal data is regulated as a crime. As per the relevant provisions, “any person who unlawfully delivers data to another person, or publishes or acquires the same through illegal means is punished with imprisonment from one year to four years. Security precautions specific to legal entities are imposed in case of commission of offences defined above articles by legal entities”.

Administrative Sanctions as per Protection of Personal Data Law

As per Article 18 of the Law, an administrative fine from TRY 20.000 to TRY 1.000.000 is applied where data controllers who are obliged to register with VERBIS do not meet the registration deadline or do not register at all.

The administrative fines for non-compliance are scattered throughout the Law. The important administrative fines are as follows:

  • From TRY 5.000 to TRY 100.000 for data controllers who do not fulfill the obligation of clarification,
  • From TRY 15.000 to TRY 1.000.000 for data controllers who do not fulfill the obligation of data security,
  • From TRY 25.000 to TRY 1.000.000 for data controllers who do not fulfill the Institution’s decisions regarding procedures and principles of review upon complaint or ex officio.

Current Practice of the Institution

As the deadline for registration with VERBIS has not yet been reached, the Institution has not imposed any administrative fine in this regard. However, the Institution’s stance on this obligation is very strict, and accordingly it is expected that the Institution will impose administrative fines as of 01.01.2020.

As there is no deadline for data controllers to comply with the Law, the Institution imposes significant administrative fines in case of non-compliance. Some of the recent decisions of the Institution regarding administrative fines due to non-compliance with the Law are as follows:

  • An administrative fine in the amount of TRY 700.000 was imposed on a foundation university due to unlawful data processing stated in Article 18;
  • An administrative fine in the amount of TRY 450.000 was imposed on a company due to being defective in taking the technical and administrative measures stated in Article 12;
  • An administrative fine in the amount of TRY 450.000 was imposed on a company due to not taking the necessary technical and administrative measures. An administrative fine in the amount of TRY 550.000 was also imposed on the same company due to failure to notify affected persons;
  • An administrative fine in the amount of TRY 400,000 was imposed on a company due to not taking the necessary measures, and an administrative fine of TRY 100,000 was imposed on the same company for not notifying the relevant persons regarding the violation determined.

In light of the foregoing, all companies are strongly advised to carry out and complete an audit to ensure compliance with the Law as soon as possible in order to avoid the above-stated administrative fines.
