Impact of the GDPR in Turkey

The key piece of legislation governing data protection in Turkiye is the Personal Data Protection Law No. 6698 (“DPL”).

The secondary legislation comprises several regulations, such as:

1. The Regulation On Data Controllers Registry;
2. The Regulation on Erasure, Destruction or Anonymization of Personal Data; and
3. The Communiqué On Principles And Procedures To Be Followed In Fulfilment Of The Obligation To Inform Data Subjects.

Additional by-laws further regulate the operating procedures and principles of the Turkish Data Protection Authority (“DPA”). Resolutions of the DPA board (“Board”) set standards for implementing the DPL and the secondary legislation.

Like the GDPR, the DPL regulates the processing of personal data under two primary categories: (i) (ordinary) personal data, and (ii) sensitive personal data (i.e. special categories of personal data).

The sub-categories of sensitive personal data are also parallel with the GDPR, except the personal data related to criminal convictions, which is listed as one set of sensitive personal data among the others, whereas this is regulated under a separate article under the GDPR.

While the definitions of the data controller and data processor are similar under the DPL and the GDPR, the DPL does not set out data controllers’ and processors’ obligations in as much detail as the GDPR. For instance, joint controllership is not explicitly recognized under the DPL and data contollers are not obligated to appoint data protection officers. In the same vein, the appointment of sub-processors by a processor is also not specifically regulated under the DPL, although specific provisions to this effect exist under the GDPR.

The rights of the data subject are regulated in a somewhat similar manner under both texts. However, the GDPR grants data subjects various rights seemingly not recognized under the DPL (such as the right to data portability).

Without prejudice to the rights of data subjects explained above, the DPL foresees data controllers implementing technical and administrative measures for the protection of personal data. The exact nature of these measures is not specified under the DPL but have been the subject of various decisions rendered by the Board.

On the other hand, the GDPR makes a general reference to technical and operational measures and provides certain examples to this effect, which are not present under the DPL.

Unlike the GDPR, the DPL does not set forth an obligation to designate a data protection officer.

Unlike the GDPR, the DPL stipulates that in order to use the right to lodge a complaint with the DPA, the data subject must apply to the data controller first. If the data controller’s response is found to be insufficient or if the data controller does not respond at all, the data subject has the right to lodge a complaint to the DPA.

The DPL and GDPR regulate fines in a different manner and the fines regulated under the GDPR are potentially significantly higher compared to the DPL. While the administrative fines foreseen in the DPL are between TRY 9,834 (Approx. EUR 1027) and TRY 1,966,862 (Approx. EUR 205.428), the GDPR mandates penalties up to EUR 20,000,000 and 4% of the worldwide annual revenue from the preceding financial year of the related data controller/processor.

Unlike the GDPR, it is mandatory under the DPL for data controllers resident in Turkiye who employ more than fifty employees or have an annual financial statement worth more than TRY 25,000,000 and all foreign data controllers (who are engaged in data processing in Turkiye) to register with the Data Controller’s Registry.

On the other hand, the GDPR lists numerous exemptions according to which special categories of personal data may be processed without consent, which are unavailable under the DPL.

Similarly, certain Board decisions make references to the GDPR, which indicates that, going forward, the GDPR might continue to influence the legal practice in Turkiye as well as the decisions of the relevant public authorities.

Even though the Turkish legislation on data protection is not directly affected by the GDPR, the GDPR has a certain influence over the data privacy practice in Turkiye, such as the implementation of binding corporate rules, although such rules are not directly set out under the DPL.

Certain decisions rendered by the Board make reference to the GDPR which indicates that, going forward, the GDPR might continue to influence the legal practice in Turkiye as well as the decisions of the relevant public authorities.

As of today, Turkish legislation on data protection is not aligned with the GDPR. In fact, it should be stated that the DPL closely resembles the Directive no 95/46/EC (Data Protection Directive) which governed these matters prior to the implementation of the GDPR. This has resulted in major differences between the two texts. In this respect, we expect that the Turkish practice will continue to be influenced by the EU practice and the GDPR but the legal and economic circumstances in Turkiye will also result in certain differences between the practices in Turkiye and the EU.