Turkey’s first comprehensive data protection law was enacted in April 2016. The 2016 Law on the Protection of Personal Data (“Turkish Data Protection Law”) is based largely on EU data protection law.
As a candidate state for EU membership, Turkey aligns much of its legal system with EU law. Turkish data protection law consequently shares many essential features with Europe’s data protection regime. Turkey’s 1982 constitution conferred a right of privacy, but it was drafted well before the advent of the internet. The 2016 Law on the Protection of Personal Data was the first comprehensive law to establish standard practices and procedures for handling personal data in the internet age. Turkey is keen to attract foreign direct investment, especially in the communications and technology sectors, so a reliable data protection regime is vital.
In a globalized economy, even companies without any presence in Turkey can be affected by Turkish data protection law if their data processing activities have an effect in Turkey. Overseas technology companies handling the data of Turkish individuals should be mindful that foreign data controllers can be required to register in Turkey.
Data breaches are becoming ever more commonplace, as fraudsters target major companies and government entities, and a single major breach can affect millions of people across multiple jurisdictions. How does Turkish law protect people from data breaches?
Turkish Data Protection Law represented a good start in the battle to protect private information in Turkey. The law allows administrative fines of up to three per cent of a company’s net annual sales to be levied if personal data is stolen or disclosed without consent, which provides a strong incentive for companies to keep their security tight. Personal data refers to the data of natural persons, not that of companies or other legal persons.
Turkish Data Protection Law is largely based on Directive 95/46/EC. It applies to both sensitive and non-sensitive personal information. Sensitive data is defined in Turkish law as including data relating to a subject’s race, ethnicity, religion, appearance, political views, union membership, health, sexual life and criminal convictions.
Unlike the General Data Protection Regulation (“GDPR”), however, “explicit consent” is required to process both sensitive and non-sensitive data. The exceptions to this general rule include cases where there is a legal obligation to process the data and where such processing is necessary to protect the life of the subject. Further processing is not allowed without specific consent, and there is no “compatible purpose” exception in Turkish law. The definitions of consent also differ between Turkish law and the GDPR.
While registration with an authority is not mandatory under the GDPR, a registration system is currently being rolled out in Turkey. Since 1 October 2018, certain organisations must register with Turkey’s Data Controller Registry Information System, known as VERBIS; as the name indicates, the registry is for data controllers, the parties that decide why and how personal data is processed. Those required to register include Turkish-resident controllers employing more than 50 employees or whose annual turnover exceeds 25 million Turkish lira, and those who process certain specified categories of data. Controllers resident outside Turkey whose activities have an effect in Turkey may also have to register, and have until 30 September 2019 to do so.
Those handling personal data have general obligations, which include ensuring that data is processed lawfully and for a specific and legitimate purpose, that it is accurate and up to date, and that it is kept only as long as necessary. Data subjects must be informed of the purpose for which their data will be processed, to whom the data could be transferred, and their rights in relation to the data.
The Personal Data Protection Board was created in 2017. This government body ensures that companies providing electronic communication services inform the Data Protection Authority if there is a data breach, or a risk to the security of a network and personal data held within it.
There is an obligation to report a data breach to the Data Protection Authority and to notify the affected subjects as soon as possible. No specific timeframe is set, but one company was fined for waiting ten months before notifying the authority. The Data Protection Authority can also make a data breach public if it considers this necessary.
Personal data should not be transferred outside Turkey without the consent of the data subject, except in strictly limited circumstances. Where the “interests of Turkey or the data subject will be seriously harmed” by a transfer of data outside Turkey, the approval of the Personal Data Protection Board is required.
As with GDPR, data subjects must generally opt in before they are sent commercial communications by electronic means. Every such communication must also provide a simple way to opt out. A significant exception to these general rules in Turkish law is that commercial traders and merchants may be sent commercial communications without their consent having first been obtained.
The penalties for data breaches in Turkey are not limited to fines: the criminal code provides for imprisonment. Those illegally collecting personal data can be imprisoned for one to three years, and this penalty rises if the data collected is sensitive. Those who illegally publish or transfer personal data may be imprisoned for two to four years.
Penalties can be increased by half if the offence is committed by a public official abusing their authority, or to secure a professional advantage. Even failing to delete lawfully collected data after the retention period expires can be punished by one to two years’ imprisonment. Once the VERBIS register is fully established, it will make the regulator’s task simpler, so enforcement actions are likely to increase.
Although the Turkish data protection regime is based on EU law, it has several distinct aspects that businesses operating in Turkey need to be mindful of.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.