Data Protection Overview (Turkey)


There is not yet a specific protection in Turkey for privacy of personal data through data protection laws. Data protection in Turkish law is governed by the Constitution and a variety of general and sectorial laws such as the Civil Code, Criminal Code, Labor Law, Banking Law and the Bank Cards and Credit Cards Law though there is a Draft Law on Data Privacy, which was prepared and developed by the Turkish Ministry of Justice for several years without success. As part of the process for becoming a member of the European Union, Turkey has introduced a Draft on the protection of personal data, but it has not been adopted into Turkish legislation yet.

As a result, although there is not any special act regulating data protection in Turkey, there are specific provisions concerning data protection in several acts or secondary legislations that are mentioned below.


As part of Turkey’s Accession Partnership with the European Union, Turkey is required to “adopt a law on protection of personal data” and “establish an independent supervisory authority.”

The Bill of Data Protection Act was drafted by Ministry of Justice and sent to Office of Prime Minister in 9/11/2005. Preparations for the draft law for harmonization are at the final stage, but the draft law has not been adopted yet. The draft protects the personal data handled either by people or entities, with the aim of protecting natural people. It aims to protect the right of personality and the fundamental rights of persons who are the subjects of data processing. With the Draft Law, where all personal data is undergoing automatic processing, the following issues will be regulated; respect for protection of rights and fundamental freedoms, in particular the right to privacy; ensuring that the data stored is accurate and up-to-date, and where necessary corrected or erased, safeguarding personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data regarding health or sexual data.

The main provisions of the Draft could be summarized as follows:

Individual Rights and fair and lawful processing: Right of Access, modification and deletion are included. The Bill allows for data to be collected in situations where the individual has provided consent, to meet legal obligations, or the information collected is in the public interest.

Retention: Data should be anonymised or erased when no legal provisions for the retention exist.

Confidentiality: It must be guaranteed by law if personal information is going to be collected.

Data Transfers: It follows the Data Protection Directive general rule of allowing transfers only to countries with and adequate level of data protection.

Penalties and fines: It introduces jail sentences for collecting personal data in breach of law as well as for disclosing it illegally to third parties.

An autonomous data protection authority is also foreseen by the Draft with the power to act independently from the government.

The Draft Law, which was prepared as a part of Turkey’s commitments toward the European Union under the National Program for Accession to the European Union, mainly follows the Agreement 108 of EU “Convention for Protection of Individuals with regard to Automatic Data Processing” which Turkey is a signatory to, European Union Data Protection directive No. 95/46/EC and the Commission Decision 2001/497/EC on Standard contractual clauses for the transfer of personal data to third countries.


Section Five of the 1982 Turkish Constitution is entitled “Privacy and Protection of Private Life”. Article 20 of the Turkish Constitution deals with individual privacy and states, “Everyone has the right to demand respect for his private and family life. Privacy of individual and family cannot be violated.” This regulation also constitutes that; “every person has absolute freedom to decide whether to provide or not his/her personal data and in the Latter, he/she shall not be compelled to do so.”

Restriction and limitation of these rights are possible in exceptional circumstances by governmental authorities, police, courts and by some other legal entities. However, such particular restrictions must be legitimized with a court’s decision or with a state of emergency or restriction conditions must be defined explicitly in a regulation.

Article 22 preserves the secrecy of communication and states that “Communication shall not be impeded nor its secrecy be violated, unless there exists a decision duly passed by a judge in cases explicitly defined by law in cases where delay is deemed prejudicial.”


Pursuant to Article 24 of the Civil Code, an individual whose personal rights are violated unjustly may bring a civil action to protect against such violation and/or the compensation of damages arising from such violation.

Disclosing or misuse of personal and/or confidential data can be considered as an infringement of personal rights according to these general rules for the protection of personal rights. An aggrieved party may file a lawsuit and receive indemnification of its material and immaterial damages pursuant to Article.49 of the Code of Obligations.


The new Criminal Code entered into force on 1 June 2005 sets forth number of provisions specifically dealing with the protection on personal data. The New Criminal Code regulates that unlawful storage of personal data is subject to a penalty of imprisonment from six months to three years. In the case of unlawful transmission or reception of personal data, the penalty is increased to imprisonment from one to four years. Furthermore, those who do not erase or destroy the personal data in spite of the expiry of the time period stipulated in the relevant laws for the maintenance of such data shall be punished by imprisonment from 6 months to 1 year.

There is also another criminal liability of violating personal rights by infringing rights of personal data is evaluated within the context of computer-related offenses and the sanctions regarding the issue is regulated Under the Turkish Criminal Code Amendment no. 3756 “Crimes on Informatics”.


Turkey, as a member of the Council of Europe signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) in 1981, but has not ratified it yet.


Apart from the provisions in the abovementioned general Codes, there are many specific laws, regulations and communiqués dealing with data protection issues including but not limited to By-Law on processing of personal data and the protection of confidentiality in the telecommunication sector, Law on Criminal Records, Law on Tax Procedure, Labor Law, Banking Law, Debit and Credit Cards Law, By-Law on Medical Examination of body, genetic examinations and designation of physical identities, Electronic Communications Law, Electronic Signature Law.

Dila GUR