The Personal Data Protection Law numbered 6698 (“Law”) has recently been published in the Official Gazette numbered 29677 on 07.04.2016.
Although Turkey signed the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on 28 January 1981, in the recent years, the protection of personal data has become more significant in line with the developments made in the information and communication technology and especially in the european countries, legal regulation and arrangements have been made in this scope.
The Law foresees provisions concerning various sectors such as information tecnology, banking, insurance and the areas such as e-commerce, e-healt and e-learning etc.
The aims of the Law are protecting fundemantal rights and freedoms in the processing of the personal data as well as regulating the obligations of the real and legal persons processing personal data and procedures to be complied by these persons.
The personal data is defined under article 3 of the Law as “any information related to an identified or identifiable real person”.
As per article 5 of Law, the personal data cannot be processed without the explicit consent of the related person. However, there are certain exceptions to this rule set forth under the Law such as the processing that are clearly foreseen by laws.
The Law makes the distinction between the personal data of a general nature and the personal data of a special nature. According to article 6 of the Law, certain personal data such as race, ethicity, political views, sexual life are considered sensitive and it is obligatory to take measures to be designated by the Personal Data Protection Board in the processing of the personal data of a special nature.
The Law stipulates that the Personal Data Protection Board shall be incorporated within 6 months as of the enactment of the Law.
The Law further regulates the transfer of the personal data along with the processing of the same. Pursuant to article 8 of the Law, the personal data cannot be transferred without the explicit consent of the data subject. Furthermore, the transfer of the personal data abroad is regulated under article 9 of the Law. Both articles shall enter into force after 6 months as of the enactment of the Law.
It should be also mentioned that the real and legal persons processing personal data must be registered with the Data Controller Registry before starting the processing the personal data. This Registry shall be established after 6 months as of the enactment of the Law.
Certain criminal sanctions and adminstrative monetary sanctions are foreseen especially in case of the breach of the obligations under the Law.
Since this Law is a framework law, it is expected that separate regulations and arrangements will be issued for main sectors such as insurance, banking etc.
The protection of personal data should also be assessed in terms of technical aspects along with its legal aspects. In this scope, the relevant technical standards set up by entities for tracking, encryption, recording and storing of the personal data will have to be rewieved and revised to conform with the international standards.
Important dates set forth under the Law are as follows: