LAW ON THE PROTECTION OF PERSONAL DATA

CHAPTER ONE

Purpose, Scope and Definitions

Purpose

ARTICLE 1 - (1) The purpose of this Law is to protect fundamental rights and freedoms of people, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.

Scope

ARTICLE 2 - (1) The provisions of this Law shall apply to natural persons whose personal data are processed as well as to natural or legal persons who process such data fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.

Definitions

ARTICLE 3 - (1) For the purposes of this Law the following definitions shall apply:

a) Explicit consent: freely given, specific and informed consent,
b) Anonymizing: rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,
c) President: President of the Personal Data Protection Authority,
ç) Data subject: the natural person, whose personal data is processed,
d) Personal data: all the information relating to an identified or identifiable natural person,
e) Processing of personal data: any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means,
f) Board: the Personal Data Protection Board,
g) Authority: the Personal Data Protection Authority,
ğ) Processor: the natural or legal person who processes personal data on behalf of the controller upon his authorization,
h) Data registry system: the registry system which the personal data is registered into through being structured according to certain criteria,
ı) Controller: the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.

CHAPTER TWO

Processing of Personal Data

General principles

ARTICLE 4 - (1) Personal data may only be processed in compliance with the procedures and principles set forth in this Law and other laws.

(2) The following principles shall be complied within the processing of personal data:

a) Lawfulness and conformity with rules of bona fides.
b) Accuracy and being up to date, where necessary.
c) Being processed for specific, explicit and legitimate purposes.
ç) Being relevant with, limited to and proportionate to the purposes for which they are processed.
d) Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.

Conditions for processing of personal data

ARTICLE 5 - (1) Personal data cannot be processed without the explicit consent of the data subject.

(2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

a) it is clearly provided for by the laws.
b) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.
c) processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of that contract.
ç) it is mandatory for the controller to be able to perform his legal obligations.
d) the data concerned is made available to the public by the data subject himself.
e) data processing is mandatory for the establishment, exercise or protection of any right.
f) it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Conditions for processing of personal data of special nature

ARTICLE 6 - (1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature.

(2) It is prohibited to process the personal data of special nature without explicit consent of the data subject.

(3) Personal data, excluding those relating to health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any person or authorised public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

(4) It is stipulated that adequate measures determined by the Board are also taken while processing the personal data of special nature.

Erasure, destruction or anonymizing of personal data

ARTICLE 7 - (1) Despite being processed under the provisions of this Law and other related laws, personal data shall be erased, destructed or anonymized by the controller, ex officio or upon demand by the data subject, upon disappearance of reasons which require the process.

(2) Provisions of other laws concerning the erasure, destruction or anonymizing of personal data are reserved.

(3) Procedures and principles for the erasure, destruction or anonymizing of personal data shall be laid down through a by-law.

Transfer of personal data

ARTICLE 8 - (1) Personal data cannot be transferred without explicit consent of the data subject.

(2) Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in:

a) the second paragraph of Article 5,
b) the third paragraph of Article 6, provided that sufficient measures are taken.

(3) Provisions of other laws concerning transfer of personal data are reserved.

Transfer of personal data abroad

ARTICLE 9 - (1) Personal data cannot be transferred abroad without explicit consent of the data subject.

(2) Personal data may be transferred abroad without explicit consent of the data subject provided that one of the conditions set forth in the second paragraph of Article 5 and the third paragraph of Article 6 exist and that;

(a) sufficient protection is provided in the foreign country where the data is to be transferred,
(b) the controllers in Turkey and in the related foreign country guarantee a sufficient protection in writing and the Board has authorized such transfer, where sufficient protection is not provided.

(3) The Board determines and announces the countries where sufficient level of protection is provided.

(4) The Board shall decide whether there is sufficient protection in the foreign country concerned and whether such transfer will be authorised under the sub-paragraph (b) of second paragraph, by evaluating the followings and by receiving the opinions of related public institutions and organizations, where necessary:

a) the international conventions to which Turkey is a party,
b) the state of reciprocity concerning data transfer between the requesting country and Turkey,
c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,
ç) the relevant legislation and its implementation in the country to which the personal data is to be transferred,
d) the measures guaranteed by the controller in the country to which the personal data is to be transferred,

(5) In cases where interest of Turkey or the data subject will seriously be harmed, personal data, without prejudice to the provisions of international agreements, may only be transferred abroad upon the permission to be given by the Board after receiving the opinions of related public institutions and organizations.

(6) Provisions of other laws concerning the transfer of personal data abroad are reserved.

CHAPTER THREE

Rights and Obligations

Obligation of Controller to Inform

ARTICLE 10 - (1) Whilst collecting personal data, the controller or the person authorised by him is obliged to inform the data subjects about the following:

a) the identity of the controller and of his representative, if any,
b) the purpose of data processing;
c) to whom and for what purposes the processed data may be transferred,
ç) the method and legal reason of collection of personal data,
d) other rights referred to in Article 11.

The Rights of Data Subject

ARTICLE 11 - (1) Each person has the right to apply to the controller and

a) to learn whether his personal data are processed or not,
b) to request information if his personal data are processed,
c) to learn the purpose of his data processing and whether this data is used for intended purposes,
ç) to know the third parties to whom his personal data is transferred at home or abroad,
d) to request the rectification of the incomplete or inaccurate data, if any,
e) to request the erasure or destruction of his personal data under the conditions laid down in Article 7,
f) to request notification of the operations carried out in compliance with subparagraphs (d) and (e) to third parties to whom his personal data has been transferred,
g) to object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavourable consequence for the data subject,
ğ) to request compensation for the damage arising from the unlawful processing of his personal data.

Obligations concerning data security

ARTICLE 12 - (1) The controllers are obliged to take all necessary technical and administrative measures to provide a sufficient level of security in order to:

a) prevent unlawful processing of personal data,
b) prevent unlawful access to personal data,
c) ensure the retention of personal data.

(2) In case of the processing of personal data by a natural or legal person on behalf of the controller, the controller shall jointly be responsible with these persons for taking the measures laid down in the first paragraph.

(3) The controller shall be obliged to conduct necessary inspections, or have them conducted in his own institution or organization, with the aim of implementing the provisions of this Law.

(4) The controllers and processors shall not disclose the personal data that they learned to anyone in breach of this Law, neither shall they use such data for purposes other than processing. This obligation shall continue even after the end of their term.

(5) In case the processed data are collected by other parties through unlawful methods, the controller shall notify the data subject and the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through other methods it deems appropriate.
