Introduction
The Data Privacy in the Turkish Legal System is founded on constitutional guarantees and codified primarily in the Law on the Protection of Personal Data (KVKK, No. 6698). This framework ensures that personal data is processed lawfully, fairly, and transparently. For businesses, professionals, and foreigners operating in Turkey, compliance with the rules of data privacy in the Turkish legal system is both a legal obligation and a necessity for building trust with customers and partners.
For businesses, professionals, and foreigners operating in Turkey, understanding the data privacy general framework in the Turkish legal system is essential to ensure compliance and avoid penalties.
1. Constitutional Basis
Article 20 of the Turkish Constitution guarantees the right to protection of personal data. It states:
- Everyone has the right to demand the protection of their personal data.
- This includes being informed, accessing, correcting, and requesting deletion of data.
- The collection, processing, and use of personal data must be based on the individual’s explicit consent or legal authorization.
This constitutional guarantee aligns Turkey with international human rights standards.
2. Law on the Protection of Personal Data (KVKK)
The KVKK No. 6698 is the primary legislation regulating data privacy in Turkey. Its structure is largely inspired by the EU Data Protection Directive (95/46/EC), and later developments show convergence with the GDPR, though some differences remain.
Key Principles
The KVKK requires that personal data be:
- Processed lawfully and fairly (hukuka ve dürüstlük kurallarına uygun işlenme),
- Accurate and up-to-date,
- Collected for specific, explicit, and legitimate purposes,
- Relevant and limited to what is necessary,
- Stored for only as long as necessary.
Lawful Bases for Processing
Data processing is lawful when:
- Explicit consent of the data subject exists,
- Required by law,
- Necessary to protect life or physical integrity,
- Related to a contract,
- Required for compliance with legal obligations,
- Related to legitimate interests, provided fundamental rights are not harmed.
3. Sensitive Data (Özel Nitelikli Veriler)
The KVKK places special restrictions on processing sensitive personal data, such as:
- Race, ethnic origin, political opinion, religion, sect,
- Health data, biometric and genetic data,
- Sexual life, criminal convictions, and security measures.
Such data can only be processed with explicit consent or under strict legal grounds (e.g., for health services, occupational safety).
4. Data Controllers and Data Processors
- Data Controller (Veri Sorumlusu): The person or entity that determines the purposes and means of processing data.
- Data Processor (Veri İşleyen): The person or entity that processes data on behalf of the controller.
Both must comply with KVKK obligations, such as registration, technical and organizational measures, and responding to data subjects’ rights.
5. Rights of Data Subjects
Individuals (data subjects) enjoy broad rights under the KVKK, including the right to:
- Learn whether their data is being processed,
- Access their data,
- Correct inaccurate or incomplete data,
- Request deletion or anonymization,
- Object to unfavorable results based on automated processing,
- Seek compensation for damages from unlawful processing.
Requests must be answered by data controllers within 30 days.
6. Data Transfers
Domestic Transfers
Permitted under lawful grounds similar to processing conditions.
Cross-Border Transfers
Personal data may only be transferred abroad if:
- The data subject gives explicit consent, or
- Adequate protection exists in the recipient country, or
- The Turkish Data Protection Authority (Kişisel Verileri Koruma Kurumu – KVKK Kurumu) grants approval.
This requirement makes international data transfers a sensitive compliance issue for multinational companies in Turkey.
7. Data Protection Authority
The Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) oversees enforcement of the KVKK. Its duties include:
- Issuing secondary legislation and guidelines,
- Supervising compliance through audits,
- Investigating complaints,
- Imposing administrative fines,
- Raising public awareness.
The Authority is independent but has close ties to the Ministry of Justice.
8. Sanctions and Penalties
Non-compliance with KVKK can result in significant administrative fines, ranging from thousands to millions of Turkish liras, depending on the violation. Criminal liability may also arise for unlawful data processing, especially under the Turkish Penal Code (TCK Arts. 135–140).
Examples of violations include:
- Processing data without consent,
- Failure to register with the Data Controllers’ Registry (VERBİS),
- Failure to notify data breaches,
- Unlawful transfer of sensitive data.
9. Sectoral Regulations
Apart from the KVKK, special rules apply in certain sectors:
- Banking: Banking Law requires strict confidentiality of customer data.
- Health: Health data enjoys extra protection under both KVKK and Ministry of Health regulations.
- Telecommunications: Operators must safeguard communications data under Electronic Communications Law.
10. Practice and Compliance
In practice, businesses operating in Turkey must:
- Register with the VERBİS system if thresholds are met,
- Draft privacy policies and consent forms,
- Train employees on data protection,
- Implement technical and organizational safeguards (encryption, access control),
- Establish internal procedures for handling data subject requests.
Foreign companies with subsidiaries in Turkey must ensure alignment between local KVKK compliance and global data protection policies.
Conclusion
The Data Privacy in the Turkish Legal System establishes a secure framework protecting individuals and imposing obligations on businesses. With the KVKK, constitutional safeguards, and regulatory enforcement, Turkey ensures that privacy is respected while allowing economic and technological development. For foreign companies, strict adherence to data privacy in the Turkish legal system is key to smooth business operations.
Yanıt yok