Checklist for Compliance of Turkish Data Protection Law

October 2022 – We have prepared this checklist for data controllers that would like to audit themselves to determine how they generally comply with Turkish Data Protection Law numbered 6698[1] (the "DP Law") and the decisions of the Turkish Data Protection Board (the “Board”).

Have you registered with the Data Controllers’ Registry System?

Under the Regulation on Data Controllers’ Registry[2], foreign data controllers are required to be registered with the Data Controllers’ Registry System (“VERBIS”) established and operated by the Board. In this respect, the following data controllers are required to register with VERBIS:

  • data controllers having more than 50 employees in a year;
  • data controllers with a total annual balance sheet amount of more than TRL 25 million;
  • data controllers residing abroad;
  • data controllers whose main activity is processing sensitive data, even if they have less than 50 employees in a year and their total annual balance sheet amount is less than TRL 25 million; and
  • public institutions and organisations.

According to Article 5 of the Regulation on the Data Controllers’ Registry, data controllers are obliged to prepare a personal data inventory and declare their processing activity to the VERBIS interface based on this personal data inventory. In case of changes to the information declared in the VERBIS interface, data controllers must update the VERBIS interface within seven days. In case of a violation of this obligation, the Board may impose an administrative fine that ranges from TL 53,572 to TL 2,678,863 for the year 2022.

Do you fulfil your obligation to inform data subjects?

According to Article 10 of the DP Law, data controllers are obliged to inform their data subjects. According to Article 4 of the Communiqué on the Obligation to Inform[3], the text of the obligation to inform is required to include the following:

  1. the identity of the data controller and, if any, its representative;
  2. the purpose for which personal data will be processed;
  3. to whom and for what purpose personal data could be transferred;
  4. the method and legal basis for collecting personal data; and
  5. other rights of the data subject listed in Article 11 of the DP Law.

Data controllers must fulfil this obligation in all cases where personal data is processed. If a data controller processes personal data on the basis of explicit consent, the explicit consent of the data subjects must be obtained after fulfilling this obligation to inform.

In case of a violation of the obligation to inform, the Board may impose an administrative fine ranging from TL 13,391 to TL 267,883 per violation for the year 2022.

Do you process personal data in accordance with the DP Law?

Data controllers need to adhere to the fundamental principles of processing of personal data as follows:

  • they must operate lawfully and fairly;
  • the personal data processed must be accurate and kept up to date where necessary;
  • personal data must be processed for specified, explicit and legitimate purposes;
  • the processing of personal data must be relevant, limited and proportionate to the purposes for which it is processed; and
  • personal data must be stored for the period laid down by the relevant legislation or the period required for the purpose for which the personal data is processed.

In addition, data controllers need a legal basis to process personal data. The main legal basis is the explicit consent of the data subjects. If a data controller has another legal basis stipulated under the DP Law, it no longer needs to obtain the explicit consent of the data subjects. In this respect, data controllers need to assess each data processing activity to determine whether a legal basis other than explicit consent applies.

In case of unlawful data processing activity, the Board may impose an administrative fine ranging from TL 40,179 to TL 2,678,863 per violation for the year 2022.

Have you taken adequate technical and administrative measures?

According to Article 12 of the DP Law, data controllers are obliged to ensure data security and to take adequate technical and organisational measures in this regard. Data controllers need to determine these adequate measures according to their needs. In this respect, the Board’s guidelines and decisions are instructive for data controllers.

In case of failure to take the adequate measures that the Board has set out in its decisions and guidelines, the Board may impose an administrative fine ranging from TL 40,179 to TL 2,678,863 per violation as per Article 18 of the DP Law.

Do you have compulsory policies?

Data Retention Policy: Data controllers that are obliged to register with VERBIS are also required to determine the data storage period and create a data retention policy under the Regulation on Erasure, Destruction or Anonymisation of Personal Data[4].

Policy on the Processing of Sensitive Data: According to the Board’s decision numbered 2018/10, data controllers that process sensitive data are obliged to determine a separate policy and procedure that is related to the security of sensitive data and to have specific rules that are manageable and sustainable.

Data Breach Intervention Plan: According to the Board’s decision numbered 2019/10, data controllers must have a data breach intervention plan.

In case of violation of the obligation to ensure data security, the Board may impose an administrative fine ranging from TL 40,179 to TL 2,678,863 per violation as per Article 18 of the DP Law.

Do you transfer personal data outside of Turkey?

Cross-border data flows are regulated under Article 9 of the DP Law as well as by the decisions of the Board. Accordingly, data controllers may transfer personal data abroad only if:

  • the data subject has provided its explicit consent;
  • both the exporting data controller located in Turkey and the importing party located outside of Turkey provide a written undertaking to adequately protect the data and obtain an approval from the Personal Data Protection Board; or
  • the third country to which the data is transferred provides adequate protection for personal data. However, to date the Board has not published the list of safe countries that provide adequate protection.

In case of a violation of cross-border data flows rules, the Board may impose an administrative fine ranging from TL 40,179 to TL 2,678,863 for the year 2022. In addition, the Board may also instruct a data controller to cease the transfer of personal data outside of Turkey.

Do you process personal data through cookies?

On 20 June 2022, the Board published guidelines on the use of cookies to collect personal data and the use of personal data on online environments such as websites, mobile applications, smartphones, and tablets. In this respect, data controllers are required to comply with the instructions determined under the guidelines. For detailed information, please see our article here.

For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com

_________________________

[1] Published in the Official Gazette No. 29677 and dated 7 April 2016

[2] Published in the Official Gazette No. 30286 and dated 30 December 2017

[3] Published in the Official Gazette No. 30356 and dated 10 March 2018

[4] Published in the Official Gazette No. 30224 and dated 28 October 2017