View more from News & Articles or Primerus Weekly

Introduction

The Code on Protection of Personal Data No: 6698 has been published at Official Gazette of Turkey and put into force on April 7, 2016.

Afterwards; for the effective implementation of the said Code, the ensuing secondary legislations have been adopted and put into force, respectively;

• Regulation on Erasure, Destruction, and Anonymization of Personal Data, dated October 28, 2017,

• Regulation on Data Controller Registry, dated December 30, 2017

• Working Procedures and Conditions of Personal Data Protection Council, dated November 16, 2017.

With the enactment of the Code and establishment of Personal Data Protection Council, now the Administration has legal basis and started to impose “administrative fines”, in addition to criminal sanctions which have already been rendered by the Judiciary for a while.

Legal Frame

With an amendment made in Turkish Constitution on September 12, 2010, principles on protection of personal data have been incorporated into Turkish Constitution. Accordingly, ... Personal data can be processed only in cases envisaged by law or by the person’s explicit consent. The principles and procedures regarding the protection of personal data shall be laid down in law...”1

With an effort to carry out the task of adoption of the law, entrusted by explicit provision of Turkish Constitution, the Turkish National Assembly has adopted The Code on Protection of Personal Data No: 6698 which simply sets out General Principles, Conditions for Processing of Personal Data, Erasure, Destruction, and Anonymization of Personal Data, and Felonies and Misdemeanors in case of any breach of the law.

Basically, in enacting the Code on Protection of Personal Data No: 6698, Turkish Parliament has taken into account Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on “the protection of individuals with regard to

1

Article 20/3 of Turkish Constitution

the processing of personal data and on the free movement of such data” and transposed it into Turkish legislation in the form of a Code.

However, in the meantime, with an aim to provide more control over the personal data and improve the protection online, European Data Protection Regulation

2

repealing Directive 95/46/EC has been adopted and put into force across the European Union as of 25 May 2018, therefore it is fair to expect some slight changes in Turkish legislation on data protection in upcoming days to comply with acquis communautaire of European Union.

In addition to legal provisions set out in Turkish Constitution and afterwards at Code on Protection of Personal Data No: 6698, certain changes have also been incorporated and added to the proper sections of Turkish Criminal Code to ensure both civil and criminal aspects of data protection concept are harmonized. So, after enactment of new Turkish Criminal Code No: 5237 in 2004, provisions with regard to privacy of personal life and protection of personal data have been set forth in the text.

Pursuant to Article 135 of Turkish Criminal Code, the heading of which is “Recording Personal Data”, a person who illegally records personal data will be subject to imprisonment one year up to three years. Turkish Criminal Code also sets out the aggravating factors of the crime, which means if the personal data to be recorded in defiance of the law is related to race, ethnic origin, political and philosophical views, sexual life, health, membership of a trade-union of the persons then the sentence to be imposed pursuant to foregoing paragraph shall be increased as much as one-half of original imprisonment.

When it comes to illegal obtaining, transfer and dissemination of personal data, Article 136 of the Code stipulates between two years up to four years of imprisonment sanction.

Finally, under the heading of failure to delete and destruction of personal data beyond the period legally allowed, the punishment shall be between one year up to two years of imprisonment, and as an aggravating factor, if the subject matter of the crime is a data the destruction of which is required by Criminal Procedure Law, then the sentence imposed shall be increased up to one-half of original time.3

2

Regulation (EU) 2016/679 of the European Parliament and of the Councilof 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

3

Article 138 of Turkish Criminal Code

As a side note, in most of the personal data related criminal investigations, the prosecutors act on their own motion rather than upon receipt of a criminal complaint filed by the third parties.

Sanctions Stipulated at Code on Protection of Personal Data

Under Chapter 5, “Felonies and Misdemeanor” subsection of Law on Protection of Personal Data No: 6698, there is a reference to pertinent sections of Turkish Criminal Code No: 5237 with regard to criminal proceeding in the occurrence of certain infringement with protection of personal data concept. 4 So we will leave the discussions on the criminal investigation aspect to the analysis made supra on Turkish Criminal Code, and move forward with Misdemeanor aspect of any defiance with the law.

As said, Law on Protection of Personal Data also envisages certain administrative fines, and we hereby provide the type of each breach and its corresponding fine for ease of reference.

ACT 1:

Failure of Data Controller to carry out the duty to inform the person whose data is being collected and processed about the purpose of such collection, to whom such data might be disclosed and other requirements within the meaning of Article 10 of Code on Protection of Personal Data. The fine to be imposed will be between 5.000 TL- 100.000 TL.

ACT 2:

Failure of Data Controller to take necessary technical and administrative steps to ensure data security, such as; avoiding illegal processing of personal data or illegal access to personal data within the meaning of Article 12 of Code on Protection of Personal Data. The fine to be imposed will be between 15.000 TL- 1.000.000 TL.

ACT 3:

Failure to implement Protection of Personal Data Council’s requests which is acting based on complaint of third parties or on its own motion; such as failure to procure and submit information relevant to pending investigation, failure to take corrective

4

Article 17 of Law on Protection of Personal Data No: 6698

measures to avoid violation of the law, et cetera, within the meaning of Article 15 of Code on Protection of Personal Data. The fine to be imposed will be between 25.000 TL- 1.000.000 TL.

ACT 4:

Failure to meet the obligation to register with Data Controller Registration Office maintained under Institution of Protection of Personal Data and notification to the same Institution before starting to process the personal data within the meaning Article 16 of Law on Protection of Personal Data. of A. The fine to be imposed will be between 20.000 TL- 1.000.000 TL.

Conclusion

Even if newly established, the Protection of Personal Data Council has received quite amount of complaint from the sectors ranging from banking finance, telecommunication to health and insurance industries, and has started to issue administrative fines within the limits permitted by Code.

Considering the fact that the Council might issue up to one million TL of administrative fine based on the type of violation, and there might be some unpleasant criminal consequences, companies operating in Turkey must be particularly careful and make the necessary adaptation in their data processing structure to comply with the law.

Cumhuriyet Street. Gezi Apartment. No:9 5.th Floor Taksim 34437 İstanbul- Turkey Phone: +(90 212) 238 10 65 Fax: + ( 90 212) 238 08 10 E-mail: info@yamaner.av.tr web- page: www.yamaner.av.tr