Personal Data Protection And Compliance Procedures Under Turkish Regulations



Personal Data Protection Code No. 6698 (“Code”) came into force in Turkey on April 7, 2016 and set forth many obligations for Data Controllers. The Code was drafted in line with European Union Directive 95/46/EC to protect the personal data of individuals and to control the movement of such data. In this article, we highlight the important obligations and possible sanctions provided by the Code and set out the step plan that must be fulfilled in order to complete the compliance process.


The following definitions are important for a better understanding of the Code:

i. Personal Data: shall mean any information relating to an identified or identifiable natural person ("Data Subject") where Customer is the Controller; an identifiable natural person is a person who can be identified, directly or indirectly with the use of additional information, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
ii. Data Subject: shall mean the owners of Personal Data.
iii. Sensitive Personal Data: shall mean Personal Data including race, ethnicity, political opinion, health status, sexual orientation, criminal background and memberships.
iv. Data Controller: shall mean the real or legal entities which determine the purposes of processing Personal Data.
v. Data Processor: shall mean the real or legal entities which process the Personal Data through the power vested by the Data Controller.

In accordance with the explanations above, all information collected from Employees shall be considered “Personal Data.” Companies shall be regarded as the “Data Controller” and shall appoint a “Data Processor” for compliance with the Code.

The general requirements that must be fulfilled for data protection compliance are as follows:

i. Data Subjects shall be informed about Personal Data Protection.
ii. In principle, the Data Controller shall obtain the explicit consent of the Data Subjects for collecting and processing Personal Data.
iii. The Data Controller shall be registered with the Data Protection Council, which was established in accordance with article 3/g of the Code.
iv. In principle, the Data Controller shall obtain the explicit consent of Data Subjects for transmitting Personal Data abroad.
v. Personal Data shall be categorized and shall be removed, anonymized or destroyed if required.
vi. A policy for collecting, removing and destroying Personal Data shall be created.
vii. Existing personal data must become compliant in the required time frame.


In a nutshell, our Data Protection Legal Check-up aims to assess and establish compliance by:

i. Determining what personal data is collected, stored and processed within the Company.
ii. Clarifying what personal data you are permitted to collect, store, share or possibly sell/lease, and how you should go about this, highlighting your rights and obligations.
iii. Determining who is responsible for data processing within the Company.
iv. Assessing whether you comply with all the legal/compliance requirements (some of which can be contradictory with each other).
v. Advising on changes to existing internal or external processes, as well as implementing new procedures.
vi. Identifying the risks for negligence or violations of legal requirements.
vii. Advising on and implementing the relevant laws and regulations, designed to govern the transfer of personal data to affiliates abroad.

i. Criminal Consequences: In accordance with the Code, Data Controllers might be sentenced to imprisonment of between two years and four years (for each data breach).
ii. Administrative Consequences: In accordance with the Code, Data Controllers might be ordered to pay a penalty of between 5.000,00 TL and 1.000.000,00 TL (for each data breach).

1. Data Inventory Survey:
Kick-off presentation to create awareness of data protection compliance within the Organization.

Understand whose personal data is collected, stored and processed by the Organization.

Understand where personal data is located, both manually and electronically.

Guidance for the preparation of the Data Inventory by the Organization to detail personal data processes, personal data categories, purpose of processing, where the data is located, transfer to third parties, cross-border transfers, security measures, retention period.

Hold meetings with each of the Departments once the draft data inventory is prepared, with one round of revision of the data processing channels within the draft data inventory.

Identify and review existing data protection related policies and procedures within the Organization.

2. Legal Risk Analysis:
Identify laws and regulations applicable to the Organization's data processes.

Identify key data protection risk areas in accordance with the relevant laws and regulations.

Report on data protection compliance requirements, ramifications and recommendations.

3. Implementation:
Establish a Data Protection Policy and a Data Anonymization and Deletion Policy to foster a compliant culture in the organization, which includes the:

Data protection roles and responsibilities within the organization.

Establishment of data protection committee and appointment of data protection representative/officer (if requested by the Client), as well as determining their duties and responsibilities.

Activities required to ensure compliance.

Draft a tailored, detailed data inventory management procedure with an understanding of the organization’s business needs and data protection requirements.

Draft a Personal Data Impact Assessment Form to be filled out by the employees before initiating a new project involving data processing.

Draft tailored, detailed information notices and explicit consent where necessary for the relevant data subject group.

Draft annexes for the employment agreement concerning personal data.

Draft data protection related clauses, or amendment protocols.

Draft a data subject application form and sample answers.

4. Training:
Create awareness of data protection requirements within the organization.

Train all levels of staff via a range of different training modules, including do’s and don’ts, based on their requirements, as well as data protection policies and procedures.

Should you have any queries and/or remarks, please do not hesitate to contact us at any time.

Kind Regards,
Att. Selman BALTACI
0216 519 20 00