Data Protection and Privacy in Turkey
As European Union’s data protection regulations date far back to 1995, Turkey recently initiated its legislative efforts and newly enacted Turkish Data Protection Law which primarily follows the EU Directive 95/46/EC. Expectedly, it is highly criticized in data protection in Turkey that Law is unreasonably based on the Directive rather than the EU Regulation 2016/679 (“GDPR“) which repealed the Directive and introduced new regulations in data protection. However, we may be optimistic and count this at least as a flare for awareness.
The Turkish Personal Data Board
As the deadline for the compliance has passed in 2018 April, The Turkish Board is quite active in imposing administrative fines to the companies. Recently, the Board released a brief summary of its recent cases in which the Board ruled several administrative monetary fines based on;
- Late notification of the violation,
- Conditioning the explicit consent to the performance of the service,
- Breach of data minimisation principle,
- Not responding to the data subject within the time period determined by the Law,
- Not fulfilling the request of the data subject regarding the erasure of the personal data,
- The absence of administrative and technical measures to ensure the required level of data security,
- Breach of the general data protection principles,
- Unlawful sharing of personal data
In addition, in Turkey, a new communique has been published in order to clarify the procedures of obligation to inform. Although it can be claimed that it mainly follows the footsteps of GDPR, there is a significant diversion.
Affects of GPDR on Turkish Data Protection
Finally, it is worth to mention that GDPR expands the territorial scope of the EU Law. With this regard, companies who target the EU residents should keep in the mind that they may fall into scope of the GDPR even if they conduct a business in Turkey/non-EU country. As an example, if a Turkish estate agency advertised a summerhouse, which is located in south part of Turkey, in euro currency and German language, we may say that the target audience is EU-residents, hence GDPR may apply this case as well. To sum up, there are many grey areas in the practice of Data Protection Law in Turkey and firms require comprehensive legal assistance in order to avoid unforeseen sanctions.