In today’s world, our personal information, which goes beyond our name, surname, and birthdate and includes data such as our ethnic background and blood type, is no longer considered private. We are required to share our personal data when shopping, signing up for a website, opening a bank account, starting a job, enrolling in a course, or even ordering food. In an age where information is so easily accessible and disseminated, the privacy of personal life and the protection of personal data are of vital importance worldwide. In Turkey, the Law on the Protection of Personal Data, which came into effect in 2016, introduced comprehensive and important regulations.
First and foremost, any information that identifies or can identify a specific individual is considered “personal data.” Any process related to these data, such as obtaining, recording, storing, maintaining, altering, reorganizing, disclosing, transferring, taking over, making them available, or classifying them, is defined as “processing of personal data” under the Law on the Protection of Personal Data. According to this law, the explicit consent of the relevant individual is required for the processing of personal data. However, in cases where it is allowed by laws, where it is necessary to protect the life and physical integrity of individuals who cannot express their consent, where it is mandatory to establish a contract, or where it is necessary for data controllers to fulfill their legal obligations, personal data can be processed without the explicit consent of individuals.
The law does not specify how the explicit consent of individuals should be obtained, but it is recommended to obtain consent in writing for the sake of evidence.
Under the law, individuals or institutions that obtain personal data are defined as “data controllers.” Data controllers are obligated to inform the individuals concerned about their identity, the purpose of processing personal data, to whom and for what purpose the processed data will be transferred, the method of collecting personal data, and the legal basis for processing. Failure to comply with this obligation can result in fines ranging from 5,000 TL to 100,000 TL for data controllers.
The most crucial responsibility imposed on data controllers is related to the security of data. Data controllers who fail to provide adequate security for personal data processing or access can face fines ranging from 15,000 TL to 1,000,000 TL.
Everyone has the right to learn whether their personal data has been processed, the purpose of processing, whether the data is being used for its intended purpose, the recipients of the data, and to request the correction, deletion, or destruction of the data if it is inaccurate or incomplete. Individuals who have suffered damage due to the processing of their personal data also have the right to claim compensation for their damages.
The deadline for compliance with the law was April 7, 2018. The Personal Data Protection Board, established under the Law on the Protection of Personal Data, acts as an intermediary between data controllers and data subjects. The publicly accessible Data Controllers Registry, which is maintained under the supervision of the Board, is another significant innovation introduced by the law.
Almost all natural and legal persons, including employers and individuals involved in commercial activities, are required to register with the Data Controllers Registry before processing personal data. Personal data processed before the Law on the Protection of Personal Data came into effect must be brought into compliance with the law within two years from the date of publication, that is, by April 7, 2018. Accordingly, all personal data obtained without the explicit consent of individuals before the publication date of the law, which is April 7, 2016, must be deleted and destroyed. Otherwise, the penalties stipulated by the law will be enforced.
However, personal data obtained legally before the publication date of the law will be considered legally obtained if no objection is raised within one year from the date of acquisition. It is essential to note that the definition of “legally obtained” is not clear in the law, and this provision may require interpretation.