What Are Turkey’s Challenges With Data Privacy?
Compliance with Turkey’s ‘DP Law’ requires several challenging criteria to be met in order to ensure the lawful transfer of personal data.
In this feature, HHK partner Batu Kınıkoğlu explores these conditions and how they are expected to develop as Turkey brings the law more in line with GDPR. What should firms with Turkish operations keep in mind?
What are the key acts and regulations governing data protection in Turkey?
The Law on the Protection of Personal Data No. 6698 (DP Law) is the most significant law in Turkey on the protection of personal data. Enacted in 2016, the DP Law is mostly based on the EU Directive 95/46/EC. Before the DP Law was enacted, in 2010, the Turkish Constitution was amended, and protection of personal data was enshrined as a right in Article 20 of the Constitution. Unlawful processing, transfer, and acquisition of personal data are regulated as crimes in the Turkish Penal Code, carrying prison sentences of up to eight years.
There are also sectoral regulations, which include terms on data protection, most notably in the areas of electronic communications (involving internet traffic and location data), eCommerce (involving electronic commercial communications) and banking (involving customers’ private data).
What major challenges have data privacy matters presented to the Turkish corporate and legal sectors in the past decade?
Since the DP Law was the first general law on data protection in Turkey, knowhow and awareness of data privacy among the public and businesses were fairly limited during the early days of its enactment. The transition period envisaged in the Law further complicated the matter. The fact that some terms of the Law came into effect immediately with the enactment of the Law, such as terms on data processing principles and lawfulness of processing, made it challenging for many companies to comply with the Law, especially in the early days.
Over the six years since the enactment of the DP Law, knowhow and awareness of data privacy have increased. Furthermore, the Personal Data Protection Authority was established in 2017 and has been preparing secondary regulations and guidelines, which have helped companies comply with the Law. However, several areas remain perplexing for data controllers and data processors in Turkey. Among these problems, the most problematic issue relates to the transfer of personal data abroad.
According to the DP Law, personal data of data subjects in Turkey can be transferred abroad only on three conditions: 1) if the data subject provided their explicit consent for the transfer of their personal data; 2) if the transfer is made to a country which was deemed “safe” by the Turkish Personal Data Protection Authority because they provide an adequate level of data protection; 3) if the data controller in Turkey and the data controller/processor abroad sign the standard contractual clauses published by the Turkish Authority or prepare binding corporate rules, and get the Authority’s approval for the transfer. Currently, all three options remain challenging for data controllers in Turkey.
Because explicit consent must be freely given, data controllers cannot compel data subjects to give their consent for the transfer of their personal data abroad. This means that data controllers must create alternative methods to locally store the personal data of data subjects who do not wish for their data to be transferred abroad. Also, since the Turkish Data Protection Authority has not yet published the list of safe countries that provide an adequate level of data protection, the second option does not work in practice either.
This leaves the third option, signing the standard contractual clauses of the Authority and getting their permission, as the only viable option to transfer personal data abroad. However, the strict examination of the Authority and the vast amount of additional information that is required to be submitted with the agreement, such as information security policies and procedures, have meant that only a few data controllers have been able to receive this permission as of now.
Turkey currently plans to change the DP Law to conform with the GDPR. I hope that after this change, data controllers in Turkey will have more options for transferring data abroad, such as codes of conduct, certification, performance of a contract, or even compelling legitimate interests of the data controller in certain limited situations.
How have these challenges differed for domestic and foreign corporations?
While one of the biggest challenges for Turkish corporations was the lack of knowhow and awareness during the early days of the DP Law, foreign corporations, especially European companies, were familiar with privacy regulations due to the decades-old privacy regulations such as the 95/46/EC Directive and the related national laws.
However, most of these foreign corporations were not aware of the overarching framework of the DP Law. The DP Law does not have specific articles on the territorial scope of the Law such as Article 3 of the GDPR. The Turkish Data Protection Authority states that data controllers must comply with the DP Law if they process personal data of data subjects in Turkey, regardless of where they are established. With no clear criteria such as the establishment or targeting/monitoring criteria envisaged in the GDPR, any data controller processing personal data of a data subject in Turkey can fall within the scope of the DP Law and the jurisdiction of the Turkish Data Protection Authority.
This has several consequences for data controllers established abroad. First, any data controller processing personal data of data subjects in Turkey must register with the data controllers’ registry called VERBIS, which is managed by the Turkish Data Protection Authority. These companies must appoint a representative, which must be a legal entity established in Turkey or a Turkish citizen. The Turkish Authority has the power to issue administrative fines to companies for failing to register with the registry. Second, in the case of a data incident, these companies must notify the Data Protection Authority within 72 hours if the data of data subjects in Turkey have been breached. Because the Turkish Authority can act ex-officio and investigate any data incident without the notification of the data controller, there have been cases where the Turkish Authority issued administrative fines to foreign data controllers both for the data incident involving data subjects in Turkey and for not duly notifying the Authority about the incident in time.
What do you see in the future of data privacy in Turkey? What challenges will have to be overcome for organisations both domestically and internationally?
Data privacy regulations provide both challenges and opportunities for corporations in Turkey. Six years after the enactment of the first general data protection law in Turkey, corporations have built up the necessary knowhow and continue to create awareness among their employees and business partners. We see companies re-think their business models to cope with the digital age, and the only way they can best realise the value of data is if they acquire and process personal data lawfully in the first place. I do not think that principles such as privacy must necessarily create a barrier for organisations to best utilise the data they process. Corporations can transform into data-driven organisations and respect the related data privacy principles at the same time. The past years have shown us that this respect can even be used as a competitive advantage.
Batu Kınıkoğlu, Partner
Koşuyolu Mah. Koşuyolu Cad. No:64/2 34718 Kadıköy/İstanbul
Tel: +90 216-807-1445
Batu Kınıkoğlu is a partner at Hamzaoğlu Hamzaoğlu Kınıkoğlu Attorney Partnership (HHK). He advises clients on a wide range of issues including data protection, information privacy, cybersecurity, fintech and telecommunications law. His expertise also includes copyright law and open-source software licensing. He is a Legal 500 Recommended Lawyer in the IT & Telecoms and Intellectual Property practice areas and was selected as a Global Leader and a Thought Leader in Data Privacy & Protection by Who’s Who Legal. He is also a lecturer at Sabancı University and Istanbul Bilgi University, teaching graduate courses on European Data Protection Law and Cybersecurity Law.
HHK is an Istanbul-based law firm specialising in technology law, helping its clients transform their companies in line with the challenges and opportunities brought by technology and the digital world. Working across sectors and with a variety of clients ranging from innovative startups to large multinational corporations, HHK has been selected as a leading firm by Legal 500 in the IT & Telecoms category every year since its establishment.