Turkey: Actions to consider under The Data Protection Law in order to avoid fines of up to TRY 1 Million

As of 7 October 2016, the Law No. 6698 on Protection of Personal Data (“Data Protection Law” or “DPA”) shall be fully effective. The referenced date is remarkable in terms of the fines and criminal penalties that are applicable under the DPA.

Following on from our previous article on the merits of the DPA from 7 April 2016, you can find rules and principles below, regarding Article 32 of the Data Protection Law. The Data Protection Law was published on 7 April 2016 and there is also a six (6) months transition period to ensure the principles deriving from the DPA are complied with. The additional content is as follows:

• transfer of personal data, and the rights of the data subject;
• applications to data controllers, submitting complaints to the Personal Data Protection Board and the procedures and principles of review after a complaint has been made;
• formation of a Data Controllers’ Registry; and
• fines and criminal penalties.

Fines of up to TRY 1,000,000 and / or criminal penalties are now in force

Real or legal persons not complying with the DPA may, on the grounds of the Article 32 of the DPA, face administrative fines of between TRY 5,000 to TRY 1,000,000 and criminal penalties that may lead to imprisonment. In addition to this, those who fail to erase or anonymise personal data may face imprisonment as per the Turkish Criminal Law.

Recommended practices to prevent administrative and criminal fines

Firstly, when transferring data the explicit consent of the person whose data is being processed must be obtained. Secondly, the data controller must inform the person whose data has been obtained of their rights:

a) inform the person concerned that they have a right to know whether or not their data is being processed;

b) if requested by the person concerned, make information if personal data related to the person concerned has been processed;

c) provide information as to why the personal data is being processed and whether or not such data has been processed correctly;

d) provide information on third persons within or outside the country to whom personal data is transferred;

e) if requested by the person concerned, inform him or her if personal data has been processed inaccurately and if this has been corrected;

f) if requested by the person concerned, inform him or her about the erasure or destruction of personal data;

g) if requested by the person concerned, notify third parties to whom the personal data has been transferred of operations carried out within the meaning of sub-paragraphs (d) and (e);

h) inform the person concerned that he or she has a right to object to any conclusion acquired from an analysis of the processed data by automated systems which may have an adverse effect on him or herself;

i) inform the person concerned that he or her has a right to request compensation for the damages incurred as a result of an unlawful act of personal data processing.

Lastly, the secondary legislation for the smooth implantation of the DPA is not ready and in force, meaning the relevant data protection authorities have yet to be established. Therefore, for the companies’ viewpoint, there might be uncertainties with respect to implication of the DPA. In order to comply with the DPA, it is recommended that companies have data privacy officer(s) and/or an outside counsel who shall carry out supervising, auditing and assisting tasks in the company to ensure they comply with the DPL and its secondary legislations. Said officer or counsel may supervise operations regarding personal data by, for example, inserting the items (a)(i) to listed above in the customer or HR agreements, or under the company web sites, or by incorporating referenced principles into their internal policies.