Turkey: New decision of the Turkish Data Protection Authority


On 22 December 2020, the Turkish Data Protection Authority published a new decision, numbered 2020/966 ("Decision"), which highlights the importance of the general principles that personal data processed must be accurate and up-to-date. The Decision also outlines the responsibilities of data controllers in implementing these general principles.


According to Article 4 of the Data Protection Law No. 6698, the following principles must be observed when processing personal data.

  • Lawfulness and fairness;

  • Accuracy and ensuring that all data is up to date:

  • That the processing is for specified, explicit and legitimate purposes;

  • That the processing is relevant, limited and proportionate to the legitimate purposes; and

  • That the data is retained for the period specified in the relevant legislation or for the period required as part of the legitimate purpose of the processing.

The Turkish Data Protection Authority noted in the Decision that data controllers operating in sectors such as e-commerce, transport, telecommunications, tourism, etc. frequently require individuals to disclose contact information (e.g. phone numbers or email addresses) via documents such as vouchers, receipts, booking information. As a result, contact information collected by controllers can sometimes be incorrect or out of date. This could cause pecuniary or non-pecuniary damage to the data subject and violate the rights of a third person, especially as it creates the possibility of processing personal data relating to a non-relevant person.

In this context, the Decision emphasises that the data controller has an active duty of care and that it is crucial to verify that personal data is accurate and up to date. The Decision states that in order to ensure the accuracy and timeliness of the data, the channels for collecting personal data must be clearly defined. In addition, reasonable measures must be taken to avoid harm to the data owner due to the inaccuracy of personal data. One such measure could be sending verification codes or links to phone numbers and email addresses.

In this way, the Turkish Data Protection Authority aims to prevent inaccurate data from being stored, which could result in the data controllers sending invoices, receipts, etc. to wrong parties and save all parties from unnecessary harm.

The Decision also cites Article 12 of the Data Protection Law No. 6698 as a basis for data controllers to take the technical and organisational measures mentioned above.

For more information on this new Decision of the Turkish Data Protection Authority and its implementation, please contact your regular CMS source or our local CMS expert Dr. Döne Yalçın or Sinan Abra.