Privacy Law in Turkey
In Turkey, privacy laws are primarily concerned with protecting personal data and the right to privacy. The key legislation governing privacy and personal data protection is the Personal Data Protection Law (KVKK - Law No. 6698). Below is an overview of privacy laws in Turkey:
1. Constitutional Protection of Privacy
The Constitution of Turkey includes provisions to protect the right to privacy:
Article 20 guarantees the right to privacy and personal data protection. It states that everyone has the right to demand the protection of their private life and personal data, with restrictions only in cases of necessity as prescribed by law.
2. Personal Data Protection Law (KVKK - Law No. 6698)
The Personal Data Protection Law (KVKK), enacted in 2016, is the cornerstone of privacy law in Turkey. It governs the processing of personal data, including its collection, storage, and use. Some of the main aspects of the law include:
Scope: The law applies to anyone who processes personal data, whether in the public or private sector, including both Turkish and foreign entities operating in Turkey.
Personal Data: The law defines personal data as any information that can be used to identify a person, such as names, identification numbers, location data, and more sensitive information like health and biometric data.
3. Principles of Personal Data Processing
KVKK sets out fundamental principles that must be followed when processing personal data:
Lawfulness, fairness, and transparency: Data processing must be lawful, fair, and transparent.
Purpose limitation: Data should be collected for specific, legitimate purposes and not processed beyond that purpose.
Data minimization: Only the data necessary for the purpose should be collected and processed.
Accuracy: Data should be accurate and up to date.
Storage limitation: Data should not be kept longer than necessary.
Security: Appropriate measures must be taken to protect personal data from unauthorized access or disclosure.
4. Rights of Data Subjects
Individuals in Turkey have several rights under the KVKK, similar to the rights under the General Data Protection Regulation (GDPR) in the EU:
Right to access: Individuals can request information about the processing of their data.
Right to rectification: Individuals can ask for their inaccurate or incomplete data to be corrected.
Right to erasure (right to be forgotten): In some cases, individuals can request that their personal data be deleted.
Right to object: Individuals can object to the processing of their data, particularly for marketing or profiling purposes.
Right to data portability: Individuals can request their personal data in a structured, commonly used format and transmit it to another data controller.
5. Data Protection Authority (DPA)
Turkey’s data protection authority, known as the Personal Data Protection Authority (KVKK Authority), was established to oversee the enforcement of the KVKK and ensure compliance with the law. The KVKK Authority is responsible for:
Monitoring compliance: Ensuring that businesses and other entities comply with the law.
Investigating complaints: Investigating complaints from individuals regarding violations of their privacy rights.
Issuing sanctions: The Authority can issue fines or sanctions for non-compliance.
6. Data Security and Breach Notification
Data Controllers: The KVKK requires data controllers (organizations or individuals who control the data) to implement security measures to protect personal data from unauthorized access, disclosure, or destruction.
Breach Notification: In the event of a data breach that compromises personal data, the data controller must notify both the data subjects and the Personal Data Protection Authority within 72 hours.
7. Cross-Border Data Transfers
International Transfers: The KVKK places restrictions on the transfer of personal data outside of Turkey. Personal data may be transferred to foreign countries if those countries provide an adequate level of data protection or if explicit consent is obtained from the data subject.
If the destination country does not offer adequate protection, organizations may be required to put in place additional safeguards, such as standard contractual clauses, to ensure the protection of personal data.
8. Processing Sensitive Data
The KVKK outlines stricter rules for processing sensitive personal data, such as:
Health data
Religious beliefs
Political opinions
Sexual orientation
Sensitive data can only be processed under more limited circumstances, typically requiring explicit consent from the data subject.
9. Penalties for Non-Compliance
Non-compliance with the KVKK can result in substantial penalties. The penalties can vary depending on the nature and severity of the violation, and can include:
Fines: Organizations found in violation of the law can be fined. Fines can range from TRY 5,000 to TRY 1 million (or higher depending on the circumstances).
Sanctions: The Personal Data Protection Authority can also impose other administrative sanctions, including public warnings and restrictions on processing.
10. Other Relevant Legislation
In addition to the KVKK, there are other laws in Turkey that touch on privacy and data protection, including:
Law No. 5651: Governs internet regulations, including restrictions on content and the protection of personal data in the online environment.
Telecommunications Law (Law No. 5809): This law includes provisions related to the interception and surveillance of communications, which impact privacy.
11. GDPR Alignment
While Turkey’s Personal Data Protection Law (KVKK) shares many similarities with the European Union’s General Data Protection Regulation (GDPR), there are differences. However, Turkey has expressed interest in aligning its data protection laws more closely with the GDPR to facilitate international data transfers and economic integration with the EU.
Conclusion
Turkey has established a robust legal framework for protecting personal data through the KVKK, which is designed to safeguard privacy rights while allowing for the lawful processing of personal data. Enforcement by the Personal Data Protection Authority ensures that businesses and public entities comply with these regulations. However, as data protection laws and technology continue to evolve, the regulatory landscape in Turkey may adapt to stay in line with international standards like the GDPR.