🇹🇷 Turkey
Informations
Extracts :
Extract :
"
Both the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Law on Protection of Personal Data No. 6698 ('LPPD') apply to data controllers and data processors, and the definitions for these concepts are similar. While the GDPR applies to natural persons regardless of their nationality, the LPPD applies to natural persons and data originating from Turkey, regardless of whether they are located in Turkey or abroad. Furthermore, both the GDPR and the LPPD apply to legal persons, including both public and private bodies."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extract :
There is not definition of the data subject that makes reference that a citizen outside the jurisdiction are considered as personal data
2021
Reference :
Data transfer regulations | DataGuidance
Data transfer regulation - TUR
Extracts :
Extract :
"The LPPD does not explicitly refer the nationality or place of residence of data subjects. Instead, it broadly applies to 'natural persons whose personal data are processed'."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extract :
"The LPPD does not explicitly refer the nationality or place of residence of data subjects. Instead, it broadly applies to 'natural persons whose personal data are processed'."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
No mention of the subject rignt related to Legal entities
2021
Reference :
Turkey Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
There is not a definition of data subject that makes reference that a legal entity is coinsidered as personal data
2021
Reference :
Data transfer regulations | DataGuidance
Data transfer regulation - TUR
Extracts :
Extract :
"In relation to extraterritorial scope, it is accepted that the LPPD applies to the processing of personal data of data subjects lo- cated in Turkey, regardless of the location of the data con- troller/data processor (i.e. lo- cated in or outside of Turkey)."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
"Data controller: means a real person or entity who determines the intended purposes and means of
processing personal data. Data controllers are responsible for establishing and administering data registry systems.
Data processor: means a real person or entity processing data with the authorisation of the data controller.
2021
Reference :
Turkey Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
The Law applies to data controllers, thus making data controllers liable for the activities of processing
and transfer of personal data under their control. Furthermore, where data controllers utilise the services of third-party data processors, the Law dictates that they remain jointly liable for establishing all of
the technical and administrative measures required to ensure the safeguarding of the personal data
and to prevent any unlawful access or processing of said data.
2021
Reference :
Data transfer regulations | DataGuidance
Data transfer regulation - TUR
Extracts :
Extract :
"In relation to extraterritorial scope, it is accepted that the LPPD applies to the processing of personal data of data subjects lo- cated in Turkey, regardless of the location of the data con- troller/data processor (i.e. lo- cated in or outside of Turkey)."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Special Category Data - The DPDP Act does not contain any provisions on special category data."
2023
Reference :
Decrypting India's New Data Protection Law: Key Insights and Lessons Learned
Information on India's DPDP act | Bird&Bird
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Special categories of personal data: 'special categories of personal data' receive extra protection. This includes information which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, appearance, memberships of unions, associations, or foundations, as well as information about health, sexual life, criminal records, or punitive measures, as well as biometric and genetic data."
2023
Reference :
Turkey Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Turkey Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"As per the Data Protection Law, public interest is not a legal basis to process personal data of a data subject without obtaining their explicit consent. However, the Board considers public interest as a criterion while evaluating limits of independent press and the balance between the right to privacy and right to freedom of expression."
2023
Reference :
Turkey Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The LPPD provides for the possibility of administrative, monetary penalties to be issued by the supervisory authorities in cases of non-compliance."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
"Administrative fines ranging between TRY 9,834 (approx. €930) and TRY 1,966,862 (approx. €187.000) will apply for breaches of the LPPD."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
Does not exist as per present time.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"According to the Turkish Criminal Code No. 5237:
Unlawful collection of personal data may be punished with imprisonment between 1 year up to 3 years (between 1.5 and 4.5 years if the issue relates to certain type of sensitive personal data).
Unlawful transfer, acquisition or distribution of personal data may be punished with imprisonment between 2 years up to 4 years (between 4 and 8 years if the issue relates to records about sexual assault or child abuse cases).
Infringement of the obligation to delete or anonymize personal data under the Data Protection Law is also subject to the Turkish Criminal Code and may be punished with imprisonment between 1 year up to 2 years (between 2 and 4 years if the issue relates to personal data that should be disposed of per the Turkish Criminal Procedure Law)."
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
There is no information on this anywhere.
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Article 28 of the PDPA: If an injury suffered by the victim is a non-pecuniary damage, he or she may request an appropriate amount of monetary compensation; if the injury suffered by the victim is damage to his or her reputation, the victim may request appropriate corrective measures to restore his or her reputation.
The right of claim referred to in Paragraph 2 above may not be transferred or inherited. However, this does not apply to the circumstances where monetary compensation has been agreed upon in a contract or a claim therefor has been filed with the court."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TWN
Extracts :
Extract :
"According to the Turkish Criminal Code No. 5237:
Unlawful collection of personal data may be punished with imprisonment between 1 year up to 3 years (between 1.5 and 4.5 years if the issue relates to certain type of sensitive personal data).
Unlawful transfer, acquisition or distribution of personal data may be punished with imprisonment between 2 years up to 4 years (between 4 and 8 years if the issue relates to records about sexual assault or child abuse cases).
Infringement of the obligation to delete or anonymize personal data under the Data Protection Law is also subject to the Turkish Criminal Code and may be punished with imprisonment between 1 year up to 2 years (between 2 and 4 years if the issue relates to personal data that should be disposed of per the Turkish Criminal Procedure Law)."
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Data Protection Impact Assessment ('DPIA') is not mandatory under the Data Protection Law."
2023
Reference :
Turkey Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"The PDPA and the Enforcement Rules do not explicitly refer to anonymised data."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
"Article 12 of the PDPA: If any personal data is stolen, disclosed, altered, or otherwise infringed upon due to a violation of the PDPA by a government or nongovernment agency, the data subject shall be notified via appropriate means after the relevant facts have been clarified."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
"The PDPA and the Enforcement Rules do not explicitly require the notification of data breaches to authority."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
"The PDPA and the Enforcement Rules do not address notification of data breaches by entities acting on behalf of commissioning agencies."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The DPL does not specifically stipulate right to object to processing. Under the DPL, data subjects have the right to apply to data Controllers on all matters concerning application of the DPL and the right to complain to the Board, as described below. By virtue of these general provisions, data subjects may object to unlawful processing."
Reference :
ICLG Website
Link to reference Extracts :
Extract :
"The PDPL does not include a right to data portability.
However, the Authority has developed this right following a complaint. In decision numbered 2018/131 of the Authority, a legal entity applied to the data controller and requested to transfer the personal data of a data subject. After the data controller rejected this request, the legal entity has complained to the Authority. The Authority considered this portability request to be within the scope of the right to access personal data but rejected the complaint since it was made by a legal entity and not the data subject."
2022
Reference :
Data Protection in different countries | Linklaters
Database for comparing other databases for the same information on data protection
Link to reference Extracts :
Extract :
"Yes. Article 11(g), Law on the Protection of Personal Data No. 6698 (7 April 2016)."
2022
Reference :
Data Subject Rights | ThompsonReuters
Compilation of information on data subject rights in different countries
Extracts :
Extract :
"8.1. Right to be informed
Regardless of the legal basis of data processing, data controllers are obliged to inform the data subjects
when collecting personal data in respect of the minimum mandatory content outlined below (Article 10
of the Data Protection Law):
• the identity of the data controller and its representative, if any;
• the purpose of personal data processing;
• the recipients to whom the personal data can be transferred, and the purpose of the transfer;
• the methods and legal reasons of collection of personal data; and
• the data subject's rights under Article 11 of the Data Protection Law."
2021
Reference :
Turkey Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The KVKK's guidance on children's data is similar to the practices for processing children's data under the GDPR. The GDPR requires data controllers processing the personal data of children under a certain age (which depends on the practices of each EU Member State, and can be between 13 and 16 years) based on consent to initially obtain the parent's or legal guardian's explicit consent. Data controllers must also take technical measures to verify the data subjects' ages and prepare privacy notices suitable for children.
As mentioned above, the KVKK provides similar explanations on the processing of children's personal data, stating that data controllers must send privacy notices and explicit consent forms to the parents/legal guardians when necessary and take the necessary measures to ensure data security."
2021
Reference :
Turkey: Provisions for the protection of children's data
Information on Turkey's regulation on children data protection | DataGuidance
Link to reference Extracts :
Extract :
"8.2. Right to access
Data subjects are entitled to request the following from the data controller (Article 11 of the Data
Protection Law):
• information about whether their personal data has been processed;
• if personal data has been processed, the information about such data and processing;
• information about the purpose for the data processing and whether the data was used for this
purpose;
• information about the identities of natural or legal persons whom the data is transferred"
2021
Reference :
Turkey Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.3. Right to rectification
In accordance with the principles of lawful data processing activity, personal data is only processed
when it is accurate and kept up to date. In line with such principle, data subjects are entitled to request
for rectification from the data controllers, in case of contrary practice."
2021
Reference :
Turkey Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.4. Right to erasure
Data controllers are obliged to erase, destruct, or anonymise the personal data ex officio or upon the demand
of the data subject, in the event that the reasons for which it was processed are no longer valid
(Article 7 of the Data Protection Law)."
2021
Reference :
Turkey Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"As per Article 5 of the Draft Regulation, the Regulation prohibits the cross-border transfer of traffic and location data due to national security reasons."
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The PDPA and the Enforcement Rules do not address consultation with authorities for risk assessments."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
"Although the PDPA does not provide for the appointment of a DPO, the PDPA and Enforcement Rules provide that government and non-government agencies should assign personnel, in certain circumstances, for the security and maintenance of those files to prevent them from being stolen, altered, damaged, destroyed, or disclosed."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
"Although the PDPA does not provide for the appointment of a DPO, the PDPA and Enforcement Rules provide that government and non-government agencies should assign personnel, in certain circumstances, for the security and maintenance of those files to prevent them from being stolen, altered, damaged, destroyed, or disclosed."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
"There is no explicit requirement to appoint a DPO.
However, Article 18 of the PDPA states the government agency in possession of personal data files shall assign dedicated personnel to implement security and maintenance measures to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed.
In addition, Article 12(1) of the Enforcement Rules provides that 'proper security and maintenance measures' may include allocating management personnel and reasonable resources."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
"The PDPA and the Enforcement Rules do not refer to group appointments of dedicated personnel."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The PDPA and the Enforcement Rules do not explicitly provide exemption to the above notification requirement."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Extracts :
Extract :
"The concept of 'data processing records' is not defined under the Data Protection Law. It is expected that such a concept will be adopted in the following amendments within the scope of the GDPR harmonizationtion process."
2023
Reference :
Turkey Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"The following categories of data controllers are exempt from having to register with the VERBİS:
!"data controllers employing less than 50 employees and with an annual balance less than TRY 25 million (ap- prox. €2.4 million) (unless the data controller's main business activity is processing special categories of per- sonal data);
!"data controllers processing personal data through non-automatic means, provided the processing is part of a data filing system;
Upgrad Now !
!"public notaries; !"associations; .... "
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
There is nothing specific in the regulation outlined (for example, see https://odprivacy.com/use-of-cookies-in-turkish-data-protection-law/).
| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Competition Authority (Rekabet Kurumu) | Regulator | Under the government authority | 1994 | |
| Capital Markets Board of Turkey (SPK) | Regulator | Under the government authority | 1981 | |
| Information and Communication Technologies Authority (BTK) | Regulator | Independant agency | 2000 | |
| Ministry of Trade | Regulator | Ministry | 2011 | |
| Ministry of Industry and Technology | Regulator | Ministry | 1984 | |
| Personal Data Protection Authority (KVKK) | KVKK | Regulator | Govt authority/ministry | 2017 |
| Central Bank of Turkey (CBRT) | CBRT | Regulator | Under the government authority | 1930 |
| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| Law on Protection of Personal Data No. 6698 (LPPD) | General privacy/data protection law | 2016 | Active | 2016 |