Turkish Personal Data Protection Act entered into force on March 24, 2016 and was published in Turkish Official Gazette dated April 7, 2016. The act defines the personal data as any information relating to an identified or identifiable natural person. Pursuant to the Act, personal data shall not be registered without the permission of the natural person except for the cases determined in Article 6 of the Act. Furthermore, the Act foresees the same legal sanctions in the Turkish Penal Code for the crimes against data protection. However, the Act applies to all persons in Turkey regardless of citizenship.

Example: surveys that will involve collecting PIIs of foreigners should be conducted only after applying to local DGMM directorate, explaining the justification for the study, and receiving their permission.

What constitutes PII?

Any information related to an individual is PII, provided that such information can be associated with him/her. e.g.: photos, fingerprints, ID card, age, religious or political affiliation, medical history, phone number, vehicle plate number, passport number, IP address, e-mail address, hobbies, etc.

In Article 3 of The Law titled “Definitions”, personal data has been defined as:

“any kind of information regarding an identified or identifiable real person”

In Constitutional Court rulings, PII is expressed as “all sorts of information relating to a person as long as his/her identity is certain or determinable.” In this context, not only “name, surname, birth date” and any other information which reveal only the identity of a person but also “phone number, motor vehicle plate number, social security number, passport number, resume, photo, image and audio records, fingerprints, IP address, e-mail address, hobbies, choices, individuals interacted with, group memberships, marital information, health information and any other data that makes an individual certain or identifiable directly or indirectly” have been defined as personal data.

Example: an anonymous survey may not necessarily constitute PII, because the data collected may not be linked to any single person.

Personal data of special nature (Restricted PII)

According to the Law, personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are personal data of special nature. Without prejudice to the exceptions in the Law, these data cannot be processed without explicit consent of the individual.

Data Controllers Registry

Individuals and legal entities who process personal data are required to register with the Data Controllers Registry prior to commencing processing personal data. The Board of Protection of Personal Data (KVKK) may set forth exemptions to the obligation to register with the Data Controllers Registry. The Board has published several such decisions regarding exemptions.

Legal Sanctions

Articles 135 to 140 of the Turkish Penal Code were cited by the Article 17 titled ”Crimes” of the Turkish Data Protection Act. According to these rules, crimes and penal sanctions relating to personal data regulatinos are as follows:

Criminal ActSanction
Recording PII unlawfullyImprisonment for 1 to 3 years
Recording prohibited PII unlawfullyImprisonment for 1.5 to 4.5 years
Exporting or obtaining PII unlawfullyImprisonment for 2 to 4 years
Failing to delete personal dataImprisonment for 1 to 2 years

As per Article 18 titled ”Misconducts” of the Turkish Data Protection Act, misdemeanors and their sanctions are determined as follows:

(figures are subject to change each year)
Breach of the duty to informTRY-5,000 to TRY-100,000
Breach of the obligations related to data securityTRY-15,000 to TRY-1,000,000
Failure to comply with the decisions of the KVKK BoardTRY-25,000 to TRY-1,000,000
Breach of the obligation of registration and notificationTRY-20,000 to TRY-1,000,000