After almost a decade of legislative struggles, on March 24 2016, the Turkish Parliament finally adopted the Law on the Protection of Personal Data (the "New Law"). The New Law is Turkey's first specific set of parliamentary level rules addressing data protection concerns in all sectors.
It continues to be a big year from a data protection perspective for Turkish citizens and corporations alike. As explained in an earlier post, the month of February saw the much anticipated ratification of the Council of Europe's 1981 Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Data. This ratification had signaled that data protection was high on the Turkish Parliament's agenda, and now with the adoption of the New Law, Turkey finally has a set of rules that reflects, to a large extent, the EU Data Protection Directive (95/46/EC).
When Will The New Rules Enter Into Force?
The Law on the Protection of Personal Data will enter into force once it is published in the Official Gazette (expected in the next few weeks). While some of the rules will take effect immediately (such as general rules on processing personal data), others will become effective only after a transitional period to give organisations time to come into compliance with the newly introduced rules and standards. For example, cross-border transfer rules will only enter into force six months after the New Law's publication.
The New Law sheds light on significant ambiguities and fills in legal gaps. Most notably, it:
- defines concepts like "personal data," "sensitive data," "explicit consent" and "data controller";
- lists the legitimate purposes for data processing;
- regulates the international transfer of personal data;
- imposes rules on data controllers regarding retention periods and standards;
- provides rights for data subjects; and
- establishes a Data Protection Authority to act as the regulator.
The New Law does not contain clear rules on its territorial scope which will likely create some challenges for multinationals.
The New Law is a major step in aligning Turkey's legislative framework with that of the EU and is expected to have significant implications for businesses. Organisations would be prudent to study the new requirements and conduct audits to identify and fill compliance gaps. As the New Law introduces significant sanctions, organisations would also be advised to monitor on an ongoing basis their compliance with the New Law and any secondary regulations to be issued in the future by the regulator.
While the New Law largely reflects the requirements under the current EU Data Protection Directive, it does not reflect the data protection rules and requirements that will be introduced by the incoming European General Data Protection Regulation ("GDPR"). This has been discussed in the Turkish Parliament prior to the adoption of the New Law and has been widely criticized especially by the opposition parties. However, no change has been made to this effect. Taking into account the GDPR's complex and detailed structure, refraining from adopting a similar approach in Turkey at this stage may be appropriate. Over time, amendments to the law or secondary legislation may be adopted in order to align the New Law with the GDPR.