Turkish Personal Data Protection Law numbered 6698 dated 24/3/2016 has inured by being promulgated in the official gazette. This Code imposes that Personal Data shall not be processed without explicit consent of the data subject except for conditions indicated in the Code. The Code defines “processing of personal data” as any operation which is performed upon personal data such as recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking. The Code sets forth the adaptation period until 07/04/2018 by provisional clause-1. According to this provision, Personal data processed before the date of publication of this Code, shall be brought in compliance with provisions of this Code. Personal data that are found to be inconsistent with the provisions of this Code shall be deleted, destroyed or anonymized immediately. However the consents that were legally received prior to publication of this Code, shall be deemed as legal in the absence of any reverse expression within one year.
As is known, the adaptation period was consummated, therefore each personal data which has been already processed shall be in compliance with Turkish Personal Data Protection Law. In this respect, Since determining the consents that were legally received prior to publication of this Code as legal, there is no need other declaration of intents of data subjects. Consequently, If data subjects have not expressed any reverse statement within one year as of the date of publication of this Code, these personal data do not need to be deleted or destroyed.
By consummation of the adaptation period, penalties and administrative fines will acquire currency. Henceforth data controllers will be held responsible for processing of personal data. Sanctions change depend on kind of unlawful act. Turkish Personal Data Protection Law impose that Turkish Criminal Law numbered 5237 shall be implemented on crimes regarding personal data. Hence, in case of unlawful act, a prison sentence up to 4 years can be verdicted. Beside that misdemeanours were regulated in the Code and in case of violation of responsibilities imposed by Turkish Personal Data Protection Law, administrative fines varying between 5.000 TRY and 1.000.000 TRY can be implemented.
It should be stated that General Data Protection Regulations (GDPR) has inured by the date of 25/05/2018 in European Union Member Countries. GDPR has significant importance for Turkey. Despite the fact that Turkey is not a member of European Union but If a data subject is citizen of a European Union Member Country, data controllers such as firms and institutions in Turkey shall act in compliance with GDPR. There are further regulations and rights in GDPR which have not been regulated in Turkish Personal Data Protection Law such as increased responsibility of data controller, the right to oblivion, increased sanctions regarding to administrative fines, data portability and so on. Therefore, data controllers must take these regulations into account in order to prevent potential punishments.
To sum up, conducting crimes regarding to personal data around the World, oblige governments to impose regulations in question. The fact that these regulations are fairly new requires a period of adaptation.Now, the adaptation period is over, As a result, every data controller must be aware of these rules and act accordingly.
Legal Intern / Erkam Haşim BULUT