Practical Guide: Data protection compliance in Turkey

Regardless of the legal basis of data processing, data controllers are obliged to inform the data subjects when collecting personal data in respect of the minimum mandatory content outlined below (Article 10 of the Data Protection Law):

• the identity of the data controller and its representative (the latter when necessary);
• the purpose of personal data processing;
• the recipients to whom the personal data is transferred, that it will be transferred abroad and where, and the purpose of the transfer;
• the methods and legal reasons of collection of personal data; and
• the data subject's rights under Article 11 of the Data Protection Law.

This is usually done in the form of a privacy policy on webpages or delivered through digital communication or physical paper as well as other various notices prior to the data processing being carried out.

In general, all kind of processing including transfers of personal data without the explicit consent of the data subject is only allowed under following exceptions:

The application for data transfer abroad is currently somewhat problematic. All of the applications are currently being examined on a case-by-case basis. 

The biggest difference between the KVKK and the GDPR is the obligation data controllers face under the KVKK to register at VERBIS, the TDPA’s Data Controllers Registry Information System. VERBIS registration is free and mandatory for all data controllers before they begin processing the data of Turkish residents. Once registered, data controllers are expected to record the data processing activities they engage in.

Due to the complex nature of the VERBIS registration process, the deadline for it has been pushed back twice already, with the TDPA finally extending it to 31 December 2021 for all controllers.

There are several exemptions to VERBIS registration, however these do not apply to data controllers domiciled outside of Turkey.

During registration, data controllers will also be required to submit a Data Processing Inventory that identifies the categories of data subjects, the types of data they process, its purpose, their legal basis, and the technical and administrative measures that an organization is taking to comply with the KVKK.

The data processing inventory for all data processed in Turkey must include at least the following information:

• identifying information (including the address of the data controller or its representative);
• data categories;
• purpose of the data processing;
• data subject groups;
• recipient or recipient groups to which the data may be transferred;
• information on whether the relevant data category is transferred abroad;
• data security measures taken; and
• the maximum time period for processing personal data.

According to Article 12 of the Data Protection Law, data controllers are obliged to:

• prevent unlawful processing of personal data;
• prevent unlawful access to personal data; and
• ensure the retention of personal data.

The controller shall take all necessary technical and organisational measures for providing an appropriate level of security in order to fulfil these obligations.

The data controllers must take all necessary technical and organisational measures to provide appropriate data security. The Personal Data Security Guide regarding technical and administrative measures published by the Board in January 2018 and the guideline for technical and administrative measures to be taken by the public authorities and key infrastructure organisations published by the Digital Transformation Office in July 2020 can be taken as references while complying with the obligation on data security measures.

In addition to these sources, the Board's decision numbered 2018/10 must be taken into account with regards to the processing of special categories of personal data. The Board declared with this decision that data controllers must prepare a separate policy and procedure for protecting special categories of personal data and emphasised the importance of implementing measures which had previously been determined in the Personal Data Security Guide. As a result, data controllers must ensure that adequate safeguards are in place when processing special categories of personal data.

If a natural or legal person processes personal data on behalf of the controller, the controller and these individuals are jointly responsible for implementing the appropriate precautions. As a result, data processors must likewise take steps to maintain data security. As a result, if the data controller's company's records are stored by an accounting firm (data processor), the controller and the accounting firm are jointly responsible for implementing the data processing measures outlined in the first paragraph.

If the processed data is collected by third parties via unlawful methods, data controllers must notify the data subject and the Board as soon as possible. The Board may, if required, publicize the breach on its official website or by other means it deems appropriate.

The KVKK has published the Board decision numbered 2019/10 dated 24 January 2019 and numbered 2019/10 regarding the notification procedures and principles related to personal data breach. According to this decision:

• data controller shall notify the Board without delay and within 72 hours at the latest from the date he/she learns of such breach. After identifying the persons affected by the data breach, the data controller shall promptly notify the related persons by appropriate methods;
• in the event that data controller cannot notify the Board within 72 hours for good cause he/she should explain the reasons which caused the delay to the Board with the notification to be made; and
• data controllers are obliged to use the document attached to such decision (only available in Turkish here).

As required by the principle of purpose limitation, personal data must only be kept for the reason for which it is processed. Data controllers shall comply with the periods foreseen in the legislation for the relevant personal data.

The data controller is required to take the following administrative and technical measures in this regard:

• establishing personal data retention and erasure policies and principles;
• determining storage periods as well as technical and administrative measures to be used in storage;
• and ensuring that personal data is stored in accordance with these principles.

The details of the erasure, destruction, and anonymization process is governed by the DDA Regulation. In addition, a Guide on Erasure, Destruction, or Anonymisation of Personal Data has been prepared by the Board (only available in Turkish here), in order to clarify the implementation to this respect. It should also be mentioned that data controllers which are required to be registered with the Registry must draft a data storage and extermination policy. The mandatory content of the policy has been envisaged under the aforementioned regulation. Data controllers are obliged to publish their policy/procedures related to data retention and extermination.

The Data Protection Law does not introduce the idea of data processor agreements. However, when a third-party data processor is involved in data processing, the data controllers and data processors will share responsibility for data security (Article 12 of the Data Protection Law). To guarantee that third party data processors comply with data protection regulations, data controllers must sign data processing agreements.

Furthermore, to ensure the proper flow of personal data processing, the data controller and the data processor should contractually regulate the authorization granted to the data processors, as well as the limits of the authorization, the technical details of the processing activity, and the principles and rules that must be followed by the data processors.

The data controller is also be obliged to be audited regarding its data security. The controller shall be obliged to conduct necessary auditions or have them conducted in his own institution or organization, with the aim of implementing the provisions of this Law. The controller can conduct this audition by himself or through a third party.