(1) The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.
Personal Data Protection Law
*This is an English translation. In case of any difference in meaning between the original Turkish text and the English translation, the Turkish text shall apply.
Chapter 1 (Art. 1 - 3) — Purpose, Scope and Definitions
(1) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partially by automated means or by non-automated means which provided that form part of a data filing system.
(1) For the purposes of this Law:
- a) “Explicit consent” means freely given, specific and informed consent,
- b) “Anonymization” means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,
- c) “President” means President of the Personal Data Protection Authority,
- ç) “Data subject” (natural person concerned) means the natural person, whose personal data are processed,
- d) “Personal data” means any information relating to an identified or identifiable natural person,
- e) “Processing of personal data” means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,
- f) “Board” means the Personal Data Protection Board,
- g) “Authority” means the Personal Data Protection Authority,
- ğ) “Data Processor” means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,
- h) “Data filing system” means the system where personal data are processed by being structured according to specific criteria,
- ı) “Data Controller” means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
Chapter 2 (Art. 4 - 9) — Processing of Personal Data
(1) Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.
(2) The following principles shall be complied within the processing of personal data:
- a) Lawfulness and fairness
- b) Being accurate and kept up to date where necessary.
- c) Being processed for specified, explicit and legitimate purposes.
- ç) Being relevant, limited and proportionate to the purposes for which they are processed.
- d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.
(1) Personal data shall not be processed without explicit consent of the data subject.
(2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:
- a) It is expressly provided for by the laws.
- b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
- c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
- ç) It is necessary for compliance with a legal obligation to which the data controller is subject.
- d) Personal data have been made public by the data subject himself/herself.
- e) Data processing is necessary for the establishment, exercise or protection of any right.
- f) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
(1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.
(2) (Repealed: 2/3/2024- Art. 7499/33)
(3) (Amended: 2/3/2024- Art. 7499/33) It is prohibited to process special categories of personal data. However, such processing is permitted under the following conditions:
- a) Data subject has given his/her explicit consent,
- b) It is explicitly provided by laws,
- c) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,
- ç) It relates to personal data that have been made public by the data subject, and processing is in consistent with data subject’s intention to make such data public,
- d) It is necessary for the establishment, exercise or protection of any right,
- e) It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health-care services by persons subject to legal obligation of confidentiality or by competent public institutions and organizations,
- f) It is necessary for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
- g) It relates to the current or former members and affiliates of foundations, associations, and other non-profit organizations established for political, philosophical, religious, or trade union purposes, or to individuals who are in regular contact with these organizations, provided that such processing complies with the applicable legislation governing these organizations and their objectives, is limited to the organizations’ fields of activity, and does not involve disclosure of data to third parties.
(4) Adequate measures, as determined by the Board, shall also be implemented in the processing of special categories of personal data.
(1) Despite being processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destructed or anonymized by the data controller, ex officio or on the request of the data subject, in the event that the reasons for the processing no longer exist.
(2) The Provisions of other laws relating to the erasure, destruction or anonymization of personal data are reserved.
(3) Procedures and principles for the erasure, destruction or anonymization of personal data shall be laid down through by-law.
(1) Personal data shall not be transferred without explicit consent of the data subject.
(2) Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in:
- a) the second paragraph of Article 5,
- b) the third paragraph of Article 6, provided that sufficient measures are taken.
(3) The Provisions of other laws relating to transfer of personal data are reserved.
(Amended: 2/3/2024- Art. 7499/34)
(1) Personal data may be transferred abroad by data controllers and data processors provided that one of the conditions set out in Article 5 and Article 6 is met and there is an adequacy decision regarding the country, sectors within that country, or international organizations to which the transfer will be made.
(2) The adequacy decision shall be issued by the Board and published in the Official Gazette. When deemed necessary, the Board may seek the opinion of relevant institutions and organizations. The adequacy decision shall be assessed at least every four years. Based on the assessment or in other circumstances it deems necessary, the Board may amend, suspend, or revoke the adequacy decision with prospective effect.
(3) When issuing an adequacy decision, the following elements shall be primarily taken into account:
- a) The reciprocity status concerning the transfer of personal data between Türkiye and the country, sectors within that country, or international organizations to which personal data will be transferred,
- b) The relevant legislation and practices of the country to which the personal data will be transferred, and the rules governing the international organization receiving the data transfer,
- c) The existence of an independent and effective data protection authority in the country to which personal data will be transferred or to which the international organization is subject, as well as the availability of administrative and judicial remedies,
- ç) Whether the country or international organization to which personal data will be transferred is a party to international conventions or a member of international organizations concerning personal data protection.
- d) The membership status of the country or international organization to which personal data will be transferred, in global or regional organizations to which Türkiye is a member.
- e) International conventions to which Türkiye is a party.
(4) In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Article 5 and Article 6 is met and data subjects retain enforceable rights and effective legal remedies in the country to which the transfer is to be made, provided that one of the following appropriate safeguards is ensured:
- a) The existence of an agreement, which is not classified as an international convention, between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations with public institution status in Türkiye, and the Board’s approval for the transfer;
- b) The existence of binding corporate rules approved by the Board containing provisions on personal data protection, which the companies within a group of undertakings engaged in joint economic activities are obliged to comply with;
- c) The existence of a standard contract published by the Board, containing information such as data categories, purposes of the data transfer, recipients and recipient groups, technical and organizational measures to be taken by the data importer, and additional measures for special categories of personal data;
- ç) The existence of a written commitment containing provisions to ensure adequate protection, and the Board’s approval for the transfer;
(5) The standard contract shall be notified to the Authority by the data controller or data processor within five business days following its signature.
(6) In the absence of an adequacy decision and where one of the appropriate safeguards specified paragraph four cannot be ensured, data controllers and data processors may transfer personal data abroad only under one of the circumstances specified below, provided that such transfer is incidental:
- a) The data subject has given explicit consent to the transfer, provided that he/she has been informed of the potential risks involved;
- b) The transfer is necessary for the performance of a contract between the data subject and data controller, or for the implementation of pre-contractual measures taken at the request of the data subject;
- c) The transfer is necessary for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject;
- ç) The transfer is necessary for an overriding public interest;
- d) The transfer of personal data is necessary for the establishment, exercise, or protection of any right;
- e) Transfer of personal data is necessary for the protection of life or physical integrity of a person himself/herself or of any other person, who is unable to provide consent due to physical disability or whose consent is not deemed legally valid;
- f) The transfer is made from a publicly accessible registry or a registry accessible to persons with legitimate interest, provided that the conditions for accessing the registry under relevant legislation are met, and that the person with a legitimate interest has requested the transfer.
(7) The provisions in subparagraphs (a), (b), and (c) of the sixth paragraph shall not apply to public law activities of public institutions and organizations.
(8) Data controllers and data processors shall ensure that the safeguards established under this Law, as well as the provisions of this Article, also apply to onward transfers of personal data that have been transferred abroad and transfers to international organizations.
(9) Without prejudice to international convention provisions, personal data may be transferred abroad only with the approval of the Board and after obtaining the opinion of the relevant public institution or organization, in cases where the interest of Türkiye or the data subject would be seriously harmed.
(10) Provisions of other laws concerning the transfer of personal data abroad are reserved.
(11) The procedures and principles for the implementation of this Article shall be regulated by a By-Law.
Chapter 3 (Art. 10 - 12) — Rights and Obligations
(1) At the time when personal data are obtained, the data controller or the person authorised by it is obliged to inform the data subjects about the following:
- a) the identity of the data controller and of its representative, if any,
- b) the purpose of processing of personal data;
- c) to whom and for which purposes the processed personal data may be transferred,
- ç) the method and legal basis of collection of personal data,
- d) other rights referred to in Article 11.
(1) Each person has the right to request to the data controller about him/her;
- a) to learn whether his/her personal data are processed or not,
- b) to demand for information as to if his/her personal data have been processed,
- c) to learn the purpose of the processing of his/her personal data and whether these personal
- data are used in compliance with the purpose,
- ç) to know the third parties to whom his personal data are transferred in country or abroad,
- d) to request the rectification of the incomplete or inaccurate data, if any,
- e) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
- f) to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,
- g) to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
- ğ) to claim compensation for the damage arising from the unlawful processing of his/her personal data.
(1) The data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:
- a) preventing unlawful processing of personal data,
- b) preventing unlawful access to personal data,
- c) ensuring protection of personal data.
(2) In case the processing of personal data is carried out by another natural or legal person on behalf of the data controller, the data controller shall jointly be responsible with these persons for taking the measures laid down in the first paragraph.
(3) The data controller is obliged to carry out the necessary audits, or have them made, in its own institution or organization, in order to ensure the implementation of the provisions of this Law.
(4) The data controllers and data processors shall not disclose the personal data that they have learned to anyone contrary to the provisions of this Law, neither shall they use such data for purposes other than that for which the personal data have been processed. This obligation shall continue even after the end of their term of office.
(5) In case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through in any other way it deems appropriate.
Chapter 4 (Art. 13 - 16) — Request, Complaint and Data Controllers’ Registry
(1) The data subject shall make the requests relating to the implementation of this Law to the data controller in writing or by other means to be determined by the Board.
(2) The data controller shall conclude demands in the request within the shortest time by taking into account the nature of the demand and at the latest within thirty days and free of charge. However if the action requires an extra cost, fees may be charged in the tariff determined by the Board.
(3) The data controller shall act on the request or refuse it together with justified grounds and communicate its response to the data subject in writing or by electronic means. In case the demand in the request is accepted, it shall be fulfilled by the data controller. If the request is made due to fault of the data controller, the fee is refunded to data subject.
(1) If the request is refused, the response is found insufficient or the request is not responded within the specified time period, the data subject may lodge a complaint with the Board within thirty days as of he or she learns about the response of the data controller, or within sixty days as of the request date, in any case.
(2) A complaint shall not be lodged before exhausting the remedy of the request to the data controller pursuant to Article 13.
(3) The right to compensation, under the general provisions, of those whose personal rights are violated, is reserved.
(1) The Board shall carry out the necessary examination on the matters falling within its task upon complaint or ex officio where it has learnt about the alleged infringement.
(2) The notices and complaints not meeting conditions pursuant to Article 6 of the Law No. 3071 of 1/11/1984 on the Use of Right to Petition shall not be examined.
(3) Except for the information and documents having the status of state secret, the data controller shall send the information and documents demanded by the Board related to the subject of examination within fifteen days, and shall enable, where necessary, on-the-spot examination.
(4) Upon complaint, the Board examines the demand and gives an answer to the data subjects. In case it is not responded in sixty days from the date of complaint the demand shall be deemed refused.
(5) As a result of the examination made upon complaint or ex officio, in cases where it is understood that an infringement exists, the Board shall decide that the identified infringements shall be remedied by the relevant data controller and notify this decision to the relevant parties. This decision shall be implemented without delay and within thirty days at the latest after the notification,
(6) As a result of the examination made upon complaint or ex officio, in cases where it is determined that the infringement is widespread, the Board shall take a resolution on this matter and publishes this resolution. Prior to taking the resolution, the Board may also receive the opinions of the relevant institutions and organisations, if needed.
(7) The Board may decide to stop the processing of personal data or transfer of personal data abroad in the case damages which are difficult or impossible to compensate for, and in the event of explicit infringement of the law.
(1) Under the supervision of the Board, the Data Controllers’ Registry shall be kept by the Presidency and be made publicly available.
(2) Natural or legal persons who process personal data shall register with the Data Controllers’ Registry prior to the start of data processing. However, by taking into account the objective criteria set by the Board such as the nature and quantity of the data processed, that data processing is laid down in a law, or transferring the data to third parties, the Board may provide derogation from the obligation of registration with the Data Controllers’ Registry.
(3) Application for registration with the Data Controllers’ Registry shall be made with a notification including:
- a) The identity and address of the data controller and of its representative, if any,
- b) The purpose for which the personal data will be processed,
- c) The explanations relating to group(s) of persons subject to the data and the data categories of these persons,
- ç) The recipients or groups of recipients to whom the personal data may be transferred,
- d) The personal data which are envisaged to be transferred abroad,
- e) The measures taken concerning the security of personal data.
- f) The maximum storage period necessary for the purpose for which personal data are processed.
(4) Any changes in the information given pursuant to the third paragraph shall be immediately notified to the Presidency
(5) Other procedures and principles relating to the Data Controllers’ Registry shall be laid down through a by-law.
Chapter 5 (Art. 17 - 18) — Crimes and Misdemeanours
(1) Articles 135 to 140 of Turkish Penal Code No. 5237 of 26/9/2004 shall be applied to the crimes concerning personal data.
(2) Those who do not erase or anonymize personal data as contrary to the provision of Article 7 of this Law shall be punished in accordance with Article 138 of the Law No. 5237.
1) For the purposes of this Law;
- a) An administrative fine of 5.000 to 100.000 TL shall be imposed on those who fail to fulfil the obligation to inform as stipulated in Article 10;
- b) An administrative fine of 15.000 to 1.000.000 TL shall be imposed on those who fail to fulfil the obligations related to data security as stipulated in Article 12;
- c) An administrative fine of 25.000 to 1.000.000 TL shall be imposed on those who fail to comply with the decisions issued by the Board as stipulated in Article 15;
- ç) An administrative fine of 20.000 to 1.000.000 TL shall be imposed on those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification as stipulated in Article 16;
- d) (Added: 2/3/2024- Art. 7499/35) An administrative fine of 50.000 to 1.000.000 TL shall be imposed on those who fail to fulfil the obligation to notify as stipulated in Article 9(5).
(2) (Amended: 2/3/2024- Art. 7499/35) The administrative fines provided for in subparagraphs (a), (b), (c) and (ç) of the first paragraph shall be imposed on the data controller; the fine stipulated in subparagraph (d) shall be imposed on the data controller or on natural persons and legal persons governed by private law that process data.
(3) (Added: 2/3/2024- Art. 7499/35) Administrative fines imposed by the Board may be appealed in administrative courts.
(4) In the event that the actions listed in the first paragraph be committed within the public institutions and organizations, and the professional organizations with public institution status, the disciplinary provisions shall be applied to the civil servants and other public officers employed in the relevant public institutions and organizations and those employed in the professional organizations with public institution status upon the notice of the Board, and the result shall reported to the Board.
Chapter 7 (Art. 28 - 33) — Miscellaneous
(1) The provisions of this Law shall not be applied in the following cases where:
- a) personal data are processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with.
- b) personal data are processed for official statistics and provided that they are being anonymized for the purposes for such as research, planning and statistics.
- (c) personal data are processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or the process doesn’t constitute a crime.
- (ç) personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned by law to maintain national defence, national security, public security, public order or economic security.
- (d) personal data are processed by judicial authorities or execution authorities with regard to investigation, prosecution, judicial or execution proceedings.
(2) Provided that it is in compliance with and proportionate to the purpose and fundamental principles of this Law, Article 10 regarding the data controller's obligation to inform, Article 11 regarding the rights of the data subject, excluding the right to claim compensation, and Article 16 regarding the obligation to register with the Data Controllers’ Registry shall not be applied in the following cases where personal data processing:
- a) is necessary for the prevention of committing a crime or for crime investigation.
- b) is carried out on the data which are made public by the data subject himself/herself.
- c) is necessary for performance of supervision or regulatory duties and disciplinary investigation and prosecution to be carried out by the assigned and authorised public institutions and organizations and by public professional organizations, in accordance with the power conferred on them by the law,
- ç) is necessary for protection economic and financial interests of State related to budget, tax and financial matters.
(1) The budget of the Authority shall be prepared and adopted in accordance with procedures and principles provided for in the Law No. 5018.
(2) The revenues of the Authority are as follows;
- a) Treasury grants from the general budget.
- b) The revenues from the movable and immovable properties of the Authority.
- c) Donations and grants received.
- ç) The revenues from the utilization of the revenues.
- d) Other revenues.
(1) (It is related to the Law No. 5018 and dated 10/12/2003 and inserted therein)
(2) – (5) (It is related to the Law No. 5237 and dated 26/9/2004 and inserted therein)
(6) (It is related to the Law No. 3359 and dated 7/5/1987 and inserted therein)
(7) (It is related to the– Organization and Responsibilities of Ministry of Health and its Associated Institutions – Decree Law No 663 and dated 11/10/2011 and inserted herein)
(1) By-laws related to the implementation of this Law shall be brought into force by the Authority.
Transitional Provisions
(1) For the purposes of this Law;
- a) Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 shall enter into force after six months as of the date of its publication.
- b) Other Articles shall enter into force on the date of its publication.
(1) The provisions of this law shall be enforced by the Council of Ministers.