Turkish KVKK Legal Text

Quick Access

Personal Data Protection Law
By-Laws

Personal Data Protection Law

Chapter 1 (Art. 1 - 3) — Purpose, Scope and Definitions

Article 1– Purpose
Article 2– Scope
Article 3– Definitions

Chapter 2 (Art. 4 - 9) — Processing of Personal Data

Article 4– General Principles
Article 5– Conditions for processing personal data
Article 6– Conditions for processing of special categories of personal data
Article 7– Erasure, destruction or anonymization of personal data
Article 8– Transfer of personal data
Article 9– Transfer of personal data abroad

Chapter 3 (Art. 10 - 12) — Rights and Obligations

Article 10– Obligation of Data Controller to Inform
Article 11– Rights of The Data Subject
Article 12– Obligations concerning data security

Chapter 4 (Art. 13 - 16) — Request, Complaint and Data Controllers’ Registry

Article 13– Request to the Data Controller
Article 14– Complaint to the Board
Article 15– Procedures and principles of the examination ex officio (on its own initiative) or upon complaint
Article 16– Data Controllers’ Registry

Chapter 5 (Art. 17 - 18) — Crimes and Misdemeanours

Article 17– Crimes
Article 18– Misdemeanours

Chapter 6 (Art. 19 - 27) — The Personal Data Protection Authority and its Organization

Article 19– The Personal Data Protection Authority
Article 20– Duties of the Authority
Article 21– Personal Data Protection Board
Article 22– Duties and powers of the Board
Article 23– Working Principles of the Board
Article 24– The President
Article 25– Composition and Duties of the Presidency
Article 26– The Personal Data Protection Experts and the Assistant Experts
Article 27– Provisions on the Personnel and Personnel Rights

Chapter 7 (Art. 28 - 33) — Miscellaneous

Article 28– Exemptions
Article 29– The Budget and the Revenues of the Authority
Article 30– Amended and Added Provisions
Article 31– By-law
Article 32– Entry into force
Article 33– Enforcement

Transitional Provisions

Article Provisional Article 1– Provisional Article 1
Article Provisional Article 2– Provisional Article 2
Article Provisional Article 3– Provisional Article 3

By-Laws

By-Law On Data Controllers Registry

Chapter 1 (Art. 1 - 4) — Purpose, Scope, Legal Basis and Definitions

Article 1– Purpose
Article 2– Scope
Article 3– Legal Basis
Article 4– Definitions

Chapter 2 (Art. 5 - 7) — Establishment, Management, Supervision of the Registry and Access to the Registry

Article 5– Principle, rules and procedures
Article 6– Establishment, Management and Supervision of the Registry
Article 7– Access to Registry

Chapter 3 (Art. 8 - 14) — Beginning of Registration Obligation, Information to be entered into VERBIS, Registration Application, Renewal and Erasure of Registration

Article 8– Beginning of Registration Obligation
Article 9– Information to be entered within the scope of registration obligation
Article 10– Application for Registration
Article 11– Obligations of the data controller, representative of the data controller and contact person
Article 12– Communication
Article 13– Changes in Registry records
Article 14– Erasure of Registry records

Chapter 4 (Art. 15 - 16) — Exemptions from Registration Obligation

Article 15– Cases of exemptions
Article 16– Derogation criteria

Chapter 5 (Art. 17 - 20) — Miscellaneous

Article 17– Administrative sanction
Article 18– Clarifying the Doubts
Article 19– Entry into force
Article 20– Enforcement

By-Law on Erasure, Destruction or Anonymization of Personal Data

Chapter 1 (Art.1 - 4) — Purpose, Scope, Legal Basis and Definitions

Article 1– Purpose
Article 2– Scope
Article 3– Legal Basis
Article 4– Definitions

Chapter 2 (Art.5 - 6) — Personal Data Storage and Disposal Policy

Article 5– Principles regarding the Personal Data Storage and Disposal Policy
Article 6– Scope of personal data storage and disposal policy

Chapter 3 (Art.7 - 12) — Erasure, Destruction and Anonymization of Personal Data

Article 7– Erasure, Destruction and Anonymization of Personal Data
Article 8– Erasure of personal data
Article 9– Destruction of personal data
Article 10– Anonymization of personal data
Article 11– Time periods for ex officio erasure, destruction and anonymization of personal data
Article 12– Time period for erasure and destruction of personal data upon request of data subject

Chapter 4 (Art.13 - 15) — Miscellaneous and Final Provisions

Article 13– Clarifying Doubts
Article 14– Entry into force
Article 15– Enforcement

By-Law On The Procedures And Principles For The Transfer Of Personal Data Abroad

Chapter 1 (Art. 1 - 4) — Initial Provisions

Article 1– Purpose
Article 2– Scope
Article 3– Basis
Article 4– Definitions

Chapter 2 (Art. 5 - 7) — General Provisions

Article 5– Transfer of personal data abroad
Article 6– Procedures for transferring personal data abroad
Article 7– Transfer of personal data abroad by the processor

Chapter 3 (Art. 8 - 9) — Transfers on the Basis of an Adequacy Decision

Article 8– Adequacy decision
Article 9– Review of the adequacy decision

Chapter 4 (Art. 10 - 15) — Transfers Based on Appropriate Safeguards

Article 10– Means of providing safeguards
Article 11– Providing appropriate safeguards with non-international agreements
Article 12– Providing appropriate safeguards with binding corporate rules
Article 13– Elements to be found in binding corporate rules
Article 14– Providing appropriate safeguards with standard contract
Article 15– Providing appropriate safeguards with a commitment letter

Chapter 5 (Art. 16) — Exceptional Transfers

Article 16– Exceptional transfer cases

Chapter 6 (Art. 17 - 19) — Miscellaneous and Final Provisions

Article 17– Resolution of Doubts
Article 18– Entry into Force
Article 19– Enforcement

Personal Data Protection Law

*This is an English translation. In case of any difference in meaning between the original Turkish text and the English translation, the Turkish text shall apply.

Chapter 1 (Art. 1 - 3) — Purpose, Scope and Definitions

Article 1

Purpose

(1) The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.

Article 2

Scope

(1) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partially by automated means or by non-automated means which provided that form part of a data filing system.

Article 3

Definitions

(1) For the purposes of this Law:

a) “Explicit consent” means freely given, specific and informed consent,
b) “Anonymization” means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,
c) “President” means President of the Personal Data Protection Authority,
ç) “Data subject” (natural person concerned) means the natural person, whose personal data are processed,
d) “Personal data” means any information relating to an identified or identifiable natural person,
e) “Processing of personal data” means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,
f) “Board” means the Personal Data Protection Board,
g) “Authority” means the Personal Data Protection Authority,
ğ) “Data Processor” means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,
h) “Data filing system” means the system where personal data are processed by being structured according to specific criteria,
ı) “Data Controller” means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

Chapter 2 (Art. 4 - 9) — Processing of Personal Data

Article 4

General Principles

(1) Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.

(2) The following principles shall be complied within the processing of personal data:

a) Lawfulness and fairness
b) Being accurate and kept up to date where necessary.
c) Being processed for specified, explicit and legitimate purposes.
ç) Being relevant, limited and proportionate to the purposes for which they are processed.
d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

Article 5

Conditions for processing personal data

(1) Personal data shall not be processed without explicit consent of the data subject.

(2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

a) It is expressly provided for by the laws.
b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
ç) It is necessary for compliance with a legal obligation to which the data controller is subject.
d) Personal data have been made public by the data subject himself/herself.
e) Data processing is necessary for the establishment, exercise or protection of any right.
f) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Article 6

Conditions for processing of special categories of personal data

(1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

(2) (Repealed: 2/3/2024- Art. 7499/33)

(3) (Amended: 2/3/2024- Art. 7499/33) It is prohibited to process special categories of personal data. However, such processing is permitted under the following conditions:

a) Data subject has given his/her explicit consent,
b) It is explicitly provided by laws,
c) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,
ç) It relates to personal data that have been made public by the data subject, and processing is in consistent with data subject’s intention to make such data public,
d) It is necessary for the establishment, exercise or protection of any right,
e) It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health-care services by persons subject to legal obligation of confidentiality or by competent public institutions and organizations,
f) It is necessary for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
g) It relates to the current or former members and affiliates of foundations, associations, and other non-profit organizations established for political, philosophical, religious, or trade union purposes, or to individuals who are in regular contact with these organizations, provided that such processing complies with the applicable legislation governing these organizations and their objectives, is limited to the organizations’ fields of activity, and does not involve disclosure of data to third parties.

(4) Adequate measures, as determined by the Board, shall also be implemented in the processing of special categories of personal data.

Article 7

Erasure, destruction or anonymization of personal data

(1) Despite being processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destructed or anonymized by the data controller, ex officio or on the request of the data subject, in the event that the reasons for the processing no longer exist.

(2) The Provisions of other laws relating to the erasure, destruction or anonymization of personal data are reserved.

(3) Procedures and principles for the erasure, destruction or anonymization of personal data shall be laid down through by-law.

Article 8

Transfer of personal data

(1) Personal data shall not be transferred without explicit consent of the data subject.

(2) Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in:

a) the second paragraph of Article 5,
b) the third paragraph of Article 6, provided that sufficient measures are taken.

(3) The Provisions of other laws relating to transfer of personal data are reserved.

Article 9

Transfer of personal data abroad

(Amended: 2/3/2024- Art. 7499/34)

(1) Personal data may be transferred abroad by data controllers and data processors provided that one of the conditions set out in Article 5 and Article 6 is met and there is an adequacy decision regarding the country, sectors within that country, or international organizations to which the transfer will be made.

(2) The adequacy decision shall be issued by the Board and published in the Official Gazette. When deemed necessary, the Board may seek the opinion of relevant institutions and organizations. The adequacy decision shall be assessed at least every four years. Based on the assessment or in other circumstances it deems necessary, the Board may amend, suspend, or revoke the adequacy decision with prospective effect.

(3) When issuing an adequacy decision, the following elements shall be primarily taken into account:

a) The reciprocity status concerning the transfer of personal data between Türkiye and the country, sectors within that country, or international organizations to which personal data will be transferred,
b) The relevant legislation and practices of the country to which the personal data will be transferred, and the rules governing the international organization receiving the data transfer,
c) The existence of an independent and effective data protection authority in the country to which personal data will be transferred or to which the international organization is subject, as well as the availability of administrative and judicial remedies,
ç) Whether the country or international organization to which personal data will be transferred is a party to international conventions or a member of international organizations concerning personal data protection.
d) The membership status of the country or international organization to which personal data will be transferred, in global or regional organizations to which Türkiye is a member.
e) International conventions to which Türkiye is a party.

(4) In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Article 5 and Article 6 is met and data subjects retain enforceable rights and effective legal remedies in the country to which the transfer is to be made, provided that one of the following appropriate safeguards is ensured:

a) The existence of an agreement, which is not classified as an international convention, between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations with public institution status in Türkiye, and the Board’s approval for the transfer;
b) The existence of binding corporate rules approved by the Board containing provisions on personal data protection, which the companies within a group of undertakings engaged in joint economic activities are obliged to comply with;
c) The existence of a standard contract published by the Board, containing information such as data categories, purposes of the data transfer, recipients and recipient groups, technical and organizational measures to be taken by the data importer, and additional measures for special categories of personal data;
ç) The existence of a written commitment containing provisions to ensure adequate protection, and the Board’s approval for the transfer;

(5) The standard contract shall be notified to the Authority by the data controller or data processor within five business days following its signature.

(6) In the absence of an adequacy decision and where one of the appropriate safeguards specified paragraph four cannot be ensured, data controllers and data processors may transfer personal data abroad only under one of the circumstances specified below, provided that such transfer is incidental:

a) The data subject has given explicit consent to the transfer, provided that he/she has been informed of the potential risks involved;
b) The transfer is necessary for the performance of a contract between the data subject and data controller, or for the implementation of pre-contractual measures taken at the request of the data subject;
c) The transfer is necessary for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject;
ç) The transfer is necessary for an overriding public interest;
d) The transfer of personal data is necessary for the establishment, exercise, or protection of any right;
e) Transfer of personal data is necessary for the protection of life or physical integrity of a person himself/herself or of any other person, who is unable to provide consent due to physical disability or whose consent is not deemed legally valid;
f) The transfer is made from a publicly accessible registry or a registry accessible to persons with legitimate interest, provided that the conditions for accessing the registry under relevant legislation are met, and that the person with a legitimate interest has requested the transfer.

(7) The provisions in subparagraphs (a), (b), and (c) of the sixth paragraph shall not apply to public law activities of public institutions and organizations.

(8) Data controllers and data processors shall ensure that the safeguards established under this Law, as well as the provisions of this Article, also apply to onward transfers of personal data that have been transferred abroad and transfers to international organizations.

(9) Without prejudice to international convention provisions, personal data may be transferred abroad only with the approval of the Board and after obtaining the opinion of the relevant public institution or organization, in cases where the interest of Türkiye or the data subject would be seriously harmed.

(10) Provisions of other laws concerning the transfer of personal data abroad are reserved.

(11) The procedures and principles for the implementation of this Article shall be regulated by a By-Law.

Chapter 3 (Art. 10 - 12) — Rights and Obligations

Article 10

Obligation of Data Controller to Inform

(1) At the time when personal data are obtained, the data controller or the person authorised by it is obliged to inform the data subjects about the following:

a) the identity of the data controller and of its representative, if any,
b) the purpose of processing of personal data;
c) to whom and for which purposes the processed personal data may be transferred,
ç) the method and legal basis of collection of personal data,
d) other rights referred to in Article 11.

Article 11

Rights of The Data Subject

(1) Each person has the right to request to the data controller about him/her;

a) to learn whether his/her personal data are processed or not,
b) to demand for information as to if his/her personal data have been processed,
c) to learn the purpose of the processing of his/her personal data and whether these personal
data are used in compliance with the purpose,
ç) to know the third parties to whom his personal data are transferred in country or abroad,
d) to request the rectification of the incomplete or inaccurate data, if any,
e) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
f) to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,
g) to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
ğ) to claim compensation for the damage arising from the unlawful processing of his/her personal data.

Article 12

Obligations concerning data security

(1) The data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:

a) preventing unlawful processing of personal data,
b) preventing unlawful access to personal data,
c) ensuring protection of personal data.

(2) In case the processing of personal data is carried out by another natural or legal person on behalf of the data controller, the data controller shall jointly be responsible with these persons for taking the measures laid down in the first paragraph.

(3) The data controller is obliged to carry out the necessary audits, or have them made, in its own institution or organization, in order to ensure the implementation of the provisions of this Law.

(4) The data controllers and data processors shall not disclose the personal data that they have learned to anyone contrary to the provisions of this Law, neither shall they use such data for purposes other than that for which the personal data have been processed. This obligation shall continue even after the end of their term of office.

(5) In case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through in any other way it deems appropriate.

Chapter 4 (Art. 13 - 16) — Request, Complaint and Data Controllers’ Registry

Article 13

Request to the Data Controller

(1) The data subject shall make the requests relating to the implementation of this Law to the data controller in writing or by other means to be determined by the Board.

(2) The data controller shall conclude demands in the request within the shortest time by taking into account the nature of the demand and at the latest within thirty days and free of charge. However if the action requires an extra cost, fees may be charged in the tariff determined by the Board.

(3) The data controller shall act on the request or refuse it together with justified grounds and communicate its response to the data subject in writing or by electronic means. In case the demand in the request is accepted, it shall be fulfilled by the data controller. If the request is made due to fault of the data controller, the fee is refunded to data subject.

Article 14

Complaint to the Board

(1) If the request is refused, the response is found insufficient or the request is not responded within the specified time period, the data subject may lodge a complaint with the Board within thirty days as of he or she learns about the response of the data controller, or within sixty days as of the request date, in any case.

(2) A complaint shall not be lodged before exhausting the remedy of the request to the data controller pursuant to Article 13.

(3) The right to compensation, under the general provisions, of those whose personal rights are violated, is reserved.

Article 15

Procedures and principles of the examination ex officio (on its own initiative) or upon complaint

(1) The Board shall carry out the necessary examination on the matters falling within its task upon complaint or ex officio where it has learnt about the alleged infringement.

(2) The notices and complaints not meeting conditions pursuant to Article 6 of the Law No. 3071 of 1/11/1984 on the Use of Right to Petition shall not be examined.

(3) Except for the information and documents having the status of state secret, the data controller shall send the information and documents demanded by the Board related to the subject of examination within fifteen days, and shall enable, where necessary, on-the-spot examination.

(4) Upon complaint, the Board examines the demand and gives an answer to the data subjects. In case it is not responded in sixty days from the date of complaint the demand shall be deemed refused.

(5) As a result of the examination made upon complaint or ex officio, in cases where it is understood that an infringement exists, the Board shall decide that the identified infringements shall be remedied by the relevant data controller and notify this decision to the relevant parties. This decision shall be implemented without delay and within thirty days at the latest after the notification,

(6) As a result of the examination made upon complaint or ex officio, in cases where it is determined that the infringement is widespread, the Board shall take a resolution on this matter and publishes this resolution. Prior to taking the resolution, the Board may also receive the opinions of the relevant institutions and organisations, if needed.

(7) The Board may decide to stop the processing of personal data or transfer of personal data abroad in the case damages which are difficult or impossible to compensate for, and in the event of explicit infringement of the law.

Article 16

Data Controllers’ Registry

(1) Under the supervision of the Board, the Data Controllers’ Registry shall be kept by the Presidency and be made publicly available.

(2) Natural or legal persons who process personal data shall register with the Data Controllers’ Registry prior to the start of data processing. However, by taking into account the objective criteria set by the Board such as the nature and quantity of the data processed, that data processing is laid down in a law, or transferring the data to third parties, the Board may provide derogation from the obligation of registration with the Data Controllers’ Registry.

(3) Application for registration with the Data Controllers’ Registry shall be made with a notification including:

a) The identity and address of the data controller and of its representative, if any,
b) The purpose for which the personal data will be processed,
c) The explanations relating to group(s) of persons subject to the data and the data categories of these persons,
ç) The recipients or groups of recipients to whom the personal data may be transferred,
d) The personal data which are envisaged to be transferred abroad,
e) The measures taken concerning the security of personal data.
f) The maximum storage period necessary for the purpose for which personal data are processed.

(4) Any changes in the information given pursuant to the third paragraph shall be immediately notified to the Presidency

(5) Other procedures and principles relating to the Data Controllers’ Registry shall be laid down through a by-law.

Chapter 5 (Art. 17 - 18) — Crimes and Misdemeanours

Article 17

Crimes

(1) Articles 135 to 140 of Turkish Penal Code No. 5237 of 26/9/2004 shall be applied to the crimes concerning personal data.

(2) Those who do not erase or anonymize personal data as contrary to the provision of Article 7 of this Law shall be punished in accordance with Article 138 of the Law No. 5237.

Article 18

Misdemeanours

1) For the purposes of this Law;

a) An administrative fine of 5.000 to 100.000 TL shall be imposed on those who fail to fulfil the obligation to inform as stipulated in Article 10;
b) An administrative fine of 15.000 to 1.000.000 TL shall be imposed on those who fail to fulfil the obligations related to data security as stipulated in Article 12;
c) An administrative fine of 25.000 to 1.000.000 TL shall be imposed on those who fail to comply with the decisions issued by the Board as stipulated in Article 15;
ç) An administrative fine of 20.000 to 1.000.000 TL shall be imposed on those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification as stipulated in Article 16;
d) (Added: 2/3/2024- Art. 7499/35) An administrative fine of 50.000 to 1.000.000 TL shall be imposed on those who fail to fulfil the obligation to notify as stipulated in Article 9(5).

(2) (Amended: 2/3/2024- Art. 7499/35) The administrative fines provided for in subparagraphs (a), (b), (c) and (ç) of the first paragraph shall be imposed on the data controller; the fine stipulated in subparagraph (d) shall be imposed on the data controller or on natural persons and legal persons governed by private law that process data.

(3) (Added: 2/3/2024- Art. 7499/35) Administrative fines imposed by the Board may be appealed in administrative courts.

(4) In the event that the actions listed in the first paragraph be committed within the public institutions and organizations, and the professional organizations with public institution status, the disciplinary provisions shall be applied to the civil servants and other public officers employed in the relevant public institutions and organizations and those employed in the professional organizations with public institution status upon the notice of the Board, and the result shall reported to the Board.

Chapter 6 (Art. 19 - 27) — The Personal Data Protection Authority and its Organization

Article 19

The Personal Data Protection Authority

(1) Personal Data Protection Authority, which is a public legal entity and has administrative and financial autonomy, has been established to carry out duties conferred on it under this Law.

(2) The Authority is affiliated to the Minister assigned by the President of the Republic.

(3) The Headquarters of the Authority is in Ankara.

(4) The Authority is composed of the Board and the Presidency. Decision making body of the Authority is the Board.

Article 20

Duties of the Authority

(1) The duties of the Authority are as follows;

(a) to follow the latest developments in the legislation and practices, make evaluations and recommendations, conduct researches and investigations or have them conducted, within its field of duty.
(b) to cooperate with public institutions and organisations, non-governmental organizations, professional associations or universities within its field of duty, if needed.
(c) to follow and evaluate the latest international developments on personal data; and within its field of duty cooperate with international organisations and participate in the meetings
(ç) to transmit the annual activity report to the Presidency of the Republic of Türkiye , the Committee on Human Rights Inquiry of Grand National Assembly of Türkiye .
(d) to carry out other duties provided by laws.

Article 21

Personal Data Protection Board

(1) The Board shall perform and exercise the duties and powers conferred on it under this law and other legislation, independently and under its own responsibility. No body, authority, office or person shall give orders and instructions, recommendations or suggestions to the Board on matters falling within the scope of its duties and powers.

(2) The Board consists of nine members. Five members of the Board shall be elected by the Grand National Assembly of Türkiye ; four members shall be elected by the President of the Republic of Türkiye .

(3) The following conditions shall be met to be a member of the Board:

a) to have knowledge and experience on the issues in the field of duty of the Authority.
b) to have the necessary qualifications specified in points (1), (4), (5), (6) and (7) of sub-paragraph (A) of first paragraph of Article 48 of the Civil Servants Law No. 657 of 14/7/1965.
c) Not being a member of any political party.
ç) Having a bachelor degree of at least four years.
d) (Repealed: 2/7/2018 – Decree Law – Article 703/163)

(4) (Obsolete: 2/7/2018 – Decree Law – Article 703/163)

(5) The Grand National Assembly of Türkiye shall elect the Board members on the basis of the following procedure:

a) Persons twice as many as the number of members to be determined in proportion to the number of deputies of political party groups shall be nominated for election and the members of the Board shall be elected by the Plenary of the Grand National Assembly of Türkiye from among these candidates on the basis of the number of deputies allocated to each political party. However, no negotiation shall be held and no decision shall be taken at political party groups regarding whom to vote for in the elections to be held in the Grand National Assembly of Türkiye.
b) The election of the members of the Board shall be made within ten days after the nomination and announcement of the candidates. The unified ballot lists for candidates nominated by political party groups shall be issued in separate list. Votes shall be cast by marking the specific place across the names of the candidates. Votes given more than the number of members to be elected to the Board from the quota of political party groups determined in accordance with the second paragraph shall be deemed invalid.
c) Provided that the quorum of decision is ensured, candidates who have the most of the votes for the number of vacancies shall be deemed to have been elected.
ç) The election for the renewal of the members shall be held two months before the expiration of their term of office; should there be a vacancy in the membership positions for any reason, there shall be an election within one month as of the date of vacancy; or if the date of vacancy coincides with the recess of the Grand National Assembly of Türkiye , the election shall take place within one month from the end of the recess, by employing the same procedure. During these elections, the allocation of the vacant membership positions to the political party groups shall be made by considering the number of the elected members from the political party groups’ quotas in the first election and the current proportions of the political party groups.

(6) Forty-five days before the expiration of the term of office or in case of expiration of term of office by any reason of the members elected by the President of the Republic of Türkiye (…), the Authority shall notify the Presidency of the Republic of Türkiye of the situation in fifteen days (…). A new election shall take place one month before the expiration of term of office of the members. Should there be a vacancy in these memberships before the expiration of term of office, there shall be an election within fifteen days as of the date of notification.

(7) The Board shall elect the Head and the Second Head of the Board among its members. The Head of the Board is also the President of the Authority.

(8) Term of office of the Board members is four years. Members may be re-elected after expiration of their term of office. The person who is elected for the position of the member whose post ends before the expiration of his or her term of office for any reason, shall serve the remaining period.

(9) Members of the Board shall take the following oath before the First Presidency Board of the Court of Cassation: "I do solemnly swear on my honour and on my dignity that I will carry out my duties with absolute impartiality, correctness, fairness and with sense of justice in line with the Constitution and the relevant legislation." Application to Court of Cassation for oath taking is deemed to be one of the pressing matters.

(10) Unless provided for by a specific law, the members shall not assume any public or private tasks other than those related with carrying out their official duties in the Board; shall not act as executives in associations, foundations, cooperatives and in similar bodies; shall not engage in commercial activities, shall not engage in self-employment, shall not act as arbitrators and expert witnesses. However, Board members may prepare scientific publications, give lectures and attend conferences provided that these will not hinder their primary duties, and may receive copyrights and fees associated with those.

(11) Investigations into the claims about the crimes allegedly committed by the members in connection with their duties shall be conducted as per the Law No. 4483 of 2/12/1999 on Adjudication of Public Servants and Other Public Employees, and permission for investigation shall be granted by the President of Türkiye.

(12) Provisions of the Law No. 657 shall be applied to disciplinary investigations and prosecutions about the members of the Board.

(13) Members shall not be removed from their office by any reason before the expiration of their term of office. However, members of the Board may be removed from office by the Board decision if:

a) it is found out subsequently that they do not meet the conditions required for their election,
b) the conviction for the crimes, which is rendered for crimes committed by them in connection with their duties, is finalised.
c) it is ascertained with a medical board report that they will not be able to fulfil their duties,
ç) it is ascertained that they have been absent from work for fifteen consecutive days or for a total of thirty days within a year, without legitimate permission and excuse.
d) it is ascertained that they fail to attend three Board meetings in one month and ten Board meetings in one year without any permission and excuse.

(14) Those who are appointed as the members of the Board shall be removed from their previous posts during their term of office in the Board. On the condition that they do not fail to meet the requirements of being employed as a civil servant, those who are assigned as Board members whilst on duty shall be appointed to posts that are appropriate for their vested positions and titles in one month, in case their term of office ends or they express their will to resign and lodge an application in this regard to their former institution within thirty days. Until the assignment, Authority shall continue to make any payment they are vested with. Until they take another post or take up another employment, Authority shall continue to make the payment of those who are appointed as Board members despite not being public servants and whose term of office terminated as stated hereinabove; and the payments to be made under this scope shall not exceed three months. With regard to personal and other rights, terms spent in the Authority shall be deemed to have spent in the previous institutions or organisations.

Article 22

Duties and powers of the Board

(1) Duties and powers of the Board are as follows:

a) to ensure that the personal data are processed in compliance with fundamental rights and freedoms.
b) to conclude the complaints of those who claim that their rights with regard to personal data protection have been violated.
c) to examine whether the personal data are processed in compliance with the laws, upon complaint, or ex officio where it learns about the alleged violation, and to take temporary measures, if necessary.
ç) to determine the adequate measures which are necessary for the processing of special categories of personal data.
d) to ensure that Data Controllers’ Registry is maintained.
e) to carry out regulatory acts on the matters concerning the Board’s field of duty and operation of the Authority.
f) to carry out regulatory act to determine obligations related to data security
g) to carry out regulatory acts on the matters concerning duties, powers and responsibilities of the data controller and of its representative.
ğ) to decide on the imposition of administrative sanctions provided for in this Law.
h) to deliver its opinion about draft legislation prepared by other institutions or organizations that contain provisions on personal data.
ı) to conclude the Strategic Plan of the Authority; to determine the purpose, objectives, service quality standards and performance criteria of the Authority.
i) to discuss and decide on Strategic Plan and the budget proposal of the Authority which are prepared in compliance with its purposes and objectives.
j) to approve and publish the draft reports on the performance, financial situation, annual activities and other matters related with the Authority.
k) to discuss and decide on the recommendations as regards the purchase, sale and lease of immovable properties.
l) to carry out other tasks provided for by laws.

Article 23

Working Principles of the Board

(1) President shall determine the dates and agenda of the meetings. The President may summon the Board for an extraordinary meeting, if necessary.

(2) The Board shall convene at least with six members, including the President, and shall take decisions by simple majority of its total members. Members of the Board shall not cast abstaining vote.

(3) Members shall not attend and cast vote in meetings, which concern issues regarding themselves, their relatives by blood up to third degree and relatives by affinity of marriage up to second degree, their adopted children and their spouses even if the marriage has ended.

(4) Members of the Board shall not disclose the secrets they have learned concerning the relevant persons and third parties during their work to anyone other than legally authorized bodies, neither shall they use such secrets for their benefits. This obligation shall continue even after the end of their term of office.

(5) The issues debated in the Board shall be recorded in the minutes. The decisions and the grounds for the counter vote, if any, shall be written within 15 days at the latest. The Board shall release the decisions to the public, it deems necessary.

(6) Unless otherwise agreed, debates at the Board meetings are confidential.

(7) The Working procedures and principles of the Board and the writing procedure of the decisions and other issues shall be regulated through a by-law.

Article 24

The President

(1) The President, who is the highest-level official of the Authority, as the Head of both the Authority and the Board, organises and conducts the services of the Authority in accordance with the legislation, Authority’s purpose and policies, Strategic Plan, performance criteria and service quality standards, and , ensures coordination between service units.

(2) The President is responsible for the general management and representation of the Authority. This responsibility entails the duties and powers concerning regulation, execution, inspection, evaluation of Authority’s work and, its announcement to the public, when necessary.

(3) The duties of the President are as follows;

a) to chair the Board's meetings.
b) to ensure the notification of Board decisions and public announcement of these when deemed necessary by the Board, and to monitor their implementation.
c) to appoint Vice President, Heads of Departments and Authority’s personnel.
ç) to finalize the recommendations communicated by service units and submit them to the Board.
d) to ensure the implementation of the Strategic Plan and to establish the human resources and working policies in line with service quality standards.
e) to prepare the annual budget and financial tables of the Authority in line with the determined strategies, annual purposes and objectives.
f) to ensure coordination between the Board and service units to have them work incoherent, efficient, disciplined and well-ordered manner.
g) to maintain the relations of the Authority with other institutions.
ğ) to determine the scope of the duties and powers of the personnel authorized to sign on behalf of the President.
h) to carry out other duties related to the management and operation of the Authority

(4) The Second President is entitled to act on behalf of the President in his/her absence.

Article 25

Composition and Duties of the Presidency

(1) The Presidency is composed of Vice President and service units. The Presidency shall fulfil the duties listed in paragraph four through the service units which are organized as departments. The number of departments shall not be more than seven.

(2) One Vice President shall be appointed by the President in order to assist him/her in his/her administrative duties.

(3) The Vice President and Heads of Departments shall be appointed by the President among those who have a bachelor degree of at least 4 year program and served in the public institutions for at least ten years.

(4) The duties of the Presidency are as follows,

a) to maintain the Data Controllers’ Registry.
b) to carry out clerical services for the Authority and the Board.
c) to represent the Authority through attorneys-at-law at the proceedings and enforcement proceedings to which the Authority is a party; to follow up such proceedings or have them followed up and carry out the legal services.
ç) to carry out personnel-related services of the Board members and Authority’s personnel.
d) to perform the duties referred to in laws with regard to financial services and strategy development units.
e) to ensure that the information systems are established and used in order to carry operations of the Authority.
f) to draft reports on the annual activities of the Authority or on other issues which are deemed needed, and submit them to the Board.
g) to draft the Strategic Plan of the Authority.
ğ) to determine the personnel policy of the Authority, prepare and implement the education and career-based plans for the personnel.
h) to carry out the appointment, transfer, discipline, performance, promotion, retirement and other similar procedures regarding the personnel.
ı) to determine the ethical principles for the personnel and provide necessary training.
i)to carry out the services with regard to purchasing, leasing, maintenance, repair, construction, archive, health and social issues and similar ones within the framework of the Public Financial Management and Control Law No. 5018 of 10/12/2003.
j) to keep record of the movable and immovable properties of the Authority
k) to fulfil other duties conferred by the Board or the President.

(5) Service units and their working procedures and principles shall be laid down through a by-law which is brought into force by President of the Republic of Türkiye in compliance with the field of activity, duties and powers stated in the Law upon Authority’s proposal.

Article 26

The Personal Data Protection Experts and the Assistant Experts

(1) The Personal Data Protection Experts and the Assistant Experts may be recruited by the Authority. The experts and assistant experts who are appointed as Personal Data Protection Expert within the framework of additional Article 41 of the Law No. 657 shall receive one extra grade for once only.

Article 27

Provisions on the Personnel and Personnel Rights

(1) Personnel of the Authority shall be subject to the Law No. 657, excluding the matters regulated through this Law.

(2) Head and members of the Board and personnel of the Authority shall receive remunerations determined to be paid to the precedent personnel, within the scope of financial and social rights, as per Additional Article 11 of the Decree Law No. 375 of 27/6/1989, within the framework of the same procedures and principles applicable. Among the remunerations paid to the precedent personnel, those which are exempt from taxes and other legal deductions shall also be exempt from taxes and deductions as per the Law.

(3) Head and members of the Board and personnel of the Authority are subject to the sub-paragraph (c) of the first paragraph of Article 4 of the Social Insurance and General Health Insurance Law No. 5510 of 31/5/2006. Head and members of the Board and personnel of the Authority shall be considered equal with the precedent personnel in terms of retirement rights. Among the personnel who were appointed as Head and members of the Board when insured under sub-paragraph (c) of the first paragraph of Article 4 of the Law No. 5510, terms of office in these duties shall be considered while ascertaining acquired rights, pensions, grades and steps of those whose term of office ends or who express their will to resign. The relevant term of office of those who fall within the scope of Provisional Article 4 of the Law No. 5510 while on duty, shall be deemed as the period for which position and representation compensation should be paid. Removal from previous institutions and organisations of those who were appointed as Head and members of the Board when insured under sub-paragraph (a) of the first paragraph of Article 4 of the Law No. 5510, shall not entail receiving a severance pay or termination pay. In such a case, term of office qualified for a severance pay or redundancy payment, shall be added to the service periods spent as Head and member of the Board, and accepted as the period for which a retirement bonus.

(4) Civil servants working in public administrations attached to the centralized government, social security institutions, local administrations, administrations attached to local administrations, local administrative unions, revolving fund enterprises, funds established with laws, public entities, organizations more than 50% of whose capital belongs to public, public economic enterprises, state-owned economic enterprises, and associations and establishments attached to these, as well as other public officials may be seconded to the Authority upon the consent of their own institution, judges and public prosecutors may be seconded upon their consent provided that their salaries, allowances, any increases thereof, compensations and other social and financial rights and aids are paid by their own institution. Requests of the Authority in this regard shall be concluded with priority by the related institutions and organizations. Personnel assigned accordingly shall be deemed on paid leave. During this leave, rights of the personnel and their connection with civil service shall be maintained, this period of leave shall be taken into account in promotions and retirement, and they shall be promoted in due time without any need to further action. Periods spent in the Authority by those assigned under this Article shall be deemed to have been spent in their own institutions. Number of the personnel assigned accordingly shall not exceed ten per cent of the total number of posts for Personal Data Protection Experts and Personal Data Protection Assistant Experts, and the term of assignment shall not exceed two years. However, when deemed necessary, this term may be extended in one-year periods.

(5) Titles and numbers of posts regarding the personnel to be employed in the Authority are presented in the annexed Table (I). Changes in titles and grade; addition of new titles and annulment of vacant posts shall be made upon the decision of the Board, provided that it shall not exceed the total number of posts, and shall be limited with the titles in the annexed tables of the Decree Law No. 190 on the General Posts and Procedures, dated 13/12/1983.

Chapter 7 (Art. 28 - 33) — Miscellaneous

Article 28

Exemptions

(1) The provisions of this Law shall not be applied in the following cases where:

a) personal data are processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with.
b) personal data are processed for official statistics and provided that they are being anonymized for the purposes for such as research, planning and statistics.
(c) personal data are processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or the process doesn’t constitute a crime.
(ç) personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned by law to maintain national defence, national security, public security, public order or economic security.
(d) personal data are processed by judicial authorities or execution authorities with regard to investigation, prosecution, judicial or execution proceedings.

(2) Provided that it is in compliance with and proportionate to the purpose and fundamental principles of this Law, Article 10 regarding the data controller's obligation to inform, Article 11 regarding the rights of the data subject, excluding the right to claim compensation, and Article 16 regarding the obligation to register with the Data Controllers’ Registry shall not be applied in the following cases where personal data processing:

a) is necessary for the prevention of committing a crime or for crime investigation.
b) is carried out on the data which are made public by the data subject himself/herself.
c) is necessary for performance of supervision or regulatory duties and disciplinary investigation and prosecution to be carried out by the assigned and authorised public institutions and organizations and by public professional organizations, in accordance with the power conferred on them by the law,
ç) is necessary for protection economic and financial interests of State related to budget, tax and financial matters.

Article 29

The Budget and the Revenues of the Authority

(1) The budget of the Authority shall be prepared and adopted in accordance with procedures and principles provided for in the Law No. 5018.

(2) The revenues of the Authority are as follows;

a) Treasury grants from the general budget.
b) The revenues from the movable and immovable properties of the Authority.
c) Donations and grants received.
ç) The revenues from the utilization of the revenues.
d) Other revenues.

Article 30

Amended and Added Provisions

(1) (It is related to the Law No. 5018 and dated 10/12/2003 and inserted therein)

(2) – (5) (It is related to the Law No. 5237 and dated 26/9/2004 and inserted therein)

(6) (It is related to the Law No. 3359 and dated 7/5/1987 and inserted therein)

(7) (It is related to the– Organization and Responsibilities of Ministry of Health and its Associated Institutions – Decree Law No 663 and dated 11/10/2011 and inserted herein)

Article 31

By-law

(1) By-laws related to the implementation of this Law shall be brought into force by the Authority.

Transitional Provisions

Provisional Article 1

(1) The members of the Board shall be elected and the organizational structure of the Presidency shall be established within six months following the date of publication of this Law, as per the procedure stipulated in Article 21.

(2) Data controllers are obliged to register with the Data Controllers’ Registry within the time specified and announced by the Board.

(3) The personal data that were processed before the publication date of this Law shall be rendered compatible with the provisions of this Law within two years as of its date of publication. The personal data which are found to be not complying with the provisions of this Law shall be immediately erased, destructed or anonymized. However, consents duly taken before the publication date of this Law shall be deemed compatible with the provisions of this Law, unless no declaration of intent is made to the contrary within one year.

(4) The by-laws provided for by this Law shall be brought into force within one year as of the date of publication of this Law.

(5) A high-level executive, to ensure coordination with regard to the implementation of the Law in public institutions and organisations, shall be appointed and notified to the Presidency within one year as of the date of publication of this Law.

(6) The term of office for the first elected President, the Second President, and two members who are determined by ballot, shall be six years; this period shall be four years for the remaining five members.

(7) Until the budget of the Authority is allocated;

a) The expenditures of the Authority shall be reimbursed by the budget of the office of the Prime Minister.
b) All necessary support services such as the premises, equipment, furnishing and the hardware shall be provided by the office of the Prime Minister in order for the Authority to fulfil its duties.

(8) The clerical services of the Authority shall be carried out by the office of the Prime Minister until the service units of the Authority has become fully functional.

Provisional Article 2

(Added:28/11/2017 – Article 7061/120)

(1) Those who are graduated from 4-year degree program from faculties of political sciences, economics and administrative sciences, faculty of law and business administration or the departments of electronics or electrical and electronic engineering, electronic and communication engineering, computer engineering, information systems engineering of faculty of engineering in Türkiye or abroad whose accreditation have been recognized by Council of Higher Education; and who have served for more than two years excluding annual leaves at positions indicated in sub-paragraph (11) of paragraph (A) of “Common Terms” Article 36 of the Law No 657 which requires occupational qualification test and on-the-job training and lecturers, having taken minimum 70 points at Foreign Language Placement Test and who are younger than 40 year old may be assigned as Personal Data Protection Expert. Number of personnel to be assigned in regard may not exceed fifteen.

Provisional Article 3

(Added: 2/3/2024- Art. 7499/36)

(1) The first paragraph of Article 9, as it existed before the amendment introduced by the law, shall remain in effect until 1/9/2024, alongside the amended version that entered into force.

(2) Applications pending before the criminal judgeships of peace as of 1/6/2024 shall continue to be processed by these judgeships.

Article 32

Entry into force

(1) For the purposes of this Law;

a) Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 shall enter into force after six months as of the date of its publication.
b) Other Articles shall enter into force on the date of its publication.

Article 33

Enforcement

(1) The provisions of this law shall be enforced by the Council of Ministers.

By-Laws

By-Law On Data Controllers Registry

* This is an English translation. In case of any difference in meaning between the original Turkish text and the English translation, the Turkish text shall apply.

Chapter 1 (Art. 1 - 4) — Purpose, Scope, Legal Basis and Definitions

Article 1

Purpose

(1) The purpose of this By-law is to determine and ensure the implementation of procedures and principles related to the establishment and management of Data Controllers’ Registry to be kept publicly available by Presidency under supervision of the Board pursuant to Personal Data Protection Law No. 6698 of 24/3/2016 and envisaged records to be entered into Data Controllers’ Registry.

Article 2

Scope

(1) This By-law shall apply to natural and legal persons who determine the purposes and means of personal data processing and are responsible for establishment and management of the data filing system.

Article 3

Legal Basis

(1) This By-law has been prepared on the basis of Article 16(5) and subparagraphs (d) and (e) of Article 22(1) of Law No. 6698.

Article 4

Definitions

(1) For the purposes of this By-law:

a) “Recipient group” means category of natural and legal persons to which the personal data are transferred by the data controller,
b) “President” means the President of Personal Data Protection Authority,
c) “Presidency” means the Presidency of Personal Data Protection Authority,
ç) (Amended: OG (Official Gazette) – 28/4/2019-30758) “Contact person” means the natural person notified by the data controller which is natural and legal person established in Türkiye and by representative who represents the data controller which is natural and legal person not established in Türkiye during the registration with the Registry for communicating with the Authority relating to obligations within the scope of the Law and secondary legislation to be prepared in accordance with this Law,
d) “Law” means the Personal Data Protection Law No. 6698,
e) “Registration” means the notification made by data controllers who are obliged to register, in accordance with procedures and principles determined by this By-law.
f) “Obligation to register” means the obligation relating to registration to be fulfilled pursuant to the By-law,
g) “Registered e-mail address (KEP)” means the qualified form of electronic mail which provides legal evidence for the use of it, including sending and delivering of electronic messages,
ğ) “Personal data” means any information relating to an identified or identifiable natural person,
h) (Amended: OG-28/4/2019-30758) “Personal data processing inventory” means the inventory which are detailed by explanations of the followings; personal data processing operations performed by data controllers according to their business processes, purposes and legal basis of personal data processing, data category, recipient group, maximum storage period which is formed relating to the group of person subject to data and necessary for the purpose for which personal data are processed, personal data envisaged to be transferred to foreign countries, and measures taken relating to data security.
ı) “Personal data storage and disposal policy” means the policy which data controllers issue as a basis for erasure, destruction and anonymization of personal data and the determination of maximum storage period for the purpose for which personal data are processed.
i) “Processing of personal data” means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,
j) “Board” means the Personal Data Protection Board,
k) “Authority” means the Personal Data Protection Authority,
l) “Registry” means Data Controllers’ Registry kept by the Presidency,
m) “Category of Data” means group of personal data related to group(s) of persons subject to data that are classified in accordance with their common features,
n) “Group of persons subject to the data” means category of the data subject whose personal data are processed by data controllers,
o) “Data Controllers’ Registry Information System (VERBIS)” means information system that is accessible through the Internet, established and managed by the Presidency, that data controllers will use for the registration with the Registry and the other operations related to the Registry,
ö) “Data controller” means the natural or legal person who determines the purpose and means of processing of personal data and is responsible for establishment and management of the data filing system,
p) (Amended: OG-28/4/2019-30758) “Representative of the data controller” means the legal person established in Türkiye or the natural person who is citizen of Republic of Türkiye , minimum authorized to represent data controllers which are not established in Türkiye within the scope of the issues specified in the third paragraph of Article 11 of this By-law,

(2) For the definitions not included in this By-law, the definitions in the Law shall apply.

Chapter 2 (Art. 5 - 7) — Establishment, Management, Supervision of the Registry and Access to the Registry

Article 5

Principle, rules and procedures

(1) Following principles, rules and procedures shall be applied in establishment, management and supervision of the Registry:

a) Data controllers are obliged to register with the Registry prior to the start of data processing.
b) Data controllers not established in Türkiye are obliged to register with the Registry by their representatives prior to the start of data processing.
c) The Registry shall be kept publicly available. Board is authorized to determine the scope of this principle and derogations provided that the principle of making publicly available is ensured.
ç) (Amended: OG-28/4/2019-30758) Data controllers under registration obligation are obliged to prepare Personal Data Processing Inventory. The information to be entered in the application for the Registry is prepared based on Personal Data Processing Inventory.
d) The information entered into the Registry based on personal data processing inventory and published in the Registry, shall be the basis for the obligation to inform for data controllers referred to in Article 10 of the Law, responses to the request of concerned data subjects referred to in Article 13 of the Law and the determination of the scope of explicit consent to be given by data subjects.
e) Data controllers shall be responsible for the information entered into the Registry and published in the Registry to be complete, accurate, up-to-date and lawful. Registration of the data controllers with the Registry shall not remove the other obligations under the Law.
f) Without prejudice to the conditions specified in Article 28 of the Law, the Board may provide derogation from the obligation to register for the data controllers meeting certain conditions on the basis of the objective criteria specified in Article 16 of the By-law. This derogation shall not remove the obligations of those data controllers under the Law.
g) The operations relating to the Registry shall be carried out by data controllers through VERBIS.
ğ) (Amendment: OG-28/4/2019-30758) – (1) Maximum storage period necessary for the purpose of processing of personal data entered by data controllers into the Registry and published in the Registry shall be basis for erasure, destruction and anonymization obligations of data controllers specified in Article 7 of the Law.

Article 6

Establishment, Management and Supervision of the Registry

(1) Registry is established by Presidency. Presidency, for the establishment, management, protection of the Registry and maintaining it up-to-date, shall take necessary technical and organizational measures to establish and to operate VERBIS.

(2) Responsible department for establishment and management of the Registry is Department of Data Management.

(3) Supervision of the Registry is carried out by the Board. Activity report which has been prepared by Department of Data Management once a three month and whose scope determined by the Board, shall be transmitted to the Board.

Article 7

Access to Registry

(1) The Presidency shall make current information in the Registry publicly available by the appropriate means to be determined pursuant to Board decisions.

(2) Among the information given in the Registry, the following shall be disclosed to the public:

a) (Amendment: OG-28/4/2019-30758) The data controller, representative of the data controller, if any, address and KEP (Registered E-Mail) address, if taken,
b) The purposes for which the personal data will be processed,
c) Group(s) of persons subject to the data and data categories relating to those persons,
ç) Recipients and recipient groups to whom personal data may be transferred,
d) Personal data which are envisaged to be transferred to foreign countries,
e) Registration date and expiration date of the registration.
f) Measures taken for the security of personal data,
g) Maximum storage period necessary for the purposes for which personal data are processed.

Chapter 3 (Art. 8 - 14) — Beginning of Registration Obligation, Information to be entered into VERBIS, Registration Application, Renewal and Erasure of Registration

Article 8

Beginning of Registration Obligation

(1) Data controllers shall fulfil the obligation to register with the Registry prior to the start of data processing.

(2) If the data controllers, who are not under the registration obligation, become obliged to register later, they shall register with the Registry within thirty days following their entry into the obligation.

(3) Data controllers, who are obliged to register with the Registry, may request additional time for fulfilling their registration obligation from the Authority in cases where they cannot fulfil their obligation to register due to any technical, legal or actual impossibility on the condition that apply to the Authority in writing with justifiable grounds in not later than 7 work days. Authority may give additional time only once, not exceeding thirty days in any case.

Article 9

Information to be entered within the scope of registration obligation

(1) Registration Application to the Registry includes the following information:

a) The information included in the application form determined by the Board relating to the identity and address of the data controller, representative of the data controller, if any and contact person,
b) The purposes for which the personal data will be processed,
c) The explanations about group(s) of persons subject to the data as well as about the data categories belonging to these people,
ç) The recipients or groups of recipients to whom personal data may be transferred,
d) The personal data which are envisaged to be transferred abroad,
e) Measures taken as referred to in Article 12 of the Law and in accordance with the criteria determined by the Board,
f) Maximum storage period of personal data laid down by the legislation or for the purposes for which personal data are processed,

2) Information to be entered into the Registry by data controllers pursuant to subparagraphs (b), (c), (ç) and (d) of the first paragraph; shall be transmitted through VERBIS to the Registry based on Personal Data Processing Inventory by using headings given in VERBIS.

(3) Information to be entered into the Registry by data controllers pursuant to subparagraph (e) of the first paragraph shall be transmitted through VERBIS to the Registry in the manner that cover the issues specified in the Article 12 of the Law by using headings given in VERBIS.

(4) Information relating to the maximum storage period laid down by the legislation or for the purposes for which personal data are processed relating to the personal data to be entered into the Registry by data controllers pursuant to the subparagraph (f) of the first paragraph, shall be entered into the Registry by matching them with data categories. Maximum storage period necessary for the purposes of processing of data categories entered into the Registry by the data controller may differ from the period envisaged in the legislation. In such cases, if maximum storage period is envisaged in the legislation, this period shall be entered into the Registry, if not envisaged, the longest storage period of this category shall be entered into the Registry. While determining the maximum storage period required for purposes for which personal data are processed, following issues shall be taken into account:

a) The period generally accepted in the sector in which the data controller operates within the scope of purposes for processing relevant data category,
b) The period that requires processing of personal data in the relevant data category and to continue legal relationship with the data subject,
c) The period to be valid for the legitimate interest to be obtained by the data controller in accordance with lawfulness and fairness, depending on the purpose of processing relevant data category,
ç) The period in which the risks, costs and responsibilities arising from the storage of the relevant data category depending on the purpose of processing shall continue legally,
d) Whether maximum storage period to be determined is appropriate to keep the relevant data category accurate and up-to-date where necessary,
e) Time period in which the data controller is obliged to retain personal data given in the relevant data category pursuant to its legal obligation,
f) Period of limitation determined by the data controller for assertion of a right relating to personal data in the relevant data category.

(5) Data controllers shall issue a personal data storage and disposal policy for defining maximum storage period of personal data for the purposes of processing, complying with this period indicated in personal data processing inventory and tracking whether these periods are exceeded or not and shall ensure the implementation of such policy.

(6) In cases where headings and contents given in VERBIS do not cover operations of the data controller and the information to be entered into the Registry, the data controller shall complete its registration by entering such information into “Others” section in VERBIS which is provided for such cases.

Article 10

Application for Registration

(1) Data controllers shall be deemed to have fulfilled its registration obligation by entering the information specified in Article 9 into VERBIS.

(2) Data controllers, who have been given additional time by the Authority pursuant to third paragraph of Article 8, are obliged to complete registration before this time expires.

Article 11

Obligations of the data controller, representative of the data controller and contact person

(1) Legal persons are themselves the data controllers for the legal persons. The data controller obligations of legal persons established in Türkiye under the Law are fulfilled by capacity of competent to represent and bind the legal person or the person(s) specified in the relevant legislation pursuant to provisions of the relevant legislation. Competent representative may assign one or more persons for its obligations to be fulfilled for the implementation of the Law. This assignment does not remove the responsibilities of legal person pursuant to the provisions of the Law.

(2) Representatives of data controllers not established in Türkiye shall submit certified copy of decision for the designation of a representative to be taken its competent or person to the Authority during application.

(3) Decision of designation for representative of the data controller shall be arranged to cover at least the following points:

a) to receive or accept notifications and correspondence made by the Authority on behalf of the data controller,
b) to transmit the demands made by the Authority to the data controller and to submit the responses of the data controller to the Authority,
c) to receive and transmit requests to be made by data subjects pursuant to first paragraph of the Article 13 of the Law on behalf of the data controller, in case no other principle has been determined by the Board.
ç) to transmit the response of the data controller to the data subjects pursuant to third paragraph of Article 13 of the Law, in case no other principle has been determined by the Board,
d) to perform operations relating to the Registry on behalf of the data controller.

4) (Amendment: OG-28/4/2019-30758), Data controllers established in Türkiye and representatives of data controllers not established in Türkiye shall enter contact person information into the Registry at the time of registration. Contact person is not authorized to represent data controllers in accordance with the provisions of the Law and the By-law.

5) (Amendment: OG-28/4/2019-30758) Contact person in the public institutions shall be head of department or higher executive to be assigned by the coordinating high level executive for the aim of communication with the Authority.

Article 12

Communication

(1) Related to the implementation of the Law, the Authority shall use following means of communications with data controllers:

a) For legal persons established in Türkiye; identity, address or KEP (registered e-mail address) address notified to the Registry,
b) For natural persons settled in Türkiye; identity, address or KEP address notified to the Registry,
c) For data controllers not established in Türkiye; representative of the data controller notified to the Registry.

Article 13

Changes in Registry records

(1) (Amendment: OG-28/4/2019-30758) In case of any change in the Registry records, data controllers shall notify the Authority through VERBIS within seven days of the date of change.

Article 14

Erasure of Registry records

(1) The data controller shall apply to the Authority relating to the erasure of their Registry records through VERBIS.

(2) If the obligation to register is relieved or terminated, Registry records shall be erased. These records shall be accessible in case of any request however they are kept in a manner that no changes can be made.

(3) Erasure of registry records does not relieve the data controller of the obligations during the period in which it is registered.

Chapter 4 (Art. 15 - 16) — Exemptions from Registration Obligation

Article 15

Cases of exemptions

(1) In respect of the following personal data processing activities, data controllers are not obliged to register and notify these activities to the Registry:

a) Data processing is necessary for the prevention of committing a crime or for crime investigation.
b) Processing the data which are made public by the data subject himself/herself.
c) Data processing is necessary for performance of supervision or regulatory duties and disciplinary investigation and prosecution to be carried out by the assigned and competent public institutions and organizations and by the public professional organizations, in accordance with the power conferred on them by the law,
ç) Data processing is necessary for protection economic and financial interests of State related to budgetary, tax and financial matters.

Article 16

Derogation criteria

(1) The Board may provide derogation from registration obligation by considering following criteria:

a) The nature of personal data.
b) The quantity of personal data.
c) The purpose of processing of personal data.
ç) The field of activity where personal data are processed.
d) Transferring personal data to third parties.
e) The fact that the processing of data is laid down in the laws.
f) Storage period of personal data.
g) Group of persons subject to the data or categories of data.
ğ) (Annex: OG-28/4/2019-30758) The information of annual number of employees or annual financial balance sheet of the data controller.

(2) Board has the authority to take decisions in order to determine principles and procedures of implementation and the scope of exemptions determined in the framework of criteria listed in the first paragraph. Board shall announce such decisions to public via appropriate means of communication.

Chapter 5 (Art. 17 - 20) — Miscellaneous

Article 17

Administrative sanction

(1) Administrative fine referred to in sub-paragraph (ç) of Article 18(1) of the Law shall be imposed on data controllers who act contrary to the obligation to register and notify.

(2) In the event that the action to contrary to the obligation to register and notify is committed within the public institutions and organizations as well as the public professional organizations, the disciplinary provisions shall be applied to the civil servants and other public officers employed in the relevant public institutions and organisations and those employed in the public professional organizations upon the notice of the Board and the result is reported to the Board.

Article 18

Clarifying the Doubts

(1) The Board is authorised to clarify the doubts and recover disruptions to occur during the implementation of this By-law, to direct the implementation, to determine the principles and standards and make necessary arrangements to ensure the unity of implementation, to demand any type of information and documentation in this regard and to take a decision within the framework of the relevant legislation on matters which are not included in this By-law.

Article 19

Entry into force

(1) This By-law enters into force on 1/1/2018.

Article 20

Enforcement

(1) The President shall enforce the provisions of this By-law.

By-Law on Erasure, Destruction or Anonymization of Personal Data

* This is an English translation. In case of any difference in meaning between the original Turkish text and the English translation, the Turkish text shall apply.

Chapter 1 (Art.1 - 4) — Purpose, Scope, Legal Basis and Definitions

Article 1

Purpose

(1) The purpose of this By-Law is to determine principles and procedures regarding erasure, destruction and anonymization of personal data processed wholly or partially by automated means or by non-automated means which provided that form part of a data filing system.

Article 2

Scope

(1) Provisions of this By-Law shall apply to data controllers in accordance with Article 7 of the Personal Data Protection Law No. 6698 and of 24/03/2016.

Article 3

Legal Basis

(1) This By-Law is issued on the basis of Article 7(3) and sub-paragraph (e) of Article 22(1) of Personal Data Protection Law No. 6698.

Article 4

Definitions

(1) For the purposes of this By-Law:

a) “Recipient group” means category of natural or legal persons to which the personal data are transferred by the data controller,
b) “User concerned” means persons who process personal data within the organization of the data controller or upon authorization and instructions received from the data controller, other than the person or department which is responsible for the technical storage, protection and back up of personal data,
c) “Disposal” means erasure, destruction or anonymization of personal data,
ç) “Law”: Personal Data Protection Law No. 6698 and of 24/3/2016,
d) “Recording medium” means any type of environment that keeps the personal data processed wholly or partially by automated means or non-automated means which provided that form part of a data filing system,
e) (Amendment:OG-28/4/2019-30758) “Personal data processing inventory” means the inventory which are detailed by explanations of the followings: personal data processing activities of data controllers according to their business processes; purposes and legal ground of personal data processing; data category; maximum data storage period required for the purposes formed relating to the recipient group to whom the data are transferred and with data subject groups, and for personal data processing; personal data envisaged to be transferred to foreign countries; and measures taken relating to the data security,
f) “Personal data storage and disposal policy” means the policy which data controllers issues as a basis for erasure, destruction and anonymization of personal data and determination of maximum storage period for the purpose for which personal data are processed,
g) “Board” means Personal Data Protection Board,
ğ) “Periodic Disposal” means the erasure, destruction or anonymization process which is determined in the personal data storage and disposal policy and to be carried out periodically ex officio, in the event that all of the conditions for processing laid down in the Law no longer exist,
h) “Registry” means Data Controllers’ Registry kept by Personal Data Protection Authority,
ı) “Data filing system” means the filing system where personal data are processed by being structured according to specific criteria,
i) “Data Controller” means the natural or legal person who determines the purpose and means of processing personal data and is responsible for the establishment and management of the data filing system,

(2) For the definitions not included in this By-Law, the definitions in the Law shall apply.

Chapter 2 (Art.5 - 6) — Personal Data Storage and Disposal Policy

Article 5

Principles regarding the Personal Data Storage and Disposal Policy

(1) Pursuant to Article 16 of the Law; data controllers who are obliged to register with Data Controllers’ Registry system shall issue personal data storage and disposal policy in accordance with personal data processing inventory.

(2) To issue personal data storage and disposal policy shall not mean that personal data are stored, erased, destructed or anonymized in accordance with the Law and the By-Law.

(3) For data controllers who are not obliged to issue personal data storage and disposal policy, the obligation of storage, erasure, destruction or anonymization of personal data shall continue pursuant to the Law and By-Law.

Article 6

Scope of personal data storage and disposal policy

(1) Personal data storage and disposal policy shall at least include the following:

a) Purpose of issuing personal data storage and disposal policy,
b) Recording medium arranged in accordance with personal data storage and disposal policy,
c) Definitions of technical and legal terms indicated in personal data storage and disposal policy,
ç) Explanations relating to legal, technical or other reasons requiring storage and disposal of personal data
d) Technical and organizational measures taken against unlawful processing of and access to personal data and for storing personal data securely,
e) Technical and organizational measures taken for lawful disposal of personal data,
f) Definitions of titles, units and tasks of those who are involved in personal data storage and disposal processes
g) Table that shows storage and disposal periods,
ğ) Time period for periodic disposal,
h) Any alterations being made in the current personal data storage and disposal policy, if any.

Chapter 3 (Art.7 - 12) — Erasure, Destruction and Anonymization of Personal Data

Article 7

Erasure, Destruction and Anonymization of Personal Data

(1) Personal data shall be erased, destructed or anonymized by the controller ex officio (by its own initiative) or upon the request of the data subject, in the event that all of the conditions for processing laid down in Article 5 and Article 6 of the Law no longer exist.

(2) It is mandatory to act in accordance with general principles of Article 4 of the Law, technical and organizational measures to be taken within the scope of Article 12, provisions of the relevant legislation, Board decisions and personal data storage and disposal policy in erasure, destruction and anonymization of personal data.

(3) All operations relating to erasure, destruction and anonymization of personal data shall be recorded and those records shall be stored for minimum three years excluding other legal obligations.

(4) (Amendment: OG-28/4/2019-30758) The data controller is obliged to describe the methods used for the erasure, destruction and anonymization operations of personal data in the relevant policies and procedures.

(5) Unless otherwise decided by the Board, the data controller may choose one of the appropriate methods for periodic erasure, destruction or anonymization of personal data ex officio. Upon request of data subject, the data controller may choose appropriate method with justified grounds.

Article 8

Erasure of personal data

(1) Erasure of personal data is the process of rendering personal data inaccessible and non-reusable for the users concerned, by no means.

(2) The data controller is obliged to take necessary technical and organizational measures required for ensuring erased data to be inaccessible and non-reusable for its users concerned.

Article 9

Destruction of personal data

(1) Destruction is the process of rendering personal data inaccessible, irretrievable or non-reusable by anyone, by no means.

(2) The data controller is obliged to take any type of technical and organizational measures required for ensuring destruction of personal data.

Article 10

Anonymization of personal data

(1) Anonymization is the process of rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

(2) To anonymize the personal data, personal data shall be rendered impossible to relate to identified or identifiable person, even through using appropriate techniques in respect of the recording medium and relevant field of activity, such as recovery of data by the data controller, recipient or recipient groups and matching data with other data.

(3) The data controller is obliged to take any type of technical and organizational measures required for ensuring anonymization of personal data.

Article 11

Time periods for ex officio erasure, destruction and anonymization of personal data

(1) The data controller, who has issued data storage and disposal policy, shall erase, destruct or anonymize the personal data in the first periodic disposal process following the date when obligation of erasure, destruction or anonymization of personal data arises.

(2) Time interval for periodic disposal shall be defined in personal data storage and disposal policy by the data controller. This time interval cannot exceed six months in any case.

(3) Data controllers who are not obliged to issue personal data storage and disposal policy, shall erase, destruct or anonymize personal data within three months following the date for obligation of erasure, destruction or anonymization of personal data arises.

(4) Board may shorten the durations specified in this Article in the case of irreparable or impossible damages, and in the event of explicit infringement of the law.

Article 12

Time period for erasure and destruction of personal data upon request of data subject

(1) (Amendment- OG-28/4/2019-30758) When the data subject requests erasure or destruction of his/her personal data from the data controller, pursuant to Article 11 and 13 of the Law;

a) In the event that all of the conditions for the processing no longer exist; the data controller shall erase, destruct or anonymize the mentioned personal data which are subject to the request. The data controller shall act on the request of the data subject at the latest within thirty days and inform the data subject.

b) In the event that all of the conditions for the processing no longer exist and the personal data which are subject to the request have been transferred to any third party; the data controller shall notify the third party of such request and ensure the performance of necessary operations by the third party within the scope of this By-Law.

c) In the event that all of the conditions for the processing have not disappeared completely, the request may be rejected by the data controller in accordance with the Article 13(3) of the Law together with its justified grounds and such rejection shall be communicated to the data subject in writing or by electronic means at the latest within thirty days.

Chapter 4 (Art.13 - 15) — Miscellaneous and Final Provisions

Article 13

Clarifying Doubts

(1) The Board is authorised to clarify the doubts and recover disruptions to occur during the implementation of this By-Law, to direct the implementation, to determine the principles and standards and make necessary arrangements to ensure the unity of implementation, to demand any type of information and documentation in this regard and to take a decision within the framework of the relevant legislation on matters which are not included in this By-Law.

Article 14

Entry into force

(1) This By-Law shall enter into force on 1/1/2018.

Article 15

Enforcement

(1) The President of Personal Data Protection Authority shall enforce the provision of this By-Law.

By-Law On The Procedures And Principles For The Transfer Of Personal Data Abroad

*This is a courtesy translation without binding nature. In the event of any discrepancies, the original Turkish text shall prevail.

Chapter 1 (Art. 1 - 4) — Initial Provisions

Article 1

Purpose

(1) The purpose of this By-Law is to establish the procedures and principles regarding the implementation of Article 9 of the Personal Data Protection Law No. 6698 dated 24/03/2016, which regulates the transfer of personal data abroad.

Article 2

Scope

(1) The provisions of this By-Law shall apply to data controllers and data processors involved in the transfer of personal data abroad in accordance with Article 9 of the Law No. 6698.

Article 3

Basis

(1) This By-Law is issued pursuant to Article 9(11) and Article 22(1)(e) of the Law No. 6698.

Article 4

Definitions

(1) For the purposes of this By-Law, the following definitions shall apply:

a) President: The President of the Personal Data Protection Authority;
b) Data subject: A natural person whose personal data is processed;
c) Law: The Personal Data Protection Law No. 6698 dated 24/3/2016;
ç) Personal data: Any information relating to an identified or identifiable natural person;
d) Processing of personal data: Any operation which is performed on personal data, wholly or partially, by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof;
e) Transfer of personal data abroad: The transmission of personal data from a data controller or data processor under the Law No.6698 to a data controller or data processor established abroad, or making such data accessible to them by any other means;
f) Board: The Personal Data Protection Board;
g) Authority: The Personal Data Protection Authority;
ğ) Data exporter: A data controller or data processor transferring personal data abroad;
h) Data importer: A data controller or data processor in a foreign country receiving personal data from the data exporter;
ı) Data processor: A natural or legal person who processes personal data on behalf of the data controller upon its authorisation;
i) Data controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

(2) For the definitions not covered in this By-Law, the definitions provided in the Law and relevant legislation shall apply.

Chapter 2 (Art. 5 - 7) — General Provisions

Article 5

Transfer of personal data abroad

(1) Personal data may only be transferred abroad by the controller and the processor in accordance with the procedures and principles set forth in the Law and this ByLaw. In cases where personal data is transferred by the processor, the instructions from the controller shall also be complied with.

(2) The provision of the first paragraph shall also apply to onward transfers of personal data that has been transferred abroad, and transfers to international organisations.

(3) The provisions of other laws concerning the transfer of personal data abroad are reserved.

Article 6

Procedures for transferring personal data abroad

(1) Personal data may be transferred abroad by controllers and processors under one of the conditions specified in Article 5 and Article 6 of the Law, and in the event of the following circumstances:

a) An adequacy decision has been issued regarding the country, sectors within that country, or international organisations to which the transfer is to be made;
b) In the absence of an adequacy decision, one of the appropriate safeguards specified in Article 10 is provided by the parties, on the condition that data subject rights and effective legal remedies for data subjects are also available in the country receiving the transfer.

(2) In the absence of an adequacy decision and where the parties cannot provide one of the appropriate safeguards specified in Article 10, personal data may be transferred abroad by controllers and processors only under one of the exceptional circumstances specified in Article 16, provided that such transfer is incidental.

(3) Without prejudice to the provisions of international conventions, personal data may only be transferred abroad with the permission of the Board by obtaining the opinion of the relevant public institution or organisation, in cases where the interests of Türkiye or the data subject would be seriously harmed.

Article 7

Transfer of personal data abroad by the processor

(1) In cases where personal data is transferred abroad by the processor, the processor shall act within the purpose and scope established by the controller, on behalf of the controller, and in accordance with the controller’s instructions. The processor shall implement all necessary technical and organisational measures to ensure an appropriate level of security, corresponding to the nature of personal data, in order to prevent unlawful processing of personal data, unlawful access to personal data, and to ensure protection of personal data.

(2) The transfer of personal data abroad by the processor shall not relieve the controller of its responsibility to comply with the procedures and principles, and to ensure the necessary safeguards stipulated in the Law and this By-Law. The controller shall be obliged to ensure that the technical and organisational measures specified in the first paragraph are implemented by the processor.

(3) If the processor is obliged to notify the standard contract pursuant to the Article 14(5), the processor shall fulfil this notification obligation independently of any instructions from the controller.

Chapter 3 (Art. 8 - 9) — Transfers on the Basis of an Adequacy Decision

Article 8

Adequacy decision

(1) The Board may decide that a country, one and more sectors within that country, or an international organisation offers an adequate level of protection with respect to the transfer of personal data abroad. When assessing the adequacy of the level of protection, the following elements shall be taken into account:

a) The reciprocity status concerning the transfer of personal data between Türkiye and the country, sectors within that country, or international organisations to which the data will be transferred;
b) The relevant legislation and practices of the country receiving the data transfer, and the rules governing the international organisation receiving the data transfer;
c) The existence of an independent and effective data protection authority in the country or to which an international organisation is subject, as well as the availability of administrative and judicial redress for the data subjects;
ç) The status of being a party to relevant international conventions on personal data protection or membership in international organisations by the country or international organisation to which the personal data will be transferred;
d) The membership status of the country or international organisation receiving the data transfer in global or regional organisations that Türkiye is a member of;
e) The international conventions to which Türkiye is a party.

(2) The Board shall be authorised to determine additional factors beyond those specified in the first paragraph.

(3) If the Board deems it necessary in its assessment regarding the adequacy decision, it may seek the opinions of relevant institutions and organisations.

(4) Adequacy decisions issued by the Board shall be published in the Official Gazette and on the Authority’s website.

Article 9

Review of the adequacy decision

(1) The adequacy decision shall be re-evaluated at least every four years. The adequacy decision in question shall explicitly specify the re-evaluation periods. If, following the re-evaluation, the Board determines that the relevant country, one or more sectors within the country, or the international organisation no longer provides an adequate level of protection, it may amend, suspend, or revoke its decision with prospective effect.

(2) The Board may, without being restricted by the re-evaluation period specified in the first paragraph, review the adequacy decision at any time if it deems it necessary and may amend, suspend, or revoke the decision with prospective effect.

(3) The Board may consult with the competent authorities of the relevant country or international organisation to remedy the circumstances that led to the amendment, suspension, or revocation of the adequacy decision pursuant to first and second paragraphs.

(4) The decisions concerning the amendment, suspension, or revocation of the adequacy decision shall be published in the Official Gazette and on the Authority’s website.

Chapter 4 (Art. 10 - 15) — Transfers Based on Appropriate Safeguards

Article 10

Means of providing safeguards

(1) In the absence of an adequacy decision, personal data may be transferred abroad on the condition that one of the conditions specified in Article 5 and Article 6 of the Law exists, and that data subject rights and effective legal remedies for data subjects are also available in the country receiving the transfer, but only where one of the following appropriate safeguards is provided by the parties involved in the transfer:

a) The existence of an agreement, which is not classified as an international convention, between public institutions and organisations, or professional organisations with public institution status in Türkiye and public institutions, organisations, or international organisations abroad, along with approval for the transfer by the Board;
b) The existence of binding corporate rules, containing provisions on personal data protection, which the companies within a group of undertakings engaged in joint economic activities are required to comply with, and which have been approved by the Board;
c) The existence of a standard contract which is published by the Board, containing information such as data categories, purposes of the data transfer, recipients and recipient groups, technical and organisational measures to be implemented by the data importer, and additional measures for sensitive personal data,
ç) The existence of a written commitment containing provisions to ensure adequate protections, and approval for the transfer by the Board.

Article 11

Providing appropriate safeguards with non-international agreements

(1) Appropriate safeguards may be provided by provisions to be inserted into agreements, not classified as an international convention, for the transfer of personal data between public institutions and organisations, or professional organisations with public institution status in Türkiye, and public institutions, organisations, or international organisations abroad. The agreement shall be concluded between the parties to the personal data transfer.

(2) The Board’s opinion shall be sought during the negotiation process of the agreement.

(3) The provisions on personal data protection included in the agreement shall specifically address the following:

a) The purpose, scope, nature, and legal basis of the personal data transfer;
b) Definitions of key concepts in accordance with the Law and relevant legislation;
c) A commitment to comply with the general principles outlined in Article 4 of the Law,
ç) Procedures and principles for providing information to data subjects about the agreement and the personal data transfer to be carried out under that agreement;
d) A commitment to ensure that data subjects whose personal data has been transferred can exercise their rights as specified in Article 11 of the Law, and procedures and principles regarding the requests to be made for the use of these rights;
e) A commitment to implement all necessary technical and organisational measures to ensure appropriate level of security;
f) A commitment to implement adequate measures as determined by the Board for the transfer of sensitive data;
g) Restrictions on the onward transfer of personal data; ğ) A redress mechanism available to data subjects in the event of a breach of the data protection provisions to be included in the agreement;
h) An auditing mechanism to ensure compliance with the data protection provisions to be included the agreement;
ı) A provision granting the data exporter the right to suspend the data transfer and terminate the agreement if the data importer cannot comply with the data protection provisions to be included in the agreement;
i) A commitment from the data importer, upon termination or expiration of the agreement, to either return the personal data transferred, including all backups, to the data exporter or to completely destroy such data, at the choice of the data exporter;

(4) To transfer the personal data abroad based on the agreement, the data exporter shall apply to the Board for permission. As part of the application, the final version of the agreement text and any other information and documents necessary for the Board’s evaluation shall be submitted to the Board. The transfer of personal data may only commence after the Board has granted the permission.

Article 12

Providing appropriate safeguards with binding corporate rules

(1) Appropriate safeguards may be provided through binding corporate rules for the protection of personal data, which the companies within the group of undertakings engaged in joint economic activity are obliged to comply with. To transfer personal data abroad based on binding corporate rules, an application for approval shall be submitted to the Board.

(2) As part of the application, the text of the binding corporate rules and any other information and documents necessary for the Board’s evaluation shall be submitted to the Board. If any document submitted for the application is in a foreign language, a notarised translation shall be attached to the application. If the binding corporate rules are also prepared in a foreign language, the Turkish text shall prevail.

(3) In approving the binding corporate rules, the Board shall consider the following:

a) The binding corporate rules are legally binding and enforceable for each relevant member within the group of undertakings engaged in joint economic activity, including their employees;
b) The binding corporate rules include a commitment to ensure enforceable data subject rights;
c) The binding corporate rules contain at least the elements specified in Article 13.

(4) The transfer of personal data may only commence after the Board has approved the binding corporate rules.

Article 13

Elements to be found in binding corporate rules

(1) Binding corporate rules shall include at least the following elements:

a) The organisational structure and contact details for each member of the group of undertakings engaged in a joint economic activity;
b) Information regarding the data transfers under binding corporate rules, in particular the categories of personal data, processing activity and its purposes, data subject group or groups, and identification of country or countries receiving data transfer,
c) A commitment confirming that binding corporate rules are legally binding both within the internal relations and external legal interactions of the group of undertakings engaged in a joint economic activity;
ç) Data protection measures such as compliance with the general principles outlined in Article 4 of the Law, conditions for processing personal data, sensitive personal data, technical and organisational measures for ensuring data security, adequate measures for processing sensitive personal data, and restrictions on onward data transfers;
d) A commitment to ensure that data subjects whose personal data is transferred can exercise of their rights specified in Article 11 of the Law and their right to lodge a complaint with the Board in accordance with the procedures and principles outlined in Article 14 of the Law, along with the existence of the procedures and principles for the exercise of these rights;
e) A commitment that, in the event of a breach of the binding corporate rules by any member not established in Türkiye, a controller and/or processor established in Türkiye will assume liability for the breach;
f) Explanations on how the data subjects will be informed about matters related to the binding corporate rules, in particular on the provisions referred to in subparagraphs (ç), (d) and (e), as well as the information provided to the data subjects within the scope of the obligation to inform under Article 10 of the Law;
g) Explanations on the training to be provided to employees on the protection of personal data;
ğ) The tasks of the persons or entities in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, including their role in responding to the requests of the data subjects;
h) The mechanisms for auditing and verifying compliance with the binding corporate rules within the group of undertakings, in particular data protection audits and methods for ensuring corrective actions to protect the rights of the data subjects, and a commitment that such results will be communicated to the person or entity referred to in subparagraph (ğ) and to the board of the controlling company within the relevant group of undertakings, and to the Board upon request;
ı) The mechanisms for reporting and recording changes to the binding corporate rules and reporting those changes to the Board;
i) The obligation to cooperate with the Authority to ensure compliance with the binding corporate rules by the members of the group of undertakings, in particular the submission of the results from the audit and verification activities referred to in subparagraph (h);
j) With respect to personal data to be transferred under the binding corporate rules, a commitment by the members of the group of undertakings that there is no national regulation in the country or countries receiving the data transfer that contradicts the guarantees provided by the binding corporate rules, and mechanisms to notify the Board in case of a legislative change which likely to have a substantial adverse effect on these guarantees;
k) A commitment to provide appropriate data protection training to personnel having permanent or regular access to personal data;

(2) The Board shall be authorised to determine additional requirements beyond those specified in the first paragraph. The documents required for the application of binding corporate rules shall be determined by the Board.

Article 14

Providing appropriate safeguards with standard contract

(1) Appropriate safeguards may be provided through a standard contract, which includes elements such as data categories, purposes of data transfer, recipient and recipient groups, technical and organisational measures to be implemented by the data importer, additional measures, and additional measures for sensitive personal data.

(2) The standard contract shall be determined and announced by the Board.

(3) The standard contract text shall be used without any modifications. In the event the standard contract is also concluded in a foreign language, the Turkish text shall prevail.

(4) The standard contract shall be concluded between the parties involved in the personal data transfer. It shall be signed by the parties to the transfer, or by persons authorised to represent and sign on behalf of the parties.

(5) The standard contract, after finalisation of the signatures, shall be notified to the Authority within five business days, either physically, through a registered electronic mail (KEP) address, or via other methods specified by the Board. The parties to the transfer may designate in the standard contract which party will fulfil the notification obligation. If no such agreement is made, the data exporter shall be responsible for notifying the Board.

(6) The notification shall include documents certifying that the signatories are authorised, along with notarised translations of any foreign language documents.

(7) If the standard contract text announced by the Board is modified, or if one or both parties to the transfer lack valid signatures in the standard contract, the Board shall conduct an examination in accordance with Article 15 of the Law.

(8) In the event of any change to the parties involved in the standard contract, or modifications to the information and explanations it contains, or if the standard contract is expired, the Board shall be notified in accordance with the procedure outlined in paragraph five.

Article 15

Providing appropriate safeguards with a commitment letter

(1) Appropriate safeguards for the protection of personal data may be provided through provisions included in a written commitment letter to be concluded between the parties involved in the transfer.

(2) The provisions related to the protection of personal data in the commitment letter shall specifically include the following:

a) The purpose, scope, nature, and legal basis of the personal data transfer;
b) Definitions of key concepts in accordance with the Law and relevant legislation;
c) A commitment to comply with the general principles specified in Article 4 of the Law;
ç) Procedures and principles for informing data subjects about the commitment letter and the personal data transfer to be made under its scope;
d) A commitment to ensure that data subjects whose personal data has been transferred can exercise their rights as specified in Article 11 of the Law, and procedures and principles regarding the requests to be made for the use of these rights;
e) A commitment to implement all necessary technical and organisational measures to ensure appropriate level of security;
f) A commitment to implement adequate measures as determined by the Board for the transfer of sensitive data;
g) Restrictions on the onward transfers of personal data;
ğ) A redress mechanism available to data subjects in the event of a breach of the commitment letter;
h) A commitment by the data importer to comply with the Board’s decisions and opinions regarding the processing of personal data subject to the transfer;
ı) A provision stating that there is no national regulation that will cause the data importer to fail to comply with the commitment letter, and a commitment to notify the data exporter as soon as possible of any potential legislative changes that may lead to such a failure, and in such a case the data exporter shall have the right to suspend the data transfer and terminate the commitment letter;
i) A provision confirming that if the data importer fails to ensure compliance with the commitment letter, the data exporter shall have the right to suspend the data transfer and terminate the commitment letter;
j) A commitment that if the commitment letter is terminated or its term expires, the data importer shall, at the choice of the data exporter, either return the personal data with its backups to the data exporter or completely destroy the personal data;
k) A commitment confirming that the commitment letter is subject to Turkish law and, in case of a dispute, Turkish courts shall have jurisdiction, and that the data importer agrees to recognise the jurisdiction of Turkish courts.

(3) To transfer personal data abroad based on the commitment letter, data exporter shall apply to the Board for permission. As part of the application, the commitment text and any other information and documents necessary for the Board’s evaluation shall be submitted to the Board. If the commitment is also concluded in a foreign language, the Turkish text shall prevail. The transfer of personal data may only commence after the Board has granted permission.

Chapter 5 (Art. 16) — Exceptional Transfers

Article 16

Exceptional transfer cases

(1) In the absence of an adequacy decision and where the parties cannot provide one of the appropriate safeguards specified in Article 10, personal data may be transferred abroad only under one of the exceptional circumstances specified in the second paragraph, provided that such transfer is incidental. Transfers that are not regular, occur only once or a few times, do not have a continues nature, and are not part of the ordinary course of business shall be considered incidental.

(2) Exceptional cases for the transfer of personal data are as follows:

a) The data subject has given explicit consent to the transfer, provided that he/she has been informed of the potential risks involved;
b) The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures implemented at the data subject's request;
c) The transfer is necessary for the establishment or performance of a contract between the controller and another natural or legal person, carried out in the interest of the data subject;
ç) The transfer is necessary for a substantial public interest;
d) The transfer of personal data is necessary for the establishment, exercise, or protection of any right;
e) Transfer of personal data is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid;
f) The transfer is made from a registry that is open to public or accessible to persons with legitimate interest, provided that the conditions for accessing the registry under relevant legislation are fulfilled, and that the person with a legitimate interest has requested the transfer.

(3) For transfers under subparagraph (f) of the second paragraph, the following procedures and principles shall be observed:

a) The transfer shall not include all personal data or categories of personal data contained within the registries;
b) Transfers from registries accessible to persons with legitimate interests shall only be made to those persons or upon their request.

(4) The provisions in subparagraphs (a), (b), and (c) of the second paragraph shall not apply to the activities of public law activities of public institutions and organisations.

Chapter 6 (Art. 17 - 19) — Miscellaneous and Final Provisions

Article 17

Resolution of Doubts

(1) The Board shall be authorised to resolve any ambiguities that may arise in the implementation of this By-Law and to make decisions on matters not specifically addressed within herein, in accordance with the relevant legislation.

Article 18

Entry into Force

(1) This By-Law shall enter into force on the date of its publication.

Article 19

Enforcement

(1) The President of the Personal Data Protection Authority shall be responsible for executing the provisions of this By-Law.

Gizlilik, Yapay Zekâ ve Dijital Yönetişim Uyumunu Etkili ve Güvenli Şekilde Yönetin

Turkish KVKK Legal Text

Quick Access

Table of Contents

Personal Data Protection Law

Chapter 1 (Art. 1 - 3) — Purpose, Scope and Definitions

Chapter 2 (Art. 4 - 9) — Processing of Personal Data

Chapter 3 (Art. 10 - 12) — Rights and Obligations

Chapter 4 (Art. 13 - 16) — Request, Complaint and Data Controllers’ Registry

Chapter 5 (Art. 17 - 18) — Crimes and Misdemeanours

Chapter 6 (Art. 19 - 27) — The Personal Data Protection Authority and its Organization

Chapter 7 (Art. 28 - 33) — Miscellaneous

Transitional Provisions

By-Laws

By-Law On Data Controllers Registry

Chapter 1 (Art. 1 - 4) — Purpose, Scope, Legal Basis and Definitions

Chapter 2 (Art. 5 - 7) — Establishment, Management, Supervision of the Registry and Access to the Registry

Chapter 3 (Art. 8 - 14) — Beginning of Registration Obligation, Information to be entered into VERBIS, Registration Application, Renewal and Erasure of Registration

Chapter 4 (Art. 15 - 16) — Exemptions from Registration Obligation

Chapter 5 (Art. 17 - 20) — Miscellaneous

By-Law on Erasure, Destruction or Anonymization of Personal Data

Chapter 1 (Art.1 - 4) — Purpose, Scope, Legal Basis and Definitions

Chapter 2 (Art.5 - 6) — Personal Data Storage and Disposal Policy

Chapter 3 (Art.7 - 12) — Erasure, Destruction and Anonymization of Personal Data

Chapter 4 (Art.13 - 15) — Miscellaneous and Final Provisions

By-Law On The Procedures And Principles For The Transfer Of Personal Data Abroad

Chapter 1 (Art. 1 - 4) — Initial Provisions

Chapter 2 (Art. 5 - 7) — General Provisions

Chapter 3 (Art. 8 - 9) — Transfers on the Basis of an Adequacy Decision

Chapter 4 (Art. 10 - 15) — Transfers Based on Appropriate Safeguards

Chapter 5 (Art. 16) — Exceptional Transfers

Chapter 6 (Art. 17 - 19) — Miscellaneous and Final Provisions