PERSONAL DATA PROTECTION LAW
Law Number : 6698
Accepted Date: 24/3/2016
Published in the R. Newspaper: Date: 7/4/2016 Issue: 29677
Published Code: Arrangement: 5 Volume: 57
Purpose, Scope and Definitions
ARTICLE 1- (1) The purpose of this Law is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed.
ARTICLE 2- (1) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural and legal persons who process this data fully or partially automatically or non-automatically provided that they are part of any data recording system.
ARTICLE 3- (1) In the implementation of this Law;
a) Explicit consent: Consent on a specific subject, based on information and expressed with free will,
b) Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,
c) Chairman: Chairman of the Personal Data Protection Authority,
ç) Relevant person: The real person whose personal data is processed,
d) Personal data: Any information relating to an identified or identifiable natural person,
e) Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, of personal data fully or partially automatically or non-automatically provided that it is a part of any data recording system. All kinds of operations carried out on the data such as bringing, classifying or preventing its use,
f) Board: Personal Data Protection Board,
g) Institution: Personal Data Protection Authority,
ğ) Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
h) Data registration system: The registration system in which personal data is processed and structured according to certain criteria,
ı) Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
Processing of Personal Data
ARTICLE 4- (1) Personal data can only be processed in accordance with the procedures and principles stipulated in this Law and other laws.
(2) The following principles must be complied with in the processing of personal data:
a) Compliance with the law and honesty rules.
b) Being accurate and up-to-date when necessary.
c) Processing for specific, explicit and legitimate purposes.
ç) Being connected, limited and restrained with the purpose for which they are processed.
d) To be kept for the period required by the relevant legislation or for the purpose for which they are processed.
Terms of processing personal data
ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the person concerned.
(2) In case of existence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject:
a) It is clearly stipulated in the laws.
b) It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally recognized.
c) It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) The person concerned has been made public by himself.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Conditions for the processing of special categories of personal data
ARTICLE 6- (1) Data regarding the race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures. biometric and genetic data are special quality personal data.
(2) Processing of sensitive personal data without the explicit consent of the person concerned is prohibited.
(3) Personal data other than health and sexual life listed in the first paragraph may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal data related to health and sexual life are only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, by persons or authorized institutions and organizations under the obligation of secrecy without seeking the explicit consent of the person concerned, can be processed.
(4) In the processing of sensitive personal data, it is also obligatory to take adequate measures determined by the Board.
Deletion, destruction or anonymization of personal data
ARTICLE 7- (1) Personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject, in the event that the reasons requiring processing are eliminated, although it has been processed in accordance with the provisions of this Law and other relevant laws.
(2) Provisions in other laws regarding the deletion, destruction or anonymization of personal data are reserved.
(3) The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by a regulation.
Transfer of personal data
ARTICLE 8- (1) Personal data cannot be transferred without the explicit consent of the person concerned.
(2) Personal data;
a) In the second paragraph of Article 5,
b) Provided that adequate measures are taken, in the third paragraph of Article 6,
In case of existence of one of the conditions specified, it can be transferred without seeking the explicit consent of the person concerned.
(3) Provisions in other laws regarding the transfer of personal data are reserved.
Transfer of personal data abroad
ARTICLE 9- (1) Personal data cannot be transferred abroad without the explicit consent of the person concerned.
(2) Personal data, the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6, and in the foreign country to which the personal data will be transferred;
a) The availability of adequate protection,
b) In the absence of adequate protection, data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and the Board has permission,
may be transferred abroad without seeking the explicit consent of the person concerned, provided that the
(3) Countries with adequate protection are determined and announced by the Board.
(4) The Board shall determine whether there is sufficient protection in the foreign country and whether a permit will be granted pursuant to subparagraph (b) of the second paragraph;
a) International conventions to which Turkey is a party,
b) The reciprocity of data transfer between the country requesting personal data and Turkey,
c) Regarding each concrete personal data transfer, the nature of the personal data, the purpose and duration of its processing,
ç) The relevant legislation and practice of the country to which the personal data will be transferred,
d) Measures undertaken by the data controller in the country to which personal data will be transferred,
and, if needed, by taking the opinion of the relevant institutions and organizations.
(5) Personal data may be transferred abroad with the permission of the Board, only after obtaining the opinion of the relevant public institution or organization, in cases where the interests of Turkey or the person concerned would be seriously harmed, without prejudice to the provisions of international conventions.
(6) Provisions in other laws regarding the transfer of personal data abroad are reserved.
Rights and Obligations
The obligation to inform the data controller
ARTICLE 10- (1) During the acquisition of personal data, the data controller or the person authorized by him, to the relevant persons;
a) Identity of the data controller and its representative, if any,
b) For what purpose the personal data will be processed,
c) To whom and for what purpose the processed personal data can be transferred,
ç) Method and legal reason for collecting personal data,
d) Other rights listed in Article 11,
responsible for providing information.
Rights of the person concerned
ARTICLE 11- (1) Everyone, by applying to the data controller;
a) Learning whether personal data is processed or not,
b) If personal data has been processed, requesting information about it,
c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
ç) To know the third parties to whom personal data is transferred in the country or abroad,
d) Requesting correction of personal data in case of incomplete or incorrect processing,
e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
f) Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data has been transferred,
g) Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
ğ) To request the compensation of the damage in case of loss due to unlawful processing of personal data,
Obligations regarding data security
ARTICLE 12- (1) Data controller;
a) To prevent the unlawful processing of personal data,
b) To prevent unlawful access to personal data,
c) To ensure the protection of personal data,
must take all necessary technical and administrative measures to ensure the appropriate level of security for the purpose.