CHAPTER I
PURPOSE, SCOPE, AND DEFINITIONS
Purpose
ARTICLE 1 – (1) The purpose of this Law is to protect the fundamental rights and freedoms of persons, privacy of personal life in particular, while personal data are processed, and to set forth obligations of natural and legal persons who process personal data and procedures and principles to comply with for the same.
Scope
ARTICLE 2 – (1) The provisions of this Law shall apply to natural persons whose personal data are processed and natural or legal persons who process such data wholly or partly by automatic means or otherwise than by automatic means which form part of a filing system.
Definitions
ARTICLE 3 – (1) In practice of this Law, the terms used herein shall have the following meanings:
ç) Data subject: Natural person whose personal data are processed;
ğ) Data processor: Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller;
ı) Data controller: Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.
CHAPTER II
PROCESSING OF PERSONAL DATA
General Principles
ARTICLE 4 – (1) Personal data shall only be processed in accordance with the procedures and principles set forth by this Law or other laws.
(2) The below principles shall be complied with when processing personal data:
ç) Being relevant, limited and proportionate to the purposes for which data are processed;
Conditions for Processing of Personal Data
ARTICLE 5 – (1) Personal data shall not be processed without obtaining the explicit consent of the data subject.
(2) Personal data may be processed without obtaining the explicit consent of the data subject if one of the below conditions exists:
ç) It is necessary for compliance with a legal obligation which the controller is subject to;
Conditions for Processing of Special Categories of Personal Data
ARTICLE 6 – (1) Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data.
(2) It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject.
(3) Personal data indicated in paragraph 1, other than personal data relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject if processing is permitted by any law. Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.
(4) It is additionally required to take the adequate measures designated by the Board when special categories of personal data are processed.
Deletion, Destruction, and Anonymization of Personal Data
ARTICLE 7 – (1) Personal data that is processed in accordance with this Law or relevant other laws shall be deleted, destroyed or anonymised either ex officio or upon request by the data subject in case the reasons necessitating their processing cease to exist.
(2) Provisions of other laws relating to deletion, destruction, and anonymization of personal data are reserved.
(3) Procedures and principles relating to deletion, destruction and anonymization of personal data shall be set forth by a regulation.
Transfer of Personal Data
ARTICLE 8 – (1) Personal data shall not be transferred without obtaining the explicit consent of the data subject.
(2) Personal data may be transferred without obtaining the explicit consent of the data subject if one of the conditions set forth under the following exists:
(3) Provisions of other laws relating to the transfer of personal data are reserved.
Transfer of Personal Data Abroad
ARTICLE 9 – (1) Personal data shall not be transferred abroad without obtaining the explicit consent of the data subject.
(2) Personal data may be transferred abroad without obtaining the explicit consent of the data subject if one of the conditions set forth in the second paragraph of article 5 or third paragraph of article 6 is present and
(3) The countries where an adequate level of protection exists shall be declared by the Board.
(4) The Board shall decide whether there is an adequate level of protection in a foreign country and whether approval will be granted in terms of indent (b) of the second paragraph by evaluating
ç) Relevant legislation and practice of the country to whom personal data will be transferred,
and if it requires, by obtaining the opinion of relevant public institutions and organizations.
(5) Save for the provisions of international agreements, in cases where interests of Turkey or the data subject will be seriously harmed, personal data shall only be transferred abroad upon the approval of the Board by obtaining the opinion of relevant public institutions and organizations.
(6) Provisions of other laws relating to the transfer of personal data abroad are reserved.
CHAPTER III
RIGHTS AND OBLIGATIONS
Data Controller’s Obligation to Inform
ARTICLE 10 – (1) Data controller or the person it authorized is obligated to inform the data subjects while collecting the personal data with regard to
ç) The method and legal cause of collection of personal data,
Rights of Data Subject
ARTICLE 11 – (1) Everyone, in connection with herself/himself, has the right to;
ç) Know the third parties in the country or abroad to whom personal data have been transferred;
ğ) Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data
by applying to the data controller.
Obligations Regarding Data Security
ARTICLE 12 – (1) Data controller shall take all necessary technical and organizational measures for providing an appropriate level of security in order to
(2) In case personal data are processed on behalf of the data controller by another natural or legal person, the data controller shall be jointly liable with such persons with regard to taking the measures set forth in the first paragraph.
(3) The data controller is obligated to carry out or have carried out necessary inspections within his institution and organization in order to ensure implementation of the provisions of this Law.
(4) Data controller and persons who process data shall not disclose and misuse personal data they learned contrary to the provisions of this Law. This obligation shall continue after leaving office.
(5) In case processed personal data are acquired by others through unlawful means, the data controller shall notify the data subject and the Board of such situation as soon as possible. The Board, if necessary, may declare such situation on its website or by other means which it deems appropriate.
CHAPTER IV
APPLICATION, COMPLAINT, DATA CONTROLLERS' REGISTRY
Application to Data Controller
ARTICLE 13 – (1) The data subject shall convey her/his requests relating to the enforcement of this Law to the data controller in writing or by other means designated by the Board.
(2) The data controller shall conclude the requests included in the application free of charge and as soon as possible considering the nature of the request and within 30 days at the latest. However, in case the operation necessitates a separate cost, the fee in the tariff designated by the Board may be collected.
(3) The data controller shall accept the request or reject it by explaining the reason and notify the data subject of its reply in writing or electronically. In case the request included in the application is accepted, it shall be fulfilled by the data controller accordingly. In case the request results from the fault of the data controller, the collected fee shall be returned to the data subject.
Complaint to the Board
ARTICLE 14 – (1) In case the application is rejected, replied insufficiently, or not replied in due time; the data subject may file a complaint with the Board within 30 days following the date he/she learns the reply of the data controller and in any event, within 60 days following the date of application.
(2) Complaint remedy cannot be applied to without exhausting the application remedy set forth under article 13.
(3) Compensation rights of the ones whose personal rights are violated are reserved.
Procedures and Principles of Inspection Ex Officio or upon Complaint
ARTICLE 15 – (1) The Board shall conduct necessary inspection within the scope of its remit either ex officio in case it learns the allegation of a violation or upon complaint.
(2) Notices and complaints which do not meet the conditions set forth under the 6th article of The Law on the Exercise of the Right to Petition numbered 3071 and dated 1/11/1984 shall not be inspected.
(3) Except for the information and documents that constitute state secrets; data controller shall submit the information and documents requested by the Board related to its subject of inspection in 15 days and if necessary, provide for examining on-site.
(4) Upon complaint, the Board inspects the request and replies to those concerned. If not replied within sixty days following the date of the complaint, the request shall be deemed to be rejected.
(5) As a result of the inspection conducted either ex officio or upon complaint, in case it is understood that a violation exists, the Board decides that the illegalities it identified shall be eliminated by the data controller and serves it to those concerned. This decision shall be fulfilled accordingly without delay and within 30 days at the latest as from the notice.
(6) As a result of the inspection conducted either ex officio or upon complaint, in case it is determined that the violation is prevalent, the Board shall adopt a resolution and publish it. The Board, if necessary before adopting the resolution, may obtain the opinion of relevant public institutions and organizations.
(7) In case serious or irreparable losses occur and illegality clearly exists, the Board may decide processing of data or transfer of data abroad to be ceased.
Data Controllers' Registry
ARTICLE 16 – (1) Under the supervision of the Board, Data Controllers Registry shall be kept by the Presidency in a publicly available manner.
(2) Natural or legal persons who process personal data shall register with the Data Controllers Registry prior to commencing processing. However, considering objective criteria that shall be designated by the Board such as the characteristics and the number of data to be processed, whether or not data processing is based on any law, or whether data will be transferred to third parties, the Board may set forth exemptions to the obligation to register with the Data Controllers Registry.
(3) Registry application to the Data Controllers Registry shall be made with a notification including the following matters:
ç) Recipient or groups of recipients to whom personal data may be transferred.
(4) Changes to the information provided as per the third paragraph shall be immediately reported to the Board.
(5) Other procedures and principles relating to the Data Controllers Registry shall be regulated by a regulation.
CHAPTER V
CRIMES AND MISDEMEANOURS
Crimes
ARTICLE 17 – (1) With respect to crimes relating to personal data, provisions of articles 135 to 140 of Turkish Criminal Code dated 26/9/2004 and numbered 5237 shall apply.
(2) Ones who do not delete or anonymise personal data contrary to article 7 of this Law shall be punished in accordance with article 138 of the Law numbered 5237.
Misdemeanours
ARTICLE 18 – (1) To the ones who do not fulfil
ç) Obligation to register with the Data Controllers Registry and notification stipulated by article 16 of this Law, an administrative fine of 20.000 Turkish liras to 1.000.000 Turkish liras
shall be imposed.
(2) Administrative fines envisaged by this article shall apply to natural persons and private law legal persons who are data controllers.
(3) In case the acts listed in the first paragraph are conducted within public institutions and organizations or professional organisations with public institution status, upon notification of the Board, disciplinary action shall be taken with regard to the officers and other public officials who serve under the relevant public institution or organization and the ones who serve under the professional organisations with public institution status, and the result shall be reported to the Board.
CHAPTER VI
PERSONAL DATA PROTECTION AUTHORITY AND ORGANISATION
Personal Data Protection Authority
ARTICLE 19 – (1) Personal Data Protection Authority which has administrative and financial autonomy and public legal personality has been established in order to perform the duties stipulated by this Law.
(2) The Authority is affiliated with the Prime Minister's Office.
(3) The headquarters of the Authority is in Ankara.
(4) The Authority is comprised of the Board and the Presidency. The Board serves as the decision-making body of the Authority.
Duties of the Authority
ARTICLE 20 - (1) The duties of the Authority are as follows:
ç) Presenting the annual activity report to the Presidency, the Committee on Human Rights Inquiry of the Grand National Assembly of Turkey and to the Prime Minister's Office.
Personal Data Protection Board
ARTICLE 21 - (1) The Board shall independently perform and use its duties and powers provided in this Law and the other laws under its own responsibility. No body, authority, institution or person can give orders or instructions, recommendations or suggestions on the matters which fall within the scope of its authority.
(2) The Board shall be comprised of nine members. Five members of the Board shall be elected by the Grand National Assembly of Turkey, two members by the Presidency and two members by the Council of Ministers.
(3) The following conditions shall be required for the membership of this Board:
ç) Having received at least four-year higher education at the level of bachelor degree,
(4) Those who will be elected as the member of the Board shall be asked to give consent. Attention shall be attached to the pluralist representation of those who have knowledge and experience on the matters which fall within the scope of authority of the Board.
(5) The Grand National Assembly of Turkey shall follow the procedure below while electing members to the Board:
ç) In case of vacancy in the membership for any reason two months before the end of office of the members, new members shall be elected under the same procedure within one month following the date on which the position falls vacant or, if the Grand National Assembly of Turkey is at recess, following the end of the recess. In these elections, the number of the members designated from the quota of the political party groups in the first election and the current proportion of the political party groups shall be taken into account in the distribution of the vacant membership to the political party groups.
(6) In cases where the office of one of the members elected by the President or the Council of Ministers ends forty-five days earlier or the office ends for any reason, it shall be notified by the Authority to the Prime Minister's Office within fifteen days, for its submittal to the President's Office or the Council of Ministers. New members shall be elected one month before the end of office of current members. In cases where the position falls vacant before the end of office within the scope of these memberships, the elections shall be held within fifteen days following the notification.
(7) The Board shall elect the President and the Second President among its members. The President of the Board is also the president of the Authority.
(8) The term of office of the members of the Board is four years. The member whose term ends can be re-elected. The person who replaces a member whose term of office ends for any reason without fulfilling his/her office shall complete the rest of the term.
(9) The selected members shall swear the following oath before the First Presidency of the Court of Cassation: "I swear on my honour and dignity that I will perform my duty in accordance with the Constitution and the laws and within the understanding of full impartiality, honesty, fairness and justice." The application for oath to the Court of Cassation is deemed among prompt actions.
(10) The members of the Board cannot assume any official or private duty apart from the performance of the official duties in the Board as long as it is not prescribed in a special law; nor can they manage an association, foundation, cooperative or similar entities, engage in trade, conduct independent business activities or serve as arbitrator or expert. However, the members of the Board can make scientific publications, give lectures and conferences in a way that will not hinder their fundamental duties and can be paid for the lectures and conferences within the scope of the copyrights arising from them.
(11) The investigations regarding the crimes which are allegedly committed by the members because of their duties shall be conducted in accordance with the Law No. 4483 dated 2/12/1999 on the Trial of State Employees and Other Civil Servants and the permission for these investigations shall be granted by the Prime Minister.
(12) The provisions of the Law No. 657 shall apply in the disciplinary investigation and prosecution to be conducted with respect to the members of the Board.
(13) The office of the members of the Board cannot be terminated without expiry of the mentioned term of office. The membership of the Board members shall be terminated upon the decision of the Board in cases where;
ç) it is verified that they have not continued to serve successively for fifteen days without permission and excuse or for thirty days in total in one year,
(14) Those who are elected as the members of the Board shall be discharged from their previous positions in the Board. Those who are elected as members while serving as state officials shall be appointed to an appropriate cadre by the competent authority within one month in cases where their term of office ends or they apply to the previous institution within thirty days provided that they do not lose the requirements to serve as state officials. The Board shall continue to make any kind of payment that these persons receive until they are appointed. For those who are elected as members while they have not served in a public institution and whose office ends as prescribed above, the Board shall continue to make any kind of payment they receive until they start to serve in any other duty or job and the payment that the Board will make to those whose membership ends as such cannot be provided for more than three months. The term of office of these persons in the Authority shall be deemed to have been served in the previous institutions or organizations in terms of the personal and other rights entitled to them.
Duties and powers of the Board
ARTICLE 22- (1) The duties and powers of the Board are as follows:
ç) Determining the adequate measures required for the processing of special categories of personal data.
ğ) Deciding on the administrative sanctions prescribed by this Law.
ı) Taking a final decision on the strategic plan, determining the objectives and goals, the service quality standards and the performance criteria.
Rules of procedures of the Board
ARTICLE 23 - (1) The President shall set the meeting dates and agenda of the Board. The President can summon the Board for an extraordinary meeting in necessary cases.
(2) The Board shall convene with at least six members including the President and shall take decisions by absolute majority of the total number of members. The members of the Board cannot abstain from voting.
(3) The Board members cannot attend the meetings or voting regarding the matters which concern themselves, their third degree blood relatives and second degree relatives by marriage, their adopted children and their spouses even though the bonds of matrimony between them do not exist any longer.
(4) The Board members cannot impart any secret that they learn with respect to the concerning persons and third persons during their works to anyone other than lawfully competent authorities or use it in favour of themselves.
(5) Minutes shall be written regarding the issues deliberated in the Board. Decisions and, if any, justification of dissenting votes shall be written within fifteen days at the latest following the date of decision. The Board shall announce the decisions to the public if it deems necessary.
(6) The deliberations in the Board meetings shall be kept confidential unless decided otherwise.
(7) The working procedures and principles of the Board, the writing of decisions and other issues shall be regulated under a by-law.
President
ARTICLE 24 - (1) The President shall be the highest official in the Authority in his/her capacity as the President of the Board and Authority and shall arrange, carry out the services of the Authority in accordance with the legislation, the objectives and policies of the Authority, its strategic plan, performance criteria and service quality standards and shall ensure coordination between the service units.
(2) The President shall be responsible for the general management and representation of the Authority. This responsibility shall cover the duties and powers of organizing, carrying out, inspecting, evaluating the works of the Authority and announcing them to the public when necessary.
(3) The duties of the President are as follows:
ç) Giving a final form to the proposals coming from the service units and presenting them to the Board.
ğ) Determining the duties and scope of authority of the competent personnel who are entitled to sign on behalf of the President of the Authority.
(4) The Second President shall act for the President in the absence of the President of the Authority.
Establishment and duties of the Presidency
ARTICLE 25 - (1) The Presidency shall be composed of Deputy President and service units. The Presidency shall perform the duties enumerated under the fourth paragraph through the service units organized as departments. The number of departments cannot be more than seven.
(2) A Deputy President shall be appointed to assist the President in his duties under the Authority.
(3) The Deputy President and heads of departments shall be appointed by the President, among the persons who are graduates from at least a four-year higher education institution and who have carried out public service for ten years.
(4) The duties of the Presidency are as follows:
ç) Carrying out the personnel affairs of the Board members and those who serve in the Authority.
ğ) Setting out the personnel policy of the Authority, preparing and implementing the career and training plans of the personnel.
ı) Setting out the ethical rules to be followed by the personnel and providing necessary training.
(5) The service units and the working procedures and principles of these units shall be regulated by the by-law enacted by the decision of the Council of Ministers upon the proposal of the Authority, in accordance with the scope of authority, duties and powers of the service units stipulated under this Law.
Specialists and assistant specialists on Personal Data Protection
ARTICLE 26 - (1) Specialists on Personal Data Protection and Assistant Specialists on Personal Data Protection can be employed in the Authority. The degrees of those who are appointed as Specialists on Personal Data Protection within the framework of the additional article 41 of the Law No. 657 shall be increased for one time only.
Provisions relating to the personnel and their personal rights
ARTICLE 27 - (1) The personnel of the Authority shall be subjected to the Law No. 657, apart from the issues regulated by this Law.
(2) The payments shall be made to the president and members of the Board and the personnel of the Authority in the same procedure and principles as the payments made to the exemplified personnel within the scope of the financial and social rights, under the additional article 11 of the Decree Law No. 375 dated 27/6/1989. Those who are not subjected to taxes or another legal deduction from the payments made to the exemplified personnel shall not be subjected to any tax or deduction under this Law.
(3) The president and members of the Board and the personnel of the Authority shall be subjected to the provisions of the subparagraph (c) under the first paragraph of Article 4 of the Law No. 5510 dated 31/5/2006 on Social Security and General Health Insurance. The president and members of the Board and the personnel of the Authority shall be deemed equal to the exemplified personnel in terms of pension rights. The term of office of those whose office expires or those who request for resignation among those who are appointed as president and members of the Board while they are covered by an insurance policy within the scope of the subparagraph (c) under the first paragraph of Article 4 of the Law No. 5510 shall be taken into account while determining the salaries, degrees and levels as their vested rights. The term of office of those who fall within the scope of the provisional article 4 of the Law No. 5510 during such office shall be evaluated as the period during which the executive compensation and representative compensation should be paid. For those who are appointed as the President and members of the Board while they are insured in the public institutions and organizations, within the scope of the subparagraph (a) of the first paragraph under Article 4 of the Law No. 5510, their discharge from the previous institutions and organizations shall not require any seniority or termination indemnity. The term of office of those who are in this situation for which seniority or termination indemnity should be paid shall be combined with their term of office in the past as the President and member of the Board and this total term shall be considered for the payment of gratuity.
(4) The civil servants and other state officials serving in public agencies under the central administration, social security institutions, local administrations, the agencies under local administrations, local administrative units, institutions with the circulating capital, funds established by law, organizations with public legal personality, organizations with over half the capital which belongs to the public, public economic enterprises and public economic organizations and the partnerships and entities affiliated with them can be temporarily assigned in the Authority provided that their institution pay the salary, allowance, any kind of salary increase and indemnity as well as other financial and social rights and assistance with the consent of the mentioned institutions. The requests of the Authority on this matter shall be finalized primarily by the relevant institutions and organizations. The personnel who are assigned as such shall be deemed to be on paid leave from their institutions. The civil service, relevance and rights of this personnel shall continue as long as they are on leave and this term shall be taken into account in their promotion and retirement process. Their promotion shall be conducted in time, without necessitating any other action. The term of service of those who are assigned under this article shall be deemed to have served in their own institutions. Those who are assigned as such cannot exceed 10% of the total cadre number of Specialists and Assistant Specialists on Personal Data Protection and the assignment cannot exceed two years. However, this term may be extended for a period of one year if necessary.
(5) The titles and numbers of the personnel to be employed in the Authority are shown on Table (I). Titles or degrees shall be changed, new titles shall be added and vacant positions shall be cancelled upon the decision of the Board, provided that it is limited to the titles listed on the tables annexed to the Decree Law No. 190 dated 13/12/1983 on General Cadre and Procedure, not exceeding the total number of personnel.
CHAPTER VII
MISCELLANEOUS PROVISIONS
Exceptions
ARTICLE 28 – (1) Provisions of this Law shall not be applied in the following cases:
ç) Processing of personal data within the scope of preventive, protective and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defence, national security, public safety, public order or economic safety.
(2) On the condition of being relevant and proportionate to the purpose and general principles of this Law, article 10 which regulates the obligation of the data controller to inform; except for right to request compensation, article 11 which regulates the rights of the data subject; and article 16 which regulates the obligation to register with the Data Controllers Registry shall not apply in the following cases:
ç) Processing of personal data is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters.
Institution's budget and revenues
ARTICLE 29 - (1) The budget of the Institution is prepared and accepted in accordance with the procedures and principles determined in the Law No. 5018.
(2) The revenues of the institution are as follows:
a) Treasury aids to be made from the general budget.
b) Revenues from movable and immovable properties belonging to the Institution.
c) Donations and aids received.
ç) Incomes from the evaluation of their income.
d) Other income.
Amended and added provisions
ARTICLE 30 - (1) (It is related to the Law No. 5018 of 10/12/2003 and has been replaced.)
(2) to (5) - (Related to Law No. 5237 of 26/9/2004 and has been replaced.)
(6) (It is related to the Health Services Basic Law No. 3359 dated 7/5/1987 and has been replaced.)
(7) (Related to the Decree-Law on the Organization and Duties of the Ministry of Health and Affiliated Institutions, dated 11/10/2011 and numbered 663.)
Regulation
ARTICLE 31 – (1) Regulations related to the application of this Law shall be brought into force by the Authority.
Transitional Provisions
TEMPORARY ARTICLE 1 – (1) Within six months following publication of this Law, the members of the Board shall be elected in accordance with the procedure set forth under article 21 and the Presidency organisation shall be constituted.
(2) Data controllers are obligated to register with the Data Controllers Registry within the term designated and announced by the Board.
(3) Personal data that is processed before the date of publication of this Law shall be rendered compliant within two years following the date of publication of this Law. Personal data that is determined to be contrary to the provisions of this Law shall be immediately deleted, destroyed, or anonymised. However, the consents that are lawfully obtained before the date of publication of this Law shall be deemed lawful in terms of this Law, provided that no declaration of intention to the contrary is made within one year.
(4) The regulations prescribed in this Law shall be brought into force within one year following the date of publication of this Law.
(5) A senior executive who is to provide coordination of the application of this Law in public institutions and organizations shall be determined and reported to the Presidency within one year following the date of publication of this Law.
(6) The first elected President, second President and two members who are to be determined by draw shall serve for six years, and other five members for four years.
(7) Until a budget is allocated to the Authority;
(8) Until the service units of the Authority enter into service, secretariat services shall be provided by the Prime Ministry.
Effectiveness
ARTICLE 32 – (1) This Law’s
Enforcement
ARTICLE 33 – (1) Provisions of this Law shall be enforced by the Council of Ministers.