Skip to Main Content
Main Menu

Turkish Personal Data Protection Law (PDPL)

The Turkish Personal Data Protection Law (PDPL) is a core legislative act regulating data protection in Turkey. The PDPL is a step towards harmonizing Turkish legislation with EU legislation, and has a similar framework to Directive 95/46/EC, the GDPR and Directive (EU) 2106/680.

Are you subject to the Turkey PDPL?

The Turkish PDPL applies to natural or legal persons whose personal data is processed and or natural or legal persons who process such data either through automatic or non-automatic means.

There is no distinction between private corporations and public authorities in the Law and it does not have a territorial scope (meaning databases and servers storing Turkish data do not need to be located in Turkey). The Law shall apply to all natural and legal persons who process Turkish-originated data, regardless of whether they are located in Turkey or abroad.

Obligations & Rights under the Turkey PDPL

Individual Rights & Requests

Individuals have the right to request the following from the data controller: information about whether their personal data has been processed and about the identities of natural or legal persons whom the data is transferred to; correction in case personal data are processed incompletely or inaccurately; deletion or destruction of personal data; object to any negative consequence of their data being analyzed exclusively through automated systems; and compensation where an individual suffers any damage due to the illegal processing of their data.

Policies & Notices

The data controller or the person it authorized is required to inform the individuals about the following when collecting their personal data: (a) identity of the data controller and if any, its representative, (b) purposes for which personal data is processed, (c) persons to whom processed personal data might be transferred and purposes of the transfer (d) method and legal basis for the collection of personal data, (e) individual rights set forth under PDPL.


Personal data shall not be processed without obtaining the explicit consent of the data subject.

Data Security

The data controller is required to take all necessary technical and organizational measures for providing an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and safeguard personal data.


Guide to Data Inventory and Mapping for GDPR & CCPA Compliance

One of the most important steps to design and build a data privacy program is to create a data inventory of all of the business processes within an organization.

Achieve compliance


  • What does the “Turkish PDPL” refer to?

    The Turkish Personal Data Protection Law or “PDPL” is a comprehensive piece of legislation designed to safeguard individuals’ personal information privacy in Turkey. The law also plays a critical role in protecting employees’ personal information, as employers typically process, store, and share a substantial amount of personal data about their employees. It became effective on April 7th 2016.

  • What is personal information and sensitive personal information?

    Personal information is any information relating to an identified or identifiable natural person. Examples include a first and last name, email address, or phone number.

    Sensitive personal information also known as “special categories of personal data” means data relating to race, ethnic origin, political opinions; philosophical beliefs; religion, sect or other beliefs; appearance and dressing; membership of association, foundation or trade-union; health; sexual life; criminal conviction and security measures; and biometrics and genetics.

  • What are the breach notification requirements?

    Under the Turkey PDPL, the data controller shall notify the data subject and the data protection authorities of such a situation as soon as possible. The data protection authority, if necessary, may declare such a situation on its website or by other means which it deems appropriate.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top