Regulation

Turkish Personal Data Protection Law (PDPL)

The Turkish Personal Data Protection Law (PDPL) is a core legislative act regulating data protection in Turkey. The PDPL is a step towards harmonizing Turkish legislation with EU legislation, and has a similar framework to Directive 95/46/EC, the GDPR and Directive (EU) 2106/680.

Are you subject to the Turkey PDPL?

The Turkish PDPL applies to natural or legal persons whose personal data is processed and or natural or legal persons who process such data either through automatic or non-automatic means.

There is no distinction between private corporations and public authorities in the Law and it does not have a territorial scope (meaning databases and servers storing Turkish data do not need to be located in Turkey). The Law shall apply to all natural and legal persons who process Turkish-originated data, regardless of whether they are located in Turkey or abroad.

Obligations & Rights under the Turkey PDPL

Individual Rights & Requests

Individuals have the right to request the following from the data controller: information about whether their personal data has been processed and about the identities of natural or legal persons whom the data is transferred to; correction in case personal data are processed incompletely or inaccurately; deletion or destruction of personal data; object to any negative consequence of their data being analyzed exclusively through automated systems; and compensation where an individual suffers any damage due to the illegal processing of their data.

Policies & Notices

The data controller or the person it authorized is required to inform the individuals about the following when collecting their personal data: (a) identity of the data controller and if any, its representative, (b) purposes for which personal data is processed, (c) persons to whom processed personal data might be transferred and purposes of the transfer (d) method and legal basis for the collection of personal data, (e) individual rights set forth under PDPL.

Consent

Personal data shall not be processed without obtaining the explicit consent of the data subject.

Data Security

The data controller is required to take all necessary technical and organizational measures for providing an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and safeguard personal data.

Whitepaper

Guide to Data Inventory and Mapping for GDPR & CCPA Compliance

One of the most important steps to design and build a data privacy program is to create a data inventory of all of the business processes within an organization.

Learn More

Achieve compliance

Data Inventory Hub & Risk Profile

Complete and maintain a data inventory

Automate with a Data Inventory Hub. Save time and reduce risk with automated data flow mapping, risk analysis, and remediation for personal data processes and general activities associated.

Assessment Manager

Mitigate risks

Use pre-built DPIAs and vendor assessments to mitigate risks with TrustArc’s Assessment Manager.

Individual Rights Manager

Exercising individual rights

Enjoy Data Subject Request (DSR) automation with TrustArc’s Individual Rights Manager. Easily operationalize individual rights according to specific jurisdictions, leverage automated workflows to save time, and keep an audit trail of requests/actions.

FAQs

What does the “Turkish PDPL” refer to?

The Turkish Personal Data Protection Law or “PDPL” is a comprehensive piece of legislation designed to safeguard individuals’ personal information privacy in Turkey. The law also plays a critical role in protecting employees’ personal information, as employers typically process, store, and share a substantial amount of personal data about their employees. It became effective on April 7th 2016.
What is personal information and sensitive personal information?

Personal information is any information relating to an identified or identifiable natural person. Examples include a first and last name, email address, or phone number.

Sensitive personal information also known as “special categories of personal data” means data relating to race, ethnic origin, political opinions; philosophical beliefs; religion, sect or other beliefs; appearance and dressing; membership of association, foundation or trade-union; health; sexual life; criminal conviction and security measures; and biometrics and genetics.
What are the breach notification requirements?

Under the Turkey PDPL, the data controller shall notify the data subject and the data protection authorities of such a situation as soon as possible. The data protection authority, if necessary, may declare such a situation on its website or by other means which it deems appropriate.

Related Resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.