top of page



The Law on Protection of Personal Data w. no 6698 (“Turkish DP Law”) was published in the Official Gazette in April 7, 2016, only a week earlier of the approval of the GDPR by the EU Parliament on April 14, 2016. Therefore, the Turkish DP Law has been overshadowed by the GDPR and most multinational companies that are in Turkey or process data collected from Turkey had difficulty in focusing their attention on the local Turkish DP Law compliance.


Turkish DP Law is very important for all companies that are conducting any business in Turkey and non-compliance with the Law may result in administrative fines and imprisonment of up to 4 years. The Turkish DP Law also has extraterritorial application therefore the Law shall be applied to those that collect data from Turkey.


Below are a few practical compliance steps for i) data controllers that are located in Turkey and, ii) data controllers that are not located in Turkey but collect and process personal data from Turkey.


Data Controllers Located in Turkey


Under the Turkish DP Law Article 12, all data controllers are required to carry out necessary audits and compliance steps to ensure compliance with the provisions of the Turkish DP Law. Therefore, the first step is to start a Data Protection Compliance Program to understand what data is being collected, processed and transferred, understand the internal policies and practices applied to personal data and transform the practices and policies to be in compliant with the Turkish DP Law.


While the key of compliance is to make sure that personal data is being processed in line with the data processing principles and in compliance with any of the lawful basis’ under the DP Law, there are certain practical steps that can help with the initial compliance efforts.


Under Turkish DP Law, all data controllers are required to;


  1. Draft a Personal Data Inventory – An inventory consisting of the following information;


  • Data subject category,

  • Personal data category,

  • Purpose of processing,

  • International transfers (if any),

  • Measures to safeguard data security, and

  • Maximum data retention times.


   2. Draft a Privacy Notice to be given to data subjects at the time of data collection – Notice shall include the following information;


  • Identity of the data controller (or its representative),

  • Purpose of data processing,

  • Third parties that will receive personal data and purpose of transfer,

  • Method of data collection and legal basis, and

  • Data subject rights.


  3. Draft a Personal Data Retention and Destruction Policy – A policy consisting of the following information; * Please note that this rule only applies to data controllers that are not given an exemption by the DPA for registration with the Data Controllers’ Registry


  • Purpose of preparing the personal data retention and destruction policy,

  • Recording mediums regulated by the Policy,

  • Definitions of legal and technical terms contained in the Policy,

  • Legal, technical or other grounds requiring the retention and destruction of personal data,

  • Technical and administrative measures taken to safeguard personal data safely and to prevent illegal processing and access to personal data,

  • Technical and administrative measures taken to ensure that personal data are destroyed in accordance with law,

  • Titles, units and job descriptions of those involved in the retention and destruction processes,

  • The table showing the retention and destruction periods,

  • Periodic destruction times,

  • changes to the current policy if the current personal data retention and destruction policy has been updated,


  4. Register with the Data Controllers’ Registry – Data controllers that are not provided and exemption by the Data Protection Authority are required to register with the Data Controllers’ Registry by providing the following information; * Please note that this requirement is not in place yet as of May 07, 2018. Further, the Data Protection Authority did not yet decide on any exemption to this rule.


  • The information specified within the application form, the content of which shall be determined by the Authority, in respect of identity and address details of the data controller, the data controller representative, if any, and the contact person,

  • The designated purposes, for which the personal data will be processed,

  • The descriptions and remarks about the subject person group(s) and the data categories of such persons,

  • The recipients or recipient groups, to whom the personal data may be transferred,

  • The personal data, which are contemplated to be transferred to foreign countries,

  • The precautions, which are contemplated to be taken by Article 12 of the Law, and are taken in accordance with the criteria identified and set forth by the DPA,

  • The maximum period of retention of personal data as prescribed by the applicable regulations or as necessary for the relevant purpose of processing.


Data Controllers That Are Not Located in Turkey


Data Controllers that are not located in Turkey but collect data from Turkey or process personal data collected from Turkey are required to take steps given in points 1 to 4 above. In addition to those requirements, Data Controllers that are not located in Turkey are required to appoint a representative in Turkey to handle the local communication in Turkey. In practice, multinational companies chose to appoint their outside counsel - a lawyer with a proxy.


As mentioned above, these are only practical steps that can be taken to help with the compliance efforts however it should be noted that compliance is a long and bumpy road and working with a local legal specialist is always a better option.


bottom of page