top of page

Purpose, Scope and Definitions
 -  (1)  The  purpose  of  this  Law  is  to  protect  fundamental  rights  andfreedoms of people, particularly the right to privacy, with respect to processing of personal data  and  to  set  forth  obligations,  principles  and  procedures  which  shall  be  binding  upon natural or legal persons who process personal data.

 (1) The provisions of this  Law shall apply to natural persons whose personal data are processed as well as to natural or legal persons who process such data fully or partially through automatic means or provided that the process is a part of any data registry  system, through non-automatic means.

(1) For the purposes of this Law the following definitions shall apply:
a) Explicit consent: freely given, specific and informed consent,

b)  Anonymizing:  rendering  personal  data  impossible  to  link  with  an  identified  or identifiable natural person, even through matching them with other data,
c) President: President of the Personal Data Protection Authority,

ç) Data subject: the natural person, whose personal data is processed,
d)  Personal  data:  all  the  information  relating  to  an  identified  or  identifiable  natural person,
e) Processing of personal data: any operation performed upon personal data such  as collection,  recording,  storage,  retention,  alteration,  re-organization,  disclosure,  transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means,
f) Board: the Personal Data Protection Board,

g) Authority: the Personal Data Protection Authority,
ğ) Processor: the natural or legal person who processes personal data on behalf of the controller upon his authorization,

h) Data registry system: the registry system which the personal data is registered into through being structured according to certain criteria,

ı)  Controller:  the  natural  or  legal  person  who  determines  the  purpose  and  means  of  processing personal  data  and  is  responsible  for establishing and  managing the  data  registry system.


Processing of Personal Data

General principles

ARTICLE  4  -  (1)  Personal  data  may  only  be  processed  in  compliance  with  the procedures 
and principles set forth in this Law and other laws.

(2) The following principles shall be complied within the processing of personal data:

a) Lawfulness and conformity with rules of bona fides.

b) Accuracy and being up to date, where necessary.

c) Being processed for specific, explicit and legitimate purposes.

ç) Being relevant with, limited to and proportionate to the purposes for which they are processed.

d)  Being  retained  for  the  period  of  time  stipulated  by  relevant  legislation  or  the purpose for which they are processed.


Conditions for processing of personal data

ARTICLE 5- (1) Personal data  cannot be processed without the explicit consent of the data subject.
(2) Personal data  may be processed  without seeking the  explicit consent  of the  data subject only in cases where one of the following conditions is met:
a) it is clearly provided for by the laws.
b) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.
c) processing of personal data belonging to  the parties of a  contract,  is necessary provided that it is directly related to the conclusion or fulfilment of that contract.
ç) it is mandatory for the controller to be able to perform his legal obligations.
d) the data concerned is made available to the public by the data subject himself.
e)  data  processing is  mandatory for  the  establishment,  exercise  or  protection  of  any right.
f)  it  is  mandatory  for  the  legitimate  interests  of  the  controller,  provided  that  this processing shall not violate the fundamental rights and freedoms of the data subject.


Conditions for processing of personal data of special nature (sensitive personal data)

ARTICLE  6-  (1)  Personal  data  relating to  the  race,  ethnic  origin,  political  opinion, philosophical  belief,  religion,  sect  or  other  belief,  clothing,  membership  to  associations, foundations  or  trade-unions,  health,  sexual  life,  convictions  and  security measures,  and  the biometric and genetic data are deemed to be personal data of special nature.

(2)  It  is  prohibited  to  process  the  personal  data  of  special  nature  without  explicit consent of the data subject.

(3) Personal data, excluding those relating to health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data relating to health and sexual life may only be processed,  without  seeking  explicit  consent  of  the  data  subject,  by  any  person  or  authorised  public institutions  and  organizations  that  have   confidentiality  obligation,  for  the  
purposes  of protection  of  public  health,  operation  of  preventive  medicine,  medical  diagnosis,  treatment and  nursing  services,  planning  and  management  of  health-care  services as  well  as  their financing.

(4)  It  is  stipulated  that  adequate  measures  determined  by  the  Board  are  also  taken while processing the personal data of special nature.


Erasure, destruction or anonymizing of personal data

ARTICLE 7- (1) Despite being processed under the provisions of this Law and other related  laws,  personal  data  shall  be  erased,  destructed  or  anonymized  by  the  controller,  ex officio or upon demand by the data subject, upon disappearance of reasons which require the process.

(2)  Provisions  of  other  laws  concerning  the  erasure,  destruction  or  anonymizing  of personal data are reserved.

(3) Procedures and principles for the erasure, destruction or anonymizing of personal data shall be laid down through a by-law.


Transfer of personal data

ARTICLE 8- (1) Personal data cannot be transferred without explicit consent of the data subject.

(2) Personal data may be transferred without seeking explicit consent of  data subject upon the existence of one of the conditions provided for in:
a) the second paragraph of Article 5,
b) the third paragraph of Article 6, provided that sufficient measures are taken.

(3) Provisions of other laws concerning transfer of personal data are reserved.


Transfer of personal data abroad

ARTICLE 9- (1) Personal data cannot be transferred abroad without explicit consent of the data subject.

(2)  Personal  data  may  be  transferred  abroad  without  explicit  consent  of  the  data subject provided that one of the conditions set forth in the second paragraph of Article 5 and the third paragraph of Article 6 exist and that;
(a)  sufficient  protection  is  provided  in  the  foreign  country  where  the  data  is  to  be transferred,
(b) the controllers in Turkey and in the related foreign country guarantee a sufficient protection in writing and the Board has authorized such transfer, where  sufficient protection is not provided.
(3)  The  Board  determines  and  announces  the  countries  where  sufficient  level  of protection is provided.

(4) The Board shall decide whether there is sufficient protection in the foreign country concerned and whether such transfer will be authorised under the sub-paragraph (b) of second paragraph,  by  evaluating  the  followings  and  by  receiving  the  opinions  of  related  public institutions and organizations, where necessary:
a) the international conventions to which Turkey is a party,
b) the state of reciprocity concerning data transfer between the requesting country and Turkey,
c)  the  nature  of  the  data,  the  purpose  and  duration  of  processing  regarding  each concrete, individual case of data transfer,
ç) the relevant legislation and its implementation  in the country to which the personal data is to be transferred,
d) the measures guaranteed by the controller in the country to which the personal data is to be transferred,

(5)  In  cases  where  interest  of  Turkey  or  the  data  subject  will  seriously  be  harmed, personal data, without prejudice to the provisions of international agreements,  may only be transferred abroad upon the permission to be given by the Board after receiving the opinions of related public institutions and organizations.

(6)  Provisions  of  other  laws  concerning  the  transfer  of  personal  data  abroad  are reserved.

Rights and Obligations Obligation of Controller to Inform

ARTICLE 10- (1) Whilst collecting personal data, the controller or the person authorised by him is obliged to inform the data subjects about the following:

a) the identity of the controller and of his representative, if any,
b) the purpose of data processing;
c) to whom and for what purposes the processed data may be transferred, ç) the method and legal reason of collection of personal data,

d) other rights referred to in Article 11.


The Rights of Data Subject

ARTICLE 11- (1) Each person has the right to apply to the controller and
a) to learn whether his personal data are processed or not,
b) to request information if his personal data are processed,
c) to learn the purpose of his data processing and whether this data is used for intended purposes,
ç) to know the third parties to whom his personal data is transferred at home or abroad,
d) to request the rectification of the incomplete or inaccurate data, if any,
e) to request the erasure or destruction of his personal data under the conditions laid down in Article 7,
f)  to  request  notification  of  the  operations  carried  out  in  compliance  with  sub- paragraphs (d) and (e) to third parties to whom his personal data has been transferred,
g) to object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavourable consequence for the data subject,
ğ) to request compensation for the damage arising from the unlawful processing of his personal data.


Obligations concerning data security

ARTICLE  12-  (1)  The  controllers  are  obliged  to  take  all  necessary  technical  and administrative measures to provide a sufficient level of security in order to:
a) prevent unlawful processing of personal data,
b) prevent unlawful access to personal data,
c) ensure the retention of personal data.

(2) In case of the processing of personal data by a natural or legal person on behalf of the  controller,  the  controller  shall  jointly  be  responsible  with  these  persons  for  taking  the measures laid down in the first paragraph.

(3)  The  controller  shall  be  obliged  to  conduct  necessary  inspections,  or  have  them conducted in his own institution or organization, with the aim of implementing the provisions of this Law.

(4) The controllers and processors shall not disclose the personal data that they learned to  anyone  in  breach  of  this  Law,  neither  shall  they  use  such  data  for  purposes  other  than processing. This obligation shall continue even after the end of their term.

(5) In case the processed data are collected by other parties through unlawful methods, the  controller  shall  notify  the  data  subject  and  the  Board  within  the  shortest  time.  Where necessary,  the  Board  may  announce  such  breach  at  its  official  website  or  through  other methods it deems appropriate.




Application, Complaint and Registry Application to the Controller
 (1)  The  data  subject  shall  lodge  an  application  in  writing  to  the controller about his demands concerning the implementation of this Law or via other methods specified by the Board.

(2) The data controller shall conclude the demands involved in the applications within the shortest time possible depending on the nature of the demand and within thirty days at the latest and free of charge. However if the action in question incurs another cost, the price set by the Board may be collected.

(3) The data controller shall accept the application or decline it on justified grounds and communicate its response to data subject in writing or in electronic media. If the demand involved in the application found admissible, it shall be indulged by the data controller. Data subject  shall  be  reimbursed  for  the  application  fee  provided  that  the  application  has  been lodged due to a mistake made by the controller.

Complaint to the Board

ARTICLE 14- (1) If the application is declined, the response is found unsatisfactory or the response is not given in due time, the data subject may file a complaint with the Board within thirty days as of he learns about the response of the controller, or within sixty days as of the 
application date, in any case.

(2)  A  complaint  cannot  be  filed  before  exhausting  the  remedy  of  application  to  the controller under Article 13.

(3) The right to compensation under general provisions of those whose personal rights are violated is reserved.


Procedures and principles of examination ex officio or upon complaint  

ARTICLE  15-  (1)  The  Board  shall  make  the  necessary  examination  in  the  matters falling within its scope of work upon complaint or ex officio, where it learnt about the alleged violation.

(2) The notices and complaints not meeting the requirements laid down in Article 6 of the Law No. 3071 of 1/11/1984 on the Use of Right to Petition shall not be examined.

(3)  Except  for  the  information  and  documents  having  the  status  of  state  secret,  the controller shall be obliged to communicate within fifteen days the information and documents related to the subject of examination which the Board has requested, and shall enable, where 
necessary, on-the-spot examination.

(4) The  Board  shall  finalise  the  examination  upon  complaint  and  give  an  answer  to data subjects. In case the Board fails to answer the data subject’s application in sixty days as of the application date, it is deemed rejected.

(5) Following the examination made upon complaint or ex officio, in cases where it is understood   that   an   infringement   exists,   the   Board   shall   decide   that   the   identified infringements  shall  be  remedied  by the  relevant  controller  and  notify this  decision  to  all  it may concern. This decision shall be implemented without delay and within thirty days after the notification at the latest,

(6) Following the examination made upon complaint or ex officio, in cases where it is determined that the infringement is widespread, the Board shall adopt and publish a resolution in  this  regard.  Before  adopting  the  resolution,  the  Board  may  also  refer  to  the  opinions  of 
related institutions and organisations, if needed.

(7)  The  Board  may  decide  that  processing  of  data  or  its  transfer  abroad  should  be stopped if such operation may lead to damages that are difficult or impossible to recover and if it is clearly unlawful.

Registry of Controllers

ARTICLE  16-  (1)  The  Presidency  shall  maintain  a  publicly  accessible  Registry of Controllers under the supervision of the Board.

(2) Natural or legal persons who process personal data shall be obliged to enrol in the Registry of Data Controllers before proceeding with data processing. However, by taking into account  the  objective  criteria  set  by  the  Board  such  as  the  nature  and  quantity  of  the  data processed, the legal requirement for data processing, or transferring the data to third parties, the  Board  may  provide  exception  to  the  obligation  of  enrolment  in  the  Registry  of  Data Controllers.

(3) Application for enrolling in the Registry of Data Controllers shall be made with a notification including:
a) identity and address of the controller and of his representative, if any,
b) purposes for which the personal data will be processed,
c)  explanations  about  group(s)  of  personal  data  subjects  as  well  as  about  the  data categories belonging to these people,
ç) recipients or groups of recipients to whom the personal data may be transferred,
d) personal data which is envisaged to be transferred abroad,
e) measures taken for the security of personal data.
(f)  maximum  period  of  time  required  for  the  purpose  of  the  processing  of  personal data.

(4)  Any  changes  in  the  information  provided  under  the  third  paragraph  shall  be immediately notified to the Presidency

(5) Other procedures and principles governing the Registry of Data Controllers shall be laid down through a by-law.



Crimes and Misdemeanours


ARTICLE  17-  (1)  Articles  135-140  of  Turkish  Penal  Code  No.  5237  of  26/9/2004 shall apply in terms of the crimes concerning personal data.

(2) Those who fail to erase or anonymize personal data in breach of Article 7 herein shall be punished under Article 138 of the Law No. 5237.


ARTICLE 18- (1) For the purposes of this Law;
a) those who fail to comply with obligation to inform provided for in Article 10 herein shall be required to pay an administrative fine of 5.000 to 100.000 TL,
b) those who fail to comply with obligations related to data security provided for in Article 12 herein shall be required to pay an administrative fine of 15.000 to 1.000.000 TL,
c) those who fail to comply with the decisions issued by the Board under Article 15 herein shall be required to pay an administrative fine of 25.000 to 1.000.000 TL,
ç)  those  who  fail  to  meet  the  obligations  for  enrolling  in  the  Registry  of  Data Controllers and making a notification as provided for in Article 16 herein shall be required to pay an administrative fine of 20.000 to 1.000.000 TL.

(2) The administrative fines listed in this article shall be applicable to natural persons and private law legal persons who are controllers.

(3)  Should  the  acts  listed  in  the  first  paragraph  be  committed  within  the  public institutions and organizations as well as professional associations having the status of public institution,  disciplinary  procedures  shall  be  applied  to  the  civil  servants  and  other  public officers employed in the relevant public institutions and organisations and those employed in the professional associations having the status of public institution upon a notice by the Board and the result is communicated to the Board.


Personal Data Protection Authority and its Organization Personal Data Protection Authority

ARTICLE  19-  (1)  Personal  Data  Protection  Authority which  is  a  public  law  body with  public  law  legal  personality  having  administrative  and  financial  autonomy  has  been established to carry out duties provided by this Law

(2) The Authority is affiliated to the office of the Prime Minister

(3) The Headquarters of the Authority is in Ankara

(4)  The  Authority  is  composed  of  the  Board  and  the  Presidency.  Decision  making body of the Authority is the Board.

Duties of the Authority

ARTICLE 20 - (1) The duties of the Authority are as follows;
(a) to follow the latest developments in the legislation and practices, make evaluations and  recommendations,  conduct  researches  and  analyses  or  have  them  conducted  within  its field of duty.
(b)  to  cooperate  with   public  institutions  and  organisations,  NGOs,   professional associations or universities within its field of duty, if needed.
(c) to follow and evaluate the latest international developments on personal data; and within  its  field  of  duty  cooperate  with  international  organisations  and  participate  to  the meetings
(ç)  to  submit  its  annual  activity  report  to  the  office  of  the  President  of  Turkish Republic, the Committee on Human Rights Inquiry of Grand National Assembly of Turkey and office of the Prime Minister.
(d) to carry out other duties provided by laws.

Personal Data Protection Board

ARTICLE  21  -  (1)  The  Board  shall  perform  and  exercise  the  duties  and  powers conferred on it by this law and other laws, independently and under its own responsibility. No body,  authority,  office  or  person  shall  give  orders  and  instructions,  recommendations  or suggestions to the Board on matters falling within the scope of its duties and powers.

(2)  The  Board  is  composed  of  nine  members.  Five  members  of  the  Board  shall  be elected  by  the  Grand  National  Assembly  of  Turkey,  two  members  shall  be  elected  by  the President of Turkey and two members shall be elected by the Council of Ministers.

(3) The following conditions shall be met in order to be elected for the Board:
a) Being informed on and being experienced in the issues falling within Authority’s field of duty.
b) Complying with the requirements set forth in points (1), (4), (5), (6) and (7) of sub- paragraph  (A)  of  first  paragraph  of  Article  48  of  the  Public  Servants  Law  No.  657  of 14/7/1965.
c) Not being a member of any political party.
ç) Having been graduated from at least a four-year graduate program.
d)  Having  been  employed  in  public  institutions  and  organisations,  international organisations, non-governmental organisations, or professional associations having the status of public institution or in the private sector for at least ten years in total.,

(4) Those who are elected for the membership should express their consent. Elections are held so as to pluralistical representation of those who are informed on and experienced in the issues falling within Authority’s field of duty.

(5) Board members shall be elected by the Grand National Assembly of Turkey on the basis of the following procedure:
a) Persons twice as many as the number of members to be determined in proportion to the  number  of  deputies  of  political  party  groups  shall  be  nominated  for  election  and  the members of the Board shall be elected by the Plenary of the Grand National Assembly from among  these  
candidates  on  the  basis  of  the  number  of  deputies  allocated  to  each  political party. However, political party groups shall not negotiate or decide whom to vote for in the elections to be held in the Grand National Assembly of Turkey.
b)  The  Board  members  shall  be  elected  within  ten  days  after  the  designation  and announcement of the candidates. For the candidates designated by the political party groups, a composite ballot in the form of separate lists shall be prepared. Voting shall be cast by ticking 
of  the  specific  space  across  the  names  of  the  candidates.  The  votes  casted  more  than  the numbers  of  the  members  to  be  elected  for  the  Board  from  the  political  party  quotas, determined in accordance with paragraph two, shall be deemed invalid.
c) Provided that the quorum is ensured, candidates the number of whom corresponds to  the  number  of  vacancies  and  who  take  most  of  the  votes  shall  be  deemed  to  have  been elected.
ç) The election for the renewal of the members shall be held two months before the expiration  of  their  term  of  office;  should  there  be  a  vacancy  in  the  memberships  for  any reason, there shall be an election within one month as of the date of vacancy; or if the date of vacancy 
coincides  with  the  recess  of  the  Grand  National  Assembly of  Turkey.  the  election shall  take  place  within  one  month  from  the  end  of  the  recess,  by  employing  the  same procedure. During these elections, the  allocation  of the vacant memberships  to the political 
party  groups  shall  be  made  by  considering  the  number  of  the  elected  members  from  the political party groups’ quotas in the first election and the current proportions of the political party groups.

(6) Forty-five days before the expiration of the term of office or in case of expiration of  term  of  office  by  any  reason  of  the  members  elected  by the  President  of  Turkey or  the Council of Ministers, the Authority shall notify the situation in fifteen days to the office of the Prime Minister so as to be submitted to the office of the President of Turkey or the Council of Ministers; A new election shall take place one month before the expiration of term of office of the members. Should there be a vacancy in these memberships before the expiration of term of office, there shall be an election within fifteen days as of the date of notification.

(7) The Board shall designate the Head and the Second Head of the Board among its members. The Head of the Board is also the President of the Authority.

(8) Term of office of the Board members is four years. Members may be re-elected after  expiration  of  their  term  of  office.  The  person  who  is  elected  instead  of  the  member whose post ends before the expiration of his/her term of office for any reason, shall complete the remaining term of office.

(9) Members of the Board shall take the following oath before  Court of Cassation’s Board of First Presidency: "I do solemnly swear on my honour and on my dignity that I will carry out my duties with absolute impartiality, bona fides, fairness and with sense of justice in line with the Constitution and the relevant legislation." Application to Court of Cassation for oath taking is deemed to be one of the pressing matters.

(10) Unless provided for by a specific law, the members shall not assume any public or private tasks other than those related with carrying out their official duties in the Board; shall  not  act  as  executives  in  associations,  foundations,  cooperatives  and  in  similar  bodies; shall not engage in commercial activities, shall not engage in self-employment, shall not act as arbitrators   and   expert   witnesses.   However,   Board   members   may  prepare   scientific publications, give lectures and attend conferences so as not to hinder their primary duties, and may receive copyrights and fees associated with those.

(11)  Investigations  into  the  claims  about  the  crimes  allegedly  committed  by  the members  in  connection  with  their  duties  shall  be  conducted  as  per  the  Law  No.  4483  of 2/12/1999 on Adjudication of Public Servants and Other Public Employees, and permission for investigation shall be granted by the Prime Minister.

(12)  Provisions  of  the  Law  No.  657  shall  apply  to  disciplinary  investigations  and prosecutions about the members of the Board.

(13)  Members  shall  not  be  removed  from  their  office  by  any  reason  before  the expiration  of  their  term  of  office.  However,  members  of  the  Board  may  be  removed  from office by the Board decision if:
a) it is found out subsequently that they do not meet the conditions required for their election,
b)  the  verdict,  which  is  rendered  for  crimes  committed  by them  in  connection  with their duties, becomes final
c) a medical report is issued by board of health to certify that they are not suitable for office,
ç) it is ascertained that they were absent from work for fifteen consecutive days or for a total of thirty days within a year, without legitimate permission and excuse.
d) it is ascertained that they fail to attend three Board meetings in one month and ten Board meetings in one year without any permission and excuse.​

(14)  Those  who  are  appointed  as  the  members  of  the  Board  shall  be  removed  from their previous posts during their term of office in the Board. On the condition that they do not fail to meet the requirements of being employed as a civil servant, those who are assigned as Board members whilst on duty shall be appointed to posts that are appropriate for their vested positions and titles in one month, in case their term of office ends or they express their will to resign  and  lodge  an  application  in  this  regard  to  their  former  institution  within  thirty days. 
Until  the  assignment,  Authority  shall  continue  to  make  any  payment  they  are  vested  with. Until they take another post or take up another employment, Authority shall continue to make the payment of those who are appointed as Board members despite not being public servants and  
whose  term  of  office  terminated  as  stated  hereinabove;  and  the  payments  to  be  made under  this  scope  shall  not  exceed  three  months.  With  regard  to  personal  and  other  rights, terms  spent  in  the  Authority  shall  be  deemed  to  have  spent  in  the  previous  institutions  or organisations.


Duties and powers of the Board

ARTICLE 22 - (1) Duties and powers of the Board are as follows:

a) to ensure that the personal data are processed in compliance with fundamental rights and freedoms.
b)  to  conclude  the  complaints  of  those  claiming  that  their  rights  with  regard  to personal data protection have been violated.
c) to examine whether the personal data are processed in compliance with the laws, upon  complaint,  or  ex  officio  where  it  learnt  about  the  alleged  violation,  and  to  take temporary measures, if necessary.
ç) to determine the adequate measures which are necessary for the processing of the data of special nature.
d) to ensure that Registry of Controllers is maintained.
e)  to  draft  regulatory  acts  on  the  matters  concerning  the  Board’s  field  of  duty  and operation of the Authority.
f) to draft regulatory acts in order to lay out the liabilities concerning data security.
g) to draft regulatory acts on the matters concerning duties, powers and responsibilities of the Controller and of his representative.
ğ) to decide on the administrative sanctions provided for in this Law.
h)   to   deliver   its   opinion   about   the   legislation   drafted   by  other   institutions   or organizations that contain provisions on personal data.
ı) to conclude the Strategic Plan of the  Authority; to determine the purpose, targets, service quality standards and performance criteria of the Authority.
i)  to  discuss  and  decide  on  Strategic  Plan  and  the  budget  proposal  of  the  Authority which are prepared in compliance with its purposes and targets.
j)  to  approve  and  publish  the  draft  reports  on  the  performance,  financial  situation, annual activities and other matters related with the Authority.
k)  to  discuss  and  decide  on  the  recommendations  as  regards  the  purchase,  sale  and lease of immovable properties.
l) to carry out other tasks provided for by laws.


Working Principles of the Board

ARTICLE  23  -  (1) Head  of  the  Board  shall  determine  the  dates  and  agenda  of  the meetings. The Board may be called for an extraordinary meeting by the Head, if necessary.

(2)  The  Board  shall  convene  at  least  with  six  members,  including  the  Head  of  the Board,  and  shall  take  decisions  by  simple  majority  of  its  total  members.  Members  of  the Board shall not cast abstaining vote.

(3)  Members  shall  not  attend  and  cast  vote  in  meetings,  which  concern  issues regarding themselves, their relatives by blood up to third degree and relatives by affinity of marriage up to second degree, their adopted children and their spouses even if the marriage has ended.

(4) Members of the Board shall not disclose the secrets they learned as to data subjects and  third  parties  during  their  work  to  anyone  other  than  legally  authorized  bodies,  neither shall they use such secrets for their benefits. This obligation shall apply even after the end of their term of office.

(5) The outcome of the agenda of the Board shall be written down. The decisions and dissenting  opinions,  if  any,  shall  be  written  within  15  days  at  the  latest.  The  Board  shall announce to public the decisions it deems necessary.

(6) The meetings of the Board are confidential unless decided otherwise

(7) Working procedures and principles of the Board and the writing procedure of the decisions and other issues shall be laid down through a by-law.

The President

ARTICLE 24 - (1) The President, as the head of both the Authority and the Board, is the  highest-level  official  of  the  Authority,  and  organises  and  conducts  the  services  of  the Authority in accordance with the legislation, Authority’s purpose and policies, Strategic Plan, performance criteria and service quality standards, and , ensures coordination between service units, as well.

(2) The President is responsible for the general management and representation of the Authority. This responsibility entails the duties and powers concerning regulation, execution, inspection,  evaluation  of  Authority’s  work  and,  its  announcement  to  the  public,  when necessary.

(3) The duties of the President are as follows;
a) to chair the Board's meetings.
b)  to  ensure  the  notification  of  Board  decisions  and  public  announcement  of  these when deemed necessary by the Board, and to monitor their implementation.
c) to appoint Deputy President, Heads of Departments and Authority’s personnel.
ç) to finalize the recommendations communicated by service units and submit them to the Board.
d)  to  ensure   the  implementation  of  the  Strategic  Plan  and  to  establish  the  human resources and working policies in line with service quality standards.
e) to prepare the annual budget and financial tables of the Authority in line with the determined strategies, annual purposes and targets.
f) to ensure coordination in order for the Board and service units to work in harmony in an efficient, disciplined and well-ordered manner.
g) to maintain the relations of the Authority with other institutions.
ğ) to determine the scope of the duties and powers  of the personnel  authorized to sign on behalf of the President.
h) to carry out  other duties related to the management and operation  of the Authority

(4) The Second President is entitled to act on behalf of the President in his absence.

Composition and Duties of the Presidency

ARTICLE  25  -  (1)  The  Presidency  is  composed  of  Deputy  President  and  service units. The Presidency shall fulfill the duties listed in paragraph four through the service units which  are  organized  as  departments.  The  number  of  departments  shall  not  be  more  than seven.

(2) A Deputy President shall be appointed by the President in order to assist him in his administrative duties.

(3)  The  Deputy  President  and  Heads  of  Departments  shall  be  appointed  by  the President among those who have been graduated from at least a four-year higher education institution and worked in the public institutions for at least ten years.

(4) The duties of the Presidency are as follows,
a) to maintain the Registry of Controllers.
b) to carry out clerical services for the Authority and the Board.
c)   to   represent   the   Authority   through   lawyers   at   the   lawsuits   and   execution proceedings  to  which  the  Authority  is  a  party;  to  follow  up  such   lawsuits  or  have  them followed up and carry out the legal services.
ç)  to  carry  out  personnel-related  services  of  the  Board  members  and  Authority’s personnel.
d) to perform the duties foreseen by laws with regard to financial services and strategy development units.
e) to ensure that the information systems are established and used in order to carry out acts and actions of the Authority.
f) to draft reports on the annual activities of the Authority or on other issues which are deemed necessary, and submit them to the Board.
g) to draft the Strategic Plan of the Authority.
ğ)  to  determine  the  personnel  policy  of  the  Authority,  prepare  and  implement  the education and career-based plans for the personnel.
h)   to   carry   out   the   appointment,   transfer,   discipline,   performance,   promotion, retirement and other similar procedures regarding the personnel.
ı) to determine the ethical principles for the personnel and give necessary training.
i)  to  carry  out  the  services  with  regard  to  purchasing,  leasing,  maintenance,  repair, construction, archive, health and social issues and similar ones within the framework of the Public Financial Management and Control Law No. 5018 of 10/12/2003.
j) to keep record of the movable and immovable property of the Authority
k) to fulfill other duties conferred on it by the Board or the President.

(5)  Service  units  and  their  working  procedures  and  principles  shall  be  laid  down through  a  by-law  which  is  put  into  force  by  the  Council  of  Ministers  upon  Authority’s proposal drafted as per the field of activity, duties and powers stated in the Law herein.

The Personal Data Protection Experts and the Assistant Experts

ARTICLE 26 - (1) The Personal Data Protection Experts and the Assistant Experts may be  recruited  by the  Authority.  The  experts  and  assistant  experts  who  are  appointed  as Personal Data Protection Expert within the framework of additional Article 41 of the Law No. 657 shall receive one extra grade for once only.


Provisions on the Personnel and Personnel Rights

ARTICLE 27- (1) Personnel of the Authority shall be subject to the  Law No. 657, excluding the matters regulated through the Law herein.

(2)  Head  and  members  of  the  Board  and  personnel  of  the  Authority  shall  receive remunerations determined to be paid to the precedent personnel, within the scope of financialand social rights, as per Additional Article 11 of the Decree Law No. 375 of 27/6/1989, within the framework of the same procedures and principles applicable. Among the remunerations paid to the precedent personnel, those which are exempt from taxes and other legal deductions shall also be exempt from taxes and deductions as per the Law herein.

(3) Head and members of the Board and personnel of the Authority are subject to the sub-paragraph  (c)  of  the  first  paragraph  of  Article  4  of  the  Social  Insurance  and  Universal Health Insurance Law No. 5510 of 31/5/2006. Head and members of the Board and personnel of the Authority shall be considered equal with the precedent personnel in terms of retirement rights. Among the personnel who were appointed as Head and members of the Board when insured under sub-paragraph (c) of the first paragraph of Article 4 of the Law No. 5510, terms of office in these duties shall be considered while ascertaining acquired rights, salaries, grades and steps of those whose term of office ends or who express their will to resign. The relevant term of office of those who fall within the scope of Provisional Article 4 of the Law No. 5510 while  on  duty,  shall  be  deemed   as  the  period  for  which  position  and  representation compensation should be paid. Removal from previous institutions and organisations of those who were appointed as Head and members of the Board when insured under sub-paragraph(a)  of  the  first  paragraph  of  Article  4  of  the  Law  No.  5510,  shall  not  entail  receiving  a severance pay or termination pay. In such a case, term of office qualified for a severance pay or termination pay, shall be added to the service periods spent as Head and member of the Board, and accepted as the period for which a retirement bonus.

(4)  Civil  servants  working  in  public  administrations  attached  to  the  centralized government,  social  security  institutions,  local  administrations,  administrations  attached  to local   administrations,   local   administrative   unions,   revolving   fund   enterprises,   funds established with laws, public entities, organizations more than 50% of whose capital belongs to  public,  public  economic  enterprises,  state-owned  economic  enterprises,  and  associations and establishments attached to these, as well as other public officials may be seconded to the Authority upon the consent of their own institution, provided that their salaries, allowances, any increases thereof, compensations and other social and financial rights and aids are paid by their own institution. Requests of the Authority in this regard shall be concluded with priority by the related institutions and organizations. Personnel assigned accordingly shall be deemed on paid leave. During this leave, rights of the personnel and their connection with civil service shall be  maintained,  this  period  of  leave  shall  be  taken  into  account  in  promotions  and retirement, and they shall be promoted in due time without any need to further action. Periods spent in the Authority by those assigned under this Article shall be deemed to have been spent in their own institutions. Number of the personnel assigned accordingly shall not exceed ten per cent of the total number of posts for Personal Data Protection Experts and Personal Data Protection  Assistant  Experts,  and  the  term  of  assignment  shall  not  exceed  two  years. However, when deemed necessary, this term may be extended in one-year periods.

(5)  Titles  and  numbers  of  posts  regarding  the  personnel  to  be  employed  in  the Authority are presented in the annexed Table (I). Changes in titles and grade; addition of new titles and annulment of vacant posts shall be realized upon the decision of the Board, provided that it shall not exceed the total number of posts, and shall be limited with the titles in the annexed  tables  of  the  Decree  Law  No.  190  on  the  General  Posts  and  Procedures,  dated 13/12/1983.



ARTICLE  28  (1)  The provisions  of  this  Law  shall  not  be  applied  in  the  following cases where:
a) personal data is processed by natural persons within the scope of  purely personal activities  of  the  data  subject  or  of  family  members  living  together  with  him  in  the  same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with.
b)  personal  data  is  processed  for  the  purpose  of  official  statistics  and  for  research, planning and statistical purposes after having been anonymized.
(c) personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public  security,  public  order,  economic  security,  right  to  privacy or  personal  rights  are  not 
violated or they are processed so as not to constitute a crime.
(ç)   personal   data   is   processed   within   the   scope   of   preventive,   protective   and intelligence activities carried out by public institutions and organizations duly authorised and assigned  to    maintain  national  defence,  national  security,  public  security,  public  order 
 or economic security.
(d)  personal  data  is  processed  by  judicial  authorities  or  execution  authorities  with regard to investigation, prosecution, criminal proceedings or execution proceedings.

(2)  Provided  that  it  is  in  compliance  with  and  proportionate  to  the  purpose  and fundamental  principles  of  this  Law,  Article  10  regarding  the  data  controller's  obligation  to inform,  Article  11  regarding  the  rights  of  the  data  subject,  excluding  the  right  to  demand compensation, and Article 16 regarding the requirement of enrolling in the Registry of Data Controllers shall not be applied in the following cases where personal data 
a) is required for the prevention of a crime or crime investigation.
b) is carried out on the data which is made public by the data subject himself.
c)  is  required  for  inspection  or  regulatory  duties  and  disciplinary  investigation  and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorised for such actions, in 
accordance with the power conferred on them by the law,
ç) is required for protection of State’s economic and financial interests with regard to budgetary, tax-related and financial issues.

The Budget and the Revenues of the Authority

ARTICLE 29 - (1) The budget of the Authority shall be prepared and adopted in accordance with procedures and principles provided for in the Law No. 5018.

(2) The revenues of the Authority are as follows;

a) Treasury grants from the general budget.
b) The revenues from the movable and immovable properties of the Authority.

c) Donations and grants received.
ç) The revenues from the utilization of the revenues.
d) Other revenues.


Amended and Inserted Provisions

ARTICLE 30 - (1) The following line was inserted into the Table (III) attached to the Law No. 5018:
“10) Personal Data Protection Authority”

(2) The phrase “Any person” in the second paragraph of Article 135 of the Law No. 5237  was  amended  as  “Any  personal  data,  any  person”;  and  the  phrase  “Any  person  who records the information as personal data shall be punished according to the provisions of the above subsection.” as “the punishment to be given in accordance with the first paragraph is aggravated by half more.”

(3) The expression “children” in third paragraph of Article 226 of the Law No. 5237 was amended as “children, symbolic images of children or persons with a juvenile image”

(4) The expression “and” in first paragraph of Article 243 of the Law No. 5237 was amended as “or”, and the following paragraph was added.
“(4) Person  who, by employing technical means,  illegally monitors the data transfer carried out within an information system or between information systems without entering in the system, shall be punished with imprisonment from one year to three years”

(5) The following Article was inserted to follow Article 245 of the Law No.5237: “Prohibited device or programmes” Article 245/A- In case a device, computer programme, password or other security code are produced to commit the crimes inscribed exclusively within this Part and those that may be  committed  by using  information  system  as  a  means,  the  person  who  produces,  imports, dispatches,  transfers,  stores,  accepts,  sells,  supplies,  purchases,  lends  another  person  or possesses  these  shall  be  punished  with  imprisonment  from  one  to  three  years  and  with  a punitive fine up to five thousand days”

(6)  Sub-paragraph  (f)  of  the  first  paragraph  of  Article  3  of  the  Health Services Fundamental Law No 3359 of 7/5/1987 was amended as follows:
“f) With  the  aim  of  tracking the  medical  condition  of  everybody and  to  ensure that healthcare services are carried out in a more effective and rapid way, Ministry of Health and its associated institutions shall establish the required registration and notification system. This system may also be established in electronic environment in line with the e-State practices. To this end, a nationwide information system may be established by the Ministry of Health.”

(7)  Article  47  of  the  Decree  Law  No  663  of  11/10/2011  on  the  Organization  and Duties of the Ministry of Health and its Associated Institutions was amended as follows:
“ARTICLE 47- (1) Of those applying to the public or private health organizations and health  professionals  to  receive  health  service,  personal  data  provided  compulsorily  as  a requirement of health service or provided in relation with the service they received may be processed.
(2)  The  Ministry  may  process  the  data  obtained  within  the  framework  of  the  first paragraph  in  order  to  provide  the  health  services,  protect  the  public  health,  maintain  the services of preventive medicine, medical diagnosis, treatment and care, and to plan the health services and calculate their cost. This data shall not be transferred except for the conditions stipulated under the Law on the Protection of Personal Data.
(3) The Ministry shall establish a system that will enable the  persons themselves or any  third  person  authorized  by  them  to  access  the  personal  data  gathered  and  processed pursuant to the second paragraph,
(4) Standards relating to the security and reliability of the systems established as per the  third  paragraph  shall  be  determined  by  the  Ministry  in  compliance  with  the  principles determined  by  the  Personal  Data  Protection  Board.  The  Ministry  shall  take  the  necessary measures  to  ensure  the  security  of  the  personal  health  data  obtained  pursuant  to  the  Law herein. To this end, the Ministry shall establish a security system enabling the supervision of the official and the purpose of using the registered data in the system.
(5) Public institutions and organizations, natural persons and legal entities under the private  law  employing  health  personnel  shall  be  obliged  to  inform  the  Ministry  about  the personnel employed and the personnel movements.
(6) Other matters relating to the processing and security of personal health data and the implementation of the Article herein shall be governed through a by-law to be put into force by the Ministry.”​


ARTICLE 31 (1) By-laws related to the implementation of this Law shall be put into force by the 

Transitional Provisions

PROVISIONAL ARTICLE (1) The members of the Board shall be selected and the organizational structure of the Presidency shall be established within six months following the date of publication of this Law, as per the procedure stipulated in Article 21.

(2) Data controllers are obliged to enrol in the Registry of Data Controllers within the time specified and announced by the Board.

(3) The personal data that were processed before the publication date of this Law shall be  rendered  compatible  with  the  provisions  of  this  Law  within  two  years  as  of  its  date  of publication. The personal data which are found to be in breach of the provisions of this Law shall be immediately erased, destroyed or anonymized. However, consents duly taken before the publication date of this Law shall be deemed compatible with the provisions of this Law, unless no declaration of intent is made to the contrary within one year.

(4) The by-laws provided for by this Law shall be put into force within one year as of the date of publication of this Law.

(5) A high-level executive, to ensure coordination with regard to the implementation of  the  Law  in  public  institutions  and  organisations,  shall  be  appointed  and  notified  to  the Presidency within one year as of the date of publication of this Law.

(6) The term  of  office for  the  first  elected  President,  the  Deputy President,  and  two members who are determined by ballot, shall be six years; this period shall be four years for the remaining five members.

(7) Until the budget of the Authority is allocated;
a) The expenditures of the Authority shall be reimbursed by the budget of the office of the Prime Minister.
b) All necessary support services such as the premises, equipment, furnishing and the hardware shall be provided by the office of the Prime Minister in order for the Authority to fulfill its duties.

(8) The clerical services of the Authority shall be carried out by the office of the Prime Minister  until the service units of the Authority has become fully functional.

Entry into force

ARTICLE 32 - (1) For the purposes of this Law;
a) Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 shall enter into force after six months as of the date of its publication.
b) Other Articles shall enter into force on the date of its publication.


ARTICLE  33  – (1)  The provisions  of  this law shall  be  enforced  by the  Council  of  Ministers.

*This translated text is taken from the Data Protection Board's website at 


bottom of page