Our Latest Blogs

Posted By: ADAM Global | 18 Oct 2016

Protection of Personal Data in Turkey

imagesThe Protection of Personal Data (in Turkish, “Kişisel Verilerin Korunması Kanunu”) (“CPPD”) had come into force on 7 April 2016. However, the effective date of some of its articles concerning the transfer of data inland and abroad (articles 8 and 9), the rights of data owners (the individuals whose personal data is processed) (article 11), appeal and complaint procedures (articles 13, 14, 15) and registration to Data Controllers’ Registry (article 16), administrative fines and crimes (article 17 and 18) were postponed for six months. Accordingly, they have come into force on 7 October 2016.


In this respect, all real and legal persons processing personal data fully or partially, automatically or through non-automatic means as a part of any data recording system shall integrate their systems to the legal requirements set forth in the CPPD without any delay; otherwise, administrative fines in significant amounts (as detailed below) may be imposed and the provisions of articles 135 to 140 of the Turkish Criminal Code numbered 5237 foreseeing imprisonment may be applied.



  • Under the scope of the obligation of the Data Controller to give information to the Relevant Individuals (article 10 of the CPPD) (in Turkish, “Veri sorumlusunun aydınlatma yükümlülüğü”), an informative document/ text that may be titled “Our Confidentiality Policy” or “Information About Protection of Personal Data” etc. (in Turkish, “Gizlilik Politikamız” veya “Kişisel Verilerin Korunmasi Hakkinda Bilgilendirme” vb.) shall be prepared for the individuals whose personal data is processed. This informative document/text shall include all the issues specifically set forth in the CPPD and it shall be conveyed to the real persons whose personal data is processed through various means of communication; g. website, social media accounts, e-mail, by delivering a printed document during retail sales from the shops or via courier to the clients, agents and dealers etc.
  • Express consent of the relevant individual shall be obtained in writing regarding processing, transferring and storing of personal data. Also the personal data that has been obtained and processed before the effective date of the CPPD should be adapted to the provisions of the said Code within two years as from the date of its publication, e. until 7 April 2018.
  • Although the CPPD provides some exceptions for the requirement of express consent, these exceptions should be reviewed and evaluated carefully in order to refrain from any possible administrative fines and commitment of offense.
  • Following the establishment of Data Controllers’ Registry, the data controllers (in Turkish “Veri Sorumlusu”) shall be registered at the said Registry.
  • Transferring data inland and abroad also requires express consent of the relevant individual whose personal data is transferred. This necessity of express consent may be excluded under certain conditions set forth in the CPPD. However, similarly with the exceptions provided for processing the data (referred in above article 3), these exceptions and their procedures should carefully be reviewed and evaluated.
  • The data controller is always under the obligation of taking all reasonable legal and technical measures to prevent illegal processing of and access to personal data and also to ensure safe storing of the same.
  • As per article 18 of the CPPD, the individuals not fulfilling the obligation to give information (referred to in paragraph 1 above) may be imposed to a fine from TRY 5,000 (approximately equal to Euro 1,470) up to TRY 100,000 (approximately equal to Euro 29,400).
  • The individuals not fulfilling the technical and legal obligations related with data security (briefly referred to in paragraph 6 above) in accordance with article 12 of the CPPD may be imposed to a fine from TRY 15,000 (approximately equal to Euro 4,400) up to TRY 1,000,000 (approximately equal to Euro 294,000) .
  • The individuals acting contrary to the obligation of registration to the Data Controllers’ Registry (referred to in paragraph 4 above) may be imposed to a fine from TRY 20,000 (approximately equal to Euro 5,800) up to TRY 1,000,000 (approximately equal to Euro 294,000).
  • The individuals not acting in accordance with the decisions of the Committee of Protecting Personal Data (in Turkish “Kişisel Verileri Koruma Kurulu”) may be imposed to a fine from TRY 20,000 (approximately equal to Euro 5,800) up to TRY 1,000,000 (approximately equal to Euro 294,000).
  • Further to the above administrative fines, in some cases, provisions of articles 135 to 140 of the Turkish Criminal Code numbered 5237 foreseeing imprisonment for real persons (including the board members of legal entities) may be applied.

Concerning the administrative fines, besides integrating your company’s system to the requirements of the CPPD, we may also suggest you to contract a Data Protection Insurance.


The regulations on the implementation of the CPPD are also expected to be issued by the authorities until 7 April 2017 (temporary article 1, paragraph 4 of the CPPD).


In the light of our brief explanations above, we would be pleased:

  1. to make a study on the needs and legal responsibilities of your Company related with the protection of personal data;
  2. to prepare an informative document/ text specifically designed for your Company;
  3. to determine a road map in accordance with the specific needs of your Company on how to get express consent of the individuals whose personal data is processed and also, how to adapt personal data that was obtained and processed before the effective date of the CPPD;
  4. to review all relevant contracts and documents (g. employment contracts, sale and purchase contracts signed with the clients, the agents, the dealers, data files of the clients or the employees or the dealers) and to make the necessary amendments;
  5. to provide you with more detailed information about the legal obligations of your Company and the board members;
  6. to study on the procedure specifically designed for your Company, which should be followed henceforth in order to meet the legal requirements of your Company on protection of personal data.

Should you need any assistance in respect of the above-mentioned study and work, please do not hesitate to Didier CAILLIAU <>




About the author

Annual Global Members Conference 2018

November 23 - 25