On March 24, 2016, the Grand National Assembly of Turkey approved the Law on Personal Data Protection, which is Turkey’s first comprehensive data protection legislation. The law will become effective once it is ratified by Turkey’s President and published in the Official Gazette of the Republic of Turkey.
Key provisions of the law include the following:
- With limited exceptions, express consent is required to process personal data, defined as any information relating to an identified or identifiable living individual; or sensitive data, defined as personal data of a sensitive nature, including information relating to racial or ethnic origin, political opinions, religious beliefs, health, sexual life, criminal records, punitive measures and biometric data.
- A legislative structure that includes a Data Protection Authority and a Data Controller Board.
- Before actively processing data, data controllers must register with the Data Controller Registry (which will be established within six months of the law becoming effective).
- Organizations and individuals that collect or store personal data must implement certain technical and administrative measures to protect data.
- Data controllers are required to notify the newly-established Data Controller Board in the event of a data breach.
- The Data Protection Authority will have the authority to impose fines of up to €300,000 and prison sentences of up to four years.
Once the law becomes effective, it will immediately apply to newly collected data, and data collectors will have two years to become compliant with respect to information collected prior to the law’s adoption.