You can find the details of our company policy and information text regarding the Law on Protection of Personal Data on this page.
ARTICLE 1 - (1) The purpose of this Law is to protect fundamental rights and freedoms of people, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.
ARTICLE 2 - (1) The provisions of this Law shall apply to natural persons whose personal data are processed as well as to natural or legal persons who process such data fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
ARTICLE 3 - (1) For the purposes of this Law the following definitions shall apply: a) Explicit consent: freely given, specific and informed consent, b) Anonymizing: rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data, c) President: President of the Personal Data Protection Authority, ç) Data subject: the natural person, whose personal data is processed, d) Personal data: all the information relating to an identified or identifiable natural person, e) Processing of personal data: any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means, f) Board: the Personal Data Protection Board, g) Authority: the Personal Data Protection Authority, ğ) Processor: the natural or legal person who processes personal data on behalf of the controller upon his authorization, h) Data registry system: the registry system which the personal data is registered into through being structured according to certain criteria, ı) Controller: the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.
ARTICLE 4 - (1) Personal data may only be processed in compliance with the procedures and principles set forth in this Law and other laws. (2) The following principles shall be complied with in the processing of personal data: a) Lawfulness and conformity with rules of bona fides. b) Accuracy and being up to date, where necessary. c) Being processed for specific, explicit and legitimate purposes. ç) Being relevant to, limited to and proportionate to the purposes for which they are processed. d) Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.
ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the data subject. (2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met: a) it is clearly provided for by the laws. b) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid. c) processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of that contract. ç) it is mandatory for the controller to be able to perform his legal obligations. d) the data concerned is made available to the public by the data subject himself. e) data processing is mandatory for the establishment, exercise or protection of any right. f) it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
ARTICLE 6- (1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature.
(2) It is prohibited to process the personal data of special nature without explicit consent of the data subject.
(3) Personal data, excluding those relating to health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any person or authorised public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
(4) It is stipulated that adequate measures determined by the Board are also taken while processing the personal data of special nature.
ARTICLE 7- (1) Despite being processed under the provisions of this Law and other related laws, personal data shall be erased, destroyed or anonymized by the controller, ex officio or upon demand by the data subject, upon disappearance of reasons which require the process.
(2) Provisions of other laws concerning the erasure, destruction or anonymizing of personal data are reserved.
(3) Procedures and principles for the erasure, destruction or anonymizing of personal data shall be laid down through a by-law.
ARTICLE 8- (1) Personal data cannot be transferred without explicit consent of the data subject. (2) Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in: a) the second paragraph of Article 5, b) the third paragraph of Article 6, provided that sufficient measures are taken. (3) Provisions of other laws concerning transfer of personal data are reserved.
ARTICLE 9- (1) Personal data cannot be transferred abroad without explicit consent of the data subject. (2) Personal data may be transferred abroad without explicit consent of the data subject provided that one of the conditions set forth in the second paragraph of Article 5 and the third paragraph of Article 6 exist and that: (a) sufficient protection is provided in the foreign country where the data is to be transferred, (b) the controllers in Turkey and in the related foreign country guarantee a sufficient protection in writing and the Board has authorized such transfer, where sufficient protection is not provided. (3) The Board determines and announces the countries where sufficient level of protection is provided. (4) The Board shall decide whether there is sufficient protection in the foreign country concerned and whether such transfer will be authorised under the sub-paragraph (b) of second paragraph, by evaluating the following and by receiving the opinions of related public institutions and organizations, where necessary: a) the international conventions to which Turkey is a party, b) the state of reciprocity concerning data transfer between the requesting country and Turkey, c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer, ç) the relevant legislation and its implementation in the country to which the personal data is to be transferred, d) the measures guaranteed by the controller in the country to which the personal data is to be transferred. (5) In cases where interest of Turkey or the data subject will seriously be harmed, personal data, without prejudice to the provisions of international agreements, may only be transferred abroad upon the permission to be given by the Board after receiving the opinions of related public institutions and organizations. (6) Provisions of other laws concerning the transfer of personal data abroad are reserved.
ARTICLE 10- (1) Whilst collecting personal data, the controller or the person authorised by him is obliged to inform the data subjects about the following: a) the identity of the controller and of his representative, if any, b) the purpose of data processing; c) to whom and for what purposes the processed data may be transferred, ç) the method and legal reason of collection of personal data, d) other rights referred to in Article 11.
ARTICLE 11- (1) Each person has the right to apply to the controller and a) to learn whether his personal data are processed or not, b) to request information if his personal data are processed, c) to learn the purpose of his data processing and whether this data is used for intended purposes, ç) to know the third parties to whom his personal data is transferred at home or abroad, d) to request the rectification of the incomplete or inaccurate data, if any, e) to request the erasure or destruction of his personal data under the conditions laid down in Article 7, f) to request notification of the operations carried out in compliance with subparagraphs (d) and (e) to third parties to whom his personal data has been transferred, g) to object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavourable consequence for the data subject, ğ) to request compensation for the damage arising from the unlawful processing of his personal data.
ARTICLE 12- (1) The controllers are obliged to take all necessary technical and administrative measures to provide a sufficient level of security in order to: a) prevent unlawful processing of personal data, b) prevent unlawful access to personal data, c) ensure the retention of personal data. (2) In case of the processing of personal data by a natural or legal person on behalf of the controller, the controller shall jointly be responsible with these persons for taking the measures laid down in the first paragraph. (3) The controller shall be obliged to conduct necessary inspections, or have them conducted in his own institution or organization, with the aim of implementing the provisions of this Law. (4) The controllers and processors shall not disclose the personal data that they learned to anyone in breach of this Law, neither shall they use such data for purposes other than processing. This obligation shall continue even after the end of their term. (5) In case the processed data are collected by other parties through unlawful methods, the controller shall notify the data subject and the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through other methods it deems appropriate.
Application to the Controller
ARTICLE 13- (1) The data subject shall lodge an application in writing to the controller about his demands concerning the implementation of this Law or via other methods specified by the Board. (2) The data controller shall conclude the demands involved in the applications within the shortest time possible depending on the nature of the demand and within thirty days at the latest and free of charge. However, if the action in question incurs another cost, the price set by the Board may be collected. (3) The data controller shall accept the application or decline it on justified grounds and communicate its response to data subject in writing or in electronic media. If the demand involved in the application is found admissible, it shall be indulged by the data controller. Data subject shall be reimbursed for the application fee provided that the application has been lodged due to a mistake made by the controller.
Complaint to the Board
ARTICLE 14- (1) If the application is declined, the response is found unsatisfactory or the response is not given in due time, the data subject may file a complaint with the Board within thirty days as of the date he learns about the response of the controller, or within sixty days as of the application date, in any case. (2) A complaint cannot be filed before exhausting the remedy of application to the controller under Article 13. (3) The right to compensation under general provisions of those whose personal rights are violated is reserved.
(4) The Board shall finalise the examination upon complaint and give an answer to data subjects. In case the Board fails to answer the data subject’s application in sixty days as of the application date, it is deemed rejected. (5) Following the examination made upon complaint or ex officio, in cases where it is understood that an infringement exists, the Board shall decide that the identified infringements shall be remedied by the relevant controller and notify this decision to all it may concern. This decision shall be implemented without delay and within thirty days after the notification at the latest. (6) Following the examination made upon complaint or ex officio, in cases where it is determined that the infringement is widespread, the Board shall adopt and publish a resolution in this regard. Before adopting the resolution, the Board may also refer to the opinions of related institutions and organisations, if needed. (7) The Board may decide that processing of data or its transfer abroad should be stopped if such operation may lead to damages that are difficult or impossible to recover and if it is clearly unlawful.
ARTICLE 16- (1) The Presidency shall maintain a publicly accessible Registry of Controllers under the supervision of the Board. (2) Natural or legal persons who process personal data shall be obliged to enrol in the Registry of Data Controllers before proceeding with data processing. However, by taking into account the objective criteria set by the Board such as the nature and quantity of the data processed, the legal requirement for data processing, or transferring the data to third parties, the Board may provide exception to the obligation of enrolment in the Registry of Data Controllers. (3) Application for enrolling in the Registry of Data Controllers shall be made with a notification including: a) identity and address of the controller and of his representative, if any, b) purposes for which the personal data will be processed, c) explanations about group(s) of personal data subjects as well as about the data categories belonging to these people, ç) recipients or groups of recipients to whom the personal data may be transferred, d) personal data which is envisaged to be transferred abroad, e) measures taken for the security of personal data, f) maximum period of time required for the purpose of the processing of personal data. (4) Any changes in the information provided under the third paragraph shall be immediately notified to the Presidency. (5) Other procedures and principles governing the Registry of Data Controllers shall be laid down through a by-law.
ARTICLE 27- (1) Personnel of the Authority shall be subject to the Law No. 657, excluding the matters regulated through the Law herein. (2) Head and members of the Board and personnel of the Authority shall receive remunerations determined to be paid to the precedent personnel, within the scope of financial and social rights, as per Additional Article 11 of the Decree Law No. 375 of 27/6/1989, within the framework of the same procedures and principles applicable. Among the remunerations paid to the precedent personnel, those which are exempt from taxes and other legal deductions shall also be exempt from taxes and deductions as per the Law herein. (3) Head and members of the Board and personnel of the Authority are subject to the sub-paragraph (c) of the first paragraph of Article 4 of the Social Insurance and Universal Health Insurance Law No. 5510 of 31/5/2006. Head and members of the Board and personnel of the Authority shall be considered equal with the precedent personnel in terms of retirement rights. Among the personnel who were appointed as Head and members of the Board when insured under sub-paragraph (c) of the first paragraph of Article 4 of the Law No. 5510, terms of office in these duties shall be considered while ascertaining acquired rights, salaries, grades and steps of those whose term of office ends or who express their will to resign. The relevant term of office of those who fall within the scope of Provisional Article 4 of the Law No. 5510 while on duty, shall be deemed as the period for which position and representation compensation should be paid. Removal from previous institutions and organisations of those who were appointed as Head and members of the Board when insured under sub-paragraph (a) of the first paragraph of Article 4 of the Law No. 5510, shall not entail receiving a severance pay or termination pay.
In such a case, term of office qualified for a severance pay or termination pay, shall be added to the service periods spent as Head and member of the Board, and accepted as the period for which a retirement bonus. (4) Civil servants working in public administrations attached to the centralized government, social security institutions, local administrations, administrations attached to local administrations, local administrative unions, revolving fund enterprises, funds established with laws, public entities, organizations more than 50% of whose capital belongs to public, public economic enterprises, state-owned economic enterprises, and associations and establishments attached to these, as well as other public officials may be seconded to the Authority upon the consent of their own institution, provided that their salaries, allowances, any increases thereof, compensations and other social and financial rights and aids are paid by their own institution. Requests of the Authority in this regard shall be concluded with priority by the related institutions and organizations. Personnel assigned accordingly shall be deemed on paid leave. During this leave, rights of the personnel and their connection with civil service shall be maintained, this period of leave shall be taken into account in promotions and retirement, and they shall be promoted in due time without any need to further action. Periods spent in the Authority by those assigned under this Article shall be deemed to have been spent in their own institutions. Number of the personnel assigned accordingly shall not exceed ten per cent of the total number of posts for Personal Data Protection Experts and Personal Data Protection Assistant Experts, and the term of assignment shall not exceed two years. However, when deemed necessary, this term may be extended in one-year periods. (5) Titles and numbers of posts regarding the personnel to be employed in the Authority are presented in the annexed Table (I). 
Changes in titles and grade; addition of new titles and annulment of vacant posts shall be realized upon the decision of the Board, provided that it shall not exceed the total number of posts, and shall be limited with the titles in the annexed tables of the Decree Law No. 190 on the General Posts and Procedures, dated 13/12/1983.
ARTICLE 28- (1) The provisions of this Law shall not be applied in the following cases where: a) personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security are to be complied with. b) personal data is processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized. (c) personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime. (ç) personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned to maintain national defence, national security, public security, public order or economic security. (d) personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings. (2) Provided that it is in compliance with and proportionate to the purpose and fundamental principles of this Law, Article 10 regarding the data controller's obligation to inform, Article 11 regarding the rights of the data subject, excluding the right to demand compensation, and Article 16 regarding the requirement of enrolling in the Registry of Data Controllers shall not be applied in the following cases where personal data processing: a) is required for the prevention of a crime or crime investigation. b) is carried out on the data which is made public by the data subject himself.
c) is required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorised for such actions, in accordance with the power conferred on them by the law, ç) is required for protection of State’s economic and financial interests with regard to budgetary, tax-related and financial issues.
ARTICLE 29 - (1) The budget of the Authority shall be prepared and adopted in accordance with procedures and principles provided for in the Law No. 5018. (2) The revenues of the Authority are as follows: a) Treasury grants from the general budget. b) The revenues from the movable and immovable properties of the Authority. c) Donations and grants received. ç) The revenues from the utilization of the revenues. d) Other revenues.
ARTICLE 30 - (1) The following line was inserted into the Table (III) attached to the Law No. 5018: “10) Personal Data Protection Authority” (2) The phrase “Any person” in the second paragraph of Article 135 of the Law No. 5237 was amended as “Any personal data, any person”; and the phrase “Any person who records the information as personal data shall be punished according to the provisions of the above subsection.” as “the punishment to be given in accordance with the first paragraph is aggravated by half more.” (3) The expression “children” in third paragraph of Article 226 of the Law No. 5237 was amended as “children, symbolic images of children or persons with a juvenile image” (4) The expression “and” in first paragraph of Article 243 of the Law No. 5237 was amended as “or”, and the following paragraph was added. “(4) Person who, by employing technical means, illegally monitors the data transfer carried out within an information system or between information systems without entering in the system, shall be punished with imprisonment from one year to three years” (5) The following Article was inserted to follow Article 245 of the Law No.5237: “Prohibited device or programmes” Article 245/A- In case a device, computer programme, password or other security code are produced to commit the crimes inscribed exclusively within this Part and those that may be committed by using information system as a means, the person who produces, imports, dispatches, transfers, stores, accepts, sells, supplies, purchases, lends another person or possesses these shall be punished with imprisonment from one to three years and with a punitive fine up to five thousand days” (6) Sub-paragraph (f) of the first paragraph of Article 3 of the Health Services Fundamental Law No 3359 of 7/5/1987 was amended as follows: “f) With the aim of tracking the medical condition of everybody and to ensure that healthcare services are carried out in a more effective and rapid way, Ministry of Health and 
its associated institutions shall establish the required registration and notification system. This system may also be established in electronic environment in line with the e-State practices. To this end, a nationwide information system may be established by the Ministry of Health.” (7) Article 47 of the Decree Law No 663 of 11/10/2011 on the Organization and Duties of the Ministry of Health and its Associated Institutions was amended as follows: “ARTICLE 47- (1) Of those applying to the public or private health organizations and health professionals to receive health service, personal data provided compulsorily as a requirement of health service or provided in relation with the service they received may be processed. (2) The Ministry may process the data obtained within the framework of the first paragraph in order to provide the health services, protect the public health, maintain the services of preventive medicine, medical diagnosis, treatment and care, and to plan the health services and calculate their cost. This data shall not be transferred except for the conditions stipulated under the Law on the Protection of Personal Data. (3) The Ministry shall establish a system that will enable the persons themselves or any third person authorized by them to access the personal data gathered and processed pursuant to the second paragraph. (4) Standards relating to the security and reliability of the systems established as per the third paragraph shall be determined by the Ministry in compliance with the principles determined by the Personal Data Protection Board. The Ministry shall take the necessary measures to ensure the security of the personal health data obtained pursuant to the Law herein. To this end, the Ministry shall establish a security system enabling the supervision of the official and the purpose of using the registered data in the system.
(5) Public institutions and organizations, natural persons and legal entities under the private law employing health personnel shall be obliged to inform the Ministry about the personnel employed and the personnel movements. (6) Other matters relating to the processing and security of personal health data and the implementation of the Article herein shall be governed through a by-law to be put into force by the Ministry.”
(1) The members of the Board shall be selected and the organizational structure of the Presidency shall be established within six months following the date of publication of this Law, as per the procedure stipulated in Article 21. (2) Data controllers are obliged to enrol in the Registry of Data Controllers within the time specified and announced by the Board. (3) The personal data that were processed before the publication date of this Law shall be rendered compatible with the provisions of this Law within two years as of its date of publication. The personal data which are found to be in breach of the provisions of this Law shall be immediately erased, destroyed or anonymized. However, consents duly taken before the publication date of this Law shall be deemed compatible with the provisions of this Law, unless no declaration of intent is made to the contrary within one year. (4) The by-laws provided for by this Law shall be put into force within one year as of the date of publication of this Law. (5) A high-level executive, to ensure coordination with regard to the implementation of the Law in public institutions and organisations, shall be appointed and notified to the Presidency within one year as of the date of publication of this Law. (6) The term of office for the first elected President, the Deputy President, and two members who are determined by ballot, shall be six years; this period shall be four years for the remaining five members. (7) Until the budget of the Authority is allocated; a) The expenditures of the Authority shall be reimbursed by the budget of the office of the Prime Minister. b) All necessary support services such as the premises, equipment, furnishing and the hardware shall be provided by the office of the Prime Minister in order for the Authority to fulfill its duties. (8) The clerical services of the Authority shall be carried out by the office of the Prime Minister until the service units of the Authority have become fully functional.
Your personal data is obtained by automatic or non-automatic means, in written, verbal or electronic form, in line with Articles 5 and 6 of the Law and the purposes stated above.
(1) For the purposes of this Law; a) Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 shall enter into force after six months as of the date of its publication. b) Other Articles shall enter into force on the date of its publication.