After a decade of winding its way through the legislative process, Turkey’s new Data Protection Law entered into force on April 7. Although Turkey previously had a few sectoral data protection laws on the books, this is the first time the country has had an omnibus data protection law. Although details remain somewhat scant at this point, this new law deserves the attention of any company that conducts business in Turkey or collects the personal data of customers, employees, or other individuals located in Turkey.
Turkey’s new law is fairly similar to the EU’s data protection regime in many respects, but it also contains a few notable differences. Although an official English translation of the law is not yet available, reliable secondary sources have indicated that some of the notable features of the law are as follows:
- Like the EU Data Directive, the Turkish Data Protection Law distinguishes personal data (meaning information relating to an identified or identifiable person) from sensitive (or special) data, and makes sensitive data subject to additional protections. The Turkish definition of sensitive data largely overlaps with the definition set out in the EU Directive and includes information such as racial or ethnic origin, political opinion, union membership, and data about health or sex life. However, Turkey’s law also categorizes information about a person’s appearance as sensitive data.
- Both personal and sensitive data may not be processed absent the data subject’s express consent, but the law does not clarify what “express consent” means.
- Like the Directive, the law creates a distinction between data controllers and data processors, and assigns certain responsibilities accordingly. Data controllers must register with Turkey’s Data Protection Registry, which will be established by October 7 of this year.
- The law imposes some restrictions on the transfer of personal data outside of Turkey; specifically, the data subject must give express consent for the transfer, and the receiving country must offer sufficient data protection. If the transferee country does not offer sufficient data protection, Turkey’s Data Protection Board must give permission for the transfer. However, companies still have time to ensure that their operations are compliant with these requirements, as these cross-border transfer rules will not go into effect until October 7, 2016.
- In short, the Data Protection Law appears to represent Turkey’s attempt to harmonize its data protection regime with that currently in force in the EU, which Turkey still is striving to join. It remains to be seen how Turkey will enforce the law, and how the various provisions of the law will be interpreted, but in the meantime it is important for any company with Turkish ties to begin familiarizing itself with that country’s new privacy regime.