Compliance of Data Protection Law in Turkey with EU General Data Protection Regulation (GDPR)
According to Turkish law on Data Protection (herein after "Data Protection Law"), there are some similar rules with GDPR, but also several differences with definitions and sanctions under EU General Data Protection Regulation (GDPR).
I. DEFINITIONS
Under Turkish Data Protection Law, the personal data is “any information relating to an identified or identifiable natural person". The below chart shows how wide the extent of personal data is. This is to say that any company that holds any kind of data of its clients and/or employees and/or commercial partners, shall mandatorily comply with the Law.
If your company does not fulfill (even partly) those obligations, your management is facing prison sentences and the company may be subject to administrative fines, that are to be published in a major newsletter, harming the trademark of the company. This risk is accurate and actual. Here are some of those obligations :
- "Personal data must have been obtained with the consent of either person or have been obtained by the presence of one of the reasons for compliance with the law";
- "Before giving consent, the person should be informed about his/her data";
- "Personal data must comply with the law and good faith"
- "Personal data must be accurate and updated when necessary”
Processed for specific, clear and legitimate purposes,
linked to the purpose for which they are intended, limited and measured,
They must be kept for the period of time required for the purpose stipulated in the relevant legislation or for the purposes for which they are conducted.
We emphasize that the person who is responsible for processing those data, shall be appointed in due form by the company, and this shall be reported to those whose data have been processed. A specific and appointed interlocutor in the company shall exclusively receive complaints or requests filed by persons handing over their personal data.
In order to minimize the risks over the company or allow a full compliance with the Law, it is mandatory to prepare a data directory - data flow chart and to determine which data can be reached by who, why and with which procedures.
On the other hand, other type of data are qualified as “privileged personal data”. Those are related to the race of the people, ethnic origin, political opinion, philosophical belief, religion, creed or other beliefs, costume and clothing, associations, foundations or trade union membership, health, sexual life, data relating to security measures and criminal convictions, biometric and genetics. Accordingly, if the company retains privileged personal data, some specific measures shall be implemented by the Board of Personal Data, including the statement of an "explicit consent" by the persons submitting their privileged personal data.
II. WHAT ARE THE SANCTIONS
In case of a violation of personal data privacy, there are three (3) separate sanctions, that are not totally same in EU General Data Protection Regulation (GDPR).
III. WHAT IS THE “DATA PROTECTION COMPLIANCE PROGRAM” ?
We propose to our clients a Data Protection Compliance Program, to audit their company’s data storage, to analyze whether the data are obtained and stored and processed in compliance with the Law. At the end of this audit, we establish a “legal opinion of compliance”, drafted under our professional liabilities, certifying that your company is in compliance with the provisions of the Protection of Personal Data Act, related Regulations, Protection of Individuals Against Automatic Processing of Personal Data, Turkish Commercial Code 6102 and Turkish Penal Code No. 5237.
Our team of lawyer has an expertise and experience rare in Turkey, because our team include a professor having drafted the said Law and our lawyers have practiced those compliance programs for major companies in Turkey.
We ensure our clients that their data are protected, by executing a Confidentiality Agreement, under our Bar Association’s Insurance Policy.
When necessary, we do also assist our clients with the followings :
- Making the required changes to limit the legal and criminal liability of the management and/or board members.
- Amending the company's articles of association and Circular of signatures, allocation of duty related to data gathering/processing ;
- Drafting the internal regulations and/or split of tasks.
- Preparing the task chart for data protection
- Training the employees to be involved in data protection
- Preparation of commitments and confidentiality agreements that define the responsibilities of the employees engaged with the data gathering/processing
- Completion of in-house training
- Control of checks and reports
- Completion of the contracts with third parties in terms of personal data
- Check compliance with EU General Data Protection Regulation (GDPR)
The scope and duration of the Compliance Program depends on the company, from 1 month up to 6 months. We do adapt our proposals and listen to our client’s requirements, to establish an efficient collaboration.
AŞIK & PARTNERS
