Law Number: 6698
Date of Ratification: 24/3/2016
Published in the Official Gazette: Date: 7/4/2016 (DD/MM/YYYY) Number: 29677
Published in the Code: Order: 5 Volume: 57

CHAPTER ONE
Purpose, Scope and Definitions

Purpose
ARTICLE 1 – (1) The purpose of this Law is to protect the fundamental rights and freedoms of persons, in particular the right to privacy, with respect to the processing of personal data, and to set forth the obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.

Scope
ARTICLE 2 – (1) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural or legal persons who process such data wholly or partially by automated means, or by non-automated means provided that the processing forms part of a data filing system.

Definitions
ARTICLE 3 – (1) For the purposes of this Law:
a) "Explicit consent" means freely given, specific and informed consent,
b) "Anonymization" means rendering personal data impossible to link with an identified or identifiable natural person, even by matching them with other data,
c) "President" means the President of the Personal Data Protection Authority,
ç) "Data subject" (natural person concerned) means the natural person whose personal data are processed,
d) "Personal data" means any information relating to an identified or identifiable natural person,
e) "Processing of personal data" means any operation which is performed on personal data, wholly or partially by automated means, or by non-automated means provided that it forms part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or preventing the use thereof,
f) "Board" means the Personal Data Protection Board,
g) "Authority" means the Personal Data Protection Authority,
ğ) "Data processor" means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,
h) "Data filing system" means the system where personal data are processed by being structured according to specific criteria,
ı) "Data controller" means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

CHAPTER TWO
Processing of Personal Data

General Principles
ARTICLE 4 – (1) Personal data shall only be processed in compliance with the procedures and principles laid down in this Law or other laws.
(2) The following principles shall be complied with in the processing of personal data:
a) Lawfulness and fairness.
b) Being accurate and, where necessary, kept up to date.
c) Being processed for specified, explicit and legitimate purposes.
ç) Being relevant, limited and proportionate to the purposes for which they are processed.
d) Being stored only for the period laid down by the relevant legislation or required for the purpose for which the personal data are processed.

Conditions for processing personal data
ARTICLE 5 – (1) Personal data shall not be processed without the explicit consent of the data subject.
(2) Personal data may be processed without seeking the explicit consent of the data subject only where one of the following conditions is met:
a) It is expressly provided for by law.
b) It is necessary for the protection of the life or physical integrity of the person himself/herself or of any other person, where that person is unable to express his/her consent due to physical incapacity or where his/her consent is not deemed legally valid.
c) Processing of the personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
ç) It is necessary for compliance with a legal obligation to which the data controller is subject.
d) The personal data have been made public by the data subject himself/herself.
e) Data processing is necessary for the establishment, exercise or protection of a right.
f) Processing is necessary for the legitimate interests pursued by the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.

Conditions for processing special categories of personal data
ARTICLE 6 – (1) Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are deemed to be special categories of personal data.
(2) It is prohibited to process special categories of personal data without the explicit consent of the data subject.
(3) Personal data listed in the first paragraph, other than data concerning health and sexual life, may be processed without seeking the explicit consent of the data subject in the cases provided for by law. Personal data concerning health and sexual life may only be processed without seeking the explicit consent of the data subject by persons subject to an obligation of secrecy or by competent public institutions and organizations, for the purposes of protecting public health, operating preventive medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health-care services.
(4) Adequate measures determined by the Board shall also be taken when processing special categories of personal data.

Erasure, destruction or anonymization of personal data
ARTICLE 7 – (1) Even where personal data have been processed in compliance with the provisions of this Law and other relevant laws, they shall be erased, destroyed or anonymized by the data controller, ex officio or upon the request of the data subject, where the reasons for the processing no longer exist.
(2) The provisions of other laws relating to the erasure, destruction or anonymization of personal data are reserved.
(3) The procedures and principles for the erasure, destruction or anonymization of personal data shall be laid down by by-law.

Transfer of personal data
ARTICLE 8 – (1) Personal data shall not be transferred without the explicit consent of the data subject.
(2) Personal data may be transferred without seeking the explicit consent of the data subject where one of the conditions provided for in the following exists:
a) the second paragraph of Article 5,
b) the third paragraph of Article 6, provided that adequate measures are taken.
(3) The provisions of other laws relating to the transfer of personal data are reserved.

Transfer of personal data abroad
ARTICLE 9 – (1) Personal data shall not be transferred abroad without the explicit consent of the data subject.
(2) Personal data may be transferred abroad without the explicit consent of the data subject where one of the conditions referred to in Article 5(2) and Article 6(3) exists and, in the country to which the personal data are to be transferred:
a) adequate protection is provided, or
b) where adequate protection is not provided, the data controllers in Turkey and in the relevant foreign country have given a written commitment to provide adequate protection and the Board has authorized the transfer.
(3) The Board determines and announces the countries in which adequate protection is provided.
(4) The Board shall decide whether adequate protection exists in the foreign country and whether a transfer is permitted under sub-paragraph (b) of the second paragraph by evaluating the following and, where necessary, by obtaining the opinions of the relevant institutions and organizations:
a) the international conventions to which Turkey is a party,
b) the state of reciprocity regarding data transfer between the requesting country and Turkey,
c) the nature of the data, and the purpose and duration of processing, for each concrete, individual case of data transfer,
ç) the relevant legislation and its implementation in the country to which the personal data are to be transferred,
d) the measures committed to by the data controller in the country to which the personal data are to be transferred.
(5) Without prejudice to the provisions of international agreements, where the interests of Turkey or of the data subject would be seriously harmed, personal data may only be transferred abroad upon authorization by the Board, given after obtaining the opinions of the relevant public institutions and organizations.
(6) The provisions of other laws relating to the transfer of personal data abroad are reserved.

CHAPTER THREE
Rights and Obligations

Obligation of the data controller to inform
ARTICLE 10 – (1) At the time personal data are obtained, the data controller or the person authorized by it is obliged to inform the data subjects of the following:
a) the identity of the data controller and of its representative, if any,
b) the purpose of the processing of personal data,
c) to whom and for which purposes the processed personal data may be transferred,
ç) the method and legal basis of the collection of personal data,
d) the other rights referred to in Article 11.
Rights of the data subject
ARTICLE 11 – (1) Each person has the right to apply to the data controller and, with regard to himself/herself:
a) to learn whether his/her personal data are processed,
b) to request information if his/her personal data have been processed,
c) to learn the purpose of the processing of his/her personal data and whether they are used in compliance with that purpose,
ç) to know the third parties to whom his/her personal data are transferred, within the country or abroad,
d) to request the rectification of incomplete or inaccurate data, if any,
e) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
f) to request that the operations carried out pursuant to sub-paragraphs (d) and (e) be notified to the third parties to whom his/her personal data have been transferred,
g) to object to the occurrence of a result against himself/herself arising from the analysis of the processed data exclusively by automated systems,
ğ) to claim compensation for damage arising from the unlawful processing of his/her personal data.

Obligations concerning data security
ARTICLE 12 – (1) The data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:
a) preventing the unlawful processing of personal data,
b) preventing unlawful access to personal data,
c) ensuring the protection of personal data.
(2) Where personal data are processed by another natural or legal person on behalf of the data controller, the data controller shall be jointly responsible with such persons for taking the measures laid down in the first paragraph.
(3) The data controller is obliged to carry out, or have carried out, the necessary audits within its own institution or organization in order to ensure the implementation of the provisions of this Law.
(4) Data controllers and data processors shall not disclose the personal data they have learned to anyone in breach of the provisions of this Law, nor shall they use such data for purposes other than those for which they were processed. This obligation continues after the end of their term of office.
(5) Where the processed data are obtained by others through unlawful means, the data controller shall notify the data subject and the Board of the breach as soon as possible. Where necessary, the Board may announce the breach on its official website or by any other means it deems appropriate.

CHAPTER FOUR
Request, Complaint and Data Controllers' Registry

Request to the data controller
ARTICLE 13 – (1) The data subject shall submit requests relating to the implementation of this Law to the data controller in writing or by other means to be determined by the Board.
(2) The data controller shall conclude the demands in the request as soon as possible, taking into account the nature of the demand, and at the latest within thirty days, free of charge. However, if the action requires an additional cost, a fee may be charged according to the tariff determined by the Board.
(3) The data controller shall act on the request or refuse it with justified grounds, and shall communicate its response to the data subject in writing or by electronic means. Where the demand in the request is accepted, it shall be fulfilled by the data controller. If the request was necessitated by the fault of the data controller, the fee shall be refunded to the data subject.

Complaint to the Board
ARTICLE 14 – (1) If the request is refused, the response is found insufficient, or no response is given within the specified period, the data subject may lodge a complaint with the Board within thirty days of learning of the data controller's response and, in any case, within sixty days of the date of the request.
(2) A complaint may not be lodged before the remedy of a request to the data controller under Article 13 has been exhausted.
(3) The right to compensation, under the general provisions, of those whose personal rights have been violated is reserved.

Procedures and principles of examination ex officio (on its own initiative) or upon complaint
ARTICLE 15 – (1) The Board shall carry out the necessary examination of matters within its remit upon complaint or, where it has learned of an alleged infringement, ex officio.
(2) Notices and complaints not meeting the conditions set out in Article 6 of Law No. 3071 of 1/11/1984 on the Use of the Right to Petition shall not be examined.
(3) Except for information and documents having the status of state secrets, the data controller shall send the information and documents requested by the Board in relation to the subject of the examination within fifteen days, and shall, where necessary, enable on-the-spot examination.
(4) Upon complaint, the Board examines the demand and responds to the data subject. Where no response is given within sixty days of the date of the complaint, the demand shall be deemed refused.
(5) Where, as a result of an examination made upon complaint or ex officio, it is found that an infringement exists, the Board shall decide that the identified infringement be remedied by the relevant data controller and shall notify this decision to the relevant parties. The decision shall be implemented without delay and within thirty days at the latest after notification.
(6) Where, as a result of an examination made upon complaint or ex officio, it is determined that the infringement is widespread, the Board shall adopt a resolution on the matter and publish it. Before adopting the resolution, the Board may, if needed, obtain the opinions of the relevant institutions and organizations.
(7) The Board may decide to stop the processing of personal data or the transfer of personal data abroad where damage that is difficult or impossible to compensate may occur and there is a clear infringement of the law.

Data Controllers' Registry
ARTICLE 16 – (1) The Data Controllers' Registry shall be kept by the Presidency under the supervision of the Board and shall be publicly available.
(2) Natural or legal persons who process personal data shall register with the Data Controllers' Registry before starting to process data. However, taking into account objective criteria set by the Board, such as the nature and quantity of the data processed, whether the processing is laid down by law, or whether the data are transferred to third parties, the Board may grant exemptions from the obligation to register with the Data Controllers' Registry.
(3) Application for registration with the Data Controllers' Registry shall be made with a notification including:
a) the identity and address of the data controller and of its representative, if any,
b) the purposes for which the personal data will be processed,
c) explanations relating to the group(s) of data subjects and the categories of data concerning them,
ç) the recipients or groups of recipients to whom the personal data may be transferred,
d) the personal data envisaged to be transferred abroad,
e) the measures taken concerning the security of personal data,
f) the maximum retention period necessary for the purposes for which the personal data are processed.
(4) Any change in the information given pursuant to the third paragraph shall be notified to the Presidency immediately.
(5) Other procedures and principles relating to the Data Controllers' Registry shall be laid down by by-law.

CHAPTER FIVE
Crimes and Misdemeanours

Crimes
ARTICLE 17 – (1) Articles 135 to 140 of the Turkish Penal Code No. 5237 of 26/9/2004 shall apply to crimes concerning personal data.
(2) Those who fail to erase or anonymize personal data in breach of Article 7 of this Law shall be punished in accordance with Article 138 of Law No. 5237.

Misdemeanours
ARTICLE 18 – (1) For the purposes of this Law:
a) those who do not fulfil the obligation to inform provided for in Article 10 shall be subject to an administrative fine of 5,000 to 100,000 TL,
b) those who do not fulfil the obligations relating to data security provided for in Article 12 shall be subject to an administrative fine of 15,000 to 1,000,000 TL,
c) those who do not comply with the decisions issued by the Board pursuant to Article 15 shall be subject to an administrative fine of 25,000 to 1,000,000 TL,
ç) those who act contrary to the obligations of registration with the Data Controllers' Registry and of notification provided for in Article 16 shall be subject to an administrative fine of 20,000 to 1,000,000 TL.
(2) The administrative fines provided for in this Article shall be imposed on natural persons and private-law legal persons who are data controllers.
(3) Where the acts listed in the first paragraph are committed within public institutions and organizations or public professional organizations, disciplinary provisions shall be applied, upon notice from the Board, to the civil servants and other public officers employed in the relevant public institutions and organizations and to those employed in the public professional organizations, and the result shall be reported to the Board.

CHAPTER SIX
The Personal Data Protection Authority and its Organization

The Personal Data Protection Authority
ARTICLE 19 – (1) The Personal Data Protection Authority, a public legal entity with administrative and financial autonomy, has been established to carry out the duties conferred on it under this Law.
(2) The Authority is affiliated to the Minister assigned by the President of the Republic.
(3) The headquarters of the Authority is in Ankara.
(4) The Authority is composed of the Board and the Presidency. The decision-making body of the Authority is the Board.

Duties of the Authority
ARTICLE 20 – (1) The duties of the Authority are as follows:
a) to follow the latest developments in legislation and practice, to make evaluations and recommendations, and to conduct or commission research and investigations within its field of duty,
b) to cooperate, where needed, with public institutions and organizations, non-governmental organizations, professional associations or universities within its field of duty,
c) to follow and evaluate international developments concerning personal data, and to cooperate with international organizations and participate in meetings within its field of duty,
ç) to submit the annual activity report to the Presidency of the Republic of Turkey and to the Committee on Human Rights Inquiry of the Grand National Assembly of Turkey,
d) to carry out other duties assigned by law.