Is Turkish Data Protection law similar to the EU General Data Protection Regulation (GDPR)?
The Turkish law on Data Protection (hereinafter "Data Protection Law") shares some rules with the EU General Data Protection Regulation (GDPR), but its definitions and sanctions differ from the GDPR in several respects.
I. DEFINITIONS
Under the Turkish Data Protection Law, personal data is "any information relating to an identified or identifiable natural person". The chart below shows how wide the extent of personal data is. This means that any company that holds any kind of data of its clients, employees or commercial partners must comply with the Law.
If your company does not fulfill those obligations, even in part, your management faces prison sentences and the company may be subject to administrative fines, which are to be published in a major newsletter, harming the trademark of the company. This risk is real and current. Here are some of those obligations:
- "Personal data must have been obtained with the consent of either person or have been obtained by the presence of one of the reasons for compliance with the law";
- "Before giving consent, the person should be informed about his/her data";
- "Personal data must comply with the law and good faith";
- "Personal data must be accurate and updated when necessary";
- Personal data must be processed for specific, clear and legitimate purposes;
- Personal data must be linked to the purpose for which they are intended, limited and measured;
- Personal data must be kept for the period of time required for the purpose stipulated in the relevant legislation or for the purposes for which they are processed.
We emphasize that the person responsible for processing those data shall be appointed in due form by the company, and this appointment shall be reported to those whose data have been processed. A specific, appointed interlocutor in the company shall exclusively receive complaints or requests filed by persons handing over their personal data.
In order to minimize the risks to the company or allow full compliance with the Law, it is mandatory to prepare a data directory - data flow chart and to determine which data can be reached by whom, why and with which procedures.
On the other hand, other types of data qualify as "privileged personal data". Those relate to a person's race, ethnic origin, political opinion, philosophical belief, religion, creed or other beliefs, costume and clothing, membership of associations, foundations or trade unions, health, sexual life, security measures and criminal convictions, and biometric and genetic data. Accordingly, if the company retains privileged personal data, some specific measures shall be implemented by the Board of Personal Data, including the statement of an "explicit consent" by the persons submitting their privileged personal data.
II. WHAT ARE THE SANCTIONS?
In case of a violation of personal data privacy, there are three (3) separate sanctions, which are not entirely the same as those under the EU General Data Protection Regulation (GDPR).