Skip to Main Content
Main Menu
Regulation

Turkish Personal Data Protection Law (PDPL)

The Turkish Personal Data Protection Law (PDPL) is a core legislative act regulating data protection in Turkey. The PDPL is a step towards harmonizing Turkish legislation with EU legislation, and has a similar framework to Directive 95/46/EC, the GDPR and Directive (EU) 2106/680.

Are you subject to the Turkey PDPL?

The Turkish PDPL applies to natural or legal persons whose personal data is processed and or natural or legal persons who process such data either through automatic or non-automatic means.

There is no distinction between private corporations and public authorities in the Law and it does not have a territorial scope (meaning databases and servers storing Turkish data do not need to be located in Turkey). The Law shall apply to all natural and legal persons who process Turkish-originated data, regardless of whether they are located in Turkey or abroad.

Obligations & Rights under the Turkey PDPL

Individual Rights & Requests

Individuals have the right to request key information from the data controller, including whether their data has been processed and the identities of those to whom it has been transferred. They can also request correction of incomplete or inaccurate data, deletion or destruction of their data, object to negative consequences from automated data analysis, and seek compensation for damages due to illegal processing.

Policies & Notices

When collecting personal data, the data controller or its authorized representative must inform individuals about: (a) the identity of the data controller and if any, its representative, (b) the purposes for which personal data is processed, (c) persons to whom processed personal data might be transferred and purposes of the transfer (d) method and legal basis for the collection of personal data, (e) individual rights set forth under PDPL.

Consent

Personal data shall not be processed without obtaining the explicit consent of the data subject.

Data Security

The data controller is required to implement all necessary technical and organizational measures to provide an appropriate level of security. This includes preventing unlawful processing and access to personal data, thereby safeguarding sensitive information and maintaining its integrity.

Whitepaper

Guide to Data Inventory and Mapping for GDPR & CCPA Compliance

One of the most important steps to design and build a data privacy program is to create a data inventory of all of the business processes within an organization.

Achieve compliance

FAQs

  • What does the “Turkish PDPL” refer to?

    The Turkish Personal Data Protection Law or “PDPL” is a comprehensive piece of legislation designed to safeguard individuals’ personal information privacy in Turkey. The law also plays a critical role in protecting employees’ personal information, as employers typically process, store, and share a substantial amount of personal data about their employees. It became effective on April 7th 2016.

  • What is personal information and sensitive personal information?

    Personal information is any information relating to an identified or identifiable natural person. Examples include a first and last name, email address, or phone number.

    Sensitive personal information also known as “special categories of personal data” means data relating to race, ethnic origin, political opinions; philosophical beliefs; religion, sect or other beliefs; appearance and dressing; membership of association, foundation or trade-union; health; sexual life; criminal conviction and security measures; and biometrics and genetics.

  • What are the breach notification requirements?

    Under the Turkey PDPL, the data controller shall notify the data subject and the data protection authorities of such a situation as soon as possible. The data protection authority, if necessary, may declare such a situation on its website or by other means which it deems appropriate.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top