Ignoring Turkish law on data breaches could put you in prison
Data processors resident outside Turkey whose activities affect Turkey may also need to register by 30 September 2019. Even failing to delete expired data can be punished by one to two years’ imprisonment.
As a candidate state for EU membership, Turkey aligns much of its legal system with EU law; its 2016 Law on the Protection of Personal Data (the "Turkish Data Protection Law") is therefore based largely on EU data protection law.
Turkey is keen to attract foreign direct investment, especially in the communications and technology sectors, so an advanced data protection regime is vital. In an increasingly online world, even companies without any physical presence in Turkey may be subject to Turkish Data Protection Law if their activities have an effect in Turkey.
The 2016 Law allows administrative fines of up to three percent of a company's net annual sales to be levied if personal data is stolen or disclosed without consent. This provides a strong incentive for companies to keep data secure.
Turkish Data Protection Law applies to both sensitive and non-sensitive personal information. Sensitive data is defined in Turkish law as including data relating to a subject’s race, ethnicity, religion, appearance, political views, union membership, health, sexual life and criminal convictions.
According to Turkish Data Protection Law, explicit consent is required to process both sensitive and non-sensitive data. The exceptions to this general rule include where there is a legal obligation on a data processor to process the data and where such processing is necessary to protect the life of the subject.
A registration system is currently being rolled out in Turkey. Since 1 October 2018, certain data controllers (the entities that decide why and how personal data is processed) must register with Turkey's Data Controller Registry Information System, VERBIS. These include Turkish resident controllers with more than 50 employees or an annual turnover of more than 25 million Turkish Lira. Controllers resident outside Turkey whose activities have an effect in Turkey may also need to register by 30 September 2019.
Data processors have general obligations which include ensuring that data is processed lawfully, for a specific and legitimate purpose, is accurate, up to date and only kept as long as is necessary. Data subjects must be informed of the purpose for which their data will be processed, to whom the data could be transferred and the subject’s rights in relation to the data. Personal data may not be transferred outside Turkey without the consent of the data subject, except in strictly limited circumstances. Regulatory approval is required for such transfers where the transfer may harm Turkey or the data subject.
Data processors are legally required to take all necessary technical, procedural and administrative steps to ensure the required level of security. There is an obligation on processors to report a data breach to the Data Protection Authority and to notify the affected subject as soon as possible. The authority can make the data breach public knowledge, if necessary.
Subjects must generally opt in before they are sent commercial communications by electronic means. Every such communication must also provide a simple way to opt out. A significant exception to these general rules in Turkish law is that commercial traders and merchants may be sent commercial communications without their consent having first been obtained.
The sanctions for data breaches in Turkey are not limited to fines and regulatory intervention. The criminal code allows for penalties – including imprisonment – for data breaches. Those illegally collecting personal data can be imprisoned for one to three years. Those who illegally publish or transfer personal data may be imprisoned for two to four years. Penalties increase if the data illegally processed is sensitive. Even failing to delete data lawfully collected after the retention period expires can be punished by one to two years’ imprisonment.
While Turkish Data Protection Law is relatively new, it provides a robust system. Although the Turkish data protection regime is largely based on EU law, it has some unique aspects that businesses operating in Turkey should be aware of.
Eren Can Ersoy, Senior Associate
This article was published in SC Media