Turkey’s first legislation addressing personal data protection was enacted on April 4th, 2016. Turkish Data Protection Law numbered 6698 (“DP Law”) outlines a similar framework to the European Data Protection Directive 95/46/EC and the secondary legislation in the form of regulations and communications is evolving in line with the General Data Protection Regulation (“GDPR”).

Article 2 of the DP Law states its scope of application. Accordingly, DP Law applies to:

  • natural persons whose personal data are processed
  • natural or legal persons who process such data fully or partially through automatic or non- automatic means only for the process which is part of any data registry system set out in the DP Law.

Apart from GDPR, DP Law does not indicate its territorial scope. That being said, in line with the principle of territoriality and the application of the provisions of Turkish Criminal Code referred by the Article 18 of the DP Law, the DP Law shall apply to all natural and legal persons who process Turkey-originated personal data, regardless of whether they locate in Turkey or abroad.

The DP Law sets out many requirements for data controllers related to processing and transfer of personal data, data security, data retention, data subject rights, obligation to inform, data controllers’ registry etc. and all data controllers including financial institutions, are required to comply with the general rules of DP law in their activities that involve Turkey-originated personal data processing.

*Full content available on DataGuidance.