The six month transition period for certain provisions under Turkey’s new data protection regime ended on 7 October 2016. As a result, penalties and certain obligations for transfering data to third parties and abroad now apply for personal data collected and processed in Turkey.

The Data Protection Law numbered 6698 (“Law”) was published in Official Gazette number 29677 on 7 April 2016, with certain provisions becoming effective six months after that date. Further information about the Law and its implementation can be found here.

Delays in Establishing Government Bodies and Mechanisms

The Law introduced a legislative structure and definition for a national data protection regulator: the Data Protection Authority and Data Protection Board. The Data Protection Authority will include the Data Protection Board and the Board’s President. Once the Board is established, it will then create and maintain the Data Controller Registry.

When the Law was published, it envisioned October 2016 as the deadline for establishing the Data Protection Board and Data Controller Registry. From October 2016, Companies are also technically required to register Data Controllers with the Data Controller Registry.

However, necessary secondary legislation has not been enacted yet. Similarly, neither the Data Protection Board nor Data Controller Registry have been established yet.

To date, only five member of the Data Protection Board have been appointed (via decision number 1129 from the Turkish Parliament on 5 October 2016). The remaining four members are expected to be appointed in the near future.

The Law’s New Obligations Apply Regardless

Despite delays in establishing the government bodies and mechanisms, the Law’s obligations apply regardless. Similarly, criminal offenses and punitive measures now apply for failure to comply with the Law’s obligations.

Therefore, from 7 October 2016, the following obligations apply to persons and companies which deal with personal data:

  • Register with the Data Controller Registry (if and when the Registry is established).
  • Comply with the requirements under Article 8 of the Law regarding data transfers to third parties.
  • Comply with the requirements under Article 9 of the Law regarding data transfers abroad.

Please see this link for the full text of the Law (only available in Turkish).