PERSONAL DATA PROTECTION LAW
Law Number : 6698
Accepted Date: 24/3/2016
Published in the R. Newspaper: Date: 7/4/2016 Issue: 29677
Published Code: Arrangement: 5 Volume: 57
Purpose, Scope and Definitions
ARTICLE 1- (1) The purpose of this Law is to process personal data, especially private life.
to protect the fundamental rights and freedoms of individuals, including privacy, and to process personal data.
to regulate the obligations of natural and legal persons and the procedures and principles to be followed.
ARTICLE 2- (1) The provisions of this Law apply to real persons whose personal data are processed and to
be a part of any data recording system that is fully or partially automated or
It applies to natural and legal persons who operate by non-automatic means, provided that
ARTICLE 3- (1) In the implementation of this Law;
a) Explicit consent: On a specific subject, based on information and free will
b) Anonymization: Personal data cannot be used in any way, even by matching with other data.
making it impossible to be associated with an identified or identifiable natural person,
c) Chairman: Chairman of the Personal Data Protection Authority,
Ã§) Relevant person: The real person whose personal data is processed,
d) Personal data: Any information relating to an identified or identifiable natural person,
e) Processing of personal data: Fully or partially automatic or
obtained by non-automatic means, provided that it is part of any data recording system.
recording, storing, preserving, changing, rearranging,
disclose, transfer, take over, make available, classify or
all kinds of operations performed on the data, such as preventing its use,
f) Board: Personal Data Protection Board,
g) Institution: Personal Data Protection Authority,
Ä) Data processor: Personal data on behalf of the data controller based on the authority given by him.
the real or legal person who operates,
h) Data recording system: Personal data is processed and structured according to certain criteria.
Ä±) Data controller: Data logger, which determines the purposes and means of processing personal data.
The natural or legal person responsible for the establishment and management of the system,
Processing of Personal Data
ARTICLE 4- (1) Personal data can only be processed by the procedures and procedures stipulated in this Law and other laws.
can be processed in accordance with the principles.
(2) The following principles must be complied with in the processing of personal data:
a) Compliance with the law and honesty rules.
b) Being accurate and up-to-date when necessary.
c) Processing for specific, explicit and legitimate purposes.
Ã§) Being connected, limited and restrained with the purpose for which they are processed.
d) Keep for the period required by the relevant legislation or for the purpose for which they are processed.
not to be
Terms of processing personal data
ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the person concerned.
(2) In the presence of one of the following conditions, without seeking the explicit consent of the person concerned
It is possible to process personal data:
a) It is clearly stipulated in the laws.
b) Those who are unable to express their consent due to actual impossibility or
life or body of the person or another person whose legal validity is not recognized
necessary to preserve its integrity.
c) Provided that it is directly related to the establishment or performance of a contract,
It is necessary to process the personal data of the parties to the contract.
Ã§) It is mandatory for the data controller to fulfill its legal obligation.
d) The person concerned has been made public by himself.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) Provided that it does not harm the fundamental rights and freedoms of the person concerned, the data controller
data processing is necessary for their legitimate interests.
Conditions for the processing of special categories of personal data
ARTICLE 6- (1) Race, ethnic origin, political thought, philosophical belief, religion, sect
or other beliefs, dress, association, foundation or union membership, health, sexual life,
data on criminal convictions and security measures, as well as biometric and genetic data
qualified personal data.
(2) Processing of sensitive personal data without the explicit consent of the person concerned is prohibited.
(3) Personal data other than health and sexual life listed in the first paragraph,
may be processed without seeking the explicit consent of the person concerned, in the foreseeable circumstances. On health and sexual life
Personal data can only be used for the protection of public health, preventive medicine, medical diagnosis, treatment and
execution of care services, planning and management of health services and financing
persons or authorized institutions and organizations under the obligation to keep secrets.
may be processed without seeking the explicit consent of the person concerned.
(4) In the processing of special categories of personal data, sufficient
precautions must be taken.
Deletion, destruction or anonymization of personal data
ARTICLE 7- (1) Processed in accordance with the provisions of this Law and other relevant laws
personal data ex officio in the event that the reasons requiring its processing disappear.
or deleted, destroyed or anonymized by the data controller at the request of the data subject.
(2) Other information regarding the deletion, destruction or anonymization of personal data.
the provisions of the laws are reserved.
(3) Regarding the deletion, destruction or anonymization of personal data
procedures and principles are regulated by regulation.
Transfer of personal data
ARTICLE 8- (1) Personal data cannot be transferred without the explicit consent of the person concerned.
(2) Personal data;
a) In the second paragraph of Article 5,
b) Provided that adequate measures are taken, in the third paragraph of Article 6,
In the event that one of the conditions specified is present, without the explicit consent of the person concerned.
(3) Provisions in other laws regarding the transfer of personal data are reserved.
Transfer of personal data abroad
ARTICLE 9- (1) Personal data cannot be transferred abroad without the explicit consent of the person concerned.
(2) Personal data, in the second paragraph of Article 5 and the third paragraph of Article 6
the existence of one of the specified conditions and in the foreign country to which the personal data will be transferred;
a) The availability of adequate protection,
b) In the absence of adequate protection, in Turkey and in the relevant foreign country
data controllers must undertake in writing to provide adequate protection and that the permission of the Board must be obtained.
to be found,
may be transferred abroad without seeking the explicit consent of the person concerned, provided that the
(3) Countries with adequate protection are determined and announced by the Board.
(4) The Board determines whether there is sufficient protection in the foreign country and whether the second paragraph (b)
whether it will be allowed pursuant to subparagraph;
a) International conventions to which Turkey is a party,
b) Reciprocity regarding data transfer between the country requesting personal data and Turkey
c) Regarding each concrete personal data transfer, the nature of the personal data and the purpose of the processing
and its duration,
Ã§) The relevant legislation and practice of the country to which the personal data will be transferred,
d) Committed by the data controller in the country to which the personal data will be transferred.
to evaluate and, if needed, the opinion of the relevant institutions and organizations.
(5) Personal data, without prejudice to the provisions of international agreements,
In cases where the interest of the person concerned will be seriously harmed, only the relevant public institution
or by taking the opinion of its institution, with the permission of the Board.
(6) Provisions in other laws regarding the transfer of personal data abroad