Overview of the Legislative Framework
Presently, there is not any specific law or regulation which provides for an overall legal framework for data protection in Turkey. Privacy and data protection rules are stipulated in the Turkish Constitution and in several other main pieces of legislation, such as the Civil Code, the Code of Obligations and the Labour Law. Also, they are scattered in a number of laws and regulations which regulate any particular subjects or sectors, such as banking, credit cards, health industry, etc.
Even though Turkey signed the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on 28th January, 1981, this Convention has not been enacted to date into Turkish law.
Draft Law on the Protection of Personal Data
The latest Draft Law on the Protection of Personal Data (the “Draft Code”) which has been prepared by the present government as part of the Turkey’s commitment to harmonise its legal framework with that of the EU has been discussed on 14th January, 2015 at the parliamentary Sub-Committee for Adaptation to the EU.
The Draft Law mirrors to some extent the provisions of the EC Directive 95/46/EC of the European Parliament and of the Council (“The EC Directive”). Nevertheless, certain provisions of the Draft Law seem to be significantly different from those of the EC Directive. For instance, the Draft Law foresees that the Council for the Protection of Personal Data shall be linked to the Ministry of Justice. This obviously jeopardises the independent nature of the Council. Furthermore, the Draft Law, when introducing exemptions to its requirements and limitations, refers to the processing of data within the ambit of freedom of press, but seems to omit the processing of data for artistic, literature, historical and scientific purposes.
The Draft Law mainly regulates the general principles regarding processing of personal data, processing conditions, deleting or transferring of personal data, duty of data processors to give information regarding their activity, rights of individuals whose personal data are processed, transferred or deleted as the case may be, to request information or, claim compensation if the act of the processor caused any damage to the data owner. Moreover, it envisages establishment of the Council for the Protection of Personal Data to exercise the powers and fulfill the duties entrusted by the Draft Law.
Sample Pieces of Legislation Related to Data Protection
The general provisions of the laws and regulations that currently apply in respect of personal data protection in Turkey can be summarized as below:
- The Turkish Constitution of 1982
Article 20 of the Turkish Constitution regulates the confidentiality of the private life. Accordingly, everyone has the right to request the protection of his/her personal data, to access to, and request the correction and deletion of his/her personal data, and to be informed whether its data is used lawfully or not.
- Turkish Civil Code No. 4721
The Turkish Civil Code extends legal protection for each individual’s personality, and as such constitutes a key legal basis for protection of personal data. Accordingly, an individual whose personality rights are violated has the right to sue for compensation of its damages before Turkish civil courts.
- Banking Code No. 5411
The Banking Code provides that those bank employees who, by virtue of the position they hold or in the course of the performance of their duties, have access to confidential information about banks or their clientele are prohibited from disclosing such confidential information to any third party, other than the authorities expressly authorized by law. This confidentiality obligation will survive the termination of employment contracts.
- Electronic Communication Law No. 5809 and the underlying regulations
The Electronic Communication Law and the secondary legislation issued thereunder namely, the Regulation on the Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector (“the Regulation”) set forth detailed rules and procedures which any “authorised operator” should respect when processing personal data.
- Labour Law No. 4857
According to the Turkish Labour Law, an employer should use the data about each employee in compliance with the principles of good faith and applicable laws, and should not disclose the information which the employee has a justifiable interest in keeping confidential.
- Criminal Code No. 5237
The Turkish Criminal Code penalises violations of privacy of personal data, such as unlawful recording, delivery and acquisition of personal data and failure to destroy any personal data that was disclosed for a specific purpose within a prescribed period.
- Other sector-specific regulations under Turkish Law
Apart from the rules and regulations referred to above, the other specific laws, regulations and communiqués dealing with data protection issues include Law on Tax Procedure No 213, Debit and Credit Cards Law No. 5464, By-Law on Medical Examination of Body, Genetic Examinations And Designation Of Physical Identities, Electronic Signature Law No. 5070, Law on Regulating Broadcasting on the Internet and Fighting Against Crimes Committed through Internet Broadcasting No. 5651, Law on the Right to Information No. 4982.