This article is correct as of 12th November 2019

LAW ON PROTECTION OF PERSONAL DATA

Law No. 6698

Date of Enactment: 24/03/2016

SECTION ONE

Objective, Scope and Definitions

Objective

ARTICLE 1- (1) The objective of this Law is to protect the fundamental rights and freedoms of individuals, notably the right to privacy, during the course of personal data processing, as well as to regulate the procedure and principles to be complied with by natural and legal persons processing personal data.

Scope

ARTICLE 2- (1) The provisions of this Law apply to the natural persons whose personal data are processed and to natural and legal persons processing such data wholly or partly by automatic means and to the processing otherwise than by automatic means of personal data which form part of a data filing system.

Definitions

ARTICLE 3- (1) For the purposes of this Law;

a) ‘Explicit consent’ means freely given informed indication of consent regarding a specific matter,

b) ‘Rendering anonymous’ means retaining personal data in a form which cannot be associated in any manner, even by means of matching with other data, with an identified or identifiable natural person,

c) ‘President’ means the President of the Personal Data Protection Authority,

d) ‘Data Subject’ means a natural person whose personal data is processed,

e) ‘Personal Data’ means any information relating to an identified or identifiable natural person,

f) ‘Processing of Personal Data’ means any kind of operation which is performed upon personal data, whether wholly or partly by automatic means or otherwise than by automatic means which form part of a data filing system, such as collection, recording, storage, preservation, alteration, organization, disclosure, transmission, assignment, making available, classification or blocking,

g) ‘Board’ means the Personal Data Protection Board,

h) ‘Authority’ means the Personal Data Protection Authority,

i) ‘Data Processor’ means a natural or legal person which processes personal data on behalf of the Data Controller with the authority granted by the Data Controller,

j) ‘Data Filing System’ means a filing system in which personal data are structured and processed according to specific criteria,

k) ‘Data Controller’ means a natural or legal person who determines the purposes and means of the processing of personal data and is liable for the establishment and administration of the data filing system.

SECTION TWO

Processing of Personal Data

General Principles

ARTICLE 4- (1) Personal data may be processed only in accordance with the procedures and principles set out in this Law and other laws.

(2) The following principles must be complied with during the course of personal data processing:

a) Processing personal data fairly and lawfully.

b) Being accurate and, where necessary, up to date.

c) Processing personal data for specified, explicit and legitimate purposes.

d) Being relevant, adequate and not excessive in relation to the purposes for which they are processed.

e) Being kept for the period stipulated by law or for no longer than necessary for the purpose for which they are processed.

Conditions for personal data processing

ARTICLE 5- (1) Personal data may not be processed without explicit consent of the data subject.

(2) Explicit consent of the data subject shall not be required if any of the following conditions are present:

a) If processing is explicitly stipulated by law.

b) If processing is necessary to protect the vital interests and physical integrity of the data subject or of another person where the data subject is physically or legally incapable of giving his consent.

c) If processing of the personal data of the parties of an agreement is necessary provided that such processing is directly related to the establishment or performance of an agreement.

d) If processing is necessary for the Data Controller to perform his legal obligations.

e) If personal data is manifestly made public by the data subject.

f) If processing is necessary for the establishment, exercise or defense of a right.

g) If processing is necessary for the legitimate interests pursued by the Data Controller, provided that the fundamental rights and freedoms of the Data Subject are not damaged.

Conditions for sensitive data processing

ARTICLE 6- (1) Sensitive personal data is personal data revealing race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, foundation or union membership, health, sexual life, data on penal convictions or security measures, as well as biometric and genetic data of a person.

(2) Sensitive personal data may not be processed without explicit consent of the Data Subject.

(3) The personal data referred to in paragraph 1, except for the data regarding health and sexual life, may be processed without explicit consent of the Data Subject in cases stipulated by law. The data regarding health and sexual life may be processed without explicit consent of the data subject by persons under a professional obligation of secrecy or by authorized institutions and organizations for the purposes of protection of public health, preventive medicine, medical diagnosis, the implementation of care or treatment or the management of health care services, planning and administration of health care financing.

(4) Sensitive personal data must be processed according to the adequate measures determined by the Board.

Erasure, destruction or rendering anonymous of personal data

ARTICLE 7- (1) Despite being processed in accordance with the provisions of this Law and other laws, in case the reasons giving rise to processing disappear, the personal data shall be, ex officio or upon the data subject’s request, erased, destroyed or rendered anonymous.

(2) The provisions in other laws regarding the erasure, destruction or rendering anonymous of personal data are reserved.

(3) The procedures and principles regarding the erasure, destruction or rendering anonymous of personal data are arranged by means of regulations.

Transfer of personal data

ARTICLE 8- (1) Personal data may not be transferred without explicit consent of the data subject.

(2) Personal data may be transferred without explicit consent of the data subject if any of the conditions referred to in;

a) Paragraph 2 of Article 5,

b) Paragraph 3 of Article 6, provided that adequate measures are taken,

is present.

(3) The provisions in other laws regarding the transfer of personal data are reserved.

International transfer of personal data

ARTICLE 9- (1) Personal data may not be transferred outside the country without explicit consent of the data subject.

(2) Personal data may be transferred outside the country without explicit consent of the data subject if any of the conditions referred to in Paragraph 2 of Article 5 and Paragraph 3 of Article 6 is present and if the following are present in the foreign country to which the personal data shall be transferred:

a) adequate level of protection,

b) in the absence of adequate level of protection, an undertaking in writing given by the data controllers both in Turkey and in the relevant foreign country on adequate level of protection as well as the permission of the Board.

(3) The countries having adequate level of protection are determined and announced by the Board.

(4) The Board determines whether adequate level of protection is available in a foreign country and whether a permission can be granted pursuant to subparagraph (b) of paragraph 2 by assessing the following and, if deemed necessary, by obtaining opinions of relevant institutions and organizations;

a) International agreements which Turkey is a party to,

b) The reciprocity status regarding data transfer between Turkey and the country requesting personal data,

c) Regarding each concrete personal data transfer, the nature of personal data as well as the purpose and duration of processing,

d) The relevant legislation and its implementation in the recipient country,

e) The measures undertaken by the data controller in the recipient country.

(5) Personal data, provided that the provisions of international conventions are reserved, may be transferred outside the country in cases where Turkey or the data subject might face a serious damage of interest only upon permission of the Board based on the opinion of the related governmental institution or organization.

(6) The provisions in other laws regarding the international transfer of personal data are reserved.

SECTION THREE

Rights and Obligations

Data controller’s obligation for providing information

ARTICLE 10- (1) The data controller or the person authorized by it is obliged to provide the data subject with the following information during the course of personal data collection;

a) The identity of the data controller and of its representative, if any,

b) The purposes of the processing of personal data,

c) The recipients of the processed personal data and the purpose of such transfer,

d) The method and legal grounds of personal data collection,

e) Other rights of the data subject referred to in Article 11.

Rights of data subject

ARTICLE 11- (1) Every individual has the right to;

a) Be informed whether or not personal data relating to him/her are being processed,

b) Request information concerning the process, if personal data has been processed,

c) Be informed of the purpose of personal data processing and whether they are used in line with its purposes,

d) Be informed about the third parties in receipt of the personal data inside and outside the country,

e) Request the rectification of the incompletely or inaccurately processed personal data,

f) Request the erasure or destruction of personal data within the framework of the conditions prescribed in Article 7,

g) Request the notification of third parties to whom the personal data are transferred about the operations conducted pursuant to subparagraphs (e) and (f),

h) Object to the result obtained and analyzed by means of exclusively automated systems against his/her interest,

i) Request the compensation of the damages suffered as a result of an unlawful personal data processing.

Obligations related to data safety

ARTICLE 12- (1) The data controller must take all necessary technical and administrative measures in order to provide the adequate level of safety for;

a) Prevention of the unlawful processing of personal data,

b) Prevention of the unlawful access to personal data,

c) Safeguarding personal data.

(2) The data controller shall be jointly liable with the natural or legal persons who processed personal data on behalf of the data controller for taking the measures set out in paragraph 1.

(3) The data controller must conduct or must have conducted, within its institution or organization, the necessary audits for the implementation of such provisions of the Law.

(4) The data controllers and data processors may not disclose the personal data in their possession to third parties unlawfully and may not use for purposes other than data processing. Such obligation continues after such persons complete their duties.

(5) The data controller shall promptly notify the Data Subject and the Board, in case the processed personal data is obtained unlawfully by a third party. The Board, if deemed necessary, may announce such case through its Internet site or by any means appropriate.

SECTION FOUR

Application, Complaints and Data Controller Register

Application to the Data Controller

ARTICLE 13- (1) The data subject may extend his requests regarding the implementation of this Law to the data controller in writing or by means of other methods to be determined by the Board.

(2) The data controller concludes the requests referred to in the application in the shortest time possible or within 30 days at the latest according to the nature of the request. However, in case the transaction requires additional costs, the fees indicated in the tariff determined by the Board may be collected.

(3) The data controller accepts or otherwise declines by justification the request and informs the data subject in writing or in electronic format. In case the request referred to in the application is accepted, the data controller does what is necessary. The collected fee is returned in case the application arises from the fault of data controller.

Complaints to the Board

ARTICLE 14- (1) In case the application is dismissed, the response is found inadequate or the application is not answered within the prescribed period; the data subject may file a complaint before the Board within thirty days following the date of receipt of the data controller’s response and in any case not later than sixty days following the date of application.

(2) The right to complaint may not be resorted to unless the method of application set out in Article 13 is exhausted.

(3) The right to indemnify, according to general provisions, of the individuals whose personal rights have been violated is reserved.

Procedures and principles of investigations to be carried out ex officio or upon complaint

ARTICLE 15- (1) The Board, upon complaint or ex officio, in case an alleged violation has come to be known, carries out the necessary investigation on the issues covered by its area of responsibility.

(2) The notifications or complaints which do not meet the conditions set out in Article 6 of Law No. 3071 on Exercising the Right to Petition dated 1/11/1984 shall not be taken into consideration.

(3) Except for the information and documentation constituting state secrets; the data controller is obliged to send within fifteen days the information and documentation concerning the subject of investigation requested by the Board and, when necessary, to provide the facilities for investigation on-site.

(4) Upon complaint, the Board assesses the claim and responds to the related parties. The claim is deemed to be dismissed if no response is provided within sixty days following the date of complaint.

(5) As a result of the investigation conducted ex officio or upon complaint, in case the existence of violation is confirmed, the Board decides for the removal of illegal contrarieties by the data controller and notifies its decision to the related parties. Such decision must be implemented immediately upon notification and within thirty days at the latest.

(6) As a result of the investigation conducted ex officio or upon complaint, in case the prevalence of the violation is confirmed, the Board renders a resolution and publishes such resolution. The Board, if needed, obtains the opinions of relevant institutions and organizations prior to rendering a resolution.

(7) The Board, in case unrecoverable or irreparable damages arise and explicit illegalities exist, may decide for the data processing or the data transfer to be ceased.

Data Controller Register

ARTICLE 16- (1) Under the supervision of the Board, a public Data Controller Register shall be kept by the Presidency.

(2) The natural and legal persons processing personal data must be registered in the Data Controller Register before starting to process data. However, data controllers may be held exempt from the registration requirement by the Board by taking into consideration the objective criteria to be determined by the Board such as the nature and quantity of the processed personal data, the data processing being required by law or transfer to third parties.

(3) The application for registration in the Data Controller Register shall be made by means of a notification which contains the following:

a) Identity and address of the data controller or its representative, if any.

b) The purpose of personal data processing.

c) Explanations concerning the group(s) of persons subject to data and the data categories of such persons.

d) Recipients or recipient groups to whom the personal data shall be transferred.

e) The personal data considered to be transferred to foreign countries.

f) The measures taken for personal data safety.

g) Maximum time required for the purpose of personal data processing.

(4) The changes in the information provided according to paragraph 3 shall be informed immediately to the Presidency.

(5) Other procedures and principles regarding the Data Controller Register are arranged by means of regulations.

SECTION FIVE

Crimes and Misdemeanors

Crimes

ARTICLE 17- (1) The provisions of Articles 135 to 140 of Turkish Penal Code No. 5237 dated 26/9/2004 apply to the crimes regarding personal data.

(2) The persons who do not erase or render anonymous the personal data as a violation of the provision of Article 7 of this Law shall be punished according to Article 138 of Law No. 5237.

Misdemeanors

ARTICLE 18- (1) The administrative fines prescribed for the violation of this Law shall be as follows:

a) TRY 5,000 to TRY 100,000 to those who do not fulfill the obligation for providing information set out in Article 10;

b) TRY 15,000 to TRY 1,000,000 to those who do not fulfill their obligations with regard to the security set out in Article 12;

c) TRY 25,000 to TRY 1,000,000 to those who do not perform the decisions of the Board pursuant to Article 15;

d) TRY 20,000 to TRY 1,000,000 to those who violate the obligation of registration and notification with respect to the Data Controllers Register set out in Article 16.

(2) The administrative fines prescribed in this article apply to natural persons and private law legal persons that are data controllers.

(3) In case the actions listed in paragraph 1 take place within public institutions and organizations and professional organizations having public institution status, upon the notification by the Board, disciplinary actions shall be taken against the officers and other public officials working at the related public institutions and organizations as well as those working at the professional organizations having public institution status, and the result shall be submitted to the Board.

SECTION SIX

Personal Data Protection Authority and the Organization

Personal Data Protection Authority

ARTICLE 19- (1) For the purpose of performing the duties assigned in this Law, the Personal Data Protection Authority has been established which is a public entity with administrative and financial autonomy.

(2) The Authority is associated with the minister assigned by the President of the Republic of Turkey.

(3) The head office of the Authority is in Ankara.

(4) The Authority comprises the Board and the Presidency. The decision making body of the Authority is the Board.

Duties of the Authority

ARTICLE 20- (1) The duties of the Board are:

a) In respect of its scope of duties, following up implementations and the developments in the legislation, making assessments and proposals, carrying out or having carried out research and examination.

b) If required, collaborating with public institutions and organizations, non-governmental organizations, professional associations or universities concerning the matters within its scope of duties.

c) Following up and assessing international developments with regard to personal data, collaborating with international institutions concerning the matters within its scope of duties, participating in meetings.

d) Submitting the annual report for the attention of the Presidency of the Republic of Turkey, Human Rights Investigation Commission of the Turkish Grand National Assembly.

e) Carrying out other duties assigned by laws.

Personal Data Protection Board

ARTICLE 21- (1) The Board carries out and uses the duties and authority granted to it by this Law and other legislation independently under its own responsibility. No body, office, authority or person may give orders or instructions to or counsel or influence the Board concerning the matters that fall into its scope of duties.

(2) The board consists of nine members. Five members of the board are selected by the Turkish Grand National Assembly, four members of the board are selected by the President of the Republic of Turkey.

(3) The following requirements are sought for membership to the Board:

a) Having information and experience concerning the matters within the scope of duties of the Authority.

b) Having the qualifications set out in the sub clauses (1), (4), (5), (6) and (7) of Clause (A) of paragraph 1 of Article 48 of Public Servants Law No. 657 dated 14/7/1965.

c) Not being a member to any political party.

d) Abrogated on July 2, 2018 with Article 163 of the decree law no. 703.

e) Having served not less than ten years in public institutions and organizations, international institutions, non-governmental organizations or professional associations with public institution status or in the private sector.

(4) Abrogated on July 2, 2018 with Article 163 of the decree law no. 703.

(5) The Turkish Grand National Assembly selects Board members in the following manner:

a) For the election, the candidates are nominated in a number two times more than the number of members to be determined according to the ratio of the number of members of political party groups and the Board members are elected by the Turkish Grand National Assembly among such candidates based on the number of members per each political party group. However, in the political party groups, no discussions may be held and no decisions may be made as to whom it must be voted for in the elections to be held in the Turkish Grand National Assembly.

b) The election of the Board members is made within ten days following the nomination and announcement of the candidates. Split tickets are arranged in separate lists for the candidates nominated by political party groups. Votes are cast by means of marking the specific space designated opposite their names. Votes exceeding the number of members to be selected for the Board from the quota of the political party groups determined according to paragraph 2 shall be declared null and void.

c) The candidates in the number corresponding to the number of vacant membership voted the most in the election are elected, provided that the quorum of decision is present.

d) Two months prior to the expiration of term of office; in case of any vacancy in the memberships, an election is held in the same manner within one month following the date of vacancy or following the end of holiday, if the vacancy status occurs during the holiday period of the Turkish Grand National Assembly. In such elections, the distribution of vacant memberships among the political party groups is made by considering the number of members selected from the political party group quotas in the first election and the current ratio of the political party groups.

(6) Forty five days prior to the expiration of term of office of one of the members selected by the President of the Turkish Republic or in case of termination of office due to any reason, within fifteen days the Authority notifies the situation to the Prime Ministry for submission of such case to the President of the Republic of Turkey.

(7) The board selects a President and a Vice President among its members. The President of the Board is also the President of the Authority.

(8) The term of office of the Board members is four years. The member whose term of office expires may be reelected. The person who is replaced with the member whose term of office terminates due to any reason prior to the expiry of the term completes the remaining term of the predecessor member.

(9) The elected members take oath before the Board of First Presidency of the Supreme Court in the following form: ‘I hereby swear on my honor that I shall perform my duty in accordance with the constitution and the laws, in full impartiality, honesty, fairness and with a sense of justice.’ The application to the Supreme Court for taking the oath is deemed to be an application ex parte.

(10) The Board members, unless allowed by a specific law, may not undertake any official or private duties other than performing their official duties in the Board, may not perform duties as an executive in associations, foundations, cooperatives or similar establishments, may not be involved in commerce, may not carry out self-employment activities, may not render services as an arbitrator and an expert. However, the Board members may publish scientific articles, teach or give lectures provided that such performances do not disturb their fundamental duties and they may collect the royalties as well as the teaching and lecture fees arising from such performances.

(11) Investigations with regard to the crimes allegedly committed by the members in connection with their duties are carried out according to Law No. 4483 on Trials of Officials and Other Civil Servants dated 2/12/1999 and the consent for investigation concerning such issue is granted by the President of the Republic of Turkey.

(12) The provisions of Law No. 657 apply during disciplinary investigation and prosecution against the Board members.

(13) The Board members may not be dismissed from office prior to the expiry of their term. The membership of the members is terminated by a Board resolution in case;

a) It is understood afterwards that they do not comply with the qualifications required to be elected,

b) An imprisonment sentence against them due to crimes they committed in connection with their duties is finalized,

c) It is confirmed by a medical board report that they are not capable of performing their duties,

d) It is ascertained that they have been absent from their duties without permission or excuse and consecutively for fifteen days or for thirty days in total in one year,

e) It is ascertained that they have not participated without permission or excuse in three Board meetings in one month, and ten Board meetings in total in one year.

(14) Those elected for Board membership are disaffiliated from their previous duties during the period they serve in the Board. Those elected for Board membership when they were public servants, provided that they have not lost the requirements for being an official, in case their term of office expires or they request to be released from their duties, they may apply to their previous offices within thirty days upon which they are assigned to a position in accordance with their acquired rights by the competent authority. Until the assignment is actualized, all types of payments such members have been receiving continue to be disbursed by the Authority. Those who had not been working in a public office and elected for membership and later their term of office is terminated in the aforementioned manner, all types of payments such members have been receiving continue to be disbursed by the Authority until they start a new duty or job, and the disbursement by the Authority to those whose memberships are terminated in such manner may not exceed a period of three months. The term of office, employee personal rights and other rights of such members are deemed to have been served in their previous institutions or organizations.

Duties and powers of the Board

ARTICLE 22- (1) The duties and powers of the Board are:

a) Providing the processing of personal data in compliance with fundamental rights and freedoms.

b) Concluding the complaints of those who claim that their rights regarding personal data are violated.

c) Upon complaint or in case an alleged violation has come to be known, investigating whether the personal data have been processed in compliance with the laws regarding the matters within the scope of duties ex officio and taking temporary measures concerning this matter, if necessary.

d) Determining adequate measures required for the processing of Sensitive Personal Data.

e) Keeping the Data Controller Register.

f) Taking the necessary regulatory actions for matters regarding the scope of duties of the Board as well as the operation of the Authority.

g) Taking the necessary regulatory actions in order to determine the obligations regarding data security.

h) Taking the necessary regulatory actions regarding the duty, authority and responsibilities of data controllers and their representatives.

i) Deciding on the administrative sanctions prescribed in this Law.

j) Expressing opinion on the legislation drafts prepared by other institutions and organizations and containing provisions regarding personal data.

k) Concluding the strategic plan of the Authority, setting out the purpose and objectives, the service quality standards and the performance criteria of the Authority.

l) Discussing and concluding the budget proposal prepared in accordance with the strategic plan and the purpose and objectives of the Authority.

m) Approving and publishing the report drafts prepared regarding the performance, financial status and annual activity of the Authority as well as other required matters.

n) Discussing and concluding proposals concerning real estate purchasing, sales and leasing.

o) Carrying out other duties assigned by laws.

Working principles of the Board

ARTICLE 23- (1) Meeting dates and the agenda of the Board are determined by the President. The President may call an extraordinary Board meeting when necessary.

(2) The Board gathers with the attendance of minimum six members including the President and makes decisions with the absolute majority vote of the total number of members. The Board members may not abstain from voting.

(3) Board members may not participate in meetings and votes regarding matters in connection with themselves, blood relatives up to third degree and relatives by marriage up to second degree, their adopted children and their spouses, even though the marriage bond does not exist.

(4) Board members may disclose the secrets of data subjects and third parties which come to be known to them during their work to only authorities allowed by law regarding this matter, and may not use such secrets for their own benefits. Such obligation survives after they retire from office.

(5) Matters discussed by the Board are recorded in the minutes. The decisions and the justifications of opposing votes, if any, are drawn up not later than fifteen days following the date of decision. The Board announces the decisions to the public if deemed required.

(6) Unless otherwise agreed, discussions in Board meetings are kept confidential.

(7) Working procedures and principles of the Board and drawing up of decisions as well as other matters are arranged by means of regulations.

President

ARTICLE 24- (1) The President is the highest official of the Board in his/her capacity as the head of the Board and the Authority and therefore arranges and runs the services of the Board according to legislation as well as the purpose and policy, the strategic plan, performance criteria and service quality standards of the Board and further provides the coordination between the service departments.

(2) The President is liable for general administration and representation of the Authority. Such liability comprises the duty and authority of arranging, performing, supervising, assessing and, if required, announcing to public the Board operations.

(3) Duties of the President are:

a) Presiding the Board meetings.

b) Announcing to public the Board decision notifications and matters deemed necessary by the Board as well as following up the implementations thereof.

c) Assigning the Vice President, heads of departments and the personnel of the Authority.

d) Putting the proposals received from the service departments into final form to be submitted to the Board.

e) Having the strategic plan implemented, and creating human resources and labor policies in line with service quality standards.

f) Preparing the annual budget and financial statements of the Authority according to the designated strategies, annual purposes and objectives.

g) Providing the coordination between the Board and the service departments in order to provide coordinated, effective, disciplined and orderly operation.

h) Managing the relationships between the Authority and other institutions.

i) Specifying the field of duty and authority of the authorized signatories representing the President.

j) Performing other duties regarding the management and operation of the Authority.

(4) The Vice President substitutes the President in his/her absence.

Formation and duties of the Presidency

ARTICLE 25- (1) The Presidency comprises the Vice President and the service departments. The Presidency performs the duties referred to in paragraph 4 through the service departments. The number of the departments may not exceed seven.

(2) A Vice President is assigned by the President for assisting him/her in his/her duties regarding the Authority.

(3) The Vice President and the heads of the departments are assigned by the President among those persons having graduated from a university license program of four years and having served not less than ten years in public institutions and organizations.

(4) Duties of the Presidency are:

a) Keeping the Data Controller Register.

b) Performing the bureau and secretarial operations of the Authority and of the Board.

c) Representing the Authority through attorneys during the actions and executions to which the Authority is a party, following or having followed the actions, supervising legal services.

d) Supervising the employee personal operations of the Board members and the employees of the Authority.

e) Performing the duties assigned by laws to the finance department and strategy development department.

f) Providing the installation and utilization of the IT systems for the works and transactions of the Authority to be performed.

g) Preparing draft reports regarding the annual activities of the Board or other necessary matters and submitting them to the Board.

h) Preparing the draft strategic plan of the Authority.

i) Determining the personnel policy of the Authority, preparing and implementing the career and training schedules of the personnel.

j) Performing personnel transactions such as assignment, transfer, discipline, performance, promotion, retirement and the like.

k) Specifying the codes of conduct to be complied with by the personnel and providing the personnel with the necessary training.

l) Within the framework of Public Finance Management and Control Law No. 5018 dated 10/12/2003, performing the services required by the Authority such as all types of purchasing, leasing, maintenance, repair, production, archive, health, social services and the like.

m) Keeping the records of the movables and immovables owned by the Authority.

n) Performing other duties assigned by the Board or the President.

(5) The service departments and the working procedures and principles of such departments are specified in compliance with the field of activity, duty and authority set out in this Law by means of the regulations entered into force by the decision of the President of the Republic of Turkey upon the Authority’s proposal.

Personal Data Protection Expert and Assistant Experts

ARTICLE 26- (1) Personal Data Protection Experts and Assistant Personal Data Protection Experts may be employed at the Authority. Among these employees, those assigned to Personal Data Protection Expert position within the framework of Supplementary Article 41 of Law No. 657 are promoted with one degree for one time only.

Provisions regarding the personnel and the employee personal rights

ARTICLE 27- (1) The personnel of the Authority are subject to Law No. 657 along with the matters regulated by means of this Law.

(2) Payments to the President and the members of the Board as well as the personnel of the Authority regarding financial and social benefits specified for the precedent personnel pursuant to the Supplementary Article 11 of Decree-Law No. 375 dated 27/6/1989 are made within the framework of the same procedures and principles. Those payments to the precedent personnel exempted from taxes and other legal deductions are also exempted from taxes and other legal deductions according to this Law.

(3) The President and the members of the Board as well as the Authority personnel are subject to the provisions of subparagraph (c) of paragraph 1 of Article 4 of Social Security and General Health Insurance Law No. 5510 dated 31/5/2006. The President and members of the Board as well as the Authority personnel are deemed equivalents of the personnel specified as precedents in terms of pension rights. The term of office of those assigned as the President or members of the Board when they were insured within the scope of subparagraph (c) of paragraph 1 of Article 4 of Law No. 5510 whose assigned duties are terminated or those requesting to resign from such duties is considered during the determination of their acquired rights of salary, degree and level. The term of office of those who remain within the scope of Provisional Article 4 of Law No. 5510 is taken into consideration as the period for which the executive and representation benefits are required to be paid. The dismissal of those assigned as the President and members of the Board when they were insured at the public institutions and organizations within the scope of subparagraph (a) of Article 4 of the Law No. 5510 from their previous institutions and organizations does not require the severance and termination pays to be disbursed to them. The term of office of those in this status for which the severance or termination pay required to be paid is combined with the term of office as the President and member of the Board and such combined period is taken into consideration as the period for which the retirement bonus is paid.

(4) Officials employed at public administrations within the scope of central administration, social security institutions, local administrations, administrations associated with local administrations, local administration unions, circulating capital enterprises, funds established by laws, institutions having public entity nature, institutions more than fifty percent of the capital of which is publicly owned, public economic enterprises and public economic organizations and their subsidiaries and associated institutions as well as other public servants, by the consent of their institutions (and judges and public prosecutors by their own consent), may be employed temporarily at the Authority provided that their salaries, allowances, all types of raises and indemnities as well as other financial and social benefits and aids are paid by their institutions. Requests of the Authority in this regard are prioritized by the related institutions and organizations. Personnel assigned in this manner are deemed to be on paid leave from their institutions. The relation of such personnel with their civil service and their employee personal rights continue during their leave; furthermore, such periods are taken into consideration when calculating promotions and retirement and their promotions are applied timely without any further transactions required. The periods spent in the Authority by those assigned within the scope of this article are deemed to have been spent in their institutions. The number of those assigned in such manner may not exceed ten percent of the total number of Personal Data Protection Expert and Assistant Personal Data Protection Expert staff and the term of assignment may not exceed two years. However, if required, such period may be extended in one-year terms.

(5) The title and number of staff to be employed at the Authority are indicated in the attached table no. (I). In a manner that the total number of staff is not exceeded and provided that it is limited to the staff titles indicated in the tables attached to Decree Law No. 190 Concerning General Staff and Procedure dated 13/12/1983, changes in titles and degrees, adding new titles and cancelling idle positions are performed by means of the decision of the Board.

SECTION SEVEN

Miscellaneous Provisions

Exceptions

ARTICLE 28- (1) The provisions of this Law do not apply in the following conditions:

a) Personal data being processed by natural persons within the scope of the activities regarding himself/herself or family members living in the same household provided that they are not given to third parties and the obligations regarding data safety are observed.

b) Personal data being processed with official statistics for purposes such as research, planning and statistics by means of rendering it anonymous.

c) Personal data being processed for purposes such as art, history, literature or science or within the scope of freedom of speech provided that national defense, national security, public security, public order, economic safety, right of privacy or personal rights are not violated or such acts do not constitute a crime.

d) Personal data being processed within the scope of preventive, protective and intelligence actions carried out by public institutions and organizations authorized by law in order to provide national defense, national security, public security, public order or economic security.

e) Personal data being processed by judicial authority or execution authorities regarding operations such as investigations, prosecutions, judicial proceedings and executions.

(2) Provided that it is in compliance with and proportional to the purpose and basic principles of this Law, Article 10 regulating the information obligation of the data controller, except for the right to claim for compensation of the damages, Article 11 regulating the rights of the data subject and Article 16 regulating the obligation of registration to the Data Controller Register do not apply in the following conditions:

a) When personal data processing is required in order to prevent crimes or for criminal investigation purposes.

b) Processing of personal data which has been made public by the data subject.

c) When personal data processing is required for the auditing and organizing duties to be performed by public institutions and organizations assigned and authorized by law and by professional organizations with public institution status as well as for disciplinary proceedings and prosecutions.

d) As to budget, tax and finance matters, when personal data processing is required for the protection of the economic and financial benefits of the State.

Budget and revenues of the Authority

ARTICLE 29- (1) The budget of the Authority is prepared and accepted according to the procedures and principles set out in Law No. 5018.

(2) The revenues of the Authority are:

a) The treasury grants from the national budget.

b) The revenues generated from the movables and immovables owned by the Authority.

c) Donations and aids received.

d) Revenues generated from making use of the revenues.

e) Other revenues.

Amended and added provisions

ARTICLE 30- (1) The following line is added to Table no. (III) attached to Law No. 5018.

“10) Personal Data Protection Authority”

(2) Regarding paragraph 2 of Article 135 of the Law No. 5237, the expression “of persons” is changed as “of personal data, persons;” the expression “the person recording the information as personal data is punished pursuant to the provision of the aforementioned paragraph” is changed as “the punishment to be inflicted pursuant to paragraph 1 is aggravated by half in case of.”

(3) Regarding paragraph 3 of Article 226 of Law No. 5237, the expression “children” is changed as “children, representative child images or persons in the appearance of a child”.

(4) Regarding paragraph 1 of Article 243 of Law No. 5237, the expression “and” is changed as “or” and the following paragraph is added to the article.

“(4) The person who monitors data transfers within an IT system or between IT systems without entering the system by means of technical tools is sentenced to imprisonment of one to three years.”

(5) The following Article 245/A is added after Article 245 of Law No. 5237.

“Prohibited devices or software

ARTICLE 245/A- (1) In case a device, a computer software, password or other security code is developed or generated in order to commit the crimes referred to in this Section as well as other crimes which may be committed by means of using IT systems as tools, the person who produces, imports, delivers, transfers, stores, receives, sells, offers for sale, buys, gives to others or possesses is sentenced to imprisonment from one to three years and imposed a punitive fine up to five thousand days.”

(6) Subparagraph (f) of paragraph 1 of Article 3 of Healthcare Services Fundamental Law No. 3359 dated 7/5/1987 is changed as indicated below.

“f) In order to monitor the medical condition of everyone and for effective and rapid performance of healthcare services, the required registration and information system is established by the Ministry of Health and its subsidiaries. Such system may be established in the electronic environment in a manner compatible with e-State applications. For this purpose, a country-wide IT system may be established by the Ministry of Health in a manner to comprise the subsidiaries as well.”

(7) Article 47 of Decree Law Concerning the Organization and Duties of the Ministry of Health and its Subsidiaries is changed as indicated below.

“ARTICLE 47-(1) The personal data of those who apply to public and private healthcare providers and to healthcare professionals in order to receive healthcare services which they are required to disclose as a necessity of the healthcare service and the personal data regarding the service provided to them may be processed.

(2) For purposes such as providing healthcare services, protecting public health, performing preventive medicine, medical diagnosis, treatment and care services and planning healthcare services and calculating costs, the Ministry may process the data obtained within the scope of paragraph 1. Such data may not be transferred in conditions other than those mentioned in the Personal Data Protection Law.

(3) The Ministry establishes a system which provides data subjects and authorized third parties with access to data collected and processed according to paragraph 2.

(4) The standards regarding the security and reliability of the systems established according to paragraph 3 are specified by the Ministry in compliance with the principles set out by the Personal Data Protection Board. The Ministry takes the measures required for providing the safety of personal medical data collected pursuant to this Law. For this purpose, a safety system is established in order to supervise the users and purpose of use of the information registered in the system.

(5) Public institutions and organizations as well as private law legal and natural persons employing healthcare personnel are obliged to notify the Ministry of the employed personnel and the actions of such personnel.

(6) Other matters concerning the processing and security of personal medical data and the implementation of this Article are arranged by means of the regulations brought into force by the Ministry.”

Regulations

ARTICLE 31- (1) The regulations regarding the implementation of this Law are brought into force by the Authority.

Transitional provisions

PROVISIONAL ARTICLE 1- (1) The members of the Board are selected and the Presidency organization is formed according to the procedure prescribed in Article 21 within six months following the publication date of this Law.

(2) Data controllers must register in the Data Controller Register within the time specified and announced by the Board.

(3) Personal data processed prior to the publication date of this Law shall be brought into conformity with the provisions of this Law within two years following the publication date. Personal data found to be non-compliant with the provisions of this Law are immediately erased, destroyed or rendered anonymous. However, consents lawfully granted prior to the date of publication of this Law are deemed to be in compliance with this Law unless a declaration of intention to the contrary is made within one year.

(4) The regulations prescribed in this Law are entered into force within one year following the publication date of this Law.

(5) Within one year following the date of publication of this Law, a senior executive is determined and notified to the Presidency in order to provide the coordination concerning the implementation of this Law at the public institutions and organizations.

(6) The first elected President, Vice President and two members selected by lot serve for six years; other five members serve for four years.

(7) Until budget allocation;

a) The expenses of the Authority are covered through the budget of the Prime Ministry.

b) All required supporting services such as buildings, tools, instruments, furnishing and equipment are provided by the Prime Ministry for the Authority to perform its services.

(8) The secretariat services shall be provided by the Prime Ministry until the service departments of the Authority become operational.

Commencement

ARTICLE 32- (1) This Law enters into force in the following manner:

a) Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 enter into force after six months following the date of publication of this Law,

b) The other articles of this Law enter into force on the date of publication.

Execution

ARTICLE 33- (1) The provisions of this Law are executed by the Council of Ministers.

06/04/2016

TABLE NO. (I)

STAFF LIST OF THE PERSONAL DATA PROTECTION AUTHORITY

| CLASS | TITLE | DEGREE | TOTAL |
|-------|-------|--------|-------|
| GAS | Vice President | 1 | 1 |
| GAS | Head of Department | 1 | 7 |
| GAS | Legal Advisor | 1 | 1 |
| GAS | Legal Advisor | 3 | 3 |
| LS | Attorney at Law | 6 | 4 |
| GAS | Personal Data Protection Expert | 5 | 10 |
| GAS | Personal Data Protection Expert | 7 | 20 |
| GAS | Assistant Personal Data Protection Expert | 9 | 60 |
| GAS | Financial Services Expert | 6 | 2 |
| GAS | Assistant Financial Services Expert | 9 | 2 |
| GAS | Official | 5 | 5 |
| GAS | Official | 7 | 5 |
| GAS | Official | 9 | 5 |
| GAS | Official | 11 | 5 |
| GAS | Official | 13 | 5 |
| GAS | Computer Operator | 7 | 5 |
| GAS | Data Preparation and Control Operator | 6 | 5 |
| GAS | Data Preparation and Control Operator | 7 | 5 |
| GAS | Data Preparation and Control Operator | 8 | 5 |
| GAS | Data Preparation and Control Operator | 9 | 5 |
| GAS | Data Preparation and Control Operator | 10 | 5 |
| GAS | Secretary | 5 | 3 |
| GAS | Secretary | 8 | 7 |
| GAS | Telephone Operator | 9 | 1 |
| GAS | Driver | 11 | 4 |
| TS | Technician | 6 | 3 |
| AS | Assistant Technician | 9 | 2 |
| AS | Janitor | 11 | 10 |
| TOTAL | | | 195 |

GAS: General Administrative Services

LS: Legal Services

TS: Technical Services

AS: Assisted Services