'Law on the Protection of Personal Data No. 6698', which has been pending for many years in Turkish Law System and entered into force after being published on 7 April 2016, is intended to protect the fundamental rights and freedoms of individuals, especially the privacy of private life in the processing of personal data and to regulate the obligations and rules to be complied with by real person and legal entity in processing personal data.

Except for the exceptions specified in the Law, personal data cannot be processed without the express consent of the person concerned; will not be transferred to third parties and abroad. In case of failure to comply with the articles which is specified in the separate articles of the Law, institutions may be subject to administrative fines. According to the law, imprisonment of 1 to 3 years is sentenced for those who violate personal data. In addition, the person who seizes this data through a violation may be sentenced to imprisonment from 2 to 4 years. Administrative fines may increase from 5,000TRY to 1,000,000TRY, depending on the articles in Law which is not fulfilled.

Personal data are considered as the information entrusted to the institutions and organizations by their original owners. With the Law on the Protection of Personal Data, is audited the use of this data, in terms of institutions which is using personal data. The main question that concerns the institutions is: "What should we do account for personal data we processed?". Institutions that can answer this question will also comply with the Law on the Protection of Personal Data.

At this point, it should be emphasized that protecting data is not prohibiting the use of data. The purpose of this is to ensure that the owner of the data decides for whom and for what purpose the data will be used and to make the data owner's right to request information.

In our age, where information technologies are developing rapidly and official transactions are mostly done in electronic environment, there are many advantages to the processing of personal data. For example, you can get news from an institution that you provide your information on campaign and discount days. However, there is a possibility that your information may be misused. The purpose of the law is to eliminate this possibility. The purpose of this is transparency as the principle of data processing activities. This ensures that the data owner has a say on the data.

Any private information belonging to real persons is personal data. Any information that makes the person identifiable either directly or indirectly is covered by personal data. For examples: the telephone number, the license plate, hobbies , health information...

Special data are sensitive data. Because data on issues such as religious belief, political opinion, association or union membership, criminal convictions, sexual life; when it is learned by others, it may lead to victimization of the person concerned or by giving privilege to the person concerned, it may cause other people to victimization. The person concerned is the person whose activity is related to his/her personal data and is reached as a result of the data processing activity.

The data officer is the person who is responsible for the management of the data by deciding the purpose for which the personal data will be processed and through which channels data processing will be performed. The data officer is the person who determines what to do with the data, so data officer is the person with the highest level of responsibility under the law. The data officer also has the responsibility to compensate for the actions of the lower level data processing processors.

Based on the authorization given by the data officer, the person who performs the data processing activity is the person who processes the data.

Any process such as obtaining, storing, modifying, transferring, or preventing the use of all or part of a personal data manually means the processing of personal data. Storing information of someone else on a hard disk or CD without any further action is a data processing activity.

The Committee, which is the governing body of the Personal Data Protection Agency, established under the Law on the Protection of Personal Data, is obliged to make decisions regarding the protection of personal data. The institution consists of 9 people; In the event of the situations specified in the Law, it is obliged to listen to the complaints, to apply financial sanctions when necessary, to keep the registry of the data responsible. 4 members of the Committee are elected by the President and 5 members are elected among the candidates nominated by the party groups in proportion to the number of members of the political party groups in the Turkish Grand National Assembly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.