Turkey’s Law on Protection of Personal Data (LPPD) Overview

By Anas Baig | Reviewed By Omer Imran Malik
Published August 8, 2023 / Updated April 24, 2024

The world is taking data privacy seriously, and every day, more and more countries are enacting data protection legislation to ensure the protection of personal data. Turkey was one of the first countries to start the trend of legislating data protection. Turkey drafted legislation covering personal data protection on April 07, 2016, called “Law on the Protection of Personal Data No. 6698 (LPPD).” This law is based on the European Union Data Protection Directive 95/46/EC and aims to give data subjects control over their personal data.


Scope of LPPD

  • According to Article 2 of LPPD, this law applies to "natural persons whose personal data are processed, and natural persons or legal persons who process such data fully or partially through automatic or non-automatic means." 
  • It provides a comprehensive framework for the processing and transferring of personal data and its security. 
  • LPPD applies to any organization that collects data or processes data collected from Turkey. Its scope also includes Turkey's entities and any foreign natural or legal entity collecting or processing Turkish-originated data or Turkish data subjects' personal information regardless of their physical location.

Key Definitions Under the LPPD

The following definitions mentioned under Article 3 of the LPPD are crucial to understanding the law:

  • Board: Personal Data Protection Board
  • Data Subject: A natural person whose personal data is processed
  • President: President of the Personal Data Protection Authority
  • Authority: Personal Data Protection Authority
  • Personal Data: Information relating to an identifiable or identified natural person
  • Explicit consent: Informed, specific, and freely given consent
  • Processor: A natural or legal person who is authorized by the data controller to process personal data on his behalf
  • Anonymizing: Making personal data impossible to be linked with an identifiable natural person, even through matching them with other data
  • Controller: A natural or legal person who is responsible for establishing and managing the data registry system and determines the purpose and means of processing personal data
  • Data registry system: The registry system where the personal data is structurally registered according to predefined criteria
  • Processing of personal data: Any operation performed on personal data, which includes the collection, storage, recording, retention, alteration, disclosure, re-organization, transferring, making retrievable, taking over, classification or preventing the use thereof, partially or fully through automated means or provided that the process is a part of any data registry system, through non-automatic means

Key Principles in Processing of Personal Data

Article 4 of LPPD states that “Personal data may only be processed in compliance with the procedures and principles set forth in this Law and other laws.” Other laws that regulate personal data processing in Turkey in parallel are the European Union Data Protection Directive 95/46/EC and the Automatic Processing of Personal Data No. 108. Key principles required for the processing of personal data are:

  • Lawfulness and conformity with rules of bona fides
  • Accurate and, where necessary, kept up-to-date
  • Processed for specified, explicit, and legitimate purposes
  • Relevant, limited, and proportionate to the purposes for which they are processed
  • Retained for the period of time determined by the relevant legislation or the period deemed necessary for the purpose of the processing

Conditions of Processing of Personal Data Under LPPD

Although under Article 5(1) of LPPD, the data subject's explicit consent is mandatory for processing personal data, personal data processing may also be allowed when one of the following conditions is established:

  • It is clearly provided for by the laws.
  • It is mandatory for the protection of the life or physical integrity of the person or any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.
  • Processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the conclusion or fulfillment of that contract. 
  • The controller must be able to perform his legal obligations.
  • The data concerned is made available to the public by the data subject himself.
  • Data processing is mandatory for the establishment, exercise, or protection of any right.
  • It is compulsory for the controller's legitimate interests, provided that this processing shall not violate the data subject's fundamental rights and freedoms.

Rights of Data Subjects

Under Article 11 of LPPD, data subjects are granted the following rights:

  • The right to be informed about the processing of their personal data
  • The right to request information if their personal data is processed
  • The right to know the purpose of data processing and whether this data is used for the intended purposes
  • The right to know the third parties to whom their personal data is transferred at home or abroad
  • The right to request the rectification of incomplete or inaccurate data
  • The right to request the erasure of their personal data under the conditions laid down in Article 7 of LPPD
  • The right to object to the processing of personal data exclusively by automated decision-making systems
  • The right to request compensation for the damage arising from the unlawful processing of their personal data.

Obligations of Data Controller

  • Under Article 10 of LPPD, the data controller must inform the data subject in every situation where their data is processed.
  • The data controller must also erase, destroy, or anonymize personal data if the data subject demands it despite the data being processed under LPPD's provisions. In this regard, the Board has issued a Regulation on the Erasure, Destruction, and Anonymizing of Personal Data (published in the Official Gazette dated October 28, 2017, numbered 30224).
  • Under Article 13, the data subject may apply in writing to the Controller, demanding the implementation of their rights mentioned in Article 11 of LPPD or through any other means specified by the Board. 
  • According to Article 14 of LPPD, the data subject may file a complaint with the Board within 30 days following the date the data subject becomes aware of the data controller’s response and 60 days of receipt at most. 

Transfer of Personal Data to Third Parties

  • For the transfer of personal data inside Turkey, according to Article 8 of LPPD, personal data can only be transferred with the data subject's explicit consent. To transfer personal data without the data subject's explicit consent, LPPD stipulates the same conditions as mentioned in Articles 5(2) and 6(3) of the LPPD for processing personal data. 
  • Transfer of personal data abroad is permitted if it meets the processing conditions outlined in the KVKK for personal data or for special categories of personal data. Additionally, a "qualification decision" must exist for the destination country, specific sectors within the country, or international organizations involved in the transfer.
  • The Personal Data Protection Board will make the qualification decision, which will then be published in the Official Gazette. This decision will be reviewed at least every four years. The Board has the authority to amend, suspend, or withdraw the qualification decision with a prospective effect based on the review or other circumstances it deems necessary.
  • In the absence of an adequacy decision, personal data can still be transferred abroad if the parties offer appropriate safeguards outlined in Article 9(4) of the KVKK provided that one of the conditions for processing personal data or processing special categories of personal data under the KVKK is met. Additionally, it's crucial that the data subject has the chance to exercise their rights and seek effective legal remedies in the country where the transfer is intended.
  • Where there's no adequacy decision, and the specified safeguards can't be provided, data transfers abroad may occur only under one of the situations given in Article 9(6) of KVKK, provided it is not accidental.

Obligations to Register to Data Controllers’ Registry

Under Article 16 of LPPD, natural persons or legal persons who process personal data must enroll in the Data Registry of Controllers before taking any steps to process personal data. Application for enrolling must be made with a notification containing the following essentials:

  • Identity and address of the controller and of their representative
  • Purposes for which the personal data will be processed
  • Explanations about the group of personal data subjects as well as about the data categories belonging to them
  • Recipients or groups of recipients to whom the personal data may be transferred
  • Personal data which is envisaged to be transferred abroad
  • Measures taken for the security of personal data
  • The maximum period of time required for the purpose of the processing of personal data.

Requirements of Data Security

  • Pursuant to Article 12 of LPPD, it is the responsibility of the Data controller to ensure the retention of personal data, prevention of unlawful processing of personal data, and prevention of unlawful access to personal data.
  • All necessary organizational and technical measures should be taken by the controller to fulfill the obligation stated under LPPD. Turkey has issued a Personal Data Security Guide to clarify the technical and organizational measures for the secure processing of personal data.

Enforcement

Criminal Penalty

Article 17 of LPPD states that Articles 135-140 of Turkish Penal Code No. 5237 of 26/9/2004 apply to crimes concerning personal data, which can be subject to imprisonment.


Fines

Pursuant to Article 18 of the LPPD, the Personal Data Protection Board can impose administrative fines up to TRY 1.000.000 for each incidence of non-compliance. Non-compliance with the data protection laws can result in the following:

  • Fine for non-compliance with the information notice requirements
  • Fine for non-compliance with the data security obligations
  • Fine for non-compliance with Data Protection Authority orders/decisions
  • Fine for non-compliance with the Data Controllers' Registry requirements
  • Fine for non-compliance with the notification requirement in case of data transfer through standard contracts.

Automating Compliance

For organizations that process and transfer personal data, compliance with the LPPD can be a complex task. Compliance can be a very human-intensive process and a costly affair for businesses operating in the Turkish markets or abroad, and they still risk facing liabilities for non-compliance.

SECURITI.ai’s award-winning compliance solution revolves around the concept of PrivacyOps, which uses artificial intelligence, robotic automation and machine learning to provide enterprises with a system that automates the majority of compliance tasks, freeing up crucial resources for other areas of business.

SECURITI.ai helps businesses discover data over a web of internal and external systems, stitch together a data graph to link personal data with each individual, conduct automated internal assessment of policies as well as third-party vendors, manage consent and do a lot more!

SECURITI.ai and its innovative automated mechanisms help businesses comply with the complex requirements of the LPPD with the simple click of a button. To learn how SECURITI.ai can help your business efficiently implement privacy management, request a demo today.


Key Facts

1. The LPPD went into effect on April 7, 2016.

2. The right to data processing and the right to data portability are not applicable under the LPPD.

3. The national data protection authority is the Kişisel Verileri Koruma Kurumu (Personal Data Protection Authority).

4. The LPPD requires controllers to register to the VERBIS, which is the data registry system in Turkey.

5. Administrative fines are increased each year based on the re-evaluation schedules published in the Official Gazette with Tax Procedural Law Communiques.


Frequently Asked Questions (FAQs)

What is the LPPD in Turkey?

The LPPD, or Law on Protection of Personal Data (Kişisel Verilerin Korunması Kanunu - KVKK), is Turkey's data protection law. It governs the processing and protection of personal data within Turkey.

What is the protection of personal data numbered 6698?

The "Protection of Personal Data Numbered 6698" refers to the Turkish Personal Data Protection Law (KVKK), which is Turkey's comprehensive data protection legislation.

What is the right to privacy in Turkey?

The right to privacy in Turkey is protected by the Turkish Constitution and is further regulated by the Turkish Personal Data Protection Law (KVKK), which outlines the rights and principles related to individuals' personal data.

Is Turkey subject to GDPR?

While Turkey is not an EU member state, it has aligned its data protection laws with GDPR principles. The Turkish Personal Data Protection Law (KVKK) shares similarities with GDPR.

What is the difference between KVKK and GDPR?

KVKK (Turkish Personal Data Protection Law) and GDPR (General Data Protection Regulation) have similarities in terms of protecting individuals' data privacy, but they have differences in terms of specifics and jurisdiction. KVKK applies to Turkey, while GDPR applies to the EU.
