Personal Data Protection Law

* In case of any difference in meaning between the original Turkish text and the English translation, the Turkish text will be applicable.

            Law Number                                    : 6698

            Date of Ratification                         : 24/3/2016

            Published in Official Gazette          : Date: 7/4/2016 (DD/MM/YYYY) Number: 29677

            Published on the Law                      : Order: 5       Volume Number: 57


Purpose, Scope and Definitions


ARTICLE 1 – (1) The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.


ARTICLE 2 – (2) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partially by automated means or by non-automated means which provided that form part of a data filing system. 


Processing of Personal Data

General Principles

ARTICLE 4 – (1) Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.

(2) The following principles shall be complied within the processing of personal data:

a) Lawfulness and fairness

b) Being accurate and kept up to date where necessary.

c) Being processed for specified, explicit and legitimate purposes.

ç) Being relevant, limited and proportionate to the purposes for which they are processed.

d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

Conditions for processing personal data

ARTICLE 5 – (1) Personal data shall not be processed without explicit consent of the data subject.

(2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

a) It is expressly provided for by the laws.

b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.

c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.

ç) It is necessary for compliance with a legal obligation to which the data controller is subject.

d) Personal data have been made public by the data subject himself/herself.

e) Data processing is necessary for the establishment, exercise or protection of any right.

f) Processing of data is necessary for the legitimate interests pursued by the datacontroller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Conditions for processing of Special categories of personal data

Article 6 – (1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data

(2) It is prohibited to process special categories of personal data without explicit consent of the data subject.

(3) Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. 

Erasure, destruction or anonymization of personal data

ARTICLE 7 – Despite being processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destructed or anonymized by the data controller, ex officio or on the request of the data subject, in the event that the reasons for the processing no longer exist.

Transfer of personal data

ARTICLE 8 – (1) Personal data shall not be transferred without explicit consent of the data subject.

(2) Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in:

a) the second paragraph of Article 5,

b) the third paragraph of Article 6, provided that sufficient measures are taken.

Transfer of personal data abroad

ARTICLE 9 – (1) Personal data shall not be transferred abroad without explicit consent of the data subject.

(2) Personal data may be transferred abroad without explicit consent of data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;

(a) Adequate protection is provided.

(b) Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Turkey and in the relevant foreign country and authorisation of the Board.

(3) The Board determines and announces the countries with adequate protection.

(4) The Provisions of other laws relating to the transfer of personal data abroad are reserved.


Rights and Obligations

Obligation of Data Controller to Inform

ARTICLE 10 – (1) At the time when personal data are obtained, the datacontroller or the person authorised by it is obliged to inform the data subjects about the following:

a) the identity of thedata controller and of its representative, if any,

b) the purpose of processing of personal data;

c) to whom and for which purposes the processed personal data may be transferred,

ç) the method and legal basis of collection of personal data,

Rights of The Data Subject

ARTICLE 11 – (1) Each person has the right to request to the data controller about him/her;

a) to learn whether his/her personal data are processed or not,

b) to demand for information as to if his/her personal data have been processed,

c) to learn the purpose of the processing of his/her personal data and whether these personal

data are used in compliance with the purpose,

ç) to know the third parties to whom his personal data are transferred in country or abroad,

d) to request the rectification of the incomplete or inaccurate data, if any,

e) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,

f) to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,

g) to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,

ğ) to claim compensation for the damage arising from the unlawful processing of his/her personal data.

Obligations concerning data security

ARTICLE 12- (1) The data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:

a) preventing unlawful processing of personal data,

b) preventing unlawful access to personal data,

c) ensuring protection of personal data.  


Request, Complaint and Data Controllers’ Registry

Complaint to the Board

ARTICLE 14 – (1) If the request is refused, the response is found insufficient or the request is not responded within the specified time period, the data subject may lodge a complaint with the Board within thirty days as of he or she learns about the response of the datacontroller, or within sixty days as of the request date, in any case.

(2) A complaint shall not be lodged before exhausting the remedy of the request to the data controller pursuant to Article 13.

(3) The right to compensation, under thegeneral provisions, of those whose personal rights are violated, is reserved.

Procedures and principles of the examination ex officio (on its own initiative) or upon complaint

ARTICLE 15 – (1) The Board shall carry out the necessary examination on the mattersfalling within its task upon complaint or ex officio where it has learnt about the alleged infringement.

(2) The notices and complaints not meeting conditions pursuant to Article 6 of the Law No. 3071 of 1/11/1984 on the Use of Right to Petition shall not be examined.