TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce and Yiğit Aktimur, YAZICIOGLU Legal
Transfers Abroad”) and the Guidelines on the Transfer of Personal Data Abroad (“Guidelines on Transfers Abroad”), which largely refer to the European Data Protection Board’s (EDPB) guidelines in interpreting the new cross-border transfer rules. The DP Law establishes a framework by out - lining the general obligations and principles for data processing activities. Its implementation is further supported by secondary legislation and guidelines issued by the Turkish Data Protection Authority (DPA), with key regulations and guide - lines including: • the By-Law on the Deletion, Destruction, or Anonymisation of Personal Data (“By-Law on the Disposal of Personal Data”); • the By-Law on the Registry of Controllers; • the By-Law on Data Transfers Abroad; • the Communique on Principles and Proce - dures to Be Followed in Fulfilment of the Obli - gation to Inform (“Communique on Obligation to Inform”); • the Communique on Principles and Proce - dures for the Request to Controllers; and • Guidelines regarding: (a) processing of special categories of per - sonal data; (b) data transfers abroad; (c) application of administrative offences in terms of time; (d) privacy on mobile applications; (e) processing of genetic data; (f) good practices in the banking sector; (g) cookie, practices; (h) right to be forgotten; (i) processing of biometric data; (j) artificial intelligence (AI); (k) preparing an inventory of personal data processing; (l) fulfilment of the obligation to inform;
(m) technical and organisational measures; (n) deletion, destruction, or anonymisation of personal data; and (o) the concepts of controller and processor. In addition, the DPA adopts resolutions, which are published on the DPA’s website and/or in the Official Gazette. Turkish Criminal Law Certain actions that violate personal data pro - tection are defined as crimes in the Turkish Crim - inal Law (TCrC). The TCrC also outlines criminal sanctions for these violations as follows: • unlawful recording of personal data is subject to imprisonment of one to three years; • unlawful transfer, publication, or acquisition of personal data is subject to imprisonment of two to four years — if these are realised by exploiting the advantages of a profession or art, such actions are subject to imprisonment of three to six years; and • failure to destroy personal data after the retention period set forth in the law has passed is subject to imprisonment of two to six years. The investigation may commence without requiring a complaint (ie, ex officio by public prosecutors). However, there is no established jurisprudence for harmonising criminal sanctions with the DP Law. Turkish Civil Law & Turkish Code of Obligations Personal data is considered a part of personality under Turkish law; as such, it is also protected under the protection of personality rights in the Turkish Civil Law (TCiC). Therefore, an individual whose right to the protection of their personal
476 CHAMBERS.COM
Powered by FlippingBook