parallax background

Deniz Mina Küpana


Law No 6698 On The Protection Of Personal Data And The Precautions That The Companies Should Take In This Respect

The Law on the Protection of Personal Data is effective as April 7th, 2016, on which it is published on the Official Gazette. The Law, filling a significant gap as to processing, transferring and security of personal data, and the sanctions in the cases of failure to comply with obligations thereof, also imposes obligations on individuals and organizations that work with personal data.

The Law defines personal data as the any information regarding any natural entity, whether or not it is identified or identifiable. The preamble of the Law extends the scope of personal data and defines it “Data that is related not only to the name, surname, place and date of birth that may be used to identify individuals, but also to their mental, psychological, physical, cultural, economic, social and similar characteristics.” “Name, phone number, vehicle plate numbers, social security numbers, passport numbers, CVs, images, video and audio records, finger prints, genetic information may be used to identify an individual indirectly, and therefore are personal data.” In other words, when the law is considered with its preamble, definition of personal data becomes wider, and what is to be considered by the companies extends further.

That is, today’s companies process personal data or personal data that is special in nature (such as health, biometric characteristics, memberships, sexual life, race, religion, etc.) for various reasons depending on their field of activity. Therefore, what companies should consider regarding personal data extends due to LPPD, and it is highly significant to pay special attention to this matter. It is possible make a compilation of what is imposed by the Law as follows:

  • One of the important obligations imposed by the Law on PPD is the data record system where as the other is data inspector. Accordingly, companies that process personal data will be responsible as data inspectors for the establishment and management of the data recording system within the company. Also, data inspection companies shall designate a real or legal person as a data processor.


  • In this respect, the law imposes a number of obligations to ensure data security, on data inspector. The data inspector is primarily responsible for preventing unauthorized processing of and access to personal data, and taking technical and administrative precautions to secure such data.


  • Art. 10 of the Law also imposes on the data inspector, an obligation to inform. Accordingly, the data inspector or the person designated thereby is obliged to inform relevant people, on the purpose for which such data will be processed, to whom and for what purpose such the personal data will be transferred, how such data is collected and the legal reasons thereof. On the other hand, everyone, has the right to apply to data inspector, to learn whether any personal information regarding themselves have processed or not, to demand information on such data, to find out whether such data is process for a right purpose, to know the third persons, whether at home or abroad, to whom such data are transferred, and removal and deletion of such data.


  • One of the most important tasks for data inspectors is to ensure the implementation of the provisions of this Law in its own institution or organization, to carry out or to cause the necessary inspections for this purpose, to be carried out.


  • Law No. 6698 formed Personal Data Protection Authority and the Board for Protection of Personal Data, granted it the power to review the records of any companies in violation of the law, ex officio, in case of complaint or allegation of violation. In case of violation of the provisions of this Law, such companies may be sentenced to a punitive fine up to TRY1.000.000. It is also considered a crime as per the Turkish Penal Code and in violation of the regulations of this law, imprisonment from 1 to 4,5 years is proposed.


The law was enacted on April 7th, 2016 and the companies were granted a six month period for compliance. Pursuant to this, it has been stated that companies that do not comply with the conditions proposed in the law and the terms of data processing as of 7.10.2016, shall be imposed various sanctions. Therefore, it is an inevitable for companies to be sensitive in this respect. The measures that companies may take in the light of the aforesaid may be listed as follows;


1.   The first step that should be taken in order to carry out such a process in a reliable way is to create an inventory. That is to say, who, in the company, processes or records personal data, or does any such person transfer such data to any third persons? The first thing to do is to identify such personnel as each personal data a company possesses means a liability for that company, and it is very important to determine the boundaries of such liability and act accordingly. Then, an analysis should be conducted to determined how much of any such personal data is required, or not. Following such analysis, the company will not demand any data that it does not use or that are not required by the laws, any if the company has any such data, they will be deleted.  In that case, as a first step, an inventory should be created in order to determine a road map, and then the process should be managed on this basis. 


2.   After all the analysis, the second step is to determine the needs and responsibilities within the company. As stated above, a data inspector should be designated within the company, a lead-team that will be formed to manage the process within the company, and it will determined which data will be secured, and how, by the lead-team. In this context, the technical infrastructure that is required for the system to function properly, must be built.  Finally, an audit mechanism should be introduced to ensure that the system functions properly, and to minimize potential errors.


3.   As the third step, the data should be classified according to their individual significance. In the light of such an assessment, it is necessary to determine which data will be preserved. That is to say, some data may be known by all employees, whereas some must only be available to a limited number of employees. What needs to be done at this point is to start work by granting minimum authority to employees within the company and to expand the authority as necessary. For instance, should an employee needs only the name or the e-mail address of an individual in connection with his/her work, such an employee should not be provided with the phone number, identification number, etc. of the relevant individual, in other words, the data would be secured by granting the employee an access authorization that is limited to what that employee does.


4.   Another important point that the companies should address is to ensure cyber security. The cyber security is becoming more and more important today, and companies need to invest in the infrastructure required for that. Considering companies, especially in Turkey, it has been found out that security protocols against the cyber attacks are below the standards, and it is a must to invest in this regard. Due to this, many companies are now potential targets of cyber attacks, with the personal data they possess.


In conclusion, the Law No. 6698 on PPD introduced a number of regulations regarding personal data, and processing and storage thereof, and imposes serious sanctions in the cases of failure to comply with those. The concept of personal data has been an important subject in daily life and concerns everyone, and imposes an important obligation on companies that, especially due to their needs, have access to personal data. In this context, the obligations of companies are listed above, and if the companies manage to comply thereto, there will be no problem in terms of data security.