Law on Protection of Personal Data

Law On Protection Of Personal Data

Law Number                         : 6698

Date of Enactment               : 24/3/2016

Published in the Official Gazette: 7/4/2016 - 29677

The English version of this Law is last updated on 31 March 2017

This translation has been produced on the basis of the Turkish version of the Law published on the official legislation website 'http://www.mevzuat.gov.tr' 

 

CHAPTER I

Purpose, Scope and Definitions

Purpose

ARTICLE 1- (1) The purpose of this Law is to protect the fundamental rights and freedoms of persons, notably their right to privacy and to set out the obligations of natural and legal persons who process the personal data and the procedures and principles they will follow.

Scope

ARTICLE 2- (1) The provisions of this Law shall apply to the natural persons whose personal data are processed and the natural and legal persons who process  such data wholly or partly by automatic means or by other means provided that they form part of a filing system.

Definitions

ARTICLE 3- (1) Under the implementation of this Law;

a) Explicit consent shall mean any free and informed consent given with respect to a specific issue,

b) Anonymisation shall mean that personal data are retained in a form in which the association of these data with an identified or identifiable natural person is no longer possible, even by linking them with other data,

c) President shall mean the President of the Personal Data Protection Board,

ç) Data subject shall mean a natural person whose personal data are processed,

d) Personal data shall mean any kind of information relating to an identified or identifiable person,  

e) Processing of personal data shall mean any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transmission, retrieval, making available for collection, categorization or blocking its use, wholly or partly by automatic means or by other means provided that they form part of a filing system,

f) Board shall mean the Personal Data Protection Board,

g) Authority shall mean the Personal Data Protection Authority,

ğ) Processor shall mean the natural or legal person who processes personal data based on the authority granted by the controller on his behalf,

h) Data filing system shall mean the filing system in which personal data are  structured and processed according to specific criteria,

ı) Controller shall mean the natural or legal person who determines the  ends and means of the processing of personal data and who is responsible for the establishment and management of the filing system.

CHAPTER II

Processing of Personal Data

General principles

ARTICLE 4- (1) Personal data can be processed only in accordance with the procedures and principles set out by this Law and other laws.

(2) It shall be obligatory to comply with the following principles while processing personal data:

a) Being in conformity with the law and the principle of bona fide,

b) Being accurate and, when necessary, up-to-date,

c) Being processed for specified, explicit and legitimate purposes,

ç) Being relevant, limited and proportionate in relation to the purposes for which they are processed,

d) Being stored for no longer than is provided in the relevant legislation and is necessary for the purposes for which data are processed.

Conditions for processing of personal data

ARTICLE 5- (1) Personal data cannot be processed without explicit consent of the data subject.

(2) Personal data can be processed without explicit consent of the data subject under one of the following conditions:

a) It is expressly provided by the laws.

b) It is obligatory to protect the life or physical integrity of the data subject or of another person who is physically incapable of giving his/her consent or whose consent is not deemed to be legally valid.

c)  It is necessary to process the personal data of the parties to a contract provided that processing is directly related to the conclusion or performance of the contract.

ç) It is obligatory for the controller to be able to fulfil its legal obligation,

d) It is made public by the data subject himself/herself,

e) It is obligatory to process data for the establishment, exercise or protection of a right.

f) It is obligatory to process data for the purposes of the legitimate interests of the controller provided that the processing does not prejudice the fundamental rights and freedoms of the data subject.   

Conditions for processing of special categories of personal data

ARTICLE 6- (1) Data revealing racial, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance or dress, membership of an association, foundation or trade union, health, sex life, conviction and security measures and the biometrics and genetics of persons shall constitute special categories of personal data.

(2) It shall be prohibited to process special categories of personal data without explicit consent of the data subject.

(3) Personal data other than those revealing health and sex life provided in the first paragraph can be processed without explicit consent of the data subject in cases prescribed by the laws. Personal data revealing health and sex life can be processed by persons who are under a legal obligation of secrecy or by competent institutions and organizations without explicit consent of the data subject only for the purposes of protection of public health, preventive medicine, medical diagnosis, provision of care or treatment, planning and management of health services and their financing.

(4) It shall be required to take adequate measures determined by the Board while processing special categories of personal data.

Erasure, destruction and anonymisation of personal data

ARTICLE 7- (1)  Although personal data are processed in accordance with this Law and other relevant provisions of law, they shall be erased, destroyed or rendered anonymous ex officio or upon the request of the data subject in cases where the reasons necessitating their processing cease to exist.

(2) Provisions of other laws relating to erasure, destruction and anonymisation of personal data shall be reserved.

(3) Procedures and principles relating to erasure, destruction or anonymisation of personal data shall be regulated by a by-law.

Transfer of personal data

ARTICLE 8- (1) Personal data cannot be transferred without explicit consent of the data subject.

(2) Personal data can be transferred without explicit consent of the data subject, under one of the following conditions;

a) under the second paragraph of Article 5,

b) under the third paragraph of Article 6, provided that adequate measures are taken.

(3) Provisions of other laws relating to transfer of personal data shall be reserved.

Overseas transfer of personal data

ARTICLE 9- (1) Personal data cannot be transferred overseas without explicit consent of the data subject.

(2) Personal data can be transferred overseas without explicit consent of the data subject under one of the conditions laid down in the second paragraph of Article 5 and the third paragraph of Article 6 and provided that;

a) Adequate level of protection is provided in the foreign country where personal data are to be processed,  

b) In cases where there is not adequate level of protection, the controllers in Turkey and in the relevant foreign country undertake, in writing, to provide adequate level of protection in the foreign country where personal data are to be processed and this is permitted by the Board.

(3) The countries where adequate level of protection is provided shall be determined and declared by the Board.

(4) The Board  shall decide whether adequate level of protection is provided in the foreign country and whether permission will be granted in accordance with the subparagraph (b) of the second paragraph by taking into account;

a) The international agreements to which Turkey is a party,

b) The principle of reciprocality, regarding the transfer of data, between the state requesting the data and Turkey,

c) The nature of personal data and the purpose and period of processing with respect to each present transfer of concrete data,

ç) The legislation relating to the subject in the state to which personal data are to be transferred and the implementation of this legislation,

d) The measures undertaken by the controller in the state to which personal data are to be transferred,

and, when it deems necessary, by having regard to the opinion of the relevant institutions and organizations.

(5) Without prejudice to the provisions of international agreements, personal data can be transferred overseas only by having regard to the opinion of the relevant state institutions and organizations, in cases where the interests of Turkey or the data subject are seriously harmed.

(6) Provisions of other laws relating to overseas transfer of personal data shall be reserved.

CHAPTER III

Rights and Obligations

Controller's obligation to inform

ARTICLE 10- (1) During the collection of personal data, the controller or the person authorised by the former shall be obliged to inform the data subject with respect to;

a) The identity of the controller and, if any, his/her representative,

b) The purposes of processing of personal data,

c) The persons to whom and the purposes for which the data processed can be transferred,

ç) The means and the legal reasons of collection of personal data,

d) The other rights laid down in Article 11.

Rights of data subject

ARTICLE 11- (1) Everyone shall have the right to apply to the controller and;

a) to learn whether personal data relating to them are processed,

b) to request information if personal data relating to them are processed,

c) to learn for what purposes personal data relating to them are processed and whether these data are used in line with these purposes,

ç) to have knowledge of the third persons to whom personal data relating to them are transferred in the country and overseas,

d) to request rectification of personal data relating to them in cases where they are processed incompletely or inaccurately

e) to request erasure or destruction of personal data relating to them within the framework of the conditions set forth in Article 7,

f) to request notification of the third persons to whom personal data relating to them are transferred, with respect to the operations conducted in accordance with the subparagraphs (d) and (e),

g) to object to any result ensuing to their detriment through analysis of personal data processed especially by means of automatic systems,

ğ) to request compensation for damages caused by unlawful processing of personal data.

Obligations regarding data security

ARTICLE 12- (1) The controller shall be obliged to take any kind of necessary technical and administrative measures to ensure the appropriate level of security with the aim of;

a) preventing unlawful processing of personal data,

b) preventing unlawful access to personal data,

c) ensuring that personal data are safeguarded.

(2) The controller shall be responsible for taking the measures laid down in the first paragraph, jointly with another natural or legal person, in cases where personal data are processed by such person on his behalf.

(3) The controller shall be obliged to carry out necessary inspections or have them carried out in order to ensure that the provisions of this Law apply to his own institution or organization.

(4) The controllers and the persons who process data cannot impart the personal data that they learn to another person contrary to the provisions of this Law and cannot use them for the purposes other than those of processing. This liability shall also continue after these persons retire from office.

(5) In cases where the personal data processed are unlawfully collected by other persons, the controller shall notify it to the data subject and the Board at the shortest time. The Board can announce it, when necessary, on its own website or by any other means that it deems appropriate.

CHAPTER IV

Application, Complaint and Controllers' Register

Application to Controller

ARTICLE 13- (1) The data subject shall file his/her requests to the controller, with respect to the implementation of this Law in writing or by other means which can designated by the Board.

(2) The controller shall conclude the requests included in the application, free of charge, considering the nature of the request, within the shortest time and in thirty days at the latest. However, in cases where the operation requires a separate cost, the fee in the tariff designated by the Board can be collected.

(3) The controller shall accept the request or reject it by explaining the reason and send its reply to the data subject in writing or electronically. In cases where it accepts the request in the application, the controller shall do what is necessary. In cases where the application is submitted due to a fault of the controller, the fee collected shall be refunded to the data subject.

Complaint to the Board

ARTICLE 14- (1) In cases where the application is rejected, replied insufficiently or not replied in due time, the data subject can file a complaint to the Board within thirty days following the date when he/she receives the reply of the controller and within sixty days following the date of application in any case.

(2) Complaint cannot be filed without exhausting the remedies in accordance with Article 13.

(3) Right to compensation shall be reserved in accordance with the general provisions, with respect to the persons whose personal rights are violated.

Procedures and principles of review upon complaint or ex officio

ARTICLE 15- (1) The Board shall carry out the necessary review, upon complaint or ex officio when it is informed of the allegation of violation, with regard to the matters which fall within its remit.

(2) Denouncements or complaints which do not meet the conditions set forth in Article 6 of the Law no. 3071 dated 1/11/1984 on the Exercise of the Right to Petition shall not be reviewed.

(3) Except for the information and documents that constitute state secrets, the controller shall be obliged to submit the information and documents demanded by the Board relating to the subject of its review, in 15 days and to provide opportunities for on-site examination when necessary.

(4) The Board shall review the request upon complaint and reply to the relevant persons. The request shall be deemed rejected in cases where no reply is given within sixty days following the date of complaint.

(5) In cases where it is understood that the violation exists after the review carried out either upon complaint or ex officio, the Board shall decide that the unlawful forms of processing confirmed by itself should be removed and shall notify the relevant persons of this decision. This decision shall be fulfilled without delay and within thirty days at the latest following the notification.

(6) As a result of the review carried out upon complaint or ex officio, the Board shall adopt a resolution and publish it in cases where it is determined that the violation is prevalent. The Board can take the opinions of the relevant institutions and organizations before adopting the resolution.

(7) The Board can decide on the stay of the processing of personal data or the overseas transfer of data in case of hardly reparable or irreparable damages or of explicit unlawfulness.

Register of Controllers

ARTICLE 16- (1) Register of Controllers shall be kept in public by the Presidency, under the supervision of the Board.

(2) Natural and legal persons who process personal data shall be obliged to enrol themselves in the Register of Controllers before initiating the processing. However, considering the objective criteria to be designated by the Board such as the nature and number of the personal data processed, whether their processing is based on any law or whether they are transferred to the third persons, the Board can set forth exceptions to the obligation of enrolment in the Register of Controllers.

(3) Application to the Register of Controllers shall be submitted with a notification including the following matters:

a) Identity and address of the controller and, if any,  of his representative,

b) Purposes for which personal data will be processed,

c) Explanations regarding the group and groups of data subjects and data categories of these persons,

ç) A recipient or a group of recipients to whom personal data can be transferred,

d) Personal data which are envisaged to be transferred to foreign countries,

e) Measures taken for the security of personal data,

f) Maximum period necessary for the purposes for which personal data are processed.

(4) Changes to the information provided in the third paragraph shall be immediately reported to the Presidency. 

(5) Other procedures and principles relating to the Register of Controllers shall be regulated by a by-law.

CHAPTER V

Crimes and Misdemeanours

Crimes      

ARTICLE 17- (1) Articles 135 to 140 of Turkish Penal Code No. 5237 dated 26/9/2004 shall apply to the crimes concerning personal data.

(2) Those who do not erase personal data or render them anonymous contrary to Article 7 of this Law shall be punished in accordance with Article 138 of the Code No. 5237.

Misdemeanours

ARTICLE 18- (1) Under this Law, an administrative fine of;

a) 5.000 to 100.000 Turkish liras shall be imposed on those who do not fulfil the obligation to inform stipulated in Article 10,

b) 15.000 to 1.000.000 Turkish liras shall be imposed on those who do not fulfil the obligation regarding data security stipulated in Article 12,

c) 25.000 to 1.000.000 Turkish liras shall be imposed on those who do not fulfil the decisions of the Board as per Article 15,

ç) 20.000 to 1.000.000 Turkish liras shall be imposed on those who act contrary to the obligation of enrolment in the Register of Controllers and of notification as per Article 16.

(2) The administrative fines envisaged by this article shall apply to natural persons and legal persons in private law who act as controllers.

(3) In cases where the acts listed in the first paragraph are conducted in public institutions and organizations or professional organizations with public institution status, actions shall be taken based on disciplinary provisions, upon the notification of the Board, with regard to the civil servants and other public officials under the relevant public institution or organization and to those who serve under the professional organizations with public institution status, and the result of these actions shall be reported to the Board.

CHAPTER VI

Personal Data Protection Authority and Organization

Personal Data Protection Authority

ARTICLE 19- (1) Personal Data Protection Authority which has administrative and financial autonomy and public legal personality has been established in order to perform the duties stipulated by this Law.

(2) The Authority is affiliated with the Prime Minister's Office.

(3) The headquarters of the Authority is in Ankara.

(4) The Authority is comprised of the Board and the Presidency. The Board serves as the decision-making body of the Authority.

Duties of the Authority

ARTICLE 20- (1) The duties of the Authority are as follows:

a) Following the practices and the developments in the legislation, giving evaluations and recommendations, carrying out researches and inspections or having them carried out in this regard, according to its scope of authority.

b) Cooperating with public institutions and organizations, nongovernmental organizations, professional organizations or universities, when necessary, regarding the issues which fall within the scope of its authority.

c) Following and evaluating the international developments concerning personal data, cooperating with international organizations on the matters which fall within the scope of its authority, attending the meetings.

ç) Presenting the annual activity report to the Presidency, the Committee on Human Rights Inquiry of the Grand National Assembly of Turkey and to the Prime Minister's Office.

d) Performing the other duties assigned by laws.

Personal Data Protection Board

ARTICLE 21- (1) The Board shall independently perform and use its duties and powers provided in this Law and the other laws under its own responsibility. No body, authority, institution or person can give orders or instructions, recommendations or suggestions on the matters which fall within the scope of its authority.

(2) The Board shall be comprised of nine members. Five members of the Board shall be elected by the Grand National Assembly of Turkey, two members by the Presidency and two members by the Council of Ministers.

(3) The following conditions shall be required for the membership of this Board:

a) Having knowledge and experience on the matters which fall within the scope of authority of the Board,

b) Having the qualifications stipulated in the subclauses (1), (4), (5), (6) and (7) of the subparagraph (a) under the first paragraph of Article 48 in the Law No. 657 dated  14/7/1965 on Civil Servants,

c) Not being the member of any political party,

ç) Having received at least four-year higher education at the level of bachelor degree,

d) Having served for at least ten years in total in public institutions and organizations, international organizations, nongovernmental organizations or professional organizations with public institution status or in private sector.

(4) Those who will be elected as the member of the Board shall be asked to give consent. Attention shall be attached to the pluralist representation of those who have knowledge and experience on the matters which fall within the scope of authority of the Board.

(5) The Grand National Assembly of Turkey shall follow the procedure below while electing members to the Board:

a) Twice the number of members to be designated in proportion to that of the political party groups shall be nominated for the election and the members of the Board shall be elected among these candidates, by the Plenary of the Grand National Assembly of Turkey, based on the number of members per political party group. However, no deliberation can be held or no decision can be taken in the political party groups regarding who will be voted for in the elections to be held in the Grand National Assembly of Turkey.

b) The members of the Board shall be elected within ten days following the designation and announcement of candidates. A split ticket shall be prepared as separate lists for the candidates nominated by the political party groups. The special place allocated for the names of the candidates shall be marked for voting. The votes casted more than the number of members to be elected to the Board from the quota of the political party groups set under the second paragraph shall be deemed invalid.

c) Candidates who receive the most votes in the election shall be selected based on the number of vacant positions provided that a quorum exists.

ç) In case of vacancy in the membership for any reason two months before the end of office of the members, new members shall be elected under the same procedure within one month following the date on which the position falls vacant or, if the Grand National Assembly of Turkey is at recess, following the end of the recess. In these elections, the number of the members designated from the quota of the political party groups in the first election and the current proportion of the political party groups shall be taken into account in the distribution of the vacant membership to the political party groups.

(6) In cases where the office of one of the members elected by the President or the Council of Ministers ends forty-five days earlier or the office ends for any reason, it shall be notified by the Authority to the Prime Minister's Office within fifteen days, for its submittal to the President's Office or the Council of Ministers. New members shall be elected one month before the end of office of current members. In cases where the position falls vacant before the end of office within the scope of these memberships, the elections shall be held within fifteen days following the notification.

(7) The Board shall elect the President and the Second President among its members. The President of the Board is also the president of the Authority.

(8) The term of office of the members of the Board is four years. The member whose term ends can be re-elected. The person who replaces a member whose term of office ends for any reason without fulfilling his/her office shall complete the rest of the term.

(9) The selected members shall swear the following oath before the First Presidency of the Court of Cassation: "I swear on my honour and dignity that I will perform my duty in accordance with the Constitution and the laws and within the understanding of full impartiality, honesty, fairness and justice.” The application for oath to the Court of Cassation is deemed among prompt actions.

(10) The members of the Board cannot assume any official or private duty apart from the performance of the official duties in the Board as long as it is not prescribed in a special law; nor can they manage an association, foundation, cooperative or similar entities, engage in trade, conduct independent business activities or serve as arbitrator or expert. However, the members of the Board can make scientific publications, give lectures and conferences in a way that will not hinder their fundamental duties and can be paid for the lectures and conferences within the scope of the copyrights arising from them.

 (11) The investigations regarding the crimes which are allegedly committed by the members because of their duties shall be conducted in accordance with the Law No. 4483 dated 2/12/1999 on the Trial of State Employees and Other Civil Servants and the permission for these investigations shall be granted by the Prime Minister.

(12) The provisions of the Law No. 657 shall apply in the disciplinary investigation and prosecution to be conducted with respect to the members of the Board.

(13) The office of the members of the Board cannot be terminated without expiry of the mentioned term of office. The membership of the Board members shall be terminated upon the decision of the Board in cases where;

a) it is later understood that they do not fulfil the necessary requirements for election,

b) the verdict of conviction is finalized for the crimes they have committed because of their duties,

c) it is definitely confirmed through a medical board report that they cannot perform their duties,

ç) it is verified that they have not continued to serve successively for fifteen days without permission and excuse or for thirty days in total in one year,

d) it is verified that they have not attended the Board meetings three times in one month without permission or excuse or ten times in total in one year.

(14) Those who are elected as the members of the Board shall be discharged from their previous positions in the Board. Those who are elected as members while serving as state officials shall be appointed to an appropriate cadre by the competent authority within one month in cases where their term of office ends or they apply to the previous institution within thirty days provided that they do not lose the requirements to serve as state officials. The Board shall continue to make any kind of payment that these persons receive until they are appointed. For those who are elected as members while they have not served in a public institution and whose office ends as prescribed above, the Board shall continue to make any kind of payment they receive until they start to serve in any other duty or job and the payment that the Board will make to those whose membership ends as such cannot be provided for more than three months. The term of office of these persons in the Authority shall be deemed to have been served in the previous institutions or organizations in terms of the personal and other rights entitled to them.

Duties and powers of the Board

ARTICLE 22- (1) The duties and powers of the Board are as follows:

a) Ensuring that personal data are processed in accordance with the fundamental rights and freedoms.

b) Taking a final decision with respect to the complaints that the rights relating to personal data are violated.

c) Reviewing whether personal data are processed in accordance with the laws upon a complaint or ex officio when it is notified of the allegation of violation, regarding the issues which fall within its remit, and taking interim measures in this regard when necessary.

ç) Determining the adequate measures required for the processing of special categories of personal data.

d) Ensuring that the Register of Controllers is kept.

e) Carrying out the necessary regulatory actions in the issues relating to the remit of the Board and the functioning of the Authority.

f) Carrying out the regulatory actions in order to set out the liabilities relating to data security.

g) Carrying out the regulatory actions relating to the duties, powers and responsibilities of the controller and his representative.

ğ) Deciding on the administrative sanctions prescribed by this Law.

h) Expressing opinions on the draft legislation which is prepared by the other institutions and organizations and includes the provisions relating to personal data.

ı) Taking a final decision on the strategic plan, determining the objectives and goals, the service quality standards and the performance criteria.

i) Holding meetings and taking a final decision on the budget proposal prepared in accordance with the strategic plan of the Authority and its objectives and goals.

j) Approving and publishing the draft reports prepared with respect to the performance, financial standing, annual activities of the institution and to necessary matters.

k) Discussing and giving a final decision on the proposals regarding the purchase, sales and renting of immovables.

l) Performing the other duties assigned by law.

Rules of procedures of the Board

ARTICLE 23- (1) The President shall set the meeting dates and agenda of the Board. The President can summon the Board for an extraordinary meeting in necessary cases.

(2) The Board shall convene with at least six members including the President and shall take decisions by absolute majority of the total number of members. The members of the Board cannot abstain from voting.

(3) The Board members cannot attend the meetings or voting regarding the matters which concern themselves, their third degree blood relatives and second degree relatives by marriage, their adopted children and their spouses even though the bonds of matrimony between them does not exist any longer.

(4) The Board members cannot impart any secret that they learn with respect to the concerning persons and third persons during their works to anyone other than lawfully competent authorities or use it in favour of themselves.

(5) Minutes shall be written regarding the issues deliberated in the Board. Decisions and, if any, justification of dissenting votes shall be written within fifteen days at the latest following the date of decision. The Board shall announce the decisions to the public if it deems necessary.

(6) The deliberations in the Board meetings shall be kept confidential unless decided otherwise.

(7) The working procedures and principles of the Board, the writing of decisions and other issues shall be regulated under a by-law.

President

ARTICLE 24- (1) The President shall be the highest official in the Authority in his/her capacity as the President of the Board and Authority and shall arrange, carry out the services of the Authority in accordance with the legislation, the objectives and policies of the Authority, its strategic plan, performance criteria and service quality standards and shall ensure coordination between the service units.

(2) The President shall be responsible for the general management and representation of the Authority. This responsibility shall cover the duties and powers of organizing, carrying out, inspecting, evaluating the works of the Authority and announcing them to the public when necessary.

(3) The duties of the President are as follows:

a) Acting as chairperson in the Board meetings.

b) Ensuring that the Board decisions are notified and some decisions are announced to the public if deemed necessary by the Board and following their implementation.

c) Appointing the Deputy President, heads of departments and the personnel of the Authority.

ç) Giving a final form to the proposals coming from the service units and presenting them to the Board.

d) Ensuring that the strategic plan is implemented, creating the human resources and operation policies.

e) Preparing the annual budget and financial statement of the Authority in accordance with the strategies, annual objectives and goals.

f) Ensuring coordination so that the Board and the service units work conformably, efficiently and in a disciplined and orderly manner.

g) Maintaining the relations of the Authority with the other organizations.

ğ) Determining the duties and scope of authority of the competent personnel who are entitled to sign on behalf of the President of the Authority.

h) Performing the other duties related to the management and functioning of the Authority.

(4) The Second President shall act for the President in the absence of the President of the Authority.

Establishment and duties of the Presidency

ARTICLE 25- (1) The Presidency shall be composed of Deputy President and service units. The Presidency shall perform the duties enumerated under the fourth paragraph through the service units organized as departments. The number of departments cannot be more than seven.

(2) A Deputy President shall  be appointed to assist the President in his duties under the Authority.

(3) The Deputy President and heads of departments shall be appointed by the President, among the persons who are graduates from at least a four-year higher education institution and who have carried out public service for ten years.

(4) The duties of the Presidency are as follows:

a) Keeping the Register of Controllers.

b) Carrying out the bureau and secretariat actions of the Authority and the Board.

c) Representing the Authority by means of lawyers in the cases which the Authority is party to and in execution proceedings, following the cases or having them followed and conducting legal services.

ç) Carrying out the personnel affairs of the Board members and those who serve in the Authority.

d) Performing the duties assigned by law to the departments of financial services and strategy development.

e) Ensuring that an information system is installed and used in order to conduct the affairs and actions of the Authority.

f) Preparing and presenting the draft reports regarding the annual activities of the Board and the necessary matters.

g) Preparing the draft strategic plan of the Authority.  

ğ) Setting out the personnel policy of the Authority, preparing and implementing the career and training plans of the personnel.

h) Carrying out the appointments, transfers, disciplinary actions, performances, promotions, retirements and similar actions of the personnel.

ı) Setting out the ethical rules to be followed by the personnel and providing necessary training.

i) Carrying out any kind of services such as purchase, sales, renting, maintenance, repairing, construction, archive, health as well as social services and similar services necessitated by the Authority under the Public Financial Management and Control Law No. 5018 dated 10/12/2003.

j) Keeping records of the movables and immovables of the Authority.

k) Performing the other duties assigned by the Board or the President.

(5) The service units and the working procedures and principles of these units shall be regulated by the by-law enacted by the decision of the Council of Ministers upon the proposal of the Authority, in accordance with the scope of authority, duties and powers of the service units stipulated under this Law.

Specialists and assistant specialists on Personal Data Protection

ARTICLE 26- (1) Specialists on Personal Data Protection and Assistant Specialists on Personal Data Protection can be employed in the Authority. The degrees of those who are appointed as Specialists on Personal Data Protection within the framework of the additional article 41 of the Law No. 657 shall be increased for one time only.

Provisions relating to the personnel and their personal rights

ARTICLE 27- (1) The personnel of the Authority shall be subjected to the Law No. 657, apart from the issues regulated by this Law.

(2) The payments shall be made to the president and members of the Board and the personnel of the Authority in the same procedure and principles as the payments made to the exemplified personnel within the scope of the financial and social rights, under the additional article 11 of the Decree Law No. 375 dated 27/6/1989. Those who are not subjected to taxes or another legal deduction from the payments made to the exemplified personnel shall not be subjected to any tax or deduction under this Law.

(3) The president and members of the Board and the personnel of the Authority shall be subjected to the provisions of the subparagraph (c) under the first paragraph of Article 4 of the Law No. 5510 dated 31/5/2006 on Social Security and General Health Insurance. The president and members of the Board and the personnel of the Authority shall be deemed equal to the exemplified personnel in terms of pension rights. The term of office of those whose office expires or those who

request for resignation among those who are appointed as president and members of the Board while they are covered by an insurance policy within the scope of the subparagraph (c) under the first paragraph of Article 4 of the Law No. 5510 shall be taken into account while determining the salaries, degrees and levels as their vested rights. The term of office of those who fall within the scope of the provisional article 4 of the Law No. 5510 during such office shall be evaluated as the period during which the executive compensation and representative compensation should be paid. For those who are appointed as the President and members of the Board while they are insured in the public institutions and organizations, within the scope of the subparagraph (a) of the first paragraph under Article 4 of the Law No. 5510, their discharge from the previous institutions and organizations shall not require any seniority or termination indemnity. The term of office of those who are in this situation for which seniority or termination indemnity should be paid shall be combined with their term of office in the past as the President and member of the Board and this total term shall be considered for the payment of gratuity. 

(4) The civil servants and other state officials serving in public agencies under the central administration, social security institutions, local administrations, the agencies under local administrations, local administrative units, institutions with the circulating capital, funds established by law, organizations with public legal personality, organizations with over half the capital which belongs to the public, public economic enterprises and public economic organizations and the partnerships and entities affiliated with them can be temporarily assigned in the Authority provided that their institution pay the salary, allowance, any kind of salary increase and indemnity as well as other financial and social rights and assistance with the consent of the mentioned  institutions. The requests of the Authority on this matter shall be finalized primarily by the relevant institutions and organizations. The personnel who are assigned as such shall be deemed to be on paid leave from their institutions. The civil service, relevance and rights of this personnel shall continue as long as they are on leave and this term shall be taken into account in their promotion and retirement process. Their promotion shall be conducted in time, without necessitating any other action. The term of service of those who are assigned under this article shall be deemed to have served in their own institutions. Those who are assigned as such cannot exceed 10% of the total cadre number of Specialists and Assistant Specialists on Personal Data Protection and the assignment cannot exceed two years. However, this term may be extended for a period of one year if necessary.

(5) The titles and numbers of the personnel to be employed in the Authority are shown on Table (I). Titles or degrees shall be changed, new titles shall be added and vacant positions shall be cancelled upon the decision of the Board, provided that it is limited to the titles listed on the tables annexed to the Decree Law No. 190 dated 13/12/1983 on General Cadre and Procedure, not exceeding the total number of personnel.

CHAPTER VII

Miscellaneous Provisions

Exceptions

ARTICLE 28- (1) The provisions of this Law shall not apply in the following cases:

a) Processing of personal data by natural persons in the course of a merely personal or household activity, provided that obligations relating to data security are complied with and data are not transferred to third parties.

b) Processing of personal data for the purposes of official statistics and, through anonymisation, research, planning, statistics etc.

c) Processing of personal data for the purposes of art, history and literature or science, or within the scope of freedom of expression, provided that national defence, national security, public safety, public order, economic safety, privacy of personal life or personal rights are not violated.

ç) Processing of personal data within the scope of preventive, protective and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defence, national security, public safety, public order or economic safety.

d) Processing of personal data by judicial authorities and execution agencies with regard to investigation, prosecution, adjudication or execution procedures.

(2) On the condition of being relevant and proportionate to the purpose and general principles of this Law,  Article 10 which regulates the obligation of the controller to inform; except for the right to request compensation, Article 11 which regulates the rights of the data subject; and Article 16 which regulates the obligation of enrolment in the Register of Controllers shall not apply in the following cases:

a) Processing of personal data is necessary for the prevention or investigation of a crime.

b) Processing of personal data made public by the data subject herself/himself.

c) Processing of personal data is necessary, deriving from the performance of supervisory or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status.

ç) Processing of personal data is necessary for the protection of economic and financial interests of the state related to the budget, tax and financial matters.

Budget and Revenues of the Authority

ARTICLE 29- (1) The budget of the Authority shall be prepared and adopted according to the procedures and principles stipulated in the Law No. 5018.

(2) The revenues of the Authority are as follows:

a) Treasury grants to be made from the general budget.

b) Incomes earned from the movables and immovables of the Authority.

c) Collected donations and grants.

ç) Revenues earned by means of utilization of the revenues.

d) Other revenues.

Amended and Added Provisions

ARTICLE 30- (1) (Replaced concerning the Law No. 5018 dated 10/12/2003.)

(2) to (5) - (Replaced concerning the Code No. 5237 dated 26/9/2004.)

(6) (Replaced concerning the Health Services Fundamental Law  No. 3359 dated 7/5/1987.)

(7) (Replaced concerning the Decree Law No. 663 dated 11/10/2011 Concerning the Organization and Duties of the Ministry of Health and Affiliates.)

By-law

ARTICLE 31- (1) Regulations related to the implementation of this Law shall be brought into force by the Authority.

Transitional Provisions

PROVISIONAL ARTICLE 1- (1) Within six months following publication of this Law, the members of the Board shall be elected in accordance with the procedure set forth under Article 21 and the Presidency organisation shall be constituted.

(2) Controllers shall be obliged to enrol themselves in the Register of Controllers within the term designated and announced by the Board.

(3) Personal data processed before the date of publication of this Law shall be rendered compliant within two years following the date of publication of this Law. Personal data that are deemed contrary to the provisions of this Law shall be immediately erased, destroyed, or rendered anonymous. However, the consents that are lawfully obtained before the date of publication of this Law shall be deemed lawful in terms of this Law, provided that no declaration of intention is made otherwise within one year.

(4) The regulations prescribed in this Law shall be brought into force within one year following the date of publication of this Law.

(5) A senior executive to provide coordination of the implementation of this Law in public institutions and organizations shall be determined and it shall be notified to the Presidency within one year following the date of publication of this Law.

(6) The first elected President, second President and two members to be determined by lots shall serve for six years while other five members shall serve for four years.

(7) Until a budget is allocated to the Authority;

a) Expenses of the Authority shall be disbursed from the budget of Prime Minister's Office.

b) All supplemental services necessary for the Authority to provide its services such as building, vehicle, equipment, furnishings and hardware shall be provided by the Prime Minister's Office.

(8) Until the service units of the Authority enter into service, secretariat services shall be provided by the Prime Minister's Office.

Entry into Force

ARTICLE 32- (1)

a) Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 of this Law shall enter into force within six months following the date of publication,

b) The other provisions shall enter into force on the date of publication.

Enforcement

ARTICLE 33- (1) Provisions of this Law shall be enforced by the Council of Ministers.

TABLE (I)

LIST OF PERSONNEL OF THE PERSONAL DATA PROTECTION AUTHORITY

CLASS

TITLE

DEGREE

TOTAL

GİH

Deputy President

1

1

GİH

Head of Department

1

7

GİH

Legal Consultant

1

1

GİH

Legal Consultant

3

3

AH

Lawyer

6

4

GİH

Specialist on Personal Data Protection

5

10

GİH

Specialist on Personal Data Protection

7

20

GİH

Assistant Specialist on Personal Data Protection

9

60

GİH

Specialist on Financial Services

6

2

GİH

Assistant Specialist on Financial Services

9

2

GİH

Civil Servant

5

5

GİH

Civil Servant

7

5

GİH

Civil Servant

9

5

GİH

Civil Servant

11

5

GİH

Civil Servant

13

5

GİH

Computer Operator

7

5

GİH

Data Preparation and Control Operator

6

5

GİH

Data Preparation and Control Operator

7

5

GİH

Data Preparation and Control Operator

8

5

GİH

Data Preparation and Control Operator

9

5

GİH

Data Preparation and Control Operator

10

5

GİH

Secretary

5

3

GİH

Secretary

8

7

GİH

Telephone Operator

9

1

GİH

Chauffeur

11

4

TH

Technician

6

3

YH

Assistant Technician

9

2

YH

Servant

11

10

 

TOTAL

 

195

 

Literally translated as "relevant person".

Literally translated as "data recording system".

Judiciary of Turkey