Skip to main content

Data Protection Compliance in Turkey

Begüm Yavuzdoğan Okumuş (TR), Partner of EuroCloud CPC Network

On April 7th 2016, the long awaited Law on the Protection of Personal Data was enacted (the “Law”) in Turkey to regulate process and transfer of personal data. Some of the provisions of the Law entered into force immediately upon its enactment whereas some of them entered into force after six months as of its enactment, and currently the Law is fully in force including a transition period of two years, during which the companies must bring the personal data that has been processed unlawfully prior to the enactment of the Law in compliance with the Law. Otherwise, the Law envisages administrative fines.

As per the Law the members of the Data Protection Authority (“DPA”) have been elected although with some delays, and we are now waiting for the enactment of secondary regulations which were stated to be prepared within one year as of the enactment of the Law. For the time being, neither the DPA has been fully established nor the regulations have been issued and there is confusion as to how to fulfil the obligations stipulated under the Law.

Although the enactment of the Law has created a great awareness particularly among the multinational companies and the companies have started to take actions to bring their activities in line with the Law in Turkey, they need guidance of the DPA and the secondary legislation to be in full compliance. The lack of guidance in legal infrastructure affects the data protection compliance projects particularly in terms of transfer of personal data to abroad, as the exceptions to explicit consent for data transfer, such as determination of countries with sufficient safeguards, requires further regulations and actions of the DPA. In the absence of such regulations, companies struggle with obtaining explicit consent for all data transfers to abroad although there is a possibility that relevant companies can be classified as countries with sufficient safeguards after DPA issues a decision on that.

Notwithstanding with this uncertainty, getting started with the data protection compliance projects is of course advantageous to the companies since such projects consists of very long and detailed processes. In additional to the multinational companies which have started paying attention to data protection issues, local companies are also advised to give due consideration to the compliance with the Law since there is no more excuse for not be compliant in the presence of a fully enforceable law. Accordingly, we recommend all companies

  • to give particular attention and plan their data protection compliance projects asap,
  • to identify their needs and where necessary to obtain services in relation to legal, IT or organizational/ operational aspects of the data protection projects,
  • to create awareness within the company and
  • to closely the watch latest developments in this area.


Article provided by:

  • Begüm Yavuzdoğan Okumuş, Managing Associate, Gun+Partners
  • Selin Başaran Savuran, Associate, Gun+Partners

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.