Data Protection Compliance in Turkey


On April 7th 2016, the long awaited Law on the Protection of Personal Data was enacted (the “Law”) in Turkey to regulate process and transfer of personal data. Some of the provisions of the Law entered into force immediately upon its enactment whereas some of them entered into force after six months as of its enactment, and currently the Law is fully in force including a transition period of two years, during which the companies must bring the personal data that has been processed unlawfully prior to the enactment of the Law in compliance with the Law. Otherwise, the Law envisages administrative fines.

As per the Law the members of the Data Protection Authority (“DPA”) have been elected although with some delays, and we are now waiting for the enactment of secondary regulations which were stated to be prepared within one year as of the enactment of the Law. For the time being, neither the DPA has been fully established nor the regulations have been issued and there is confusion as to how to fulfil the obligations stipulated under the Law.

Although the enactment of the Law has created a great awareness particularly among the multinational companies and the companies have started to take actions to bring their activities in line with the Law in Turkey, they need guidance of the DPA and the secondary legislation to be in full compliance. The lack of guidance in legal infrastructure affects the data protection compliance projects particularly in terms of transfer of personal data to abroad, as the exceptions to explicit consent for data transfer, such as determination of countries with sufficient safeguards, requires further regulations and actions of the DPA. In the absence of such regulations, companies struggle with obtaining explicit consent for all data transfers to abroad although there is a possibility that relevant companies can be classified as countries with sufficient safeguards after DPA issues a decision on that.

Notwithstanding with this uncertainty, getting started with the data protection compliance projects is of course advantageous to the companies since such projects consists of very long and detailed processes. In additional to the multinational companies which have started paying attention to data protection issues, local companies are also advised to give due consideration to the compliance with the Law since there is no more excuse for not be compliant in the presence of a fully enforceable law. Accordingly, we recommend all companies

  • to give particular attention and plan their data protection compliance projects asap,
  • to identify their needs and where necessary to obtain services in relation to legal, IT or organizational/ operational aspects of the data protection projects,
  • to create awareness within the company and
  • to closely the watch latest developments in this area.


Article provided by:

  • Begüm Yavuzdoğan Okumuş, Managing Associate, Gun+Partners
  • Selin Başaran Savuran, Associate, Gun+Partners


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

CPC project office: Dr. Tobias Höllwarth,


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.