Data Protection Compliance in Turkey
As per the Law the members of the Data Protection Authority (“DPA”) have been elected although with some delays, and we are now waiting for the enactment of secondary regulations which were stated to be prepared within one year as of the enactment of the Law. For the time being, neither the DPA has been fully established nor the regulations have been issued and there is confusion as to how to fulfil the obligations stipulated under the Law.
Although the enactment of the Law has created a great awareness particularly among the multinational companies and the companies have started to take actions to bring their activities in line with the Law in Turkey, they need guidance of the DPA and the secondary legislation to be in full compliance. The lack of guidance in legal infrastructure affects the data protection compliance projects particularly in terms of transfer of personal data to abroad, as the exceptions to explicit consent for data transfer, such as determination of countries with sufficient safeguards, requires further regulations and actions of the DPA. In the absence of such regulations, companies struggle with obtaining explicit consent for all data transfers to abroad although there is a possibility that relevant companies can be classified as countries with sufficient safeguards after DPA issues a decision on that.
Notwithstanding with this uncertainty, getting started with the data protection compliance projects is of course advantageous to the companies since such projects consists of very long and detailed processes. In additional to the multinational companies which have started paying attention to data protection issues, local companies are also advised to give due consideration to the compliance with the Law since there is no more excuse for not be compliant in the presence of a fully enforceable law. Accordingly, we recommend all companies
- to give particular attention and plan their data protection compliance projects asap,
- to identify their needs and where necessary to obtain services in relation to legal, IT or organizational/ operational aspects of the data protection projects,
- to create awareness within the company and
- to closely the watch latest developments in this area.
Article provided by:
- Begüm Yavuzdoğan Okumuş, Managing Associate, Gun+Partners
- Selin Başaran Savuran, Associate, Gun+Partners