Turkey’s Data Protection Law: A Compliance Checklist for Multinational Companies
The Turkish Data Protection Law (Turkish DP Law) was published in April 2016, just a week before the EU’s General Data Protection Regulation (GDPR) came into effect. Despite its significance, many multinational companies operating in Turkey have overlooked the importance of complying with the Turkish DP Law.
Failure to Comply
Failure to comply with the law can result in administrative fines and even imprisonment of up to four years. The law also has extraterritorial application, making it applicable to companies that collect data from Turkey, regardless of their location.
Compliance Checklist for Multinational Companies
=====================================================
To help multinational companies navigate compliance with the Turkish DP Law, here are some practical steps:
For Data Controllers Located in Turkey:
1. Start a Data Protection Compliance Program to understand what data is being collected, processed, and transferred.
2. Draft a Personal Data Inventory containing information such as:
   - Data subject category
   - Personal data category
   - Purpose of processing
   - International transfers (if any)
   - Measures to safeguard data security
   - Maximum data retention times
3. Draft a Privacy Notice to be given to data subjects at the time of data collection, including information such as:
   - Identity of the data controller
   - Purpose of data processing
   - Third parties that will receive personal data
   - Method of data collection and legal basis
   - Data subject rights
4. Draft a Personal Data Retention and Destruction Policy outlining:
   - Reasons for preparing the policy
   - Recording mediums regulated by the policy
   - Definitions of legal and technical terms
   - Grounds requiring retention or destruction of personal data
   - Measures to safeguard personal data
   - Changes to the current policy if updated
5. Register with the Data Controllers’ Registry by providing information such as:
   - Identity and address details of the data controller
   - Designated purposes for processing personal data
   - Descriptions of subject person groups and data categories
   - Recipients of personal data
   - Precautions taken in accordance with Article 12 of the Law
   - Maximum period of retention of personal data
For Data Controllers That Are Not Located in Turkey:
- Take the steps given in points 1 to 4 above.
- Appoint a representative in Turkey to handle local communication and comply with the Turkish DP Law. Multinational companies often choose to appoint outside counsel or a lawyer with a proxy for this purpose.
Ongoing Compliance
While these practical steps can help multinational companies navigate compliance, it is essential to note that compliance is an ongoing process requiring continuous effort and attention. Working with a local legal specialist is always recommended.