Selin OZBEK CITTONE
Attorney at Law / Managing Partner
28 January 2019
To be honest, protection of our personal data has never been a priority for us Turkish people. We have a very warm culture. We like the physical touch and deeply embrace in each other’s lives. In other countries, this might be considered noisy but with the folks in Turkey, it is considered caring for each other.
When you go to a job interview, for example, people would ask you in which city you were born or the origins of your family, the professions of your family members, whether you live with your family or alone, whether you are married or not, and if you are a woman, even whether you are planning to get married or have kids soon. I know, I know it is crazy! But this has been our normal for so many years.
But now things are changing. Since the enactment of the Turkish Data Protection Law in April 2016, we started to realize that this was kinda insane. But it takes time to change your habits.
That is why celebrating the Data Privacy Day is important for us to realize that what we have been doing in the past was and is actually illegal. 
Turkey enacted the Turkish Data Protection Law (“DPL”) on 7 April 2016 and ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on 2 May 2016. So this is officially the second year that we will be celebrating the Data Privacy Day. Last year, the Turkish Data Protection Authority (“TDPA”) took the lead and issued press releases to remind us of this special day. And this year, they are organizing a big conference on the 28th of January (https://28-Ocak-Veri-Koruma-Gunu).
As many of you already know, DPL was based on EU Directive 95/46/EC (the "Data Protection Directive"), which was repealed and replaced on 25 May 2018 by the General Data Protection Regulation 679/2016 (the "GDPR"). But it would be fair to say that, in many aspects, DPL leans more toward GDPR. This seems to be the approach of the TDPA as well. I will not bore you here with a full comparison between the GDPR and DPL, but I want to highlight just a few problems in the Turkish practice. I suggest you read all the way through, especially if you are a foreign data controller, ie. a controller who is not resident in the Republic of Turkey but have business or clients there.
I hear you say that this is a major problem for processing health data especially for employers. Therefore, one of my wishes for the year 2019 was to at least have an exemption in the DPL for processing employee’s health data by the employer.
Because the list of exemptions announced by the TDPA does not, at least for now, include foreign data controllers, the monetary thresholds or professional exemptions for registry would not apply to controllers residing outside of Turkey. It is worth to emphasize, however, that implications and applicability of extra-territoriality of the DPL may be eventually challenged before Turkish courts by foreign controllers due to lack of any specific provisions in the DPL or lack of any definition related to the scope.
 Just to avoid any misunderstandings, privacy, and protection of personal life was protected under the Turkish Criminal Code since 2005 and was accepted as a constitutional right in the Turkish Constitution since 2010. But due to lack of a specific law, its implementation was very limited until 2016.