Personal Data Protection Law

This information note is about explanation of the determination of persons and entities encumbered with liabilities within the scope of Protection of Personal Data Law Nr. 6698 (“PPDL”) and liabilities of the same.

  1. What is personal data?

In accordance with PPDL, personal data is any data that define the owner of such data and contain any private and general information about its owner. In this context, not only the information that provides identification of an individual such as name, surname, date of birth, place of birth etc. but also the information regarding physical, family, economic, social and other properties of an individual are personal data as well. Name, telephone number, motor vehicle plate number, social security number, IP address, passport number, resume, photographs, health report, criminal record, image and audio records, finger prints, genetic information etc. are personal data due to being identifiable for an individual. Such data consist of data of the customers, personnel, visitors, suppliers, contracted third parties and employees thereof.

  1. What is penalty of breach of PPDL?

The customers receive and process identity, address and contact information of their customers, employees and other persons. Although it is not forbidden to process personal data; any person processing such data in contravention of protection of personal data law may be sentenced to imprisonment up to 6 years, imposed to millions of TRY administrative  fines and exposed to below mentioned indemnities.

Upper and lower limits of the penalties that may be imposed by the Board are as follows.

  • From 5,000 up to 100,000 Turkish Liras for any person who fails to fulfill information notice liability
  • From 15,000 up to 1,000,000 Turkish Liras for any person who fails to fulfill liability for security of data
  • From 25,000 up to 1,000,000 Turkish Liras for any person who fails to fulfill decisions taken by the Board
  • From 20,000 up to 1,000,000 Turkish Liras for any person who acts in contravention of liabilities for information and registration to Registry Information System of Data Controllers.
  1. The commercial entities should particularly perform following within the scope of PPDL;
  1. Registration to Registry Information System of Data Controllers

It is required for companies, the employee number of which is equal to or more than 50 annually and the total financial statement of which is equal to or more than 25 Million TRY, to register to Registry Information System of Data Controllers through VERBIS. Registration to VERBIS can be made through VERBIS interface in the website of the Board. The Data Controllers that have liability of registering to Registry Information System of Data Controllers should prepare Personal Data Processing Inventory first.

  1. To Obtain Express Consent or Have Other Data Processing Conditions

It is required to obtain express consent of the data subject regarding processing of personal data of the data subject as of the first addressing moment.

  1. Giving Information to Data Subject

It is required for the data controllers to prepare information notices during collection of personal data with due diligence in terms of purpose, principle, procedure and method for each data category by determining legal frame.

  1. Deletion, Destroying or Anonymization of Personal Data

The procedure of making personal data impossible to access or to reuse for the users of the personal data. The data controller shall be liable to take any and all measures in order for deleted personal data not to be accessible or reusable for the related users. The Guideline for Deletion, Destroying or Anonymization of Personal Data is prepared by the Board in order to draw attention several subjects to clarify methods for such procedures and to constitute good practice examples.

  1. Transfer of Personal Data Pursuant to Law

It is regulated in the Law that the personal data obtained to be processed according to common principles set forth in the Law may be transferred to third parties by getting express consent of related data subject.

  1. Taking Measures for Security of Data

The data controller shall take any and all technical and administrative measures to ensure suitable security level in order to prevent illegal processing of personal data; to prevent illegal access to personal data; and to provide secured storage of personal data.

The data controller shall be liable to create personal data storage and destroying policy and principles; to determine storage periods as well as technical and administrative measures to be taken; and to provide storage of personal data according to such procedures.

  1. Finalization of Requests of Data Subjects

By applying to the data controller; data subjects have the right to learn whether their personal data are processed or not; to request information if their personal data are processed; to request the rectification of the incomplete or inaccurate data, if any; to request deletion or destroying of any illegal data; to request such procedure to be informed to the third parties to whom their personal data were transferred; to request compensation for the damage arising from the unlawful processing of their personal data.

  1. Processing of Personal Data Pursuant to General Principles

Even if legal grounds for processing of personal data differ, general principles set forth in article 4 of Law apply for all personal data processing activities. 

You can reach the draft texts regarding this matter by making request by calling telephone no.02124650848 or by sending an e-mail to

Atty. Abide Birsen


Yazar : GülelHukuk

Validation error occurred. Please enter the fields and send them back.
Thank you ! Your email has arrived.