September 2018



For further information please contact:

Lara Sezerler
Senior Associate, Istanbul

Seda Karaman
Associate, Istanbul

Ergün Avukatlık Bürosu İstanbul | Levent 199, D: 79/B, Levent
T +90 (212) 280 90 91

Ankara | Next Level, A Blok, D: 33, Çankaya
T +90 (312) 220 30 60



Data Protection Law: Exemptions and Approaching Deadlines

The law numbered 6698 on the Protection of Personal Data (the “Data Protection Law”) providing protection of fundamental rights and freedoms set forth under the Constitution, notably the right to privacy and regulation of the rules with regards to processing of data and data processors’ duties, published in the Official Gazette numbered 29677 on April 7, 2016 and its provisions relating to the Data Controllers’ Registry (the “Registry”) entered into force as of October 7, 2016. The Data Protection Law regulates the principles and procedures for the processing, protection and transfer of personal data of real and legal persons. The Data Protection Law introduced several obligations including fair and lawful processing, protection and transfer of personal data, consent requirement, providing notice of processing, and enrollment with the Data Protection Authority (the “Authority”). As a follow up to the Data Protection Law, the secondary legislation entered into force gradually with the publication of the below in the Official Gazette:

  • the Regulation on Deleting, Destruction and Anonymization of Personal Data on October 28, 2017,
  • the Regulation on Procedures and Principles relating to the Operations of the Data Protection Authority on November 16, 2017;
  • the Regulation on Data Controllers’ Registry on December 30, 2017;
  • the Data Protection Authority Expert Regulation on February 9, 2018;
  • the Communiqué on Compliance with the Procedures and Principles relating to the Obligation to Inform and the Communiqué on Procedures and Principles relating to Applications to the Data Controllers on March 10, 2018;
  • the Regulation on the Organization of Data Protection Authority on April 26, 2018; and
  • the Regulation on Promotion and Change of Title of the Personnel of the Data Protection Authority on May 5, 2018.

As per the applicable legislation, the Authority, established on January 12, 2017, acts as an independent supervisory authority to ensure compliance with the data protection rules specified in the Data Protection Law and the applicable secondary legislation and is authorized to grant exemptions, impose sanctions and precautions as well as administrative fines determined in accordance with the Data Protection Law. The Authority recently announced some of its decisions granting an exemption from the obligation to enroll to the Registry for certain data controllers. To give a brief background, a “data controller” is a real or legal person that determine the objectives and means of processing and that are responsible for the establishment and management of data recording system and is under the obligation to enroll with the Registry once the Registry is opened and in accordance with the below deadlines prior to processing any personal data. Data controllers subject to the obligation to enroll are required to prepare an inventory detailing the personal data processing activities, the processing purposes, processed data categories, information relating to recipient groups and data subject groups.

On April 2, 2018, the Authority adopted a board decision numbered 2018/32, published in the Official Gazette numbered 30422 on May 15, 2018, to exclude:

  • data controllers processing data on a non-automated basis (as part of a data filing system);
  • notaries;
  • non-profit associations, charitable foundations, labor unions;
  • political parties;
  • lawyers; and
  • accountants from the obligation to enroll with the Registry.

Similarly, with its board decisions numbered 2018/68, 2018/75 and 2018/88, published in the Official Gazette numbered 30513 on August 18, 2018, the Authority also excluded the below listed individuals and legal entities, from the obligation to enroll with the Registry:

  • customs brokers and licensed customs brokers;
  • mediators; and
  • companies whose annual number of employees is less than 50 and whose annual financial balance is less than TL 25 million, provided that their main scope of activity does not include processing sensitive personal data (defined as data relating to race, ethnicity, political views, philosophical beliefs, religion, religious denomination or other beliefs, clothing and attire, memberships in associations, charities or trade unions, health condition, sex life, criminal convictions, security measures and biometric and genetic information).

Although the above-listed individuals and legal entities are not required to enroll with the Registry, they shall continue to be subject to other requirements applicable to data controllers under the applicable data privacy legislation. Some of the other obligations of the data controllers include the following:

  • to ensure that personal data is processed lawfully, fairly, accurately and is up-to-date in accordance with the principles set forth under the data protection legislation;
  • to procure that personal data is collected for specific, explicit and legitimate purposes and is not excessive;
  • to obtain explicit consent from data subject prior to processing or transferring their data, subject to certain exceptions provided under the applicable data protection legislation;
  • at the time of obtaining personal data, to provide the data subject information on: (i) the identity of the data controllers or, if any, their representatives, (ii) the purpose of data processing, (iii) the recipients to whom the data can be transferred and the purpose of such transfer, (iv) the method of and the legal grounds for collection of the personal data;
  • to implement all technical and administrative precautions to provide an appropriate level of security for the purposes of preventing unlawful process of and access to personal data and to ensure protection of personal data;
  • to conduct internal or external audits or procure that audits are conducted to ensure appropriate implementation of the data privacy legislation;
  • to notify data owners and the Authority, in the event the personal data was unlawfully obtained by third parties;
  • to respond to any applications made to them by data subjects and if necessary implement precautions in accordance with the applicable legislation; and
  • if the personal data is a sensitive personal data, then the data controller processing such data must also implement strengthened mechanisms to protect the data, as provided under the board decision of the Authority numbered 2018/10 dated January 30, 2018.

The Authority in its board decision numbered 2018/88 and dated July 19, 2018, published in the Official Gazette numbered 30513 on August 18, 2018, correspondingly set the deadlines for fulfilling the obligation to enroll, as follows:

  • The deadline for (i) the data controllers whose annual number of employees is more than 50 or whose annual financial balance is more than TL 25 million and (ii) the real or legal person data controllers which are residing abroad, will begin on October 1, 2018 and end on September 30, 2019.
  • The deadline for the data controllers whose annual number of employees is less than 50 and whose annual financial balance is less than TL 25 million, while their main scope of activity includes processing of sensitive personal data, will begin on October 1, 2018 and end on March 31, 2020.
  • The deadline for data controllers which are public institutions or agencies will begin on April 1, 2019 and end on June 30, 2020.

Failure to comply with the obligation to enroll may result in the imposition of administrative fines for an amount not less than TL 20,000 and up to TL 1 million, as well as any other actions by the Authority. Having said that, as the Authority is authorized under the Data Protection Law, it may choose to introduce additional exemptions before the above mentioned deadlines approach. For any additional exemptions, the Authority will look into certain objective criteria, i.e. the quality and volume of the data, if the data is processed as per an applicable legislation or the probability of transfer to third parties.


This information is provided for your convenience and does not constitute legal advice. It is prepared for the general information of our clients and other interested persons. This should not be acted upon in any specific situation without appropriate legal advice. This information is protected by copyright and may not be reproduced or translated without the prior written permission of Ergün Avukatlık Bürosu.