Law on Protection of Personal Data

The “Law on the Protection of Personal Data” No. 6698, published in the Official Gazette No. 29677 dated April 7, came into force on the date of its publication.

The purpose of this Law is to protect the fundamental rights and freedoms of people, the right to privacy in particular, in the processing of personal data, and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles they must comply with.

KVKK Basic Concepts

Open Consent
      a. Be Related to a Specific Subject
      b. Consent to Informing
      c. Disclosure by Free Will
Making Anonymous (Anonymization)
Related person
Personal Data
Processing of Personal Data
      a. Automatic Processing
      b. Automatic Processing
Data Specialist and Data Processor
Data Recording System

KVKK Personal Data Concept

  • Name and surname 
  • Place of birth 
  • Date of birth 
  • Vehicle Plate
  • TC Identification number
  • Passport number
  • E-Mail Address / IP Address
  • Fingerprint
  • Image and Voice Recordings
  • Resume 
  • All similar data that makes the person identifiable

KVKK Special Qualified Personal Data

  • Religion / Sect
  • Political Thought
  • Philosophical Faith
  • Association / Foundation / Union Membership
  • Race / Ethnicity
  • Health
  • Criminal Sentence Data
  • Security measures
  • Sexual Life
  • Biometric and Genetic Data

Basic Principles for Processing Personal Data

Article 17 and Article 18 envisage, for the unlawful processing of personal data, the prison sentences set out in Articles 135 to 140 of the Turkish Penal Code No. 5237 (TCK). The related article states that failure to fulfill the obligation to inform, failure to ensure data security, failure to fulfill the decisions of the Board, and failure to fulfill the obligation to register with the Data Officers Registry are treated as misdemeanors and are therefore subject to administrative fines.


TCK Art. 135

Any person who illegally records personal data shall be sentenced to imprisonment for a term of one year up to three years (Changed: 6526 - 21.2.2014 / Art. 3).

TCK Art. 136

Any person who unlawfully gives personal data to another person, disseminates it or obtains it shall be sentenced to imprisonment for a term of (Amended phrase: 6526 - 21.2.2014 / Art. 4) “two years” up to four years.

TCK Art. 138

Those who are obliged to destroy the data in the system once the periods set by the laws have passed, and who do not fulfill this duty, shall be sentenced to one to two years' imprisonment (Changed: 6526 - 21.2.2014 / Art. 5).


Those who fail to fulfill the obligation to inform shall be fined between 5,000 and 100,000 Turkish Liras.

For those who fail to fulfill their obligations regarding data security, an administrative fine of TL 15,000 to TL 1,000,000 shall be imposed.

Those who do not fulfill the decisions given by the Board shall be subject to an administrative fine of 25,000 to 1,000,000 Turkish Liras.

Those who violate the obligation to register and report to the Data Officers Registry shall be subject to an administrative fine of 20,000 to 1,000,000 Turkish Liras.

Transitional Provisions of the Law and Enforcement

The provisions relating to the transfer of personal data to third parties and abroad, the rights of the person concerned, complaints, review, the registry of data officers, and crimes and misdemeanors shall enter into force six months after the date of publication of the Law; the other provisions shall enter into force on the date of publication. The regulations to be issued based on this Law shall be put into effect within one year. Personal data processed prior to expiration shall be harmonized or deleted / anonymized within two years following the date of publication.

GDPR (General Data Protection Regulation)

With Directive 1995/46 EC on the Protection of Real Persons and Free Data Traffic during the Processing of Personal Data, the European Parliament and the Council aimed to protect personal data throughout the European Union. The Directive was intended to protect privacy during the processing of personal data and to regulate the circulation of personal data. This instrument, which was made especially to facilitate the development of the information society and the service sector, is inadequate in the face of rapidly developing technology. Especially in the face of recent developments in cloud technologies, a new regulation became inevitable. The General Data Protection Regulation (GDPR), which included a fundamental reform of EU data protection rules as a result of these needs, was approved by the European Parliament on 14 April 2016.

Among the legal arrangements for the protection of personal data in Turkey, the "Law on the Protection of Personal Data" No. 6698, published in the Official Gazette No. 29677 dated April 7, 2016, was a critical milestone. Law No. 6698 entered into force shortly before the GDPR, the text prepared under the EU Data Protection Reform, was adopted by the European Parliament. With this Law, an important step has been taken toward enabling the ICT sector in Turkey to provide information society services, especially abroad, increasing the business potential of our country in the sectors where personal data is the main input, cross-border data sharing, and the effective functioning of judicial cooperation channels. However, Law No. 6698 refers to the Data Protection Directive 95/46/EC rather than to the current EU regulation, the GDPR.

Another reason for a new regulation in the European Union is access to data and the transfer of data. As a result, there is a concern that the rights of EU citizens will be adversely affected.

The policy objectives of the Commission when reviewing the general EU legal framework for the protection of personal data are expressed as follows:

  • Improving the EU legal system in order to effectively protect personal data against the challenges of globalization and the use of new technologies,
  • Strengthening individual rights in terms of personal data and also reducing bureaucratic processes to ensure the free flow of personal data within and outside the EU,
  • Providing clarity and consistency in the EU law rules on the protection of personal data, and ensuring the effective and consistent implementation of these rules and the effective protection of personal data in all activities of the Union.

What are the basic changes brought by GDPR?

  • More effective protection of personal data and data owners,
  • Increased responsibilities of data processors and data controllers,
  • Stronger regulation in terms of scope of application.

-Harmonization: GDPR is published as a regulation and not as a directive. The difference is that regulations can be applied directly in the member countries, without requiring any domestic law. Directives set out the main objectives that are expected to be achieved, but leave the methods for achieving these objectives to the internal laws of the member states. The purpose of choosing a regulation rather than a directive is to eliminate the differences arising from the domestic law of the Member States and to provide a standard level of protection. The will of the European Union on this issue is often expressed as “one continent, one law”. In addition, the differences in User Rights between Member States have been eliminated.

-All Data Processors are held responsible for Data Processing: In Directive 95/46, the only responsible person was the “data controller”. Under the regulation introduced by GDPR, any company or individual that is not a data controller (including third party sub-service providers, such as cloud service providers) will also be held responsible for the lawful processing of the data. In this context, GDPR provisions are binding on cloud service providers whose servers are located outside the EU and who continue their processing activities outside the Union countries. The high fines imposed by GDPR are binding on these processors.

-The transmission of EU Citizens' Personal Data out of the Union is more strictly regulated: Particularly for cases where companies such as the American-based Google, Apple and Facebook share their user information with the National Security Agency (NSA) in the US, sanctions have been increased.

-Claims for Compensation: GDPR recognizes the right to claim compensation for those who suffer damage.

-The User Rights Information Obligation is on the Data Controller and the area of Open Consent has expanded: Accordingly, it is accepted that no data will be processed without the user's explicit consent being given beforehand. Consent to the processing of personal data should be free, specific, informed, conscious and explicit. Such consent shall be obtained for all processing activities carried out for the same purpose or purposes. In addition, in cases where consent is requested by electronic means, the request must be clear, concise and made in a way that does not preclude the use of the service for which it is provided. This results in the expansion of the application of the concept of open consent (called strengthened consent in some books).

-With GDPR, penalties have been increased and checks have been tightened: The fines imposed by the GDPR have been increased to significant amounts such as € 200 million or four percent of the service provider's global income (whichever of the two is higher). Accordingly, data processors and IT producers are obliged to create products and services that are user-friendly in terms of data protection.

-In case of a high risk of data violations, there is an obligation to notify both the Data Protection Authority and the Data Owner: In case of violations occurring after the implementation of the regulation, information should be given to the relevant persons or data owners within 72 hours of the determination.

-Right to be Forgotten: One of the biggest innovations brought by GDPR. Under the regulation introduced by GDPR, users can request the deletion of their personal data. The best-known case concerning this right, which can be described as people's demand that their past be erased from the memory of society, is the case brought by Spanish citizen Mario Costeja Gonzalez against Google Spain and Google Inc. The subject of the case was the request to remove from the search engine a news item about the plaintiff Gonzalez that appeared in a newspaper in 1998. The plaintiff argued that the link to the news should be removed on the grounds that this news about him from long ago was now “irrelevant”. According to this decision, search engines and internet service providers should be considered data controllers. For the regulation in our law regarding the right to be forgotten, the decision of the General Assembly of the Supreme Court of Appeals dated 17.06.2015, No. 2014/4-56 E., 2015/1679 K., should be examined.

CONCLUSION: With the new EU Data Protection Regulation, there is a high level of harmony between EU member countries in terms of data protection law, and the differences arising from the internal law regulations of the members of the Union have been eliminated. Thanks to this regulation, it is considered that a global competitive advantage will be achieved for Union countries in the context of the target of a unified, smooth and efficient EU digital market. In this context, it is important to establish a general framework in line with this legislation in our country, especially in the secondary regulations to be introduced by the Data Protection Board. Compared to Directive 95/46, GDPR introduced more stringent and comprehensive regulations, in particular in terms of responsibilities, sanctions, personal rights and data protection measures. Innovative approaches such as data mobility, impact assessment and security from design should be reflected in Law No. 6698 and its implementation, in particular by strengthening deterrence through increased accountability of the data processing parties, defining the right to be forgotten, and increasing the sanctions of administrative fines.