The Personal Data Protection Law No. 6698, which entered into force in 2016, established Turkey’s dedicated personal data protection framework, which continues to evolve in line with legislative developments, regulatory guidance and increasing alignment with international and EU data protection standards.
We conduct compliance audits for companies processing personal data in Turkey, identifying gaps between current practices and legal requirements.
Data controllers subject to Turkish data protection legislation may be required to register with the Data Controllers Registry Information System, known as VERBIS. This obligation may apply to both Turkish data controllers and foreign data controllers processing personal data within the scope of Turkish law, subject to applicable exemptions and thresholds.
We advise clients on assessing whether a VERBIS registration obligation applies, preparing the required data inventory, managing VERBIS registration and update processes. We also advise foreign data controllers on representative appointment and related registration obligations where applicable.
Cross-border transfers of personal data are subject to specific requirements under Article 9 of the Law. We advise clients on assessing their international data flows and implementing appropriate transfer mechanisms in line with applicable legislation and guidance issued by the Turkish Data Protection Authority.
Our services include reviewing intra-group transfers, international vendor arrangements, cloud-based services, CRM systems, HR platforms, outsourcing structures, and other cross-border processing activities from a Turkish data protection law perspective.
We assist clients in responding to actual or suspected personal data breaches under Turkish data protection legislation.
Our services include assessing notification requirements, preparing notifications to the Turkish Data Protection Authority, advising on communications with affected data subjects where required, coordinating legal strategy during incident response, and supporting post-breach remediation from a legal perspective.
We also assist with the review of internal procedures, documentation, and response protocols following a data breach.
We advise clients on managing requests and complaints submitted by data subjects under Turkish data protection legislation.
Our services include assessing access, correction, deletion, destruction, anonymisation, objection, and other statutory requests, preparing response templates, advising on response timelines, and supporting clients in complaint processes before the Turkish Data Protection Authority.
Certain sectors in Turkey are subject to additional privacy, confidentiality, data retention, localisation, or regulatory obligations in addition to the general data protection framework.
We advise clients operating in regulated sectors, including financial services, healthcare, technology, e-commerce, telecommunications, employment, retail, advertising, and digital platforms, on sector-specific privacy requirements and overlapping compliance obligations.
I. Introduction With its Principle Decision on “Recording Photocopies of the Turkish Identity Cards of Persons Receiving Accommodation…
Read Article →Amendments were made to the Personal Data Protection Law No. 6698 (“Law”) through the Law No. 7499, published…
Read Article →Published in the Official Gazette No. 32487 dated 12.03.2024, Law No. 7499 introduced changes to the Personal Data…
Read Article →Reach out for a confidential consultation on your legal needs.
