Turkey’s Personal Data Protection Law Kişisel Verileri Koruma Kanunu (KVKK) came into force on 7 April 2016.
Explicit consent has been defined as consent that relates to a specified issue, declared by free will and based on information. Explicit consent is required to process personal data.
The Turkish Data Protection Authority (TDPA) was established as a financially and administratively independent supervisory authority in early 2017.
KVKK Requirements for Personal Data Processing
Personal data can be processed in case:
- The data subject has given his explicit consent
- It is explicitly provided for by the laws,
- It is mandatory for the protection of life or to prevent the physical injury of a person, in cases where that person cannot express consent or whose consent is legally invalid due to physical disability,
- Processing of personal data belonging to the parties of a contract is necessary provided that it is directly related to the conclusion or fulfilment of that contract.
- It is mandatory for the controller to fulfil its legal obligations.
- The data is made manifestly public by the data subject.
- Data processing is mandatory for the establishment, exercise or protection of any right.
- It is mandatory for the legitimate interests of the controller, provided that such processing shall not violate the fundamental rights and freedoms of the data subjects
In case of illegal processing of personal data: 1 up to 3 years sentence to prison, the penalty for sensitive data is increased.
In case of providing or obtaining data illegally: 2 up to 4 years sentence to prison.
In case of non-purging of personal data within the period specified by law: 1 up to 2 years sentence to prison.
KVKK fines cases
KVKK fines Amazon TRY 1,200,000 for consent violations because Amazon’s failures to obtain explicit consent from users for the sending of commercial messages for advertising, campaigns, or promotional purposes as required by Law No. 6563 of 2014 on the Regulation of Electronic Commerce.
KVKK fines bank TRY 210,000 for illegally processing personal data to gain potential customers. The creation of a bank account without the knowledge or consent of an individual using information gained by the bank via a third party.