Turkey’s Personal Data Protection Law Kişisel Verileri Koruma Kanunu (KVKK) came into force on 7 April 2016.
Explicit consent has been defined as consent that relates to a specified issue, declared by free will and based on information. Explicit consent is required to process personal data.
The Turkish Data Protection Authority (TDPA) was established as a financially and administratively independent supervisory authority in early 2017.
Personal data can be processed in case:
In case of illegal processing of personal data: 1 up to 3 years sentence to prison, the penalty for sensitive data is increased.
In case of providing or obtaining data illegally: 2 up to 4 years sentence to prison.
In case of non-purging of personal data within the period specified by law: 1 up to 2 years sentence to prison.
KVKK fines Amazon TRY 1,200,000 for consent violations because Amazon’s failures to obtain explicit consent from users for the sending of commercial messages for advertising, campaigns, or promotional purposes as required by Law No. 6563 of 2014 on the Regulation of Electronic Commerce.
KVKK fines bank TRY 210,000 for illegally processing personal data to gain potential customers. The creation of a bank account without the knowledge or consent of an individual using information gained by the bank via a third party.