{"id":4224,"date":"2024-04-27T06:05:46","date_gmt":"2024-04-27T12:05:46","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=regulations&p=4224"},"modified":"2024-06-03T12:13:57","modified_gmt":"2024-06-03T18:13:57","slug":"pdpl-turkey","status":"publish","type":"regulations","link":"https:\/\/trustarc.com\/regulations\/pdpl-turkey\/","title":{"rendered":"Turkish Personal Data Protection Law (PDPL)"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tRegulation<\/span>\n\t\t\t\t\t\t\t\t\t\t

Turkish Personal Data Protection Law (PDPL)<\/h1>\n\t\t\t\t\t

The Turkish Personal Data Protection Law (PDPL) is a core legislative act regulating data protection in Turkey. The PDPL is a step towards harmonizing Turkish legislation with EU legislation, and has a similar framework to Directive 95\/46\/EC, the GDPR and Directive (EU) 2106\/680.<\/p>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t

Are you subject to the Turkey PDPL?<\/h2>\n

The Turkish PDPL applies to natural or legal persons whose personal data is processed and or natural or legal persons who process such data either through automatic or non-automatic means.<\/p>\n

There is no distinction between private corporations and public authorities in the Law and it does not have a territorial scope (meaning databases and servers storing Turkish data do not need to be located in Turkey). The Law shall apply to all natural and legal persons who process Turkish-originated data, regardless of whether they are located in Turkey or abroad.<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t

Obligations & Rights under the Turkey PDPL<\/h2>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Individual Rights & Requests<\/h4>\n

Individuals have the right to request key information from the data controller, including whether their data has been processed and the identities of those to whom it has been transferred. They can also request correction of incomplete or inaccurate data, deletion or destruction of their data, object to negative consequences from automated data analysis, and seek compensation for damages due to illegal processing.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Policies & Notices<\/h4>\n

When collecting personal data, the data controller or its authorized representative must inform individuals about: (a) the identity of the data controller and if any, its representative, (b) the purposes for which personal data is processed, (c) persons to whom processed personal data might be transferred and purposes of the transfer (d) method and legal basis for the collection of personal data, (e) individual rights set forth under PDPL.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Consent<\/h4>\n

Personal data shall not be processed without obtaining the explicit consent of the data subject.<\/p>\n

<\/h4>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Data Security<\/h4>\n

The data controller is required to implement all necessary technical and organizational measures to provide an appropriate level of security. This includes preventing unlawful processing and access to personal data, thereby safeguarding sensitive information and maintaining its integrity.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\"\"\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tWhitepaper<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t

Guide to Data Inventory and Mapping for GDPR & CCPA Compliance<\/h2>\n\t\t\t\t\t\t

One of the most important steps to design and build a data privacy program is to create a data inventory of all of the business processes within an organization.<\/p>\n\t\t\t\t\t\t