Kişisel Verilerin Korunması.orgKVK

Personal Data Protection Law no. 6698

An unofficial translation of the Personal Data Protection Law no. 6698 of Türkiye.

CHAPTER I

Purpose, Scope, and Definitions

Purpose

ARTICLE 1 - (1) The purpose of this Law is to protect the fundamental rights and freedoms of persons, privacy of personal life in particular, while personal data are processed, and to set forth obligations of natural and legal persons who process personal data and procedures and principles to comply with for the same.

Scope

ARTICLE 2 - (1) The provisions of this Law shall apply to natural persons whose personal data are processed and natural or legal persons who process such data wholly or partly by automatic means or otherwise than by automatic means which form part of a filing system.

Definitions

ARTICLE 3 - (1) In practice of this Law, the terms used herein shall have the following meanings:

    a) Explicit Consent: Freely given specific and informed consent;

    b) Anonymization: Rendering personal data by no means identified or identifiable with a natural person even by linking with other data;

    c) President: President of the Board of Protection of Personal Data;

    ç) Data subject: Natural person whose personal data are processed;

    d) Personal Data: Any information relating to an identified or identifiable natural person;

    e) Processing of personal data: Any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system;

    f) Board: The Board of Protection of Personal Data;

    g) Authority: The Authority of Protection of Personal Data;

    ğ) Data processor: Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller;

    h) Filing system: Any recording system through which personal data are processed by structuring according to specific criteria;

    ı) Data controller: Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.

CHAPTER II

Processing of Personal Data

General Principles

ARTICLE 4 - (1) Personal data shall only be processed in accordance with the procedures and principles set forth by this Law or other laws.

(2) The below principles shall be complied with when processing personal data:

    a) Being in conformity with the law and good faith;

    b) Being accurate and if necessary, up to date;

    c) Being processed for specified, explicit, and legitimate purposes;

    ç) Being relevant, limited and proportionate to the purposes for which data are processed;

    d) Being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.

Conditions for Processing of Personal Data

ARTICLE 5 - (1) Personal data shall not be processed without obtaining the explicit consent of the data subject.

(2) Personal data may be processed without obtaining the explicit consent of the data subject if one of the below conditions exists:

    a) It is expressly permitted by any law;

    b) It is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;

    c) It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;

    ç) It is necessary for compliance with a legal obligation which the controller is subject to;

    d) The relevant information is revealed to the public by the data subject herself/himself;

    e) It is necessary for the institution, usage, or protection of a right;

    f) It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

Conditions for Processing of Special Categories of Personal Data

ARTICLE 6 - (1) Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data.

(2) (Abrogated:2/3/2024-7499/33 art.)

(3) (Updated: 2/3/2024-7499/33 art.) The processing of special categories of personal data is prohibited. However, the processing of such data is possible in the following cases:

    a) If the explicit consent of the data subject is obtained,

    b) If it is expressly provided for by law,

    c) If it is necessary for the protection of the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally valid, or of another person,

    ç) If it concerns personal data that has been made public by the data subject and is in accordance with the intention of making it public,

    d) If it is necessary for the establishment, exercise, or protection of a right,

    e) If it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, or the planning, management, and financing of health services, by persons or authorized institutions and organizations who are under an obligation of confidentiality,

    f) If it is necessary for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,

    g) If it is carried out by foundations, associations, or other non-profit organizations or formations established for political, philosophical, religious, or trade union purposes, provided that it is in accordance with the legislation to which they are subject and their purposes, limited to their fields of activity, not disclosed to third parties, and directed at their current or former members and affiliates or persons who are in regular contact with these organizations or formations,

(4) It is additionally required to take the adequate measures designated by the Board when special categories of personal data are processed.

Deletion, Destruction, and Anonymization of Personal Data

ARTICLE 7 - Personal data that is processed in accordance with this Law or relevant other laws shall be deleted, destroyed or anonymised either ex officio or upon request by the data subject in case the reasons necessitating their processing cease to exist.

(2) Provisions of other laws relating to deletion, destruction, and anonymization of personal data are reserved.

(3) Procedures and principles relating to deletion, destruction and anonymization of personal data shall be set forth by a regulation.

Transfer of Personal Data

ARTICLE 8 - (1) Personal data shall not be transferred without obtaining the explicit consent of the data subject.

(2) Personal data may be transferred without obtaining the explicit consent of the data subject if one of the conditions set forth under the following exists:

    a) The second paragraph of article 5,

    b) On the condition that adequate measures are taken, the third paragraph of article 6.

(3) Provisions of other laws relating to the transfer of personal data are reserved.

Kişisel verilerin yurt dışına aktarılması

ARTICLE 9 - (Updated:2/3/2024-7499/34 art.)

(1) Personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 exists and there is an adequacy decision regarding the country, sectors within the country, or international organizations to which the transfer will be made.

(2) The adequacy decision is issued by the Board and published in the Official Gazette. The Board may seek the opinions of relevant institutions and organizations if needed. The adequacy decision is reviewed at least once every four years. The Board may, as a result of the review or in other cases it deems necessary, amend, suspend, or revoke the adequacy decision with prospective effect.

(3) The following matters are primarily taken into account when issuing an adequacy decision:

    a) The existence of reciprocity regarding the transfer of personal data between Türkiye and the country to which the personal data will be transferred, sectors within that country, or international organizations.

    b) The relevant legislation and practices of the country to which the personal data will be transferred, as well as the rules to which the international organization is subject.

    c) The existence of an independent and effective data protection authority in the country to which the personal data will be transferred or in the international organization, and the availability of administrative and judicial remedies.

    ç) Whether the country or international organization to which the personal data will be transferred is a party to international conventions on the protection of personal data or is a member of international organizations.

    d) Whether the country or international organization to which the personal data will be transferred is a member of global or regional organizations of which Türkiye is also a member.

    e) International conventions to which Türkiye is a party.

(4) In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 exists, provided that the data subject has the opportunity to exercise their rights and to have access to effective legal remedies in the country to which the data will be transferred, and if one of the appropriate safeguards listed below is provided by the parties:

    a) The existence of an agreement, which does not qualify as an international treaty, between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations with public institution status in Türkiye, and the Board’s authorization of the transfer.

    b) The existence of binding corporate rules, approved by the Board, that contain provisions on the protection of personal data and are required to be followed by companies within a group of undertakings engaged in joint economic activity.

    c) The existence of a standard contractual clauses, announced by the Board, that includes matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data.

    ç) The existence of a written undertaking containing provisions ensuring adequate protection and the Board’s authorization of the transfer.

(5) The standard contract clauses must be notified to the Authority by the data controller or data processor within five business days following its execution.

(6) In the absence of an adequacy decision and if none of the appropriate safeguards set forth in the fourth paragraph can be provided, data controllers and data processors may transfer personal data abroad only on an occasional basis and only if one of the following conditions exists:

    a) The data subject has given explicit consent to the transfer, provided that they have been informed about the possible risks.

    b) The transfer is necessary for the performance of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures taken at the request of the data subject.

    c) The transfer is necessary for the conclusion or performance of a contract to be made in the interest of the data subject between the data controller and another natural or legal person.

    ç) The transfer is necessary for overriding public interests.

    d) The transfer of personal data is necessary for the establishment, exercise, or protection of a right.

    e) The transfer of personal data is necessary for the protection of the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally valid, or of another person.

    f) The transfer is made from a register that is open to the public or to persons with a legitimate interest, provided that the conditions for accessing the register as set forth in the relevant legislation are met and the person with a legitimate interest requests it.

(7) Subparagraphs (a), (b), and (c) of the sixth paragraph do not apply to activities of public institutions and organizations that are subject to public law.

(8) The safeguards provided in this Law and the provisions of this article shall also apply to subsequent transfers of personal data transferred abroad by data controllers and data processors, as well as to transfers to international organizations.

(9) Without prejudice to the provisions of international agreements, in cases where the interests of Türkiye or the data subject would be seriously harmed, personal data may be transferred abroad only with the opinion of the relevant public institution or organization and the permission of the Board.

(10) The provisions of other laws regarding the transfer of personal data abroad are reserved.

(11) The procedures and principles regarding the implementation of this article shall be regulated by regulation.

CHAPTER III

Rights and Obligations

Data Controller’s Obligation to Inform

ARTICLE 10 - (1) Data controller or the person it authorized is obligated to inform the data subjects while collecting the personal data with regard to

    a) The identity of the data controller and if any, its representative,

    b) The purposes for which personal data will be processed,

    c) The persons to whom processed personal data might be transferred and the purposes for the same,

    ç) The method and legal cause of collection of personal data,

    d) The rights set forth under article 11.

Rights of Data Subject

ARTICLE 11 - (1) Everyone, in connection with herself/himself, has the right to;

    a) Learn whether or not her/his personal data have been processed;

    b) Request information as to processing if her/his data have been processed;

    c) Learn the purpose of processing of the personal data and whether data are used in accordance with their purpose;

    ç) Know the third parties in the country or abroad to whom personal data have been transferred;

    d) Request rectification in case personal data are processed incompletely or inaccurately;

    e) Request deletion or destruction of personal data within the framework of the conditions set forth under article 7;

    f) Request notification of the operations made as per indents (d) and (e) to third parties to whom personal data have been transferred;

    g) Object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems;

    ğ) Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data

by applying to the data controller.

Obligations Regarding Data Security

ARTICLE 12 - (1) Data controller shall take all necessary technical and organizational measures for providing an appropriate level of security in order to

    a) Prevent unlawful processing of personal data,

    b) Prevent unlawful access to personal data,

    c) Safeguard personal data.

(2) In case personal data are processed on behalf of the data controller by another natural or legal person, the data controller shall be jointly liable with such persons with regard to taking the measures set forth in the first paragraph.

(3) The data controller is obligated to carry out or have carried out necessary inspections within his institution and organization in order to ensure implementation of the provisions of this Law.

(4) Data controller and persons who process data shall not disclose and misuse personal data they learned contrary to the provisions of this Law. This obligation shall continue after leaving office.

(5) In case processed personal data are acquired by others through unlawful means, the data controller shall notify the data subject and the Board of such situation as soon as possible. The Board, if necessary, may declare such situation on its website or by other means which it deems appropriate.

CHAPTER IV

Application, Complaint, and Data Controllers' Registry

Application to Data Controller

ARTICLE 13 - (1) The data subject shall convey her/his requests relating to the enforcement of this Law to the data controller in writing or by other means designated by the Board.

(2) The data controller shall conclude the requests included in the application free of charge and as soon as possible considering the nature of the request and within 30 days at the latest. However, in case the operation necessitates a separate cost, the fee in the tariff designated by the Board may be collected.

(3) The data controller shall accept the request or reject it by explaining the reason and notify the data subject of its reply in writing or electronically. In case the request included in the application is accepted, it shall be fulfilled by the data controller accordingly. In case the request is resulted from the fault of the data controller, the collected fee shall be returned to the data subject.

Complaint to the Board

ARTICLE 14 - (1) In case the application is rejected, replied insufficiently, or not replied in due time; the data subject may file a complaint with the Board within 30 days following the date he/she learns the reply of the data controller and in any event, within 60 days following the date of application.

(2) Complaint remedy cannot be applied to without exhausting the application remedy set forth under article 13.

(3) Compensation rights of the ones whose personal rights are violated are reserved.

Procedures and Principles of Inspection Ex Officio or upon Complaint

ARTICLE 15 - (1) The Board shall conduct necessary inspection within the scope of its remit either ex officio in case it learns the allegation of a violation or upon complaint.

(2) Notices and complaints which do not meet the conditions set forth under the 6th article of The Law on the Exercise of the Right to Petition numbered 3071 and dated 1/11/1984 shall not be inspected.

(3) Except for the information and documents that constitute state secrets; data controller shall submit the information and documents requested by the Board related to its subject of inspection in 15 days and if necessary, provide for examining on-site.

(4) Upon complaint, the Board inspects the request and replies to those concerned. If not replied within sixty days following the date of the complaint, the request shall be deemed to be rejected.

(5) As a result of the inspection conducted either ex officio or upon complaint, in case it is understood that a violation exists, the Board decides that the illegalities it identified shall be eliminated by the data controller and serves it to those concerned. This decision shall be fulfilled accordingly without delay and within 30 days at the latest as from the notice.

(6) As a result of the inspection conducted either ex officio or upon complaint, in case it is determined that the violation is prevalent, the Board shall adopt a resolution and publish it. The Board, if necessary before adopting the resolution, may obtain the opinion of relevant public institutions and organizations.

(7) In case serious or irreparable losses occur and illegality clearly exists, the Board may decide processing of data or transfer of data abroad to be ceased.

Data Controllers' Registry

ARTICLE 16 - (1) Under the supervision of the Board, Data Controllers Registry shall be kept by the Presidency in a publicly available manner.

(2) Natural or legal persons who process personal data shall register with the Data Controllers Registry prior to commencing processing. However, considering objective criteria that shall be designated by the Board such as the characteristics and the number of data to be processed, whether or not data processing is based on any law, or whether data will be transferred to third parties, the Board may set forth exemptions to the obligation to register with the Data Controllers Registry.

(3) Registry application to the Data Controllers Registry shall be made with a notification including the following matters:

    a) Identity and address information of the data controller and of the representative thereof, if any.

    b) The purposes for which personal data will be processed.

    c) The group or groups of persons subject to the data and explanations regarding data categories belonging to these persons.

    ç) Recipient or groups of recipients to whom personal data may be transferred.

    d) Personal data which is envisaged to be transferred abroad.

    e) Measures taken for the security of personal data.

    f) The maximum period of time necessitated by the purposes for which personal data are processed.

(4) Changes to the information provided as per the third paragraph shall be immediately reported to the Board.

(5) Other procedures and principles relating to the Data Controllers Registry shall be regulated by a regulation.

CHAPTER V

Crimes and Offenses

Crimes

ARTICLE 17 - (1) With respect to crimes relating to personal data, provisions of articles 135 to 140 of Turkish Criminal Code dated 26/9/2004 and numbered 5237 shall apply.

(2) Ones who do not delete or anonymise personal data contrary to article 7 of this Law shall be punished in accordance with article 138 of the Law numbered 5237.

Offenses

ARTICLE 18 - (1) To the ones who do not fulfil

    a) Obligation to inform stipulated in article 10 of this Law, an administrative fine of 5.000 Turkish liras to 100.000 Turkish liras;

    b) Obligations regarding data security stipulated in article 12 of this Law, an administrative fine of 15.000 Turkish liras to 1.000.000 Turkish liras;

    c) Decisions of the Board as per article 15 of this Law, an administrative fine of 25.000 Turkish liras to 1.000.000 Turkish liras;

    ç) Obligation to register with the Data Controllers Registry and notification stipulated by article 16 of this Law, an administrative fine of 20.000 Turkish liras to 1.000.000 Turkish liras

shall be imposed.

(2) (Updated: 2/3/2024-7499/35 art.) The administrative fines stipulated in subparagraphs (a), (b), (c), and (ç) of the first paragraph shall be imposed on the data controller, while the administrative fine stipulated in subparagraph (d) shall be imposed on the data controller or on natural persons or private law legal entities acting as data processors.

(3) (Added: 2/3/2024-7499/35 art.) Administrative fines imposed by the Board may be challenged by filing a lawsuit before administrative courts.

(4) In cases where the actions listed in the first paragraph are committed within public institutions and organizations or professional organizations having the status of public institutions, upon notification by the Board, disciplinary proceedings shall be initiated in accordance with the relevant disciplinary provisions against civil servants and other public officials working in the relevant public institution or organization, as well as those working in professional organizations having the status of public institutions, and the result shall be reported to the Board.

CHAPTER VI

Personal Data Protection Authority and Organization

Personal Data Protection Authority

ARTICLE 19 - (1) Personal Data Protection Authority which has administrative and financial autonomy and public legal personality has been established in order to perform the duties stipulated by this Law.

(2) The Authority is affiliated with the Prime Minister's Office.

(3) The headquarters of the Authority is in Ankara.

(4) The Authority is comprised of the Board and the Presidency. The Board serves as the decision-making body of the Authority.

Duties of the Authority

ARTICLE 20 - (1) The duties of the Authority are as follows:

    a) Following the practices and the developments in the legislation, giving evaluations and recommendations, carrying out researches and inspections or having them carried out in this regard, according to its scope of authority.

    b) Cooperating with public institutions and organizations, nongovernmental organizations, professional organizations or universities, when necessary, regarding the issues which fall within the scope of its authority.

    c) Following and evaluating the international developments concerning personal data, cooperating with international organizations on the matters which fall within the scope of its authority, attending the meetings.

    ç) Presenting the annual activity report to the Presidency, the Committee on Human Rights Inquiry of the Grand National Assembly of Turkey and to the Prime Minister's Office.

    d) Performing the other duties assigned by laws.

Personal Data Protection Board

ARTICLE 21 - (1) The Board shall independently perform and use its duties and powers provided in this Law and the other laws under its own responsibility. No body, authority, institution or person can give orders or instructions, recommendations or suggestions on the matters which fall within the scope of its authority.

(2) The Board shall be comprised of nine members. Five members of the Board shall be elected by the Grand National Assembly of Turkey, two members by the Presidency and two members by the Council of Ministers.

(3) The following conditions shall be required for the membership of this Board:

    a) Having knowledge and experience on the matters which fall within the scope of authority of the Board,

    b) Having the qualifications stipulated in the subclauses (1), (4), (5), (6) and (7) of the subparagraph (a) under the first paragraph of Article 48 in the Law No. 657 dated 14/7/1965 on Civil Servants,

    c) Not being the member of any political party,

    ç) Having received at least four-year higher education at the level of bachelor degree,

    d) Having served for at least ten years in total in public institutions and organizations, international organizations, nongovernmental organizations or professional organizations with public institution status or in private sector.

(4) (Abrogated: 2/7/2018-KHK-703/163 art.)

(5) The Grand National Assembly of Türkiye shall follow the procedure below while electing members to the Board:

    a) Twice the number of members to be designated in proportion to that of the political party groups shall be nominated for the election and the members of the Board shall be elected among these candidates, by the Plenary of the Grand National Assembly of Turkey, based on the number of members per political party group. However, no deliberation can be held or no decision can be taken in the political party groups regarding who will be voted for in the elections to be held in the Grand National Assembly of Turkey.

    b) The members of the Board shall be elected within ten days following the designation and announcement of candidates. A split ticket shall be prepared as separate lists for the candidates nominated by the political party groups. The special place allocated for the names of the candidates shall be marked for voting. The votes casted more than the number of members to be elected to the Board from the quota of the political party groups set under the second paragraph shall be deemed invalid.

    c) Candidates who receive the most votes in the election shall be selected based on the number of vacant positions provided that a quorum exists.

    ç) In case of vacancy in the membership for any reason two months before the end of office of the members, new members shall be elected under the same procedure within one month following the date on which the position falls vacant or, if the Grand National Assembly of Turkey is at recess, following the end of the recess. In these elections, the number of the members designated from the quota of the political party groups in the first election and the current proportion of the political party groups shall be taken into account in the distribution of the vacant membership to the political party groups.

(6) In the event that the term of office of a member appointed by the President (…) expires in forty-five days or if the office becomes vacant for any reason, the situation shall be notified by the Authority to the Presidency (…)6 within fifteen days. When the term of office of the members is about to expire within one month, a new member shall be elected. In the event of a vacancy in these memberships for any reason before the expiration of the term, an election shall be held within fifteen days from the date of notification.

(7) The Board shall elect a President and a Deputy President from among its members. The President of the Board is also the President of the Authority.

(8) The term of office of the Board members is four years. A member whose term has expired may be re-elected. A person elected to replace a member whose term has ended for any reason before the expiration of the term shall complete the remaining term of the member they replace.

(9) The elected members shall take the following oath before the First Presidency Board of the Court of Cassation: “I swear on my honor and dignity that I will perform my duty in accordance with the Constitution and laws, with complete impartiality, honesty, sense of equity and justice.” Applications to the Court of Cassation for the oath are considered urgent matters.

(10) Unless based on a special law, Board members may not take on any official or private duties other than their official duties on the Board, may not serve as managers in associations, foundations, cooperatives, or similar organizations, may not engage in trade, freelance activities, or act as arbitrators or experts. However, Board members may, provided that it does not interfere with their primary duties, publish for scientific purposes, give lectures and conferences, and receive royalties and fees arising from these activities.

(11) Investigations regarding alleged offenses committed by members due to their duties shall be conducted in accordance with the Law No. 4483 of 2/12/1999 on the Trial of Civil Servants and Other Public Officials, and permission for investigation shall be granted by the President.

(12) In disciplinary investigations and prosecutions to be conducted against Board members, the provisions of Law No. 657 shall apply.

(13) Board members cannot be dismissed from their duties before the expiration of their terms for any reason. However, the membership of a Board member shall be terminated by a Board decision in the following cases:

    a) If it is later determined that they do not meet the qualifications required for election,

    b) If a conviction decision rendered against them for crimes related to their duties becomes final,

    c) If it is definitively determined by a medical board report that they are unable to fulfill their duties,

    ç) If it is determined that they have been absent from duty without permission or excuse for fifteen consecutive days or a total of thirty days in a year,

    d) If it is determined that they have failed to attend a total of three Board meetings within a month or a total of ten Board meetings within a year without permission or excuse,

(14) The previous positions of those elected as Board members shall be terminated for the duration of their service on the Board. Those who were public officials before being elected as members, provided they do not lose the qualifications required for public service, shall be appointed by the competent authority to a position appropriate to their acquired rights within one month, if their term ends or if they request to leave office and apply to their former institution within thirty days. Until the appointment is made, all types of payments they were receiving shall continue to be paid by the Authority. For those who were not working in a public institution and whose membership ends as described above, all types of payments they were receiving shall continue to be paid by the Authority until they start a new job or position, but such payments shall not exceed three months. The periods spent in the Authority by these individuals shall be considered as spent in their previous institutions or organizations in terms of personal and other rights.

Duties and Powers of the Board

ARTICLE 22 - (1) The duties and powers of the Board are as follows:

    a) Ensuring that personal data are processed in accordance with the fundamental rights and freedoms.

    b) Taking a final decision with respect to the complaints that the rights relating to personal data are violated.

    c) Reviewing whether personal data are processed in accordance with the laws upon a complaint or ex officio when it is notified of the allegation of violation, regarding the issues which fall within its remit, and taking interim measures in this regard when necessary.

    ç) Determining the adequate measures required for the processing of special categories of personal data.

    d) Ensuring that the Register of Controllers is kept.

    e) Carrying out the necessary regulatory actions in the issues relating to the remit of the Board and the functioning of the Authority.

    f) Carrying out the regulatory actions in order to set out the liabilities relating to data security.

    g) Carrying out the regulatory actions relating to the duties, powers and responsibilities of the controller and his representative.

    ğ) Deciding on the administrative sanctions prescribed by this Law.

    h) Expressing opinions on the draft legislation which is prepared by the other institutions and organizations and includes the provisions relating to personal data.

    ı) Taking a final decision on the strategic plan, determining the objectives and goals, the service quality standards and the performance criteria.

    i) Holding meetings and taking a final decision on the budget proposal prepared in accordance with the strategic plan of the Authority and its objectives and goals.

    j) Approving and publishing the draft reports prepared with respect to the performance, financial standing, annual activities of the institution and to necessary matters.

    k) Discussing and giving a final decision on the proposals regarding the purchase, sales and renting of immovables.

    l) Performing the other duties assigned by law.

Rules of Procedures of the Board

ARTICLE 23 - (1) The President shall set the meeting dates and agenda of the Board. The President can summon the Board for an extraordinary meeting in necessary cases.

(2) The Board shall convene with at least six members including the President and shall take decisions by absolute majority of the total number of members. The members of the Board cannot abstain from voting.

(3) The Board members cannot attend the meetings or voting regarding the matters which concern themselves, their third degree blood relatives and second degree relatives by marriage, their adopted children and their spouses even though the bonds of matrimony between them does not exist any longer.

(4) The Board members cannot impart any secret that they learn with respect to the concerning persons and third persons during their works to anyone other than lawfully competent authorities or use it in favour of themselves.

(5) Minutes shall be written regarding the issues deliberated in the Board. Decisions and, if any, justification of dissenting votes shall be written within fifteen days at the latest following the date of decision. The Board shall announce the decisions to the public if it deems necessary.

(6) The deliberations in the Board meetings shall be kept confidential unless decided otherwise.

(7) The working procedures and principles of the Board, the writing of decisions and other issues shall be regulated under a by-law.

President

ARTICLE 24 - (1) The President shall be the highest official in the Authority in his/her capacity as the President of the Board and Authority and shall arrange, carry out the services of the Authority in accordance with the legislation, the objectives and policies of the Authority, its strategic plan, performance criteria and service quality standards and shall ensure coordination between the service units.

(2) The President shall be responsible for the general management and representation of the Authority. This responsibility shall cover the duties and powers of organizing, carrying out, inspecting, evaluating the works of the Authority and announcing them to the public when necessary.

(3) The duties of the President are as follows:

    a) Acting as chairperson in the Board meetings.

    b) Ensuring that the Board decisions are notified and some decisions are announced to the public if deemed necessary by the Board and following their implementation.

    c) Appointing the Deputy President, heads of departments and the personnel of the Authority.

    ç) Giving a final form to the proposals coming from the service units and presenting them to the Board.

    d) Ensuring that the strategic plan is implemented, creating the human resources and operation policies.

    e) Preparing the annual budget and financial statement of the Authority in accordance with the strategies, annual objectives and goals.

    f) Ensuring coordination so that the Board and the service units work conformably, efficiently and in a disciplined and orderly manner.

    g) Maintaining the relations of the Authority with the other organizations.

    ğ) Determining the duties and scope of authority of the competent personnel who are entitled to sign on behalf of the President of the Authority.

    h) Performing the other duties related to the management and functioning of the Authority.

(4) The Second President shall act for the President in the absence of the President of the Authority.

Establishment and Duties of the Presidency

ARTICLE 25 - (1) The Presidency shall be composed of Deputy President and service units. The Presidency shall perform the duties enumerated under the fourth paragraph through the service units organized as departments. The number of departments cannot be more than seven.

(2) A Deputy President shall be appointed to assist the President in his duties under the Authority.

(3) The Deputy President and heads of departments shall be appointed by the President, among the persons who are graduates from at least a four-year higher education institution and who have carried out public service for ten years.

(4) The duties of the Presidency are as follows:

    a) Keeping the Register of Controllers.

    b) Carrying out the bureau and secretariat actions of the Authority and the Board.

    c) Representing the Authority by means of lawyers in the cases which the Authority is party to and in execution proceedings, following the cases or having them followed and conducting legal services.

    ç) Carrying out the personnel affairs of the Board members and those who serve in the Authority.

    d) Performing the duties assigned by law to the departments of financial services and strategy development.

    e) Ensuring that an information system is installed and used in order to conduct the affairs and actions of the Authority.

    f) Preparing and presenting the draft reports regarding the annual activities of the Board and the necessary matters.

    g) Preparing the draft strategic plan of the Authority.

    ğ) Setting out the personnel policy of the Authority, preparing and implementing the career and training plans of the personnel.

    h) Carrying out the appointments, transfers, disciplinary actions, performances, promotions, retirements and similar actions of the personnel.

    ı) Setting out the ethical rules to be followed by the personnel and providing necessary training.

    i) Carrying out any kind of services such as purchase, sales, renting, maintenance, repairing, construction, archive, health as well as social services and similar services necessitated by the Authority under the Public Financial Management and Control Law No. 5018 dated 10/12/2003.

    j) Keeping records of the movables and immovables of the Authority.

    k) Performing the other duties assigned by the Board or the President.

(5) The service units and the working procedures and principles of these units shall be regulated by the by-law enacted by the decision of the Council of Ministers upon the proposal of the Authority, in accordance with the scope of authority, duties and powers of the service units stipulated under this Law.

Specialists and Assistant Specialists on Personal Data Protection

ARTICLE 26 - (1) Specialists on Personal Data Protection and Assistant Specialists on Personal Data Protection can be employed in the Authority. The degrees of those who are appointed as Specialists on Personal Data Protection within the framework of the additional article 41 of the Law No. 657 shall be increased for one time only.

Provisions Relating to the Personnel and Their Personal Rights

ARTICLE 27 - (1) The personnel of the Authority shall be subjected to the Law No. 657, apart from the issues regulated by this Law.

(2) The payments shall be made to the president and members of the Board and the personnel of the Authority in the same procedure and principles as the payments made to the exemplified personnel within the scope of the financial and social rights, under the additional article 11 of the Decree Law No. 375 dated 27/6/1989. Those who are not subjected to taxes or another legal deduction from the payments made to the exemplified personnel shall not be subjected to any tax or deduction under this Law.

(3) The president and members of the Board and the personnel of the Authority shall be subjected to the provisions of the subparagraph (c) under the first paragraph of Article 4 of the Law No. 5510 dated 31/5/2006 on Social Security and General Health Insurance. The president and members of the Board and the personnel of the Authority shall be deemed equal to the exemplified personnel in terms of pension rights. The term of office of those whose office expires or those who

request for resignation among those who are appointed as president and members of the Board while they are covered by an insurance policy within the scope of the subparagraph (c) under the first paragraph of Article 4 of the Law No. 5510 shall be taken into account while determining the salaries, degrees and levels as their vested rights. The term of office of those who fall within the scope of the provisional article 4 of the Law No. 5510 during such office shall be evaluated as the period during which the executive compensation and representative compensation should be paid. For those who are appointed as the President and members of the Board while they are insured in the public institutions and organizations, within the scope of the subparagraph (a) of the first paragraph under Article 4 of the Law No. 5510, their discharge from the previous institutions and organizations shall not require any seniority or termination indemnity. The term of office of those who are in this situation for which seniority or termination indemnity should be paid shall be combined with their term of office in the past as the President and member of the Board and this total term shall be considered for the payment of gratuity.

(4) The civil servants and other state officials serving in public agencies under the central administration, social security institutions, local administrations, the agencies under local administrations, local administrative units, institutions with the circulating capital, funds established by law, organizations with public legal personality, organizations with over half the capital which belongs to the public, public economic enterprises and public economic organizations and the partnerships and entities affiliated with them can be temporarily assigned in the Authority provided that their institution pay the salary, allowance, any kind of salary increase and indemnity as well as other financial and social rights and assistance with the consent of the mentioned institutions. The requests of the Authority on this matter shall be finalized primarily by the relevant institutions and organizations. The personnel who are assigned as such shall be deemed to be on paid leave from their institutions. The civil service, relevance and rights of this personnel shall continue as long as they are on leave and this term shall be taken into account in their promotion and retirement process. Their promotion shall be conducted in time, without necessitating any other action. The term of service of those who are assigned under this article shall be deemed to have served in their own institutions. Those who are assigned as such cannot exceed 10% of the total cadre number of Specialists and Assistant Specialists on Personal Data Protection and the assignment cannot exceed two years. However, this term may be extended for a period of one year if necessary.

(5) The titles and numbers of the personnel to be employed in the Authority are shown on Table (I). Titles or degrees shall be changed, new titles shall be added and vacant positions shall be cancelled upon the decision of the Board, provided that it is limited to the titles listed on the tables annexed to the Decree Law No. 190 dated 13/12/1983 on General Cadre and Procedure, not exceeding the total number of personnel.

CHAPTER VII

Miscellaneous Provisions

Exceptions

ARTICLE 28 - (1) Provisions of this Law shall not be applied in the following cases:

    a) Processing of personal data by natural persons in the course of a purely personal or household activity, provided that obligations relating to data security are complied with and data are not transferred to third parties.

    b) Processing of personal data for the purposes of official statistics and, through anonymization, research, planning, statistics and similar.

    c) Processing of personal data for the purposes of art, history, and literature or science, or within the scope of freedom of expression, provided that national defence, national security, public safety, public order, economic safety, privacy of personal life or personal rights are not violated.

    ç) Processing of personal data within the scope of preventive, protective and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defence, national security, public safety, public order or economic safety.

    d) Processing of personal data by judicial authorities and execution agencies with regard to investigation, prosecution, adjudication or execution procedures.

(2) On the condition of being relevant and proportionate to the purpose and general principles of this Law, article 10 which regulates the obligation of the data controller to inform; except for right to request compensation, article 11 which regulates the rights of the data subject; and article 16 which regulates the obligation to register with the Data Controllers Registry shall not apply in the following cases:

    a) Processing of personal data is necessary for prevention of crime or investigation of a crime.

    b) Processing of personal data revealed to the public by the data subject herself/himself.

    c) Processing of personal data is necessary, deriving from the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status.

    ç) Processing of personal data is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters.

Budget and Revenues of the Authority

ARTICLE 29 - (1) The budget of the Authority shall be prepared and approved in accordance with the procedures and principles set forth in Law No. 5018.

(2) The revenues of the Authority are as follows:

    a) Treasury aids to be provided from the general budget.

    b) Revenues obtained from movable and immovable properties belonging to the Authority.

    c) Donations and aids received.

    ç) Revenues obtained from the evaluation of its own revenues.

    d) Other revenues.

Amended and Added Provisions

ARTICLE 30 - (1) (Related to Law No. 5018 dated 10/12/2003 and incorporated into its place.)

(2) to (5) - (Related to Law No. 5237 dated 26/9/2004 and incorporated into its place.)

(6) (Related to the Fundamental Law on Health Services No. 3359 dated 7/5/1987 and incorporated into its place.)

(7) (Related to the Decree Law No. 663 dated 11/10/2011 on the Organization and Duties of the Ministry of Health and its Affiliated Institutions and incorporated into its place.)

Regulation

MADDE 31 - (1) Regulations related to the application of this Law shall be brought into force by the Authority.

Transitional Provisions

TEMPORARY ARTICLE 1 - (1) Within six months following publication of this Law, the members of the Board shall be elected in accordance with the procedure set forth under article 21 and the Presidency organisation shall be constituted.

(2) Data controllers are obligated to register with the Data Controllers Registry within the term designated and announced by the Board.

(3) Personal data that is processed before the date of publication of this Law shall be rendered compliant within two years following the date of publication of this Law. Personal data that is determined to be contrary to the provisions of this Law shall be immediately deleted, destroyed, or anonymised. However, the consents that are lawfully obtained before the date of publication of this Law shall be deemed lawful in terms of this Law8 , provided that no declaration of intention to the contrary is made within one year.

(4) The regulations prescribed in this Law shall be brought into force within one year following the date of publication of this Law.

(5) A senior executive who is to provide coordination of the application of this Law in public institutions and organizations shall be determined and reported to the Presidency within one year following the date of publication of this Law.

(6) The first elected President, second President and two members who are to be determined by draw shall serve for six years, and other five members for four years.

(7) Until a budget is allocated to the Authority;

    a) Expenses of the Authority shall be disbursed from the budget of Prime ministry.

    b) All supplemental services necessary for the Authority to provide its services such as building, vehicle, equipment, furnishings, and hardware shall be provided by the Prime ministry.

(8) Until the service units of the Authority enter into service, secretariat services shall be provided by the Prime ministry.

TEMPORARY ARTICLE 2 - (Added:28/11/2017-7061/120 art.)

(1) Among those who have graduated from faculties of political sciences, economics and administrative sciences, economics, law, and business administration that provide at least four years of undergraduate education, or from the departments of electronics, electrical-electronics, electronics and communication, computer, or information systems engineering of engineering faculties, or from domestic or foreign higher education institutions whose equivalence to these is accepted by the Council of Higher Education; those who have been appointed to positions in the central organizations of institutions related to the titles specified in subparagraph (11) of paragraph (A) of the "Common Provisions" section of Article 36 of Law No. 657, after passing a special competitive examination for the profession, completing a certain period of in-service training, and passing a special proficiency exam, and who have served in these positions for at least two years excluding periods of unpaid leave, as well as those holding academic staff positions, may be appointed as Personal Data Protection Experts within one year from the effective date of this article, provided that they have scored at least seventy points in the Foreign Language Proficiency Exam and have not reached the age of forty as of the date of appointment. The number of persons to be appointed in this manner shall not exceed fifteen.

TEMPORARY ARTICLE 3 - (Added: 2/3/2024-7499/36 art.)

(1) The first paragraph of Article 9, as it stood before being amended by the Law introducing this article, shall continue to be applied together with the amended version of the article until 1/9/2024.

(2) Applications pending before the criminal judgeships of peace as of 1/6/2024 shall continue to be handled by these judgeships.

Entry into Force

ARTICLE 32 - (1) This Law's;

    a) 8th, 9th, 11th, 13th, 14th, 15th, 16th, 17th, 18th articles shall enter into force after six months following the date of publication,

    b) Other articles shall enter into force on the date of publication.

Enforcement

ARTICLE 33 - (1) The provisions of this Law shall be enforced by the Council of Ministers.