Following the enactment of the Law on the Protection of Personal Data numbered 6698 (“Data Protection Law”) on April 07, 2016, many organizations began reviewing their level of compliance with the Data Protection Law and initiating compliance projects.

Under the Data Protection Law, companies have a transition period of two years, meaning that personal data processed prior to the enactment of the law must be brought into compliance with the provisions of the law within that period.

If such compliance is not ensured, non-compliant personal data will be deleted, destroyed or anonymized. However, personal data for which consent was legitimately obtained from the data subjects before the enactment of the Data Protection Law will be held compliant with the law unless a contrary statement is obtained from the data subject within one year as of the date of the law. In addition, data subjects’ consents that were legitimately obtained shall be deemed to be in compliance with the Data Protection Law unless the data subject communicates otherwise.

The Data Protection Authority (DPA) is currently being established and, as the regulations that detail the application of the Data Protection Law will be published within a one-year period as of the enactment of the law, there is currently minimal guidance as to the requirements that may apply in Turkey. It is currently not clear how companies can adapt themselves to the Data Protection Law and ensure that all personal data obtained is brought into compliance, or how personal data will be deleted, destroyed or anonymized. It is expected that guidelines will be prepared by the DPA.

However, it must be noted that the Data Protection Law came into force as of April 07, 2016 and, although certain provisions came into force six months after its enactment, it is now fully in force; organizations are therefore busy planning compliance projects.

Data protection compliance projects are not purely legal, technical or organizational. A successful compliance project must combine all three aspects to ensure and maintain full compliance in the long run.

We would like to summarize in this paper the tips for companies to initiate and complete a successful compliance project:

  • Create awareness within the company at management level as well as personnel level;
    • Plan a training to introduce the requirements of the Data Protection Law, and convince management of the need to conduct a data protection compliance project and of the importance of being compliant;
  • Plan your compliance project within the company;
    • Plan your budget and designate the person responsible for the whole project;
    • Review your data flows and processes;
    • Analyze what types of data are being processed within the company;
    • Review data storage, data processing and data retention procedures;
    • Review third-party data processors acting on behalf of the company;
    • Review internal data processing policies or practices;
    • Identify where servers are kept;
    • Identify data transfers abroad;
  • Identify your needs;
  • Find your business partner(s) to conduct the compliance project and target a general timeline;
  • Detail the project with your business partner;
    • Define the scope and timeline of the project;
  • Appoint responsible teams to be in charge of the compliance project and assist the business partner;
    • Prioritize the items that must be implemented, plan the implementation phase; 
    • Develop new work products and tools;
    • Establish compliant procedures, policies, contracts, response mechanisms (for complaints), provisions, and new organizational structure if need be, upon review and analysis of the current status with the business partner;
  • Introduce the new work products and tools to the company;
  • Provide training to personnel so that they adapt to the new tools and procedures and internalize the new concepts;
  • Implement the new procedures, policies, contracts and organizational changes if need be;
  • Plan any developments that need infrastructural and technical investment;
  • Maintain compliance in the long run;
    • Conduct reviews, audits or regular training internally and for customers/suppliers for this purpose;
  • Be aware of the latest developments, and always follow new regulations and guidelines;
  • Liaise with the DPA and relevant associations regularly;
  • Be ready to adapt the company procedures easily in case there is an amendment as per the latest developments (upon release of a new secondary legislation or guideline by the DPA).