Penalty-Free Period of Data Protection Law No 6698 has ended today

As we have examined in our previous publications, the Law No.6698 on Protection of Personal Data (“DP Law”) has entered into force on 07.04.2016 and delayed enforceability of certain provisions for compliance until 07.10.2016, which is today.

Therefore, the provisions especially for transfer of personal data abroad, information of data subject about their rights and establishment of adequate systems for such, applications to data controller and the Board by the data subject and the relevant penalties for non-compliance have become enforceable as of today.

Also today 5 out of the 9 board members that had been elected by the Parliament have been announced in the Official Gazette.


  • Unless there is a change in the Law regarding establishment of the Board, the remaining 4 members will be elected as follows: 2 members will be elected by the President of the Republic and the remaining 2 members will be elected by the Council of Ministers.
  • Following the election of the Board, the organization of the Authority will be established with app. 195 people and relevant operations will commence for application and implementation of the Law.
  • Initially, the secondary legislation will be prepared by the Board.


Urgently, the management should;

  • Meet up with the directors/managers of the data collector and processor units within the company organization and draw up data flow charts for any and all kind of personal data entering into to the company records;
  • Have the explicit consent texts and texts for information of the data subject been prepared and make sure the necessary mechanisms are in place for such information obligations to be fulfilled by the data controller against the data subjects;
  • Establish necessary mechanisms and protections especially for transfer of personal data overseas.

Subsequently, in parallel to the above actions, in order to comply with the obligations under the Law especially for provision of data security, the management should;  

  • build a team for the due management of the compliance process(preferably the team must include legal advisors and IT experts and depending the size of the company a risk manager and aninternal auditorcan beadded to theteam)
  • conduct an audit  in  relation  to  data  processing  activities  and  compliance  requirements thereunder
  • determine whether data is shared with thirdpartiesortransferredtooverseasandifso identify applicable dutiesand liabilities associated with such activities;
  • determine group policies for data processing intra-group and out of group, especially for international organizations
  • appoint an in-house data protection officer or compliance officer, as the representative of the data controller and determine powersand dutiesofsuch person
  • reorganize the company organization chart
  • establish necessary technical and legal infrastructure for datas ecurity
  • review all contracts for data processing and data sharing activities, including but not limited to application forms used by thecompany for different purposes, such as client CRM, employment etc, and revising such in light with the compliance program
  • establish the contractual basis for the relationship between the third party data processor and thedatacontrollerbydetermining mutualrightsanddutiesofthepartiesthereunder
  • train executives as well as operational teams who actor may be acting as data processors


For compliance phases; 

  • the Law has governed that in relation to data collected and processed prior to 7.04.2016 there will be a transition period ending on 07.04.2018. The companies will be required to be effectively compliant with the Law by such deadline.
  • the penalty free term for compliance in relation to data collected and processed after 7.04.2016 has ended today.
  • From today onwards, with the establishment and commencement of operations of the Board, those companies and their directors who had not completed the works for compliance with the Law regarding the data collected after 07.04.2016, as the result of official audits to be performed, might face with  administrative penalties that can go up to TRY 1 million for each occurrence and also imprisonment between 1-4 years in case of recording, transferring, dispersing, receipt or non-destruction of data against the laws.
  • There is also the risk of facing with different penalties under different legislations specific to the sector of the companies operating at i.e those that can be issued by the Information Technologies and Communication Board.

For all the above reasons, we advise that all data controller and processor companies take necessary actions for compliance with the Law at the earliest convenience.