General principles
ARTICLE 4- (1) Personal data can only be processed in accordance with the procedures and principles set forth in this Law and other laws.
(2) It is mandatory to comply with the following principles in the processing of personal data:
a) Complying with the law and the rules of honesty.
b) Being accurate and up to date when necessary.
c) Processing for specific, explicit and legitimate purposes.
ç) Being related to the purpose for which they are processed, limited and proportionate.
d) To be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
Terms of processing of personal data
ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the relevant person.
(2) In case one of the following conditions exists, without the express consent of the relevant person
processing of personal data is possible:
a) It is clearly prescribed by law.
b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) It has been made public by the person concerned.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Conditions for processing special personal data
ARTICLE 6- (1) Data regarding individuals' race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures. Biometric and genetic data are special personal data.
(2) It is prohibited to process special personal data without the explicit consent of the person concerned.
(3) Personal data other than health and sexual life listed in the first paragraph may be processed without the express consent of the relevant person in cases stipulated by law. Personal data regarding health and sexual life can only be used by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing, without the express consent of the relevant perso.
(4) In the processing of special personal data, it is also essential to take adequate measures determined by the Board.
Deletion, destruction or anonymization of personal data
ARTICLE 7- (1) Although personal data has been processed in accordance with the provisions of this Law and other relevant laws, if the reasons requiring processing are eliminated, personal data is deleted, destroyed or made anonymous by the data controller ex officio or upon the request of the relevant person.
(2) The provisions of other laws regarding the deletion, destruction or anonymization of personal data are reserved.
(3) The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by the regulation.
Transfer of personal data
ARTICLE 8- (1) Personal data cannot be transferred without the explicit consent of the relevant person.
(2) Personal data;
a) In the second paragraph of Article 5,
b) Provided that adequate precautions are taken, it may be transferred without the express consent of the relevant person, provided that one of the conditions specified in the third paragraph of Article 6 is met.
(3) The provisions of other laws regarding the transfer of personal data are reserved.
Transfer of personal data abroad
ARTICLE 9- (1) Personal data cannot be transferred abroad without the express consent of the relevant person.
(2) Personal data is subject to the presence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 and in the foreign country to which the personal data will be transferred;
a) Availability of adequate protection,
b) In case there is no adequate protection, the data may be transferred abroad without seeking the express consent of the relevant person, provided that the data controllers in Turkey and the relevant foreign country undertake to provide adequate protection in writing and the Board has permission.
(3) Countries with adequate protection are determined and announced by the Board.
(4) The Board shall decide whether there is sufficient protection in the foreign country and whether permission will be granted in accordance with subparagraph (b) of the second paragraph.
a) International agreements to which Turkey is a party,
b) Reciprocity status regarding data transfer between the country requesting personal data and Turkey,
c) Regarding each concrete personal data transfer, the nature of the personal data and the purpose and duration of processing,
d) The relevant legislation and practice of the country to which personal data will be transferred,
d) It decides by evaluating the measures undertaken by the data controller in the country to which personal data will be transferred and, if necessary, by obtaining the opinion of relevant institutions and organizations.
(5) Without prejudice to the provisions of international agreements, personal data may be transferred abroad only with the permission of the Board, after obtaining the opinion of the relevant public institution or organization, in cases where the interests of Turkey or the relevant person will be seriously harmed.
(6) Provisions in other laws regarding the transfer of personal data abroad are reserved.
