Although Turkey has signed the EU Directive No. 95/46 (the “Directive”), there is no specific regulation related to the protection of personal data in Turkey yet. Under Turkish law, data protection is governed by the Turkish Constitution and a number of laws, such as the Turkish Criminal Code, the Turkish Code of Obligations and the Turkish Civil Code. The Draft Law on the Protection of Personal Data, based on the Directive is on the agenda of the Turkish Grand National Assembly for enactment.
Based on the fact that the subject matter personal data is of an EU citizen and processing (such as collection, storage of personal data and etc.) of personal data of an EU member state’s citizen is governed by the Directive, and there is no specific Turkish legislation that prevents such processing of data, the provisions of the Directive should be applicable for processing of such personal data in Turkey (which is also a party to the Directive).
According to the Directive Article 7, personal data may be processed only if;
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
As per the Turkish Constitution, every individual has the right to claim for protection of his/her personal data. Furthermore, individuals shall be entitled to be informed of their personal data, to have access to their data, request the revision or removal of their data and learn whether or not their data is used for the right purposes.
Currently, the Turkish Criminal Code (the “TCC”) is one of the most important legislation governing protection of personal data, naturally from a criminal law perspective. An individual who intentionally discloses or allows unlawful disclosure or reproduction of confidential information shall be criminally liable under the TCC. Similarly, Article 135 of the TCC provides protection against unlawful recording of personal data which may subject a person to imprisonment from 6 months to 3 years.
Article 136 of the TCC sets forth that unlawful transfer or dissemination of personal data to third parties may subject a person to imprisonment from 1 to 4 years. Article 137 sets out the aggravating factors –resulting in an increased sentence– such as violation of data protection rules while holding a public office or by abusing an occupational power. Article 138 stipulates that failing to dispose of personal data upon expiration of statutory retention periods may subject a person to imprisonment from 6 months to 1 year. Prosecution of the foregoing felonies is not subject to an official complaint made by the owner of the personal data and that the public prosecutors may, at their own discretion, decide to investigate any suspicious act.
In the event that the felonies defined under TCC Articles 135 through 137 and Article 239 are committed by corporations and/or to the benefit of a corporation, they may be subject to certain security measures. These include (i) confiscation of all revenue and other financial benefits derived from such unlawful acts, and (ii) provided that the felony is committed by abuse of an occupational power granted under a license, revocation of such license. The owner of the personal data can also claim compensation from the violating party.
In sum, having explained Turkish legislation on personal data protection, there is no specific law prohibiting data collection of EU citizens in Turkey as long as above mentioned principles are duly applied.