Main Obligations of the Data Controllers Under the Law on the Protection of Personal Data (LPPD)








Is Documentation Required or





Obligation to Ensure Personal Data Security

Data controllers should take all necessary technical and administrative measures to ensure the data security. There are specific measures announced by the Turkish Data Protection Authority (“DPA”) with regards to the special categories of personal data.2


Any incident resulting in the acquisition of processed personal data by third parties through unlawful means is considered as a data breach. Data controllers should notify the DPA within 72 hours after becoming aware of a breach and notify the data subjects whose data have been affected within a reasonable time. 3

Data Breach Response Plan


Employee Confidentiality Agreement


Administrative fine up to 1.802.640 TRY (approx. US$233.000)


Obligation to Comply with the General Principles

Data processing activities should be carried out in accordance with the general principles stated below:

(1)   Lawfulness and fairness,

(2)   Being accurate and kept up to date where necessary,

(3)   Being processed for specified, explicit and legitimate purposes,

(4)   Being relevant, limited and proportionate to the purposes for which they are processed,

(5)   Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed



Administrative fine up to 1.802.640 TRY. (approx. US$233.000)


Obligation to Process Personal Data Based on the Legal Grounds

Personal data processing activities should be carried out based on the legal grounds stated under Articles 5 and 6 of the LPPD.5



Administrative fine up to 1.802.640 TRY. (approx. US$233.000)


Obligation to Fulfill Data Subject Applications

The data controller should fulfill the DSAs and respond to the data subject within 30 day.

Data     Subject Application Form


Administrative fine up to 1.802.640 TRY. (approx. US$233.000)


Obligation to Conduct Audits

The data controller is obliged to carry out the necessary audits, or have them carried out, in its own institution or organization, to ensure its compliance.

Internal Governance and Audit Policy


Administrative fine up to 1.802.640 TRY. (approx. US$233.000)


Obligation to Lawfully Transfer Personal Data

Transfer Within Turkey: Based on the legal grounds stated under the LPPD, personal data could be transferred within Turkey.


Cross-Border Data Transfer: Since the DPA has not yet announced the list of the countries with adequate protection; in order to transfer personal data from Turkey to abroad (a) the explicit consent of the data subjects should be obtained or (b) (i) executing a data protection undertaking agreement between the transferor and transferee parties

and (ii) submitting it to the Board’s approval. This option could be fulfilled by either executing a bilateral data transfer agreement or local binding corporate rules

Cross-border Data Transfer Agreement / Local BCR

Recommended [Required if option

(b) is chosen for cross-border data transfer]

Administrative fine up to 1.802.640 TRY. (approx. US$233.000)


Obligation to Prepare Personal Data Processing Inventory

Data controllers are required to prepare a personal data processing inventory similar to Records of Processing Activities required under the Article 30 of the GDPR.

Personal Processing Inventory




Obligation to Inform

Data controllers must inform data subjects about the personal data processing activity while obtaining personal data. In this regard, Article 10/1 of the LPPD stipulates the minimum content requirement of the obligation to inform and therefore, the privacy notices should involve the elements stated under the mentioned Article.

Privacy Notice


Administrative fine

180.263 TRY US$23.300)


Obligation to Register before the Data Controllers’ Registry

Data controllers residing in Turkey that (i) have an annual turnover more than or equal to 25M TRY or (ii) employ more than 50 employees should register to the Registry.


Each non-resident data controller processing personal data of the data subjects in Turkey as a data controller should register before the Data Controllers Registry.



Administrative fine 1.802.640 TRY. US$233.000)


Obligation to Ensure Erasure, Destruction, Anonymization of Personal Data

Personal data should be erased, destructed, or anonymized by the data controller, ex officio or upon the request of the data subject, in the event that the purposes for the processing no longer exist.


The data controller should keep the records of all operations relating to erasure, destruction and anonymization of personal data at least for 3 years.

Personal Data

Storage and Disposal Policy


Administrative fine up to 1.802.640 TRY. (approx. US$233.000)


In case of failure to destroy the data within a defined system despite the expiration of legally prescribed period, persons responsible from this failure are

sentenced to imprisonment from 6 months to 1 year.