Personal Data Protection Law (PDPL) and GDPR Consulting Services

Personal Data Protection Law (PDPL) and GDPR Consulting Services

By identifying the risks that may occur through legal non-compliance, our consulting services provide you taking both technical and administrative precautions which are crucial for processing and protecting each kind of personal data in accordance with the law.

General Overview


From Information to Transformation

Technological improvements and the increase in storage of personal data digitally have created the need for regulation on national information security in Turkey. In addition, personal data protection needs in international area, integration process with European Union, also local information security necessities have obliged the implementation of personal data protection legislation.

Dijital Dönüşüm

Four of the negotiation chapters of Turkey’ s ongoing accession process for EU membership, are fully related to personal data protection.

In order to protect each personal data possessed (digitally or physically) with the principle of right to privacy, organizations are obliged to prepare required technical and administrative infrastructures. Furthermore, they need to realize all necessary legal regulations in terms of actions to be taken when personal data had by third parties.

The data which needs to be kept confidential appears through the exchange of information between you and your clients, employees, their families, vendors and any other third parties. Digital transformation requires important changes in any services you give and any operation you manage. This new cultural formation shall be possible as you change your own status quos that provide administrative and technical easiness in your organization.

What Is Personal Data Protection Law (PDPL)?

Personal data is considered as any information which causes an individual being identifiable or identified. Information that is gathered from various divisions can also identify an individual. Name, surname, address, e- mail address, IP address of your computer, vehicle plate and such are the data than can be related to an individual. Also, health data is included in the scope of sensitive personal data. PDPL regulates all methods and principals which both natural and legal persons are obliged to protect, process, destroy, anonymize and keep updated all personal data in compliance with the law.

The History of PDPL and Significant Dates

Turkish Personal Data Protection Law no. 6698 based on the Data Protection Directive 95/46/EC of European Parliament and European Commission, published in the Official Gazette dated 7/04/2016 no. 29677. Personal data that is processed before the date of publication of the law, must become compliant with the rules stated in the law in two years starting from publishing date. In other words, all personal data processed before 07/04/2016 must become compliant with the law by 07/04/2018.

What is General Data Protection Regulation (GDPR)?

EU General Data Protection Regulation (GDPR) is the latest and most significant implementation change proposed in the last 20 years. GDPR which makes organizations liable to heavy fines regarding compatibility was adopted on 14/06/2018 and has become fully enforceable on 25/05/2018.

GDPR has replaced with Data Protection Directive 95/46/EC of European Council and Parliament. The main purpose of GDPR is to reshape organizations regarding compliance to ensure data security of EU citizens through an efficient privacy and security approach.

Do the regulations required for PDPL provide compliance for GDPR requirements?

The fact that GDPR applies to personal data of EU citizens who live inside and outside EU causes a misunderstanding by companies residing in Turkey. Furthermore, many companies outside of EU have the similar understanding. For instance, according to various researches, 50% of American companies do not consider to be in the scope of GDPR. Only 12% of Asia-Pacific companies have prepared for GDPR regulations.

Some misleading publications state as GDPR only applies to organizations located within the EU which is completely inaccurate. As a result of various business operations, numerous companies located in Turkey fall under GDPR together with PDPL.

Are you certain you are not liable to GDPR?

EU GDPR - Article 3 (Territorial Scope)

Art. 3 GDPR is related to territorial scope. 2nd article of this chapter states that;

  • The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • The monitoring of their behaviour as far as their behaviour takes place within the Union. are necessary indicators for a company to become liable to GDPR.

An interpretation of the relevant article of the legislation can be exemplified as follows; if a company proposes a service through its website in a language legally spoken in the EU (In Increased Territorial Scope) or if a company offers a price list through one of the currencies used in EU by gathering information through a contact page, it becomes liable to GDPR. Also, identifying personal information of people, determining their behavior, and obtaining their IP addresses through a website or other different methods as web cookies are in the scope of GDPR. On the other hand, companies which have any kind of business relations with EU countries must comply with GDPR.