Turkiye: Adopted Personal Data Protection Board's guidelines on conditions for processing data under Turkish and EU law

On 5 August 2024, the Personal Data Protection Board (KVKK) adopted guidelines on conditions for processing data under Turkish and European Union law. The guidelines focus on how the protection, processing, and storing of personal data is regulated under the two jurisdictions. Processing of personal data builds on a constitutional basis in Turkey, according to which the right to privacy and protection of personal data is safeguarded by Article 20. Processing of personal data is only allowed by law or with explicit consent of the individual. On a lower legal level, the Law on the Protection of Personal Data (Law No. 6698) governs the principles for processing personal data. For instance, according to Article 5, a provision in any law that allows the processing of personal data will establish a condition for processing such data. Lastly, the guidelines compare the protection of personal data under the GDPR. Data processing necessary for the data controller to fulfil a legal obligation is stipulated in Article 6 of the General Data Protection Regulation (GDPR), but unlike Turkish law, the GDPR does not distinguish between the explicit provision in the law and the fulfilment of a legal obligation.