In a step toward its accession to the EU, Turkey has enacted its first comprehensive Data Protection Law. The law was passed by the Turkish Parliament 24 March and published in the Official Gazette 7 April.

The law is based largely on the EU Data Protection Directive (95/46/EC), and as such introduces familiar definitions of ‘personal data’, ‘data processor’, and ‘data controller’. There are, however, some novelties such as a definition of ‘explicit consent’, which has been lacking under EU law. The law also introduces restrictions on the international transfer of data.

The law provides for the establishment of two new bodies: the Personal Data Protection Authority (the Authority) and the Board of Personal Data Protection (the Board). These bodies will together be responsible for ensuring that the law is enforced. Once established, the Authority will have the power to impose fines of up to €300,000 and prison sentences of up to four years in certain circumstances.

Organisations with operations in Turkey will need to review their data practices in-country to ensure that they comply with the new law.