Regulatory & Compliance


SUMMARY    :  By publishing the Law On The Protection Of Personal Data No. 6698 in the Official Journal No. 29677 dated 07.04.2016, various obligations regarding the processing, recording, storing, transferring and destruction of personal data are imposed on Data Controller. The violation and/or negligence of these obligations and their consequences are regulated in articles 135 and ff of the Turkish Criminal Code No. 5237.



Personal data is often collected and used by public and private institutions these days especially trough informatics.  Although there are various practical aspects to using this data, the collection, storage, transfer and processing of this data, which makes the individuals prominent, can easily be abused.

The acquisition of this data contrary to the purpose of processing and by persons without the purpose of processing leads to human rights violations. For this reason, the need for separate and special regulations on the protection of personal data and the establishment of an effective control mechanism has arisen.

Article 20 of the Constitution has been amended with Law No. 5982 which has adopted with the public vote on 12 September 2010 and the protection of personal data has been secured as a fundamental right and the details have been arranged by law. The content and framework of violations relating to personal data have been clarified by Law No. 6698 on the protection of personal data. The nature of the violations is diversified by the decisions of the Personal Data Protection Board, which began its audit activities by publishing them in the Official Gazette and on the website of the Personal Data Protection Authority.

Under the heading of Crimes and Misdemeanors in Article 17 of the Law on Protection of Personal Data, the provisions of the Turkish Criminal Code No. 5237 in Article 135 to 140 which sanction various actions related to personal data are referred to.

In Article 135 and subsequent articles of the Turkish Penal Code No. 5237, acts of obtaining, recording or disclosing personal data unlawfully are criminalized; sanctions regarding these acts are also included in the related articles.




  • Turkish Criminal Law Art. 135 : In the first paragraph of this article, which regulates the recording of  personal data; it has been stipulated that anyone who illegally records personal data shall be sentenced one to three years in prison.

The second paragraph of the relevant article regulates the major version of the first paragraph; it is envisaged that for any person who illegally records personal data on another person’s political, philosophical or religious opinions, their racial origins; their moral tendencies, sexual orientations, health or relations to trade unions; the penalty under the first paragraph shall be increased by half. Therefore, if the subject of the crime in the first paragraph, is of personal data of special nature (sensitive) data, the penalty shall be increased by half.

Again, on the justification of Article 135 of the Law no. 5237 entitled ”Recording of personal data”, it is stated that any information about the real person should be considered as personal data, but the definition of personal data is not fully and clearly defined.


  • Turkish Criminal Law, Art. 136 : This article, which regulates the obtaining and dissemination of personal data, stipulates two to four years of imprisonment for persons who illegally transmit, disseminate or obtain personal data. As it can be understood from the justification of Article 136/1 of the Turkish Criminal Law, which is “With the provision of this article, whether or not recorded in accordance with the law, disclosing, disseminating data to others illegally or capturing personal data illegally is defined as an substantive felony.” and it is essential to have personal data recorded in order for the relevant crime to occur. From this perspective, it is more likely that the act of the dissemination of personal data, which is not recorded and known through purely sensory organs, will fall within the scope of the crime of “Violation of Pivacy” in TCK 134/1.
  • Turkish Criminal Law, Art. 137: The case where crimes that regulated in Turkish Criminal Law Art. 135 and Art.136 are committed by a public official and by abuse of authority given by the duty or by taking advantage of the convenience provided by a certain profession and art has been considered as a major offence that will result in an increase in punishment in Art.137 of same law.


  • Turkish Criminal Law, Art. 138: People who do not destroy the data within the period specified in the law shall be sentenced one to two years imprisonment; If the subject of the crime is in the status of data that should be extinguishment by the provisions of the Law of Criminal Procedure, the major version of the crime will be on the agenda and the penalty will be increased by one fold.


  • Turkish Criminal Law, Art. 139: With this article, Excluding the offences of Recording of Personal Data, Illegally Obtaining or Giving Data and Destruction of Data, the commencement of an investigation and prosecution for the offences listed in this Part are subject to complaint.

About Us

We are aware of legal expectations of corporates and business community in need of sustainable growth, development and stability, when they do business in a complicated and emerging jurisdiction.

Recent Posts

Ask Us a Question

Talk To An Expert